Dmitry Maslakov
Hi.
Some related questions were discussed here, but my question is somewhat
different.
I'm writing a project, the essence of which can be expressed as follows.
* System: IIS 6 on W2003 Server.
* Site: the application pool runs as NETWORK SERVICE; anonymous access is
allowed on the site.
* Goal: operate on files and change permissions on files (remote files
via UNC as well).
Using forms authentication I receive the UPN and password from the user. Then
I impersonate using the LogonUser API and save the returned token in session
variables. All operations on files are performed after a call to the API
function ImpersonateLoggedOnUser.
The account the user logs in with has full access to the files. So it operates
on files (move/copy/delete) successfully, and reads the DACL as well.
BUT THE PROBLEMS begin when I try to set permissions on files (try to use
WRITE_DAC access). I use the ActiveDs ActiveX. Here are two situations.
1) If the user is the owner of the file he tries to set permissions on, the
permissions are set successfully. But this is not the real situation, because
a) the owner of the files is the Administrators group, b) the user has full
access to his files but belongs to the Users group.
2) If the user is not the owner of the files, the following error occurs on
the call to SetSecurityDescriptor:
System.Runtime.InteropServices.COMException: This security ID may not be
assigned as the owner of this object.
Attempts to grant SeTakeOwnershipPrivilege to the user token give nothing.
Trying to grant the same privilege to the process (after impersonation) gives
the error "Access is denied".
Does someone have suggestions on how I could achieve the goal?
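An added example, not from the post and not ActiveDs code, showing a DACL-only write under the same LogonUser token the post describes. The error quoted above (ERROR_INVALID_OWNER, 1307) is what Windows returns when a security descriptor write includes an owner SID that is not the caller's own SID (or one of its groups flagged as owner) and the caller does not hold SeRestorePrivilege; writing a whole security descriptor, owner included, is what ADSI's SetSecurityDescriptor does. If the write carries only the DACL, the only access right checked is WRITE_DAC, which a user with Full Control on the file already has, and no ownership or privilege comes into play. The code below uses System.Security.AccessControl, which exists from .NET Framework 2.0 onwards (the IIS 6 environment in the post may still be on 1.1); `userToken` is assumed to be the handle the post's code stores in session, and the path and account names are placeholders.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the original post). Under the impersonated LogonUser
// token, change ONLY the DACL of a file. The owner and primary group are neither
// read nor written, so the caller never has to be the owner or hold
// SeTakeOwnershipPrivilege / SeRestorePrivilege; WRITE_DAC on the file is enough.
// Requires .NET Framework 2.0 or later (System.Security.AccessControl).
public static class DaclOnlyAcl
{
    // userToken: the handle returned by LogonUser (the post keeps it in session state).
    // path:      local path or UNC path, e.g. @"\\fileserver\share\docs\report.txt".
    // grantee:   account in DOMAIN\user form, e.g. @"CONTOSO\jdoe" (placeholder).
    public static void GrantModify(IntPtr userToken, string path, string grantee)
    {
        // Impersonate for the duration of the ACL edit only; Dispose() reverts.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(userToken))
        {
            // Read the DACL section only. Not asking for Owner/Group is what makes
            // the later SetAccessControl a DACL-only write: ObjectSecurity persists
            // just the sections that were loaded and modified.
            FileSecurity fs = File.GetAccessControl(path, AccessControlSections.Access);

            // Resolve the grantee to a SID here, on the web server, so the rule is
            // written by SID and no name lookup is needed on the remote file server.
            SecurityIdentifier sid = (SecurityIdentifier)
                new NTAccount(grantee).Translate(typeof(SecurityIdentifier));

            fs.AddAccessRule(new FileSystemAccessRule(
                sid,
                FileSystemRights.Modify,
                InheritanceFlags.None,
                PropagationFlags.None,
                AccessControlType.Allow));

            // Writes DACL_SECURITY_INFORMATION only; needs WRITE_DAC, nothing more.
            File.SetAccessControl(path, fs);
        }
    }

    // Companion: read back the effective DACL entries after the write, again
    // touching only the Access section. Useful to confirm the rule landed and
    // that the owner entry is untouched (it is not even loaded here).
    public static AuthorizationRuleCollection ReadDacl(IntPtr userToken, string path)
    {
        using (WindowsIdentity.Impersonate(userToken))
        {
            FileSecurity fs = File.GetAccessControl(path, AccessControlSections.Access);
            return fs.GetAccessRules(true, true, typeof(SecurityIdentifier));
        }
    }
}
```

Two caveats a practitioner will hit with this arrangement. First, AdjustTokenPrivileges can only enable a privilege that is already in the token; it cannot add one, which is why trying to "take" SeTakeOwnershipPrivilege on a Users-member token does nothing, and granting it to the NETWORK SERVICE process would at most let the process itself take ownership, not hand that ability to the impersonated user. Changing the owner is only necessary if the application genuinely needs to reassign it, and then the caller needs SeRestorePrivilege (arbitrary owner) or SeTakeOwnershipPrivilege (owner set to itself). Second, for the UNC case the token passed to Impersonate must come from a logon type that carries network credentials (LOGON32_LOGON_INTERACTIVE or LOGON32_LOGON_NETWORK_CLEARTEXT); a LOGON32_LOGON_NETWORK token cannot open files on another machine, regardless of the DACL.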