WindowsFileSystemProvider checkAccess

Alan Bateman Alan.Bateman at oracle.com
Tue Aug 9 14:07:24 PDT 2011


Salter, Thomas A wrote:
> *:*
>
>
> */[Salter, Thomas A] /*I am normally logged in as a domain user who is 
> a member of the BUILTIN\Administrators account.  The ordinary user is 
> a local user that's a member of BUILTIN\Users.  I ran as the local 
> user while signed in as an administrator by using RunAs from the 
> command prompt.  I thought maybe I didn't have permission to read the 
> ACLs but I was able to run cacls while signed in as the ordinary user.
>
>  
>
> The ACLs don't seem very interesting:
>
> C:\>cacls C:\Windows\System32\drivers\etc\hosts
>
> C:\Windows\System32\drivers\etc\hosts BUILTIN\Administrators:(ID)F
>
>                                       NT AUTHORITY\SYSTEM:(ID)F
>
>                                       BUILTIN\Users:(ID)R
>
>  
>
>  
>
> C:\>cacls C:\Java\jdk7_fcs\jre\readme.txt
>
> C:\Java\jdk7_fcs\jre\README.txt BUILTIN\Administrators:(ID)F
>
>                                 NT AUTHORITY\SYSTEM:(ID)F
>
>                                 BUILTIN\Users:(ID)R
>
>                                 NT AUTHORITY\Authenticated Users:(ID)C
>
>  
>
> / /
>
>
I need to double check but I think that GetEffectiveRightsFromAcl needs 
to enumerate these groups in the active directory and this is failing 
because the account is local. That would explain why you can read the 
DACL but not determine the effective access.

-Alan.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/nio-dev/attachments/20110809/09e007db/attachment.html 


More information about the nio-dev mailing list