WindowsFileSystemProvider checkAccess
Alan Bateman
Alan.Bateman at oracle.com
Tue Aug 9 14:07:24 PDT 2011
Salter, Thomas A wrote:
> *:*
>
>
> */[Salter, Thomas A] /*I am normally logged in as a domain user who is
> a member of the BUILTIN\Administrators account. The ordinary user is
> a local user that's a member of BUILTIN\Users. I ran as the local
> user while signed in as an administrator by using RunAs from the
> command prompt. I thought maybe I didn't have permission to read the
> ACLs but I was able to run cacls while signed in as the ordinary user.
>
>
>
> The ACLs don't seem very interesting:
>
> C:\>cacls C:\Windows\System32\drivers\etc\hosts
>
> C:\Windows\System32\drivers\etc\hosts BUILTIN\Administrators:(ID)F
>
> NT AUTHORITY\SYSTEM:(ID)F
>
> BUILTIN\Users:(ID)R
>
>
>
>
>
> C:\>cacls C:\Java\jdk7_fcs\jre\readme.txt
>
> C:\Java\jdk7_fcs\jre\README.txt BUILTIN\Administrators:(ID)F
>
> NT AUTHORITY\SYSTEM:(ID)F
>
> BUILTIN\Users:(ID)R
>
> NT AUTHORITY\Authenticated Users:(ID)C
>
>
>
> / /
>
>
I need to double check but I think that GetEffectiveRightsFromAcl needs
to enumerate these groups in the active directory and this is failing
because the account is local. That would explain why you can read the
DACL but not determine the effective access.
-Alan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/nio-dev/attachments/20110809/09e007db/attachment.html
More information about the nio-dev
mailing list