FIX: GetNamedSecurityInfo() and INHERIT_ONLY_ACE AceFlags (230252)
The information in this article applies to:
- Microsoft Win32 Application Programming Interface (API), when used with:
- the operating system: Microsoft Windows NT 4.0 SP4
This article was previously published under Q230252
SYMPTOMS
On Microsoft Windows NT 4.0, Service Pack 4 (SP4), when GetNamedSecurityInfo() is called to obtain a folder's discretionary access-control list (DACL), the API returns only one Access Control Entry (ACE) for a trustee. This ACE has the INHERIT_ONLY_ACE bit set in the AceFlags member of the ACE header.
STATUS
A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix. The fix for the GetNamedSecurityInfo() API is included along with the GetEffectiveRightsFromAcl() fix, as explained in the Knowledge Base article below.
For additional information about how to obtain this fix, please see the following article in the Microsoft Knowledge Base:
215367 GetEffectiveRightsFromAcl() Returns Incorrect Access Mask Value
MORE INFORMATION
GetNamedSecurityInfo() compresses the ACEs in a DACL based on the same trustee and access mask. The ACE is compressed only in the DACL that is returned to the application and not in the DACL associated with the container object.
On Service Pack 4, GetNamedSecurityInfo() compresses both the inheritance and primary object ACEs based on the same trustee and the access mask without turning off the INHERIT_ONLY_ACE bit. This incorrectly indicates to an application that there are no ACEs corresponding to the primary container object. This occurs only for folder container objects. An application can either use the fix as indicated above, or work around this problem by using the low-level access control functions: GetFileSecurity() or GetKernelObjectSecurity(), together with GetSecurityDescriptorDacl().
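The effect of the compression described above can be seen in a small portable C model, added here as an illustration (it is not Microsoft's code and does not call the Win32 API). The `ace_t` structure, the integer trustee, the sample DACL and both function names are assumptions; only the three AceFlags bit values come from winnt.h. Evaluating the uncompressed list corresponds to what the low-level functions return.

```c
#include <stddef.h>

/* AceFlags bits, values as in winnt.h */
#define OBJECT_INHERIT_ACE    0x01
#define CONTAINER_INHERIT_ACE 0x02
#define INHERIT_ONLY_ACE      0x08

/* Simplified allow-ACE (assumption): a real ACE carries a SID, not an int. */
typedef struct { int trustee; unsigned mask; unsigned char flags; } ace_t;

/* Constructed sample: folder ACE plus inherit-only ACE for trustee 1. */
const ace_t sample_dacl[2] = {
    { 1, 0x001200A9u, CONTAINER_INHERIT_ACE },
    { 1, 0x001200A9u, OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE },
};

/* Merge ACEs sharing trustee and mask; returns the number of ACEs in out.
 * sp4_bug != 0 keeps INHERIT_ONLY_ACE on the merged ACE, as the article
 * describes; otherwise the bit is cleared unless every merged ACE had it. */
size_t compress_dacl(const ace_t *in, size_t n, ace_t *out, int sp4_bug)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < count && (out[j].trustee != in[i].trustee ||
                             out[j].mask != in[i].mask))
            j++;
        if (j == count) { out[count++] = in[i]; continue; }
        int all_io = (out[j].flags & in[i].flags & INHERIT_ONLY_ACE) != 0;
        out[j].flags |= in[i].flags;
        if (!sp4_bug && !all_io)
            out[j].flags &= (unsigned char)~INHERIT_ONLY_ACE;
    }
    return count;
}

/* Rights the DACL grants the trustee on the folder itself: inherit-only
 * ACEs are skipped because they apply to child objects only. */
unsigned mask_on_container(const ace_t *dacl, size_t n, int trustee)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (dacl[i].trustee == trustee && !(dacl[i].flags & INHERIT_ONLY_ACE))
            mask |= dacl[i].mask;
    return mask;
}
```

An application that skips inherit-only ACEs when computing rights on the folder sees no rights for the trustee in the SP4-style result, while the uncompressed list and the correctly compressed list both yield the full mask.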
REFERENCES
For additional information about how to obtain this fix, please see the following article in the Microsoft Knowledge Base:
215367 GetEffectiveRightsFromAcl() Returns Incorrect Access Mask Value
Modification Type: Major
Last Reviewed: 10/27/2003
Keywords: kbACL kbAPI kbbug kbFAQ kbfix kbKernBase kbOSWinNT400sp4fix kbSecurity KB230252