Menu
I'm impersonating a user until Windows 2008 with UAC enabled. I'm trying to write some files to a temp directory. But even if a user has write access to a directory, when I impersonate that user, I'm unable to write to that directory (I get an Access Denied error). Apparently, this is due to UAC blocking me.
This is related to a post on a microsoft forum: http://forums.iis.net/t/1149793.aspx But that forum got no response other than a microsoft employee repeatedly asking the same question and being silent when he got the info he asked for.
I've been able to get around this by not impersonating while writing to the temp file, but I have a few questions:
Why does UAC not allow writing to files when impersonated?
Is there any place I can put temp files while impersonated?
Is there some better solution? What's the "right" way to handle this?
Is there a source of documentation for what all the restrictions are for UAC & impersonated users?
698
Select the Impersonate user menu item. In the Select a user to impersonate dialog, enter the name of the user to impersonate in the Search for a user field. Select the user from the list and click Impersonate user. ServiceNow reloads using the permissions of the impersonated user.
To impersonate another user you must first retrieve the security information of the user you want to impersonate, cache that information in a security context structure, and then later use the information in the security context structure to send the impersonated messages.
Vista introduced integrity levels in addition to the standard permissions. Perhaps the integrity level your application is running as is lower than that required to write to the location/file.
Windows comes with a built in tool "cacls.exe", but I suggest chml from http://www.minasi.com/apps/ which makes it easier to view & edit them. See also http://msdn.microsoft.com/en-us/library/bb625964.aspx for more information.
65
I think NuSkooler's answer is probably correct. The documentation he links to (specifically, this page) gives the following while talking about the root folder:
By setting a mandatory label with a high integrity level that applies to child objects, but not to child containers, the default security for the root folder meets this policy. Standard users that run programs at the medium integrity level cannot modify files created by administrators in the root folder, even if the ACL grants users modify access. The root folder has an inheritable mandatory label at high integrity that is object inherit and that does not propagate to subfolders.
I don't know the specifics of your situation, but that sounds like the same thing you are running into - not being able to write to the folder even though there is an explicit allow entry in the ACL.
You should try using Process Explorer and Process Monitor to see what exactly is happening, but it definitely sounds like it could be the integrity levels.
Also, you should run icacls instead of just cacls; this will show you the integrity levels in the ACL.
39
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
