Wednesday, March 16, 2016

Even enabling SeBackupPrivilege is not enough

SeBackupPrivilege gives one the ability to bypass object ACLs to read those objects. Having a privilege available, however, is not the same thing as having it enabled. For instance, creating symbolic links is a privilege that administrators usually have, but attempting to use the link creation API without first enabling SeCreateSymbolicLinkPrivilege will fail. The mklink tool enables that privilege to do its job.

Interestingly, enabling SeBackupPrivilege does not give the process read authority everywhere. Enabling it only makes the FILE_FLAG_BACKUP_SEMANTICS flag of the CreateFile function effective, and it is that flag that actually bypasses the ACL check. Therefore, one can't just switch on the privilege and run programs that don't try anything special; programs not in the know will request normal access and fail if the ACL denies the requested access.
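The two claims above can be checked directly. The following PowerShell script is an added example, not code from the original post: it enables SeBackupPrivilege on the current process token with AdjustTokenPrivileges and then tries to open a test file both with and without FILE_FLAG_BACKUP_SEMANTICS, reporting the Win32 error code of each attempt. It assumes a Windows host, an elevated session whose token holds SeBackupPrivilege, and a hypothetical file `C:\Temp\acl-test.txt` on which you have first denied yourself read access; the class name `BackupDemo` and its helper names are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows, an elevated
# session holding SeBackupPrivilege, and a test file whose ACL denies the
# current user read access (path below is hypothetical).
$Path = 'C:\Temp\acl-test.txt'

$signature = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class BackupDemo
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint SE_PRIVILEGE_ENABLED       = 0x00000002;
    const uint TOKEN_ADJUST_PRIVILEGES    = 0x00000020;
    const uint TOKEN_QUERY                = 0x00000008;
    const uint GENERIC_READ               = 0x80000000;
    const uint FILE_SHARE_READ            = 0x00000001;
    const uint OPEN_EXISTING              = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share, IntPtr security,
                                            uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Enable one privilege on the current process token. Returns false when the
    // token does not hold it at all (AdjustTokenPrivileges succeeds but sets
    // ERROR_NOT_ALL_ASSIGNED, 1300, as the last error).
    public static bool EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, name, out tp.Luid))
                throw new System.ComponentModel.Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new System.ComponentModel.Win32Exception();
            return Marshal.GetLastWin32Error() == 0;
        }
        finally { CloseHandle(token); }
    }

    // Open the file for GENERIC_READ, optionally asking for backup semantics.
    // Returns the Win32 error code of the attempt: 0 on success, 5 for ERROR_ACCESS_DENIED.
    public static int TryOpen(string path, bool backupSemantics)
    {
        uint flags = backupSemantics ? FILE_FLAG_BACKUP_SEMANTICS : 0;
        SafeFileHandle h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, flags, IntPtr.Zero);
        if (h.IsInvalid) return Marshal.GetLastWin32Error();
        h.Close();
        return 0;
    }
}
'@
Add-Type -TypeDefinition $signature

# 1. Privilege held but still disabled: both opens fail with ERROR_ACCESS_DENIED (5),
#    including the one that already asks for backup semantics.
"before enable, plain open:  $([BackupDemo]::TryOpen($Path, $false))"
"before enable, backup open: $([BackupDemo]::TryOpen($Path, $true))"

# 2. Enable SeBackupPrivilege on this process token.
if (-not [BackupDemo]::EnablePrivilege('SeBackupPrivilege')) {
    throw 'This token does not hold SeBackupPrivilege'
}

# 3. With the privilege enabled a plain open still fails (5); only the open that
#    passes FILE_FLAG_BACKUP_SEMANTICS bypasses the ACL and succeeds (0).
"after enable, plain open:   $([BackupDemo]::TryOpen($Path, $false))"
"after enable, backup open:  $([BackupDemo]::TryOpen($Path, $true))"
```

Running `whoami /priv` before and after step 2 shows the same distinction from the outside: the privilege is listed either way, but its state column changes from Disabled to Enabled, which is the difference between a privilege being available to a token and being in effect. The enabled state applies only to this process's token, so a child program that does not pass FILE_FLAG_BACKUP_SEMANTICS still goes through the normal ACL check, exactly as the post describes.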
