Access Rights for Access-Token Objects(访问令牌对象的访问权限)

最新推荐文章于 2020-07-28 14:33:23 发布

weixin_30640291

最新推荐文章于 2020-07-28 14:33:23 发布

阅读量112

点赞数

原文链接：http://www.cnblogs.com/debug-me/p/6947768.html

版权

An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. For more information about security, see Access Control Model.

（应用程序不能更改对象的ACL，除非应用程序拥有修改对象ACL的权限。这些权限由对象的访问令牌中的一个安全描述符控制。）

To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.

（GetKernelObjectSecurity可以获取访问令牌的安全描述符，SetKernelObjectSecurity函数可以设置安全访问令牌的安全描述符。）

When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.

（当调用OpenProcessToken或者OpenThreadToken函数请求获取访问令牌的句柄时，系统使用访问令牌的安全描述符中的DACL检查该请求的访问权限。）

The following are valid access rights for access-token objects:

The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
The specific access rights for access tokens, which are listed in the following table.

（以下是对于访问令牌对象有效的访问权限：

标准的访问权限，DELETE、READ_CONTROL、WRITE_DAC、WRITE_OWNER。访问令牌不支持SYNCHRONIZE这一标准的访问权限
ACCESS_SYSTEM_SECURITY权限，该权限可以获取或者修改对象的安全描述符中的SACL
访问令牌特定的访问权限，如下表所示）

Value	Meaning
TOKEN_ADJUST_DEFAULT	Required to change the default owner, primary group, or DACL of an access token.
TOKEN_ADJUST_GROUPS	Required to adjust the attributes of the groups in an access token.
TOKEN_ADJUST_PRIVILEGES	Required to enable or disable the privileges in an access token.
TOKEN_ADJUST_SESSIONID	Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
TOKEN_ASSIGN_PRIMARY	Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
TOKEN_DUPLICATE	Required to duplicate an access token.
TOKEN_EXECUTE	Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.
TOKEN_IMPERSONATE	Required to attach an impersonation access token to a process.
TOKEN_QUERY	Required to query an access token.
TOKEN_QUERY_SOURCE	Required to query the source of an access token.
TOKEN_READ	Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
TOKEN_WRITE	Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
TOKEN_ALL_ACCESS	Combines all possible access rights for a token.

转载于:https://www.cnblogs.com/debug-me/p/6947768.html

weixin_30640291

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Access Rights for Access-Token Objects(访问令牌对象的访问权限)

An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the ...
复制链接

扫一扫