FIX: GetNamedSecurityInfo() and INHERIT_ONLY_ACE AceFlags

ID: Q230252


The information in this article applies to:


SYMPTOMS

On Microsoft Windows NT 4.0, Service Pack 4 (SP4), when GetNamedSecurityInfo() is called to obtain a folder's discretionary access-control list (DACL), the API returns only one Access Control Entry (ACE) for a trustee. This ACE has the INHERIT_ONLY_ACE bit set in the AceFlags member of the ACE header.


STATUS

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix. The fix for the GetNamedSecurityInfo() API is included with the GetEffectiveRightsFromAcl() fix, as explained in the Knowledge Base article below.

For additional information about how to obtain this fix, please see the following article in the Microsoft Knowledge Base:

Q215367 GetEffectiveRightsFromAcl() Returns Incorrect Access Mask Value


MORE INFORMATION

GetNamedSecurityInfo() compresses the ACEs in a DACL that have the same trustee and access mask. The ACEs are compressed only in the DACL that is returned to the application, not in the DACL associated with the container object.

On Service Pack 4, GetNamedSecurityInfo() compresses both the inheritance and primary object ACEs that have the same trustee and access mask, but does so without turning off the INHERIT_ONLY_ACE bit. This incorrectly indicates to an application that there are no ACEs corresponding to the primary container object. This occurs only for folder container objects. An application can either use the fix as indicated above, or work around this problem by using the low-level access control functions: GetFileSecurity() or GetKernelObjectSecurity(), together with GetSecurityDescriptorDacl().
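The compression described above can be modeled in portable C to show why the leftover INHERIT_ONLY_ACE bit matters to a caller. This is an added example, not Microsoft's code: the struct ace type, the merge_aces() and has_effective_ace() helpers, the trustee name and the access mask are assumptions made for illustration, and only the three AceFlags values are taken from winnt.h.

```c
#include <stdio.h>
#include <string.h>
/* AceFlags bit values as defined in winnt.h */
#define OBJECT_INHERIT_ACE    0x01
#define CONTAINER_INHERIT_ACE 0x02
#define INHERIT_ONLY_ACE      0x08
/* Simplified ACE (assumption): a real ACE holds a SID, not a name. */
struct ace { const char *trustee; unsigned long mask; unsigned char flags; };

/* Merge ACEs that share trustee and mask, in place; returns the new count.
 * clear_io=1 drops INHERIT_ONLY_ACE when a merged ACE applied to the folder
 * itself; clear_io=0 leaves the bit set, as the article describes for SP4. */
static int merge_aces(struct ace *a, int n, int clear_io)
{
    int out = 0;
    for (int i = 0; i < n; i++) {
        int j = 0;
        while (j < out && (strcmp(a[j].trustee, a[i].trustee) || a[j].mask != a[i].mask))
            j++;
        if (j == out) { a[out++] = a[i]; continue; }
        int both_io = a[j].flags & a[i].flags & INHERIT_ONLY_ACE;
        a[j].flags |= a[i].flags;
        if (clear_io && !both_io)
            a[j].flags &= (unsigned char)~INHERIT_ONLY_ACE;
    }
    return out;
}

/* Returns 1 if some ACE for the trustee applies to the folder itself. */
static int has_effective_ace(const struct ace *a, int n, const char *trustee)
{
    for (int i = 0; i < n; i++)
        if (!strcmp(a[i].trustee, trustee) && !(a[i].flags & INHERIT_ONLY_ACE))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: what the folder's stored DACL holds for one trustee. */
    struct ace sp4[] = { { "EXAMPLE\\alice", 0x001200A9UL, OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE },
                         { "EXAMPLE\\alice", 0x001200A9UL, CONTAINER_INHERIT_ACE } };
    struct ace fixed[2];
    memcpy(fixed, sp4, sizeof sp4);
    int n1 = merge_aces(sp4, 2, 0), n2 = merge_aces(fixed, 2, 1);
    printf("SP4-style: flags=0x%02X effective=%d\n", sp4[0].flags, has_effective_ace(sp4, n1, "EXAMPLE\\alice"));
    printf("corrected: flags=0x%02X effective=%d\n", fixed[0].flags, has_effective_ace(fixed, n2, "EXAMPLE\\alice"));
    return 0;
}
```

An access-review tool that skips inherit-only ACEs when computing rights on the folder itself would report no access for this trustee in the SP4-style result, even though the stored DACL grants it.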


REFERENCES

For additional information about how to obtain this fix, please see the following article in the Microsoft Knowledge Base:

Q215367 GetEffectiveRightsFromAcl() Returns Incorrect Access Mask Value


Keywords          : kbAccCtrl kbAPI kbKernBase kbSDKPlatform kbSDKWin32 kbSecurity kbNTOS400sp4fix 
Version           : winnt:4.0 SP4
Platform          : winnt 
Issue type        : kbbug 

Last Reviewed: May 21, 1999