An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. For more information about security, see Access Control Model.
(应用程序不能更改对象的ACL,除非应用程序拥有修改对象ACL的权限。这些权限由对象的访问令牌中的一个安全描述符控制。)
To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.
(GetKernelObjectSecurity可以获取访问令牌的安全描述符,SetKernelObjectSecurity函数可以设置安全访问令牌的安全描述符。)
When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.
(当调用OpenProcessToken或者OpenThreadToken函数请求获取访问令牌的句柄时,系统使用访问令牌的安全描述符中的DACL检查该请求的访问权限。)
The following are valid access rights for access-token objects:
- The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
- The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
- The specific access rights for access tokens, which are listed in the following table.
(以下是对于访问令牌对象有效的访问权限:
- 标准的访问权限,DELETE、READ_CONTROL、WRITE_DAC、WRITE_OWNER。访问令牌不支持SYNCHRONIZE这一标准的访问权限
- ACCESS_SYSTEM_SECURITY权限,该权限可以获取或者修改对象的安全描述符中的SACL
- 访问令牌特定的访问权限,如下表所示)
| Value | Meaning |
|---|---|
| TOKEN_ADJUST_DEFAULT | Required to change the default owner, primary group, or DACL of an access token. |
| TOKEN_ADJUST_GROUPS | Required to adjust the attributes of the groups in an access token. |
| TOKEN_ADJUST_PRIVILEGES | Required to enable or disable the privileges in an access token. |
| TOKEN_ADJUST_SESSIONID | Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required. |
| TOKEN_ASSIGN_PRIMARY | Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. |
| TOKEN_DUPLICATE | Required to duplicate an access token. |
| TOKEN_EXECUTE | Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE. |
| TOKEN_IMPERSONATE | Required to attach an impersonation access token to a process. |
| TOKEN_QUERY | Required to query an access token. |
| TOKEN_QUERY_SOURCE | Required to query the source of an access token. |
| TOKEN_READ | Combines STANDARD_RIGHTS_READ and TOKEN_QUERY. |
| TOKEN_WRITE | Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT. |
| TOKEN_ALL_ACCESS | Combines all possible access rights for a token. |