CHOWN: change file owner for Windows NT, version 1.1, October 1998

Alexander Frink
Hermann Schauss Str. 8
65232 Taunusstein
Germany
Alexander.Frink@Uni-Mainz.DE

This program is free software under the GNU General Public License. See the file LICENSE for details. The latest version of CHOWN can be found at http://wwwthep.physik.uni-mainz.de/~frink/nt.html.

Introduction
Legal stuff
Concept
Usage

Parameters
Examples

Files
Changes
Feedback/possible improvements

1. Introduction

Let us start with a cite from Microsoft's knowledge base article Q102099:

If an administrator wants to access a file that he or she is not granted access to, the administrator must first take ownership of that file. Once ownership is taken, the administrator will have full access to the file. It is important to note that administrator cannot give ownership back to the original owner. If this were so, the administrator could take ownership of a file, examine it, and then assign it back to the original owner without that owner's knowledge.

Many people believe in this statement, and it gives a feeling of security that administrators cannot view users' files if the permissions are set properly. However, it is simply not correct, as has been demonstrated by several utilities floating around. Unfortunately (to my knowledge), none of these comes with source. Therefore I decided to write my own implementation and publish it with source, so everybody may verify that there is no mystery how it is possible to change the ownership of a file to somebody else.

With administrative privileges (Backup, Restore and Take Ownership) it is always possible to change the owner of a file (without destroying the Access Control List!), even if administrators have explicit No Access to the file.

2. Legal stuff

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

For short, the main aspects of the GNU General Public License are in my personal interpretation which may not be 100% accurate (I am a physicist, not a lawyer):

Everybody (private or commercial users) can use this program freely. However, there is no warranty of any kind, since this is free software. Use it at your own risk!
Everybody may copy and distribute it, as long as you include the copyright notice, a disclaimer of warranty, the GNU License, and the source code (or make it freely available).
You may modify the program or use parts of it in own programs, as long as you distribute it under this license as well (included, but not limited to making the source code available). Further include appropriate copyright notices and take responsibility for ALL bugs in this modified version.

3. Concept

To set a new owner of a file, only ordinary Win32 API calls are needed. All you have to do is

enable the Backup, Restore and Take Ownership privileges (with AdjustTokenPrivileges()). These are usually granted to Administrators. I also enable the Bypass Traverse Checking privilege, but I have not yet fully investigated if this is really necessary.
find the SID for the new owner with GetAccountSid()
create an empty Security Descriptor with InitializeSecurityDescriptor()
fill the owner of the Security Descriptor with SetSecurityDescriptorOwner(), ignore group, DACL and SACL
apply this SD to the file you want to modify with SetFileSecurity(szCurrentFile,(SECURITY_INFORMATION)(OWNER_SECURITY_INFORMATION),...)

4. Usage

Copy CHOWN.EXE to a directory in your path or call it with full path. No further installation is necessary, no other files than the executable itself are needed, nothing is written to the registry.

If you type CHOWN without parameters on the command line, or with wrong parameters, the following help text will appear:

Usage: chown [-r] [-q] [-v] [-s] [-d domain] owner files
       change the owner of selected files
       -r (recursive)  recurse subdirectories
       -q (quiet)      no output except fatal errors
       -v (verbose)    print information about actions
       -s (skip)       skip directories
       -d (domain)     domain or machine the new owner belongs to
       owner           new owner of files
       files           files to be modified (may contain wildcards * and ?)
                       owner and files must be at the end of the command line

       Copyright (C) 1998 by Alexander Frink (Alexander.Frink@Uni-Mainz.DE)

       This program is free software; you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or
       (at your option) any later version.

       This program is distributed in the hope that it will be useful,
       but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
       GNU General Public License for more details.

Parameters

owner: Name of the new owner, e.g. Administrator. owner can also be a group like Administrators or Users. Note that it is possible to assign the ownership explicitly to a single member of the Administrators group. This parameter is mandatory and must the the last but one on the command line.
files: (path and) files to change, may contain wildcards (*, ?), e.g. c:\temp\*.txt (more examples see below). This parameter is mandatory as well and must be the last on the command line.
-r: Also change matching files in all subdirectories.
-q: No output except fatal errors. Default is to list the processed files and a final Done., or No matching files found.. The new owner is set for all matching files, regardless whether the ownership was already correct.
-v: Print a lot of information about what is going on (useful for debugging purposes).
-s: Change only files and skip directories.
-d domain: By default, the name of the new owner is first looked up on the local computer, and afterwards, if not found, in the primary domain. With the -d switch you can force the lookup in the given domain (e.g. if the same name is used for a local and a domain account). It may also work to specify accounts from other, trusted domains, but this is untested.

Examples

Assume we have the following directory structure:

C:\>tree c:\test /f /a
Directory PATH listing
Volume serial number is 0012FC94 3C90:C65C
C:\TEST
|   file1.xxx
|   file2.xxx
|   file3.yyy
|
+---sub1
|   |   file4.zzz
|   |
|   +---subsub1
|   |       file5.xxx
|   |       file6.yyy
|   |
|   \---subsub2
|           file7.xxx
|
\---sub2
        file8.xxx
        file9.zzz
        file9a.xxx

As a general rule, the last argument files is always converted to a full, absolute path name first, i.e. relative directories, . or .. are converted to drive:\path\file (with GetFullPathName()). The part after the last backslash is considered as the file(s) to change, the part up to there as the starting directory.

Example 1

C:\test>chown administrator .
Changed C:\test
Done.

. is converted to c:\test, which is interpreted as file test in directory c:\ should be modified. A directory is just a special file.

Example 2

C:\test>chown administrator .\*
Changed C:\test\.
Changed C:\test\file1.xxx
Changed C:\test\file2.xxx
Changed C:\test\file3.yyy
Changed C:\test\sub1
Changed C:\test\sub2
Done.

.\* is converted to c:\test\*, which is interpreted as all files matching * in directory c:\test should be modified. In turn, the directory itself (.) and the subdirectories sub1 and sub2 are modified, but not the files in these subdirectories. chown administrator * would do exactly the same.

Example 3

C:\test>chown -s administrator .\*
Changed C:\test\file1.xxx
Changed C:\test\file2.xxx
Changed C:\test\file3.yyy
Done.

Similar to above, but this time only genuine files are modified, due to the -s switch which skips the directories ., sub1 and sub2.

Example 4

C:\test>chown -r administrator *
Changed C:\test\.
Changed C:\test\file1.xxx
Changed C:\test\file2.xxx
Changed C:\test\file3.yyy
Changed C:\test\sub1
Changed C:\test\sub2
Changed C:\test\sub1\.
Changed C:\test\sub1\file4.zzz
Changed C:\test\sub1\subsub1
Changed C:\test\sub1\subsub2
Changed C:\test\sub1\subsub1\.
Changed C:\test\sub1\subsub1\file5.xxx
Changed C:\test\sub1\subsub1\file6.yyy
Changed C:\test\sub1\subsub2\.
Changed C:\test\sub1\subsub2\file7.xxx
Changed C:\test\sub2\.
Changed C:\test\sub2\file8.xxx
Changed C:\test\sub2\file9.zzz
Changed C:\test\sub2\file9a.xxx
Done.

This time all files and directories in and below c:\test are changed.

Example 5

C:\test>chown -r administrator file?.xxx
Changed C:\test\file1.xxx
Changed C:\test\file2.xxx
Changed C:\test\sub1\subsub1\file5.xxx
Changed C:\test\sub1\subsub2\file7.xxx
Changed C:\test\sub2\file8.xxx
Done.

Demonstrates the employment of wildcards.

Example 6

C:\test>chown administrator foo.bar
No matching files found.

This file does not exist.

Example 7

C:\test>chown foobar file1.xxx
Unknown local user foobar.

C:\test>chown -d mydomain foobar file1.xxx
Unknown user foobar from domain mydomain.

These users do not exist.

Example 8

C:\test>chown Everyone file1.xxx
Changed C:\test\file1.xxx
Done.

Now file1.xxx is owned by everyone on the system. I do not know if there are any serious applications for this, but it works.

5. Files

Files included in my distribution:

LICENSE	GNU General Public License
readme.html	this documentation
chown.exe	precompiled binary for Intel x86
chown.c	source file
chown.mak	Makefile (for Visual C++ 4.2)

To compile CHOWN for other platforms like AXP Alpha, replace all occurences of i386 with alpha or the appropriate system in chown.mak.

I am not sure if CHOWN runs on NT 3.51, since it uses the relatively new FindFirstFileEx() API, which might be included in late Service Packs (SP 5?).

6. Changes

Version 1.1, October 1998
- To change the owner of files with wildcards in directories where the Administrator has no access, the Backup privilege must be enabled. To be on the safe side, I now also enable the Bypass Traverse Checking privilege.
- In V1.0, I tried to set the current directory to the directory where recursion starts. This is not necessary, but gave a fatal error if the Administrator has no access to this directory.
- In the documentation for V1.0, I claimed that it is possible for ordinary users to change the ownership if they have full control over the files. This statement is wrong, I messed around with the privileges of my test accounts.
Version 1.0, September 1998, first release

7. Feedback/possible improvements

If you have any suggestions, ideas for improvements, problems or anything else concerning the program or the documentation, send an e-mail to Alexander.Frink@Uni-Mainz.DE or snailmail to Alexander Frink, Hermann Schauss Str. 8, D-65232 Taunusstein, Germany.

A short list of bugs and possible improvements I have collected:

Changing the ownership of the root directory does not work.