ACL's Security

Sudeep Sachdev

Hi
I am implementing folder security through ACL's.
I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER CONTENTS'.
 
Roger Abell

I do not understand what the problem is. These permissions
you mention are generic permissions, listed right there in the
NTFS permissions editor (if you are using the UI for this).

--
Roger Abell

Sudeep Sachdev said:
Hi
I am implementing folder security through ACL's.
I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER
CONTENTS'.
 
Glenn L

Set them in the GUI like Roger indicates, then go to DOS and run CACLS on
the folder or file to get the 'under the hood' ACE identifier. I think this
is what you are looking for.
 
Sudeep Sachdev

Glenn L said:
Set them in the GUI like Roger indicates, then go to DOS and run CACLS on
the folder or file to get the 'under the hood' ACE identifier. I think this
is what you are looking for.


Hi
Let's begin with an example. Listed below are the ACE strings for a
folder which give all access rights to the folder.

#define SC_CONFIG_USER_DIR_DACL L"D:"\
L"(A;OICI;GA;;;SY)"\
L"(A;OICI;GA;;;BA)"\
L"(A;OICI;GA;;;%s)"


"GA" -- GENERIC_ALL
"GR" -- GENERIC_READ
"GW" -- GENERIC_WRITE
"GX" -- GENERIC_EXECUTE

So I want rights for 'Modify' and 'List Folder Contents'. For this I
need the corresponding ACE.
 
Roger Abell

You should look up the documentation in MSDN for
SDDL (security descriptor definition language).
In particular, in the example you have shown, notice
the OI and the CI, these being object inherit and container
inherit. There is also IO for inherit only (that is, the ACE
does not apply to the location where attached, but only to
children).
For List, a CI:GR would mean that for this and child container
objects (directories) read is granted (which is a list for dirs),
whereas for Modify a write is set with OICI, as the ability
to change is for both files (objects per OI) and dirs (per CI).

As Glenn indicated, just use the cacls command-line utility
to see what results when you set different grants on a test
dir or file. And read the docs on SDDL to understand where
the syntax you show in the define seems to originate.
 
Badri

I am also facing the same problem.
I have already tried through cacls.
Any folder having only List Folder Contents rights for a group shows the
following output for CACLS:
<Group Name>:(CI)R
Now how do I specify this in the ACE string? There is no right for "R"
with ace_flag as "CI".

Also I have noticed the following things by right-clicking and setting the
permission on the folder:
List Folder Contents shows Read and Execute in the Advanced tab. And the
detailed permissions for "List Folder Contents" and the combination of
"Read, Read and Execute, List Folder Contents" are the same.

The detailed permissions are

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

The corresponding access right values shown by Cacls are
FILE_EXECUTE
FILE_READ
FILE_READ_ATTRIBUTE
FILE_READ_EA
READ_CONTROL

Now the problem is how can I specify this in the ACE string. I am able to get
the ACE for READ_CONTROL, which is "RC".


Badrinath
 
Herb Martin

If you need to set more explicit permissions from
the command line (than CACLS) you can use XCACLS,
or even more explicit than XCACLS or even the Special
Permissions of the GUI offer, then you can use
SetACL.exe (free) from SourceForge.net.

Warning: SetACL will set almost anything on almost
any object (shares and registry included) but it has
one of the most annoyingly tedious command-line
interfaces ever devised.

(That being said by someone who loves command
line tools.)
 
Badri

I want to set permissions through C++, so I will need to define the ACE
string. Now I want to give "List Folder Contents" permissions, not any
other. I am not able to get the ACE string for "List Folder Contents".
If I give generic read and execute, GR and GX, the permissions will be
"List Folder Contents", Read, Read and Execute. Here I want only
List Folder Contents. And the constraint is I should not use any other tool such
as Cacls.

Can anybody suggest an ACE string?
The sample for generic read and execute is below:

#define SC_CONFIG_USER_DIR_DACL L"D:"\
L"(A;OICI;GRGX;;;SY)"
 
Herb Martin

Badri said:
> I want to set permissions through C++, so I will need to define the ACE
> string. Now I want to give "List Folder Contents" permissions, not any
> other. I am not able to get the ACE string for "List Folder Contents".
> If I give generic read and execute, GR and GX, the permissions will be
> "List Folder Contents", Read, Read and Execute. Here I want only
> List Folder Contents. And the constraint is I should not use any other tool such
> as Cacls.

It's been ages since I did this -- this is not a programming
list of course.

> Can anybody suggest an ACE string?
> The sample for generic read and execute is below:
>
> #define SC_CONFIG_USER_DIR_DACL L"D:"\
> L"(A;OICI;GRGX;;;SY)"

You need to find the constants for the actual or individual
permissions -- what the GUI calls "special permissions".

This should be precisely one bit and it will be the same
value as the Read File Contents (not the generic one of
course with the execute and read attributes but just the
read of the file or list of the directory.)

You might also need the read attributes and extended
attributes however. Try searching the header files
for some of these words to find the correct set of
"special" constants.
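An added example, not part of any post in this thread: it builds the SDDL ACE strings the thread asks for. The five detailed permissions Badri lists, plus SYNCHRONIZE, give the same mask as GR+GX on a file object (0x1200a9), so List Folder Contents differs from Read & Execute only in its CI-only inherit flag; Modify is 0x1301bf. The winnt.h values are redefined inline under shortened names so it builds without the Windows SDK, and the function names and the BU (Builtin Users) trustee are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* File/directory access-right bits, values as in winnt.h (names shortened). */
enum {
    LIST_DIR = 0x0001, READ_EA = 0x0008, TRAVERSE = 0x0020, READ_ATTR = 0x0080,
    DELETE_RIGHT = 0x010000, READ_CTRL = 0x020000, SYNC = 0x100000,
    FG_READ = 0x120089, FG_WRITE = 0x120116, FG_EXEC = 0x1200A0, FILE_ALL = 0x1F01FF
};

/* SDDL two-letter rights and the mask each yields on a file or directory. */
static const struct { const char *tok; unsigned long mask; } RIGHTS[] = {
    {"GA", FILE_ALL}, {"GR", FG_READ}, {"GW", FG_WRITE}, {"GX", FG_EXEC},
    {"FA", FILE_ALL}, {"FR", FG_READ}, {"FW", FG_WRITE}, {"FX", FG_EXEC},
    {"RC", READ_CTRL}, {"SD", DELETE_RIGHT},
};

/* Resolve a rights field ("GRGX", "FRFWFXSD", "0x1200a9"); 0 if malformed. */
unsigned long rights_to_mask(const char *s) {
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) return strtoul(s, NULL, 16);
    unsigned long mask = 0;
    for (; s[0] && s[1]; s += 2) {
        size_t i, n = sizeof RIGHTS / sizeof RIGHTS[0];
        for (i = 0; i < n && strncmp(s, RIGHTS[i].tok, 2) != 0; i++) {}
        if (i == n) return 0;          /* token not in the table */
        mask |= RIGHTS[i].mask;
    }
    return s[0] ? 0 : mask;            /* odd trailing character is malformed */
}

/* The five detailed permissions from the thread, plus SYNCHRONIZE. */
unsigned long list_folder_mask(void) {
    return TRAVERSE | LIST_DIR | READ_ATTR | READ_EA | READ_CTRL | SYNC;
}

/* Format one allow ACE: (A;<inherit flags>;<rights>;;;<trustee>). */
int build_allow_ace(char *out, size_t n, const char *flags,
                    unsigned long mask, const char *sid) {
    return snprintf(out, n, "(A;%s;0x%lx;;;%s)", flags, mask, sid);
}

int main(void) {
    char ace[64];   /* "BU" is a trustee chosen for the example */
    build_allow_ace(ace, sizeof ace, "CI", list_folder_mask(), "BU");
    printf("List Folder Contents: %s\n", ace);   /* subfolders inherit, files do not */
    build_allow_ace(ace, sizeof ace, "OICI", rights_to_mask("GRGX"), "BU");
    printf("Read & Execute:       %s\n", ace);   /* same mask, files inherit too */
    build_allow_ace(ace, sizeof ace, "OICI", rights_to_mask("FRFWFXSD"), "BU");
    printf("Modify:               %s\n", ace);
    return 0;
}
```

On Windows, each ACE string goes after the `D:` prefix of the SDDL passed to ConvertStringSecurityDescriptorToSecurityDescriptor, as in the `#define` shown in the thread.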
 
