ACL's Security

Archived from groups: microsoft.public.win2000.security

Hi
I am implementing folder security through ACL's.
I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER CONTENTS'.
  1.

    I do not understand what the problem is. These permissions
    you mention are generic permissions, listed right there in the
    NTFS permissions editor (if you are using the UI for this).

    --
    Roger Abell
  2.

    Set them in the GUI like Roger indicates, then go to DOS and run CACLS on
    the folder or file to get the 'under the hood' ACE identifier. I think this
    is what you are looking for.


    --
    Glenn L

    CCNA, MCSE (2000,2003) + Security
  3.

    Hi
    Let's begin with an example. Listed below are the ACE strings for a
    folder which give all access rights to a folder.

    #define SC_CONFIG_USER_DIR_DACL L"D:"\
    L"(A;OICI;GA;;;SY)"\
    L"(A;OICI;GA;;;BA)"\
    L"(A;OICI;GA;;;%s)"


    "GA" -- GENERIC_ALL
    "GR" -- GENERIC_READ
    "GW" -- GENERIC_WRITE
    "GX" -- GENERIC_EXECUTE

    So I want rights for 'Modify' and 'List Folder Contents'. For this I
    need the corresponding ACE.
  4.

    You should look up the documentation in MSDN for
    SDDL (security descriptor definition language).
    In particular, in the example you have shown, notice
    the OI and the CI, these being object inherit and container
    inherit. There is also IO for inherit only (that is, the ACE
    does not apply to the location where attached, but only to
    children).
    For List a CI:GR would mean for this and child container
    objects (directories) read is granted (which is a list for dirs),
    whereas for Modify a write is set with OICI as the ability
    to change is for both files (objects per OI) and dirs (per CI).

    As Glenn indicated, just use the cacls commandline utility
    to see what results when you set different grants on a test
    dir or file. And, read the docs on SDDL to understand where
    the syntax you show in the define seems to originate.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
  5.

    I am also facing the same problem.
    I have already tried through cacls.
    Any folder having only List Folder Contents rights for a group shows the
    following output for CACLS:
    <Group Name>:(CI)R
    Now how do I specify this in the ACE string? There is no right for "R"
    with ace_flag as "CI".

    Also, I have noticed the following things by right-clicking and setting the
    permission on the folder:
    List Folder Contents shows Read and Execute in the Advanced tab. And the
    detailed permissions for "List Folder Contents" and the combination of
    "Read, Read and Execute, List Folder Contents" are the same.

    The detailed permissions are

    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Read Extended Attributes
    Read Permissions

    The corresponding access right values shown by Cacls are
    FILE_EXECUTE
    FILE_READ
    FILE_READ_ATTRIBUTE
    FILE_READ_EA
    READ_CONTROL

    Now the problem is how I can specify this in the ACE string. I am able to get
    the ACE for READ_CONTROL, which is "RC".


    Badrinath


  6.

    If you need to set more explicit permissions from
    the command line (than CACLS) you can use XCACLS,
    or even more explicit than XCACLS or even the Special
    Permissions of the GUI offer, then you can use
    SetACL.exe (Free) from SourceForge.net.

    Warning: SetACL will set almost anything on almost
    any object (shares and registry included) but it has
    one of the most annoyingly tedious command line
    interfaces ever devised.

    (That being said by someone who loves command
    line tools.)

    --
    Herb Martin
  7.

    I want to set permissions through C++, so I will need to define the ACE
    string. Now I want to give "List Folder Contents" permissions, not any
    other. I am not able to get the ACE string for "List Folder Contents".
    If I give generic read and execute, GR and GX, the permissions will be
    "List Folder Contents", Read, Read and Execute. Here I want only
    List Folder Contents. And the constraint is I should not use any other tool
    such as Cacls.

    Can anybody suggest an ACE string?
    The sample for generic read and execute is below

    #define SC_CONFIG_USER_DIR_DACL L"D:"\
    L"(A;OICI;GRGX;;;SY)"
  8.

    "Badri" <badrinathmodale@gmail.com> wrote in message
    news:1104471066.551704.77190@z14g2000cwz.googlegroups.com...
    > I want to set permissions through C++, so I will need to define the ACE
    > string. Now I want to give "List Folder Contents" permissions, not any
    > other. I am not able to get the ACE string for "List Folder Contents".
    > If I give generic read and execute, GR and GX, the permissions will be
    > "List Folder Contents", Read, Read and Execute. Here I want only
    > List Folder Contents. And the constraint is I should not use any other tool
    > such as Cacls.

    It's been ages since I did this -- this is not a programming
    list of course.

    > Can anybody suggest an ACE string?
    > The sample for generic read and execute is below
    >
    > #define SC_CONFIG_USER_DIR_DACL L"D:"\
    > L"(A;OICI;GRGX;;;SY)"

    You need to find the constants for the actual or individual
    permissions -- what the GUI calls "special permissions".

    This should be precisely one bit and it will be the same
    value as the Read File Contents (not the generic one of
    course with the execute and read attributes but just the
    read of the file or list of the directory.)

    You might also need the read attributes and extended
    attributes however. Try searching the header files
    for some of these words to find the correct set of
    "special" constants.

    --
    Herb Martin
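
The thread ends without the strings being spelled out, so here is an added example (not code from any poster) that composes the two access masks from the individual winnt.h bits and writes them as hexadecimal rights in the SDDL ACE, which the SDDL rights field accepts. The helper names and the placeholder SID are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Access-mask bits with the values winnt.h gives them, repeated here so the
   example compiles off Windows. DELETE is renamed DELETE_RIGHT locally. */
#define FILE_READ_DATA        0x000001UL /* on a directory: List Folder */
#define FILE_WRITE_DATA       0x000002UL /* on a directory: Create Files */
#define FILE_APPEND_DATA      0x000004UL /* on a directory: Create Folders */
#define FILE_READ_EA          0x000008UL
#define FILE_WRITE_EA         0x000010UL
#define FILE_EXECUTE          0x000020UL /* on a directory: Traverse Folder */
#define FILE_READ_ATTRIBUTES  0x000080UL
#define FILE_WRITE_ATTRIBUTES 0x000100UL
#define DELETE_RIGHT          0x010000UL
#define READ_CONTROL          0x020000UL
#define SYNCHRONIZE           0x100000UL

/* The five detail permissions listed in the thread, plus SYNCHRONIZE, which
   the ACL editor includes in Read & Execute. */
unsigned long list_folder_mask(void) {
    return FILE_EXECUTE | FILE_READ_DATA | FILE_READ_ATTRIBUTES |
           FILE_READ_EA | READ_CONTROL | SYNCHRONIZE;
}

/* Modify adds the write bits and DELETE. */
unsigned long modify_mask(void) {
    return list_folder_mask() | FILE_WRITE_DATA | FILE_APPEND_DATA |
           FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | DELETE_RIGHT;
}

/* Build "D:" + full control for SYSTEM and Administrators (as in the thread's
   #define) + one allow ACE for the trustee. "CI" alone gives List Folder
   Contents (folders only); "OICI" also reaches files. Returns 0 on success,
   -1 if the buffer is too small. */
int build_dacl(char *out, size_t cap, const char *inherit,
               unsigned long mask, const char *trustee) {
    int n = snprintf(out, cap, "D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;%s;0x%lx;;;%s)",
                     inherit, mask, trustee);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char sddl[256];
    const char *sid = "S-1-5-21-1-2-3-1001"; /* constructed placeholder SID */
    if (build_dacl(sddl, sizeof sddl, "CI", list_folder_mask(), sid) == 0) puts(sddl);
    if (build_dacl(sddl, sizeof sddl, "OICI", modify_mask(), sid) == 0) puts(sddl);
    return 0;
}
```

On Windows the resulting string is what ConvertStringSecurityDescriptorToSecurityDescriptor takes; checking the applied ACL with cacls on a test folder, as suggested earlier in the thread, confirms the GUI shows only the intended entry.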

