Sign in with
Sign up | Sign in
Your question

ACL's Security

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
November 29, 2004 1:41:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi
I am implementing folder security through ACL's.
I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER CONTENTS'.

More about : acl security

Anonymous
a b 8 Security
November 29, 2004 2:48:40 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I do not understand what the problem is. These permissions
you mention are generic permissions, listed right there in the
NTFS permissions editor (if you are using the UI for this).

--
Roger Abell

"Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
news:c1dd9064.0411282241.1677eba6@posting.google.com...
> Hi
> I am implementing folder security through ACL's.
> I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER
CONTENTS'.
Anonymous
a b 8 Security
November 30, 2004 2:03:44 AM

Archived from groups: microsoft.public.win2000.security (More info?)

set them in the gui like Roger indicates, then go to DOS and run CACLS on
the folder or file to get the 'under the hood' ACE identifyer. I think this
is what you are looking for.


--
Glenn L

CCNA, MCSE (2000,2003) + Security
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o dZWX8d1EHA.1408@TK2MSFTNGP10.phx.gbl...
>I do not understand what the problem is. These permissions
> you mention are generic permissions, listed right there in the
> NTFS permissions editor (if you are using the UI for this).
>
> --
> Roger Abell
>
> "Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
> news:c1dd9064.0411282241.1677eba6@posting.google.com...
>> Hi
>> I am implementing folder security through ACL's.
>> I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER
> CONTENTS'.
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
a b 8 Security
November 30, 2004 7:36:35 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Glenn L" <the.only(delete)@gmail.com> wrote in message news:<uvWkXoq1EHA.1564@TK2MSFTNGP09.phx.gbl>...
> set them in the gui like Roger indicates, then go to DOS and run CACLS on
> the folder or file to get the 'under the hood' ACE identifyer. I think this
> is what you are looking for.
>
>
> --
> Glenn L
>
> CCNA, MCSE (2000,2003) + Security
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o dZWX8d1EHA.1408@TK2MSFTNGP10.phx.gbl...
> >I do not understand what the problem is. These permissions
> > you mention are generic permissions, listed right there in the
> > NTFS permissions editor (if you are using the UI for this).
> >
> > --
> > Roger Abell
> >
> > "Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
> > news:c1dd9064.0411282241.1677eba6@posting.google.com...
> >> Hi
> >> I am implementing folder security through ACL's.
> >> I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER
> > CONTENTS'.
> >
> >


Hi
Let's begin with an example .listed below are the ACE strings for
folder which gives all access rights to a folder.

#define SC_CONFIG_USER_DIR_DACL L"D:"\
L"(A;OICI;GA;;;SY)"\
L"(A;OICI;GA;;;BA)"\
L"(A;OICI;GA;;;%s)"\


"GA" -- GENERIC_ALL
"GR" -- GENERIC_READ
"GW" -- GENERIC_WRITE
"GX" -- GENERIC_EXECUTE

So i want rights for 'Modify' and 'List Folder Contents' . For this a
need the corresponding ACE.
Anonymous
a b 8 Security
November 30, 2004 11:36:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You should look up the documentation in MSDN for
SDDL (security descriptor definition language).
In particular, in the example you have shown, notice
the OI and the CI, these being object inherit and container
inherit. There is also IO for inherit only (that is, the ACE
does not apply to the location where attached, but only to
children)
For List a CI:GR would mean for this and child container
objects (directories) read is granted (which is a list for dirs)
whereas for Modify a write is set with OICI as the ability
to change is for both files (objects per OI) and dirs (per CI)

As Glenn indicated, just use the cacls commandline utility
to see what results when you set different grants on a test
dir or file. And, read the docs on SDDL to understand where
the syntax you show in the define seems to originate.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
news:c1dd9064.0411300436.249c4a64@posting.google.com...
> "Glenn L" <the.only(delete)@gmail.com> wrote in message
news:<uvWkXoq1EHA.1564@TK2MSFTNGP09.phx.gbl>...
> > set them in the gui like Roger indicates, then go to DOS and run CACLS
on
> > the folder or file to get the 'under the hood' ACE identifyer. I think
this
> > is what you are looking for.
> >
> >
> > --
> > Glenn L
> >
> > CCNA, MCSE (2000,2003) + Security
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:o dZWX8d1EHA.1408@TK2MSFTNGP10.phx.gbl...
> > >I do not understand what the problem is. These permissions
> > > you mention are generic permissions, listed right there in the
> > > NTFS permissions editor (if you are using the UI for this).
> > >
> > > --
> > > Roger Abell
> > >
> > > "Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
> > > news:c1dd9064.0411282241.1677eba6@posting.google.com...
> > >> Hi
> > >> I am implementing folder security through ACL's.
> > >> I need ACE for two standard access rights named 'MODIFY' and 'LIST
FOLDER
> > > CONTENTS'.
> > >
> > >
>
>
> Hi
> Let's begin with an example .listed below are the ACE strings for
> folder which gives all access rights to a folder.
>
> #define SC_CONFIG_USER_DIR_DACL L"D:"\
> L"(A;OICI;GA;;;SY)"\
> L"(A;OICI;GA;;;BA)"\
> L"(A;OICI;GA;;;%s)"\
>
>
> "GA" -- GENERIC_ALL
> "GR" -- GENERIC_READ
> "GW" -- GENERIC_WRITE
> "GX" -- GENERIC_EXECUTE
>
> So i want rights for 'Modify' and 'List Folder Contents' . For this a
> need the corresponding ACE.
Anonymous
a b 8 Security
December 29, 2004 10:27:29 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I am also facing same problem
I have already tried thr' cacls
Any folder having only List folder containts rights for a group shows
following output for CACLS
<Group Name>:( CI)R
Now how to specify this in the ACE string. There is no rights for "R"
with ace_flag as "CI"

Also i have noticed following things by right cliking and setting the
permission on the folder
List Folder Contain shows Read and Excecute in the Advanced Tab. And
Detailed Permissions for "List folder containts" and combination of
"Read, Read and Excecute, List Folder Containts" is the same.

The Detail permissions are

Traverse Folder/Excecute File
List Folder/ Read Data
Read attributes
Read Extended Attributes
REad Permissions

corresponding access right values shown by Cacls are
FILE_EXCECUTE
FILE_READ
FILE_READ_ATTRIBUTE
FILE_READ_EA
READ_CONTROL

Now problem is how can i specify this in ACE String. i am able to get
ACE for READ_CONTROL which is "RC"


Badrinath


Sudeep Sachdev wrote:
> "Glenn L" <the.only(delete)@gmail.com> wrote in message
news:<uvWkXoq1EHA.1564@TK2MSFTNGP09.phx.gbl>...
> > set them in the gui like Roger indicates, then go to DOS and run
CACLS on
> > the folder or file to get the 'under the hood' ACE identifyer. I
think this
> > is what you are looking for.
> >
> >
> > --
> > Glenn L
> >
> > CCNA, MCSE (2000,2003) + Security
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:o dZWX8d1EHA.1408@TK2MSFTNGP10.phx.gbl...
> > >I do not understand what the problem is. These permissions
> > > you mention are generic permissions, listed right there in the
> > > NTFS permissions editor (if you are using the UI for this).
> > >
> > > --
> > > Roger Abell
> > >
> > > "Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
> > > news:c1dd9064.0411282241.1677eba6@posting.google.com...
> > >> Hi
> > >> I am implementing folder security through ACL's.
> > >> I need ACE for two standard access rights named 'MODIFY' and
'LIST FOLDER
> > > CONTENTS'.
> > >
> > >
>
>
> Hi
> Let's begin with an example .listed below are the ACE strings for
> folder which gives all access rights to a folder.
>
> #define SC_CONFIG_USER_DIR_DACL L"D:"\
> L"(A;OICI;GA;;;SY)"\
> L"(A;OICI;GA;;;BA)"\
> L"(A;OICI;GA;;;%s)"\
>
>
> "GA" -- GENERIC_ALL
> "GR" -- GENERIC_READ
> "GW" -- GENERIC_WRITE
> "GX" -- GENERIC_EXECUTE
>
> So i want rights for 'Modify' and 'List Folder Contents' . For this a
> need the corresponding ACE.
Anonymous
a b 8 Security
December 30, 2004 6:16:21 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you need to set more explicit permissions from
the command line (than CACLS) you can use XCACLs,
or even more explitic than XCalcs or even the Special
Permissions of the GUI offer, then you can use
SetACL.exe (Free) from SourceForge.net.

Warning: SetAcl will set almost anything on almost
any object (shares and registry included) but it has
one of the most annoyingly tedious command line
interfaces every devised.

(That being said by someone who loves command
line tools.)

--
Herb Martin


"Badri" <badrinathmodale@gmail.com> wrote in message
news:1104334049.209080.188650@z14g2000cwz.googlegroups.com...
> I am also facing same problem
> I have already tried thr' cacls
> Any folder having only List folder containts rights for a group shows
> following output for CACLS
> <Group Name>:( CI)R
> Now how to specify this in the ACE string. There is no rights for "R"
> with ace_flag as "CI"
>
> Also i have noticed following things by right cliking and setting the
> permission on the folder
> List Folder Contain shows Read and Excecute in the Advanced Tab. And
> Detailed Permissions for "List folder containts" and combination of
> "Read, Read and Excecute, List Folder Containts" is the same.
>
> The Detail permissions are
>
> Traverse Folder/Excecute File
> List Folder/ Read Data
> Read attributes
> Read Extended Attributes
> REad Permissions
>
> corresponding access right values shown by Cacls are
> FILE_EXCECUTE
> FILE_READ
> FILE_READ_ATTRIBUTE
> FILE_READ_EA
> READ_CONTROL
>
> Now problem is how can i specify this in ACE String. i am able to get
> ACE for READ_CONTROL which is "RC"
>
>
> Badrinath
>
>
> Sudeep Sachdev wrote:
> > "Glenn L" <the.only(delete)@gmail.com> wrote in message
> news:<uvWkXoq1EHA.1564@TK2MSFTNGP09.phx.gbl>...
> > > set them in the gui like Roger indicates, then go to DOS and run
> CACLS on
> > > the folder or file to get the 'under the hood' ACE identifyer. I
> think this
> > > is what you are looking for.
> > >
> > >
> > > --
> > > Glenn L
> > >
> > > CCNA, MCSE (2000,2003) + Security
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:o dZWX8d1EHA.1408@TK2MSFTNGP10.phx.gbl...
> > > >I do not understand what the problem is. These permissions
> > > > you mention are generic permissions, listed right there in the
> > > > NTFS permissions editor (if you are using the UI for this).
> > > >
> > > > --
> > > > Roger Abell
> > > >
> > > > "Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
> > > > news:c1dd9064.0411282241.1677eba6@posting.google.com...
> > > >> Hi
> > > >> I am implementing folder security through ACL's.
> > > >> I need ACE for two standard access rights named 'MODIFY' and
> 'LIST FOLDER
> > > > CONTENTS'.
> > > >
> > > >
> >
> >
> > Hi
> > Let's begin with an example .listed below are the ACE strings for
> > folder which gives all access rights to a folder.
> >
> > #define SC_CONFIG_USER_DIR_DACL L"D:"\
> > L"(A;OICI;GA;;;SY)"\
> > L"(A;OICI;GA;;;BA)"\
> > L"(A;OICI;GA;;;%s)"\
> >
> >
> > "GA" -- GENERIC_ALL
> > "GR" -- GENERIC_READ
> > "GW" -- GENERIC_WRITE
> > "GX" -- GENERIC_EXECUTE
> >
> > So i want rights for 'Modify' and 'List Folder Contents' . For this a
> > need the corresponding ACE.
>
Anonymous
a b 8 Security
December 31, 2004 12:31:06 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I want to set permission thr' C++. So i will require to define the ACE
string. Now i want to give "List Folder Contents" permissions not any
other. I am not able to get the ACE string for "List Folder Contents".
If i give Generic read and excecute GR and GX , the permissions will be
"List Folder contents" , Read , read and excecute. Here i want only
List Folder Contents. And contraint is i should not any other tool such
as Cacls.

Can anybody suggest me ACE string?
The sample for Generic read and excecute is below

#define SC_CONFIG_USER_DIR_DACL L"D:"\

L"(A;OICI;GRGX;;;SY)"\
Anonymous
a b 8 Security
December 31, 2004 4:37:07 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Badri" <badrinathmodale@gmail.com> wrote in message
news:1104471066.551704.77190@z14g2000cwz.googlegroups.com...
> I want to set permission thr' C++. So i will require to define the ACE
> string. Now i want to give "List Folder Contents" permissions not any
> other. I am not able to get the ACE string for "List Folder Contents".
> If i give Generic read and excecute GR and GX , the permissions will be
> "List Folder contents" , Read , read and excecute. Here i want only
> List Folder Contents. And contraint is i should not any other tool such
> as Cacls.

It's been ages since I did this -- this is not a programming
list of course.

> Can anybody suggest me ACE string?
> The sample for Generic read and excecute is below
>
> #define SC_CONFIG_USER_DIR_DACL L"D:"\
> L"(A;OICI;GRGX;;;SY)"\

You need to find the constants for the actual or individual
permissions -- what the GUI calls "special permissions".

This should be precisely one bit and it will be the same
value as the Read File Contents (not the generic one of
course with the execute and read attributes but just the
read of the file or list of the directory.)

You might also need the read attributes and extended
attributes however. Try searching the header files
for some of these words to find the correct set of
"special" constants.

--
Herb Martin


>
!