
How to create an empty, inherit-only DACL


Stefan Falk

Feb 4, 2003, 5:33:33 PM
Hello everybody,

I have used BuildExplicitAccessWithName, SetEntriesInAcl and
SetNamedSecurityInfo successfully to set NTFS permissions from VB, including
turning on or off inheritance from parent folders. However, what do I have
to do if I want a file or folder to only inherit permissions from the
parent? The net effect should be the same as if I removed all explicit
permissions from within Explorer and turned inheritance from parent on there.

As far as I read MSDN Library, I have to create an empty DACL. However, how
do I do that? Having a null DACL pointer results in a null DACL, giving
everyone full control.

Thanks in advance for any insights here.

Greetings,
Stefan


Slava M. Usov

Feb 5, 2003, 5:21:07 AM
"Stefan Falk" <sf...@ct-systeme.com> wrote in message
news:uoLln1JzCHA.2916@TK2MSFTNGP09...

> Hello everybody,
>
> I have used BuildExplicitAccessWithName, SetEntriesInAcl and
> SetNamedSecurityInfo successfully to set NTFS permissions from VB,
> including turning on or off inheritance from parent folders. However, what
> do I have to do if I want a file or folder to only inherit permissions
> from the parent? The net effect should be the same as if I removed all
> explicit permissions from within Explorer and turned inheritance from parent
> on there.

What is your goal here? Do you want to create a file that only has inherited
permissions? Then it is really simple, you just specify a zero pointer to
SECURITY_ATTRIBUTES when calling CreateFile() or CreateDirectory().

Or do you want to modify the security descriptor of an existing file? Then
you get the security descriptor, and remove all of the non-inherited
permissions, and assign that descriptor to the file. But I recommend that
you use the so-called "low level security API", because the high level
security API has a number of problems, especially concerning inheritance.

S


Stefan Falk

Feb 5, 2003, 5:46:13 AM
Hello Slava,

thanks for your answer.

I want to reset the permissions of all existing files and subfolders of a
folder to only inherit from that parent folder.

Since I have to do that from VBA (from an Access 2002 application), I would
like to stick with the higher-level APIs. What are the problems you
mentioned those APIs have with inheritance? Isn't it possible to create an
empty DACL using them?

Thanks again,
Stefan


Slava M. Usov

Feb 5, 2003, 7:04:57 AM
"Stefan Falk" <sf...@ct-systeme.com> wrote in message
news:OCCVBPQzCHA.1936@TK2MSFTNGP10...

> Hello Slava,
>
> thanks for your answer.
>
> I want to reset the permissions of all existing files and subfolders of a
> folder to only inherit from that parent folder.

Then you need to do that manually. Using the low level security API :-) That
is not very hard. You just get the security descriptor by calling
GetFileSecurity(), then you get the DACL from the current security
descriptor, by calling GetSecurityDescriptorDacl(), then you enumerate all
the ACEs in the ACL by calling GetAce(), looking at the "flags" field of
each ACE: if it does not contain the bit INHERITED_ACE, you call DeleteAce()
and so on. In the end you have a security descriptor without any
non-inherited ACEs, and you just assign it back to the file or directory,
using SetFileSecurity().

> Since I have to do that from VBA (from an Access 2002 application), I
> would like to stick with the higher-level APIs. What are the problems you
> mentioned those APIs have with inheritance?

My standard reply is:

Go to groups.google.com and query it for "GetNamedSecurityInfo broken"

I actually copied and pasted that one from the result of this query. Or you
can try "SetEntriesInAcl broken". Or "EXPLICIT_ACCESS broken". I think I can
enter any of the high level routines in conjunction with "broken" and that
will turn up some amusing reading.

> Isn't it possible to create an empty DACL using them?

An empty DACL, perhaps, but I would not expect more than that. But you need
to modify a DACL, and all bets are off.

S
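As an added example that is not part of the thread: the reset Slava describes (walk the DACL, drop every ACE that lacks INHERITED_ACE, write the descriptor back), done from PowerShell through the .NET System.Security.AccessControl classes that Get-Acl and Set-Acl expose rather than through the Win32 calls he lists. The script is mine, not any poster's; $Root is an assumed placeholder path, and the canonical-order warning picks up Chuck's point below about hand-built DACLs with ACEs in the wrong order.

```powershell
# Added example: make every file and subfolder under $Root carry only ACEs
# inherited from its parent. $Root is an assumed placeholder.
param(
    [Parameter(Mandatory)][string]$Root,
    [switch]$DryRun
)

function Reset-ToInheritedOnly {
    param([string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $wasProtected = $acl.AreAccessRulesProtected

    # A DACL edited by hand may have its ACEs out of canonical order
    # (explicit deny, explicit allow, then inherited). Flag it before touching it.
    if (-not $acl.AreAccessRulesCanonical) {
        Write-Warning "$Path : DACL is not in canonical order; inspect it before resetting"
    }

    # Turn inheritance from the parent on. The second argument ($false) means
    # do NOT copy the inherited ACEs into explicit ones.
    $acl.SetAccessRuleProtection($false, $false)

    # Managed equivalent of GetAce()/DeleteAce() on every ACE whose AceFlags
    # lack INHERITED_ACE: rules with IsInherited = $false are the explicit ones.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($rule in $explicit) {
        $acl.RemoveAccessRuleSpecific($rule)
    }

    if ($explicit.Count -gt 0 -or $wasProtected) {
        if ($DryRun) {
            Write-Host "Would remove $($explicit.Count) explicit ACE(s) from $Path"
        } else {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
    }
    return $explicit.Count
}

# Only the children are reset; the root folder keeps its explicit ACEs,
# since those are exactly what the children are meant to inherit.
$total = 0
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $total += Reset-ToInheritedOnly -Path $_.FullName
}
Write-Host "Removed $total explicit ACE(s) under $Root"
```

Run it with -DryRun first to see which entries would go; the inherited entries themselves are never removed, so the effective permissions afterwards are exactly the parent's inheritable ones.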


Stefan Falk

Feb 5, 2003, 11:10:28 AM
Ok, Slava, many thanks for your answer. One last question: Could anyone
delete an inherited ACE from an ACL by calling DeleteAce()? That should not
be, should it?

Greetings,
Stefan


Chuck Chopp

Feb 5, 2003, 2:02:29 PM
Stefan Falk wrote:
> Ok, Slava, many thanks for your answer. One last question: Could anyone
> delete an inherited ACE from an ACL by calling DeleteAce()? That should not
> be, should it?


There is absolutely nothing to prevent you from butchering a DACL on Win2K/XP. You can easily remove inherited ACEs from the DACL using DeleteAce(). You can also mix up the order of the ACEs in the DACL so that they are no longer in the proper order. Any attempts to read the security or modify it via the Windows Explorer might get you some unexpected results, or at least a warning that the ACEs in the DACL are not ordered properly. Also, access checks made against a folder or file that has a "corrupted" DACL may result in improper access or denial of access depending on exactly how the DACL was messed up.


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
ICQ # 22321532
RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651 800 774 0718 pager
8007740718 (at) skytel (dot) com

Do not send me unsolicited commercial email.

Slava M. Usov

Feb 5, 2003, 4:38:36 PM
"Stefan Falk" <sf...@ct-systeme.com> wrote in message
news:ukmuNETzCHA.1288@TK2MSFTNGP11...

> Ok, Slava, many thanks for your answer. One last question: Could anyone
> delete an inherited ACE from an ACL by calling DeleteAce()? That should
> not be, should it?

It will delete it just fine. Furthermore, you can then set that security
descriptor to the file and it will be accepted just fine. The only automatic
thing about "automatic inheritance" is that the new files and directories
receive the inherited settings, but that has worked since NT 3.1. The rest
of the "automatism" exists in the user-mode code that implements the high
level security APIs, which is so good that even Windows Explorer does not
use it.

S

