Re: GetNamedSecurityInfo VS GetFileSecurity

From: Pavel Lebedinsky [MSFT] (pavel_at_online.microsoft.com)
Date: 06/30/05


Date: Wed, 29 Jun 2005 21:38:56 -0700

Get/SetFileSecurity (as well as RegSetKeySecurity) are older APIs
that are not aware of ACE inheritance (which was introduced in
Win2K). If you want to work with inherited ACEs you should use
SetSecurityInfo/SetNamedSecurityInfo or their Get counterparts.

-- 
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Frederic P." wrote:
> I am trying to read the security on different files and folders but I am
> getting different results depending on the method I use to get the security
> descriptor:
> "GetFileSecurity", "GetKernelObjectSecurity", and "GetUserObjectSecurity"
> all return the same security descriptor which doesn't have any inherited aces
> in it (INHERITED_ACE is never set on any aces).
>
> On the other hand, if I use "GetNamedSecurityInfo", I get the expected
> results which is a security descriptor containing aces with the INHERITED_ACE
> flag set. Sometimes, even the number of aces is different.
>
> I can get the problem with newly created files/folders with default ACL or
> older files/folders (even c:\CONFIG.sys). Some files work, others don't???
>
> The freeware "SetAcl" also returns explicit aces when listing the security
> descriptor of the files so I don't think the problem is in my code (SetAcl
> uses "GetKernelObjectSecurity" to access the security descriptors).
>
> If I call "ConvertToAutoInheritPrivateObjectSecurity" on the files/folders
> with the problem, everything goes back to normal; all 4 methods return the
> same security descriptor.
>
> Questions:
> What is the difference behind "GetNamedSecurityInfo" and "GetFileSecurity"?
> Why am I getting only explicit aces on certain files/folders when using
> "GetFileSecurity"?
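
An added example, not part of the original thread: whichever API returned the descriptor, the inheritance state discussed above can be read from the raw self-relative bytes, namely the INHERITED_ACE bit in each ACE header and the SE_DACL_AUTO_INHERITED control bit. The sample descriptor is constructed, and `summarize_dacl`, `dacl_summary` and `SAMPLE_SD` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define SE_DACL_PRESENT        0x0004u  /* SECURITY_DESCRIPTOR control bits */
#define SE_DACL_AUTO_INHERITED 0x0400u
#define INHERITED_ACE          0x10u    /* bit in ACE_HEADER.AceFlags */
typedef struct { int total, inherited, auto_inherited; } dacl_summary;

/* Constructed sample: self-relative SD, no owner/group, DACL at offset 20. */
static const uint8_t SAMPLE_SD[] = {
    0x01, 0x00, 0x04, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* rev, control 0x8404, owner */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, /* group, SACL, DACL offset 20 */
    0x02, 0x00, 0x30, 0x00, 0x02, 0x00, 0x00, 0x00,             /* ACL: size 48, 2 ACEs */
    0x00, 0x00, 0x14, 0x00, 0xFF, 0x01, 0x1F, 0x00,             /* explicit allow ACE, flags 0x00 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, /* S-1-5-18 */
    0x00, 0x10, 0x14, 0x00, 0xA9, 0x00, 0x12, 0x00,             /* inherited allow ACE, flags 0x10 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* S-1-1-0 */
};

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Walks the DACL with bounds checks. Returns 0 on success, -1 if the
   buffer is malformed or holds no DACL to walk (absent or NULL DACL). */
int summarize_dacl(const uint8_t *sd, size_t len, dacl_summary *out)
{
    if (len < 20 || sd[0] != 1) return -1;        /* 20-byte header, revision 1 */
    uint32_t control = rd16(sd + 2), off = rd32(sd + 16);
    if (!(control & SE_DACL_PRESENT) || off < 20 || off > len || len - off < 8) return -1;
    const uint8_t *acl = sd + off;
    uint32_t acl_size = rd16(acl + 2), count = rd16(acl + 4), pos = 8;
    if (acl_size < 8 || acl_size > len - off) return -1;
    out->total = out->inherited = 0;
    out->auto_inherited = (control & SE_DACL_AUTO_INHERITED) != 0;
    for (uint32_t i = 0; i < count; i++) {
        if (acl_size - pos < 4) return -1;        /* room for an ACE_HEADER */
        uint32_t ace_size = rd16(acl + pos + 2);
        if (ace_size < 4 || ace_size > acl_size - pos) return -1;
        out->total++;
        if (acl[pos + 1] & INHERITED_ACE) out->inherited++;
        pos += ace_size;
    }
    return 0;
}

int main(void) {
    dacl_summary s;
    if (summarize_dacl(SAMPLE_SD, sizeof SAMPLE_SD, &s) != 0) return 1;
    printf("aces=%d inherited=%d auto_inherited=%d\n", s.total, s.inherited, s.auto_inherited);
    return 0;
}
```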

