RE: NULL DACL versus Empty DACL and Owner implicit access
- From: jetan@xxxxxxxxxxxxxxxxxxxx ("Jeffrey Tan[MSFT]")
- Date: Fri, 31 Aug 2007 05:55:30 GMT
Hi Paul,
I think there is a problem with your following understanding:
"If the DACL were empty, it would grant everyone full access and I would
not expect the access described above to be denied. "
An empty DACL means denying any access request from anyone, instead of
granting everyone full access, while a NULL DACL means granting full access
to anyone. It seems that you have a reversed understanding of empty DACL vs
NULL DACL.
The "Owner of a New Object" MSDN link focuses on stating that the owner
implicitly has the WRITE_DAC permission, but it is not a complete list.
Actually, the owner of a securable object implicitly has the READ_CONTROL
and WRITE_DAC permissions. This is documented in the KB below:
"INFO: Owners Have Special Access to Their Objects"
http://support.microsoft.com/kb/130543
So, your test result is expected.
Since the original thread is a bit long, I am not sure if I understand the
main problem completely. Based on my test, I can create a new file in the
"C:\windows\system32\spool\drivers\w32x86\3" folder. Also, by using cacls
on this folder, I did not get an empty or null ACL list (I am testing on
my Win2003 machine now; if you want, I will find an XP machine for testing):

    cacls C:\windows\system32\spool\drivers\w32x86\3

    C:\windows\system32\spool\drivers\w32x86\3
        Everyone:R
        Everyone:(OI)(CI)(IO)(special access:)
            GENERIC_READ
            GENERIC_EXECUTE
        BUILTIN\Users:R
        BUILTIN\Users:(OI)(CI)(IO)(special access:)
            GENERIC_READ
            GENERIC_EXECUTE
        BUILTIN\Power Users:C
        BUILTIN\Power Users:(OI)(CI)(IO)C
        BUILTIN\Administrators:F
        BUILTIN\Administrators:(OI)(CI)(IO)F
        NT AUTHORITY\SYSTEM:F
        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
        CREATOR OWNER:(OI)(CI)(IO)F

Can you help by providing some more information regarding this problem? It
would be better if I could reproduce this problem, so that I can
troubleshoot it locally.
Anyway, I will try to spend more time reading the original thread and try
to understand your confusion completely. Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
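
The three rules stated in the post above (NULL DACL grants everything, empty DACL grants nothing, owner implicitly holds READ_CONTROL and WRITE_DAC), as a simplified model of the access check. This is an added example, not code from the post or from Windows; the function name, the ACE tuple layout and the user SIDs are assumptions made for illustration.

```python
# Simplified model of DACL evaluation; not Windows source code.
# Access-right values are the standard ones from winnt.h.
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002

EVERYONE = "S-1-1-0"                    # well-known SID
OWNER = "S-1-5-21-1111-2222-3333-1001"  # constructed sample SID
OTHER = "S-1-5-21-1111-2222-3333-1002"  # constructed sample SID


def access_check(caller_sids, owner_sid, dacl, desired):
    """Return True only if every bit in `desired` is granted.

    caller_sids: set of SIDs in the caller's token (user plus groups).
    dacl: None models a NULL DACL, [] models an empty DACL, otherwise an
          ordered list of (ace_type, sid, mask), ace_type "allow" or "deny".
    """
    granted = 0
    # The owner implicitly holds READ_CONTROL and WRITE_DAC, whatever the DACL says.
    if owner_sid in caller_sids:
        granted |= READ_CONTROL | WRITE_DAC
    # NULL DACL: the object has no protection, every request succeeds.
    if dacl is None:
        return True
    remaining = desired & ~granted
    # Walk ACEs in order; with an empty DACL this loop grants nothing.
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        if sid not in caller_sids:
            continue
        if ace_type == "deny":
            if mask & remaining:
                return False
        else:
            remaining &= ~mask
    return remaining == 0


def owner_can_repair_empty_dacl():
    """The owner is locked out of the data but can still read and rewrite the DACL."""
    token = {OWNER, EVERYONE}
    return (not access_check(token, OWNER, [], FILE_READ_DATA)
            and access_check(token, OWNER, [], READ_CONTROL | WRITE_DAC))
```

When auditing, a NULL DACL is the finding to flag: any caller can pass a WRITE_DAC request and replace the object's protection.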