Re: NULL DACL versus Empty DACL and Owner implicit access
- From: "Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
- Date: Fri, 31 Aug 2007 21:03:04 -0400
Jeffrey,
Thanks. I don't know if I was thinking something different than I was
writing, but I definitely got it backwards somehow. What I am doing is
attempting to find an explanation for what the evidence shows happened to
the poster:
The permissions for the "w32x86" folder were the same as you gave below and
the same as mine. In other words, they were correct.
The permissions for the "w32x86\3" subfolder were screwed up. Rather than
have the poster look in the UI, I asked him to use CACLS and the output
listed nothing! That is what led me to believe it was an empty or NULL DACL.
I am not suggesting there is anything unusual about the default permissions,
so I don't think there's any need for you to go looking for a Windows XP
system. Someone or something must have changed the permissions for the
"w32x86\3" subfolder on his system. BTW, the evidence is destroyed now
because he deleted the partition.
Anyway, when installing the x86 version 3 printer driver in question, it had
to create a subfolder "w32x86\3\New", which succeeded, but access was denied
to create a file in that folder. So how is that possible?
It seems that access to the "w32x86\3" folder should be all granted if it is
a NULL DACL or all denied if it is an empty DACL. So, since it granted
access to create a subfolder, it must be a NULL DACL. In that case, what
DACL does the new child, "w32x86\3\New", get? The answer is not clear to me
from the documentation on MSDN. One answer might be that the new child
object gets a NULL DACL, in which case it should grant access to create a
file in that folder, but it did not. Another answer might be that the new child
object gets an empty DACL (as there are no ACEs to inherit) and thus all
access is denied. That could explain it. Or is there another explanation?
Thanks for the KB reference. I knew that article existed, I had seen it
before but I couldn't find it at the time!
Paul
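The check Paul needed, as an added example that is not code from the thread: cacls prints no entries for both a NULL DACL and an empty DACL, and .NET's Get-Acl rewrites a NULL DACL as "Everyone: FullControl", so this script reads the raw security descriptor through GetFileSecurityW and reports which of the two cases a folder is in. It then builds a NULL-DACL parent and an empty-DACL parent under %TEMP%, creates a child under the NULL-DACL parent, and reads back the DACL Windows actually gave the child (the question raised above). The function names are mine; it assumes Windows Vista or later (for the SDDL token NO_ACCESS_CONTROL) and a writable $env:TEMP.

```powershell
# Added example, not from the thread. Reads the raw DACL with GetFileSecurityW because
# Get-Acl rewrites a NULL DACL as "Everyone: FullControl" and cacls prints nothing for
# either case. Assumes Windows Vista or later (SDDL token NO_ACCESS_CONTROL) and a writable $env:TEMP.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetFileSecurityW(string name, uint info, byte[] sd, uint len, out uint needed);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SetFileSecurityW(string name, uint info, byte[] sd);
'@
$DACL_SECURITY_INFORMATION = [uint32]4   # SECURITY_INFORMATION bit selecting the DACL

function Get-RawDacl([string]$Path) {
    # Two-call pattern: the first call fails with ERROR_INSUFFICIENT_BUFFER and reports the size.
    $needed = [uint32]0
    [void][Win32.Advapi]::GetFileSecurityW($Path, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
    if ($needed -eq 0) { throw "GetFileSecurityW($Path) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $buf = New-Object byte[] $needed
    if (-not [Win32.Advapi]::GetFileSecurityW($Path, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
        throw "GetFileSecurityW($Path) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # RawSecurityDescriptor keeps a NULL DACL as $null instead of synthesising an Everyone ACE.
    (New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)).DiscretionaryAcl
}

function Describe-Dacl([string]$Path) {
    $dacl = Get-RawDacl $Path
    if ($null -eq $dacl)   { return 'NULL DACL: every access request is granted' }
    if ($dacl.Count -eq 0) { return 'Empty DACL: every access request is denied (owner keeps implicit READ_CONTROL and WRITE_DAC)' }
    # The AceFlags (OI/CI/IO) decide which entries a new child object inherits.
    $aces = foreach ($ace in $dacl) { '{0} {1} mask=0x{2:X} flags={3}' -f $ace.AceType, $ace.SecurityIdentifier, $ace.AccessMask, $ace.AceFlags }
    return "Populated DACL ($($dacl.Count) ACEs):`n    " + ($aces -join "`n    ")
}

function Set-DaclFromSddl([string]$Path, [string]$Sddl) {
    # Needs WRITE_DAC, which the owner holds implicitly even when the current DACL is empty.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    if (-not [Win32.Advapi]::SetFileSecurityW($Path, $DACL_SECURITY_INFORMATION, $bytes)) { throw "SetFileSecurityW($Path) failed" }
}

# Constructed demo: a NULL-DACL parent, an empty-DACL parent, and a child under the NULL-DACL parent.
$root        = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ('dacl-demo-' + [guid]::NewGuid()))
$nullParent  = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'nulldacl')
$emptyParent = New-Item -ItemType Directory -Path (Join-Path $root.FullName 'emptydacl')
Set-DaclFromSddl $nullParent.FullName  'D:NO_ACCESS_CONTROL'
Set-DaclFromSddl $emptyParent.FullName 'D:'
$child = New-Item -ItemType Directory -Path (Join-Path $nullParent.FullName 'New')
foreach ($dir in $nullParent, $emptyParent, $child) { "$($dir.FullName): $(Describe-Dacl $dir.FullName)" }
```

Remove the demo tree with Remove-Item -Recurse on $root afterwards; if the empty-DACL folder resists, give it a DACL back with Set-DaclFromSddl first, which works because the creator is its owner.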
"Jeffrey Tan[MSFT]" <jetan@xxxxxxxxxxxxxxxxxxxx> wrote in message news:ZQ00aO56HHA.5608@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Paul,
I think there is some problem with your following understanding:
"If the DACL were empty, it would grant everyone full access and I would
not expect the access described above to be denied. "
Empty DACL means denying any access request to anyone, instead of granting
everyone full access. While Null DACL means granting full access to
anyone.
It seems that you have a reversed understanding of empty DACL vs null DACL.
The "Owner of a New Object" MSDN link focuses on stating that the owner has
the WRITE_DAC permission implicitly, but it is not a complete list. Actually,
the owner of a securable object will have READ_CONTROL and WRITE_DAC
permissions implicitly. This is documented in the KB below:
"INFO: Owners Have Special Access to Their Objects"
http://support.microsoft.com/kb/130543
So, your test result is expected.
Since the original thread is a bit long, I am not sure if I understand the
main problem completely. Based on my test, I can create a new file in the
"C:\windows\system32\spool\drivers\w32x86\3" folder. Also, by using cacls
on this folder, I did not get an empty or null ACL list (I am testing on
my Win2003 machine now; if you want, I will find an XP machine for
testing):
cacls C:\windows\system32\spool\drivers\w32x86\3
C:\windows\system32\spool\drivers\w32x86\3 Everyone:R
                                           Everyone:(OI)(CI)(IO)(special access:)
                                                                 GENERIC_READ
                                                                 GENERIC_EXECUTE
                                           BUILTIN\Users:R
                                           BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                                                 GENERIC_READ
                                                                 GENERIC_EXECUTE
                                           BUILTIN\Power Users:C
                                           BUILTIN\Power Users:(OI)(CI)(IO)C
                                           BUILTIN\Administrators:F
                                           BUILTIN\Administrators:(OI)(CI)(IO)F
                                           NT AUTHORITY\SYSTEM:F
                                           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                                           CREATOR OWNER:(OI)(CI)(IO)F
Can you help to provide some more information regarding this problem? It
would be better if I could reproduce this problem, so that I can give it
local troubleshooting.
Anyway, I will try to spend more time reading the original thread and try
to understand your confusion completely. Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support