ACL/ACE ? about Container Inherit / Inherit Only

From: Tom Rodman (Use-Author-Address-Header@[127.1])
Date: 08/14/02


--------
Is this single directory ACE (as shown by xcacls):

  foobar\joe_user:(CI)R

equivalent to the combination of these 2 directory ACEs?:

  foobar\joe_user:R
  foobar\joe_user:(CI)(IO)R

If not, how do they differ?

thanks/regards,

--
Tom Rodman 
perl -e 'print unpack("u", "\.\=\$\!T\<F\]D\;6\%N\+F\-O\;0H\`");'
--v-v------------------C-U-T---H-E-R-E-------------------------v-v--
Notes below mainly from p248+ "Windows NT in a Nutshell":
 ACL == access control list (contains ACEs)
 ACE == access control entry (a single component of an ACL)
 Container == a directory
 Object == a file
 Inherit == take on same rights as parent dir
 CI == container inherit;
       (directory inherit, the right applies to *this* dir AND all 
       *newly* created sub dirs)
 OI == object inherit (*newly* created FILES below this dir inherit this ACE)
 IO == "inherit only"; (modifies "OI" or "CI" on a directory; i.e. you never
        see IO by itself); this right does *not* apply to this directory,
        but it will be inherited (see example)
   Example: (one ACE in a directory ACL)
     SP.CG.JCI.COM\bld_mgr:(OI)(IO)C
       New files below this directory will inherit this (Change) right, but this
       right does not apply to this directory itself.

       What makes this confusing is that you often see the same right granted
       to the directory in another ACE within the same ACL.
          Directory ACL Example/question: 
            Is this single ACE:
              SP.CG.JCI.COM\build:(CI)R
              
            equivalent to the combination of these 2 ACEs?:
              SP.CG.JCI.COM\build:R
              SP.CG.JCI.COM\build:(CI)(IO)R
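
Added example, not part of the original post: a simplified Python model of the CI/OI/IO flags defined in the notes above, applied to the two ACLs from the question. The function names are hypothetical and the model assumes plain rights (no generic-rights mapping, no CREATOR OWNER ACEs); the flag values are the Windows ACE header constants.

```python
# Simplified model of NTFS ACE inheritance (added example, names are hypothetical).
# Flag values are the Windows ACE header constants.
OI, CI, NP, IO, INHERITED = 0x01, 0x02, 0x04, 0x08, 0x10

def parse(text):
    """Parse an xcacls-style 'trustee:(CI)(IO)R' into (trustee, flags, right)."""
    trustee, _, spec = text.rpartition(":")
    flags = 0
    while spec.startswith("("):
        name, _, spec = spec[1:].partition(")")
        flags |= {"OI": OI, "CI": CI, "NP": NP, "IO": IO}[name]
    return trustee, flags, spec

def effective(acl):
    """Rights that apply to the object carrying this ACL; IO ACEs are skipped."""
    return {(t, r) for t, f, r in acl if not f & IO}

def inherit(acl, child_is_dir):
    """ACEs a newly created child receives from its parent directory's ACL."""
    out = []
    for t, f, r in acl:
        if child_is_dir:
            if f & CI:
                # The ACE becomes effective on the child directory: IO is cleared.
                nf = 0 if f & NP else f & (OI | CI)
            elif f & OI and not f & NP:
                # Carried only so files further down can pick it up.
                nf = OI | IO
            else:
                continue
        elif f & OI:
            nf = 0  # a file cannot propagate anything further
        else:
            continue
        out.append((t, nf | INHERITED, r))
    return out

def same_behaviour(a, b, depth=3):
    """Compare two directory ACLs: rights here, on new files, and on new subdirs."""
    if effective(a) != effective(b):
        return False
    if effective(inherit(a, False)) != effective(inherit(b, False)):
        return False
    if depth == 0:
        return True
    return same_behaviour(inherit(a, True), inherit(b, True), depth - 1)

if __name__ == "__main__":
    single = [parse(r"foobar\joe_user:(CI)R")]
    pair = [parse(r"foobar\joe_user:R"), parse(r"foobar\joe_user:(CI)(IO)R")]
    print(same_behaviour(single, pair))
```

Under this model the two ACLs grant the same right on the directory and hand the same `(CI)R` ACE to new subdirectories; the visible difference is the number of ACEs stored on the parent.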

