Re: ACL's Security
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/01/04
Date: Tue, 30 Nov 2004 20:36:46 -0700
You should look up the documentation in MSDN for
SDDL (security descriptor definition language).

In particular, in the example you have shown, notice
the OI and the CI, these being object inherit and container
inherit. There is also IO for inherit only (that is, the ACE
does not apply to the location where attached, but only to
children).

For List a CI:GR would mean for this and child container
objects (directories) read is granted (which is a list for dirs)
whereas for Modify a write is set with OICI as the ability
to change is for both files (objects per OI) and dirs (per CI).

As Glenn indicated, just use the cacls commandline utility
to see what results when you set different grants on a test
dir or file. And, read the docs on SDDL to understand where
the syntax you show in the define seems to originate.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
news:c1dd9064.0411300436.249c4a64@posting.google.com...
> "Glenn L" <the.only(delete)@gmail.com> wrote in message news:<uvWkXoq1EHA.1564@TK2MSFTNGP09.phx.gbl>...
> > set them in the gui like Roger indicates, then go to DOS and run CACLS on
> > the folder or file to get the 'under the hood' ACE identifier. I think this
> > is what you are looking for.
> >
> >
> > --
> > Glenn L
> >
> > CCNA, MCSE (2000,2003) + Security
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:OdZWX8d1EHA.1408@TK2MSFTNGP10.phx.gbl...
> > >I do not understand what the problem is. These permissions
> > > you mention are generic permissions, listed right there in the
> > > NTFS permissions editor (if you are using the UI for this).
> > >
> > > --
> > > Roger Abell
> > >
> > > "Sudeep Sachdev" <sudeep_sachdev@yahoo.com> wrote in message
> > > news:c1dd9064.0411282241.1677eba6@posting.google.com...
> > >> Hi
> > >> I am implementing folder security through ACL's.
> > >> I need ACE for two standard access rights named 'MODIFY' and 'LIST FOLDER
> > >> CONTENTS'.
> > >
> > >
> > >
>
> Hi
> Let's begin with an example. Listed below are the ACE strings for
> folder which gives all access rights to a folder.
>
> #define SC_CONFIG_USER_DIR_DACL L"D:"\
> L"(A;OICI;GA;;;SY)"\
> L"(A;OICI;GA;;;BA)"\
> L"(A;OICI;GA;;;%s)"\
>
>
> "GA" -- GENERIC_ALL
> "GR" -- GENERIC_READ
> "GW" -- GENERIC_WRITE
> "GX" -- GENERIC_EXECUTE
>
> So I want rights for 'Modify' and 'List Folder Contents'. For this I
> need the corresponding ACE.
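
The OI, CI and IO flags discussed in the reply above, decoded by a small parser for DACL-only SDDL strings of the kind shown in the quoted macro. This is an added example, not code from the thread or from Microsoft; the sample string is constructed, and the BU (built-in users) trustee in it is an assumption.

```python
import re

# SDDL ACE layout: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ACE_RE = re.compile(r"\(([^()]*)\)")
ACE_TYPES = {"A": "allow", "D": "deny"}
FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}

def pairs(field):
    """Split a field of two-letter SDDL tokens; a hex mask stays one token."""
    if field.lower().startswith("0x"):
        return [field]
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def scope(flags):
    """Where the ACE takes effect on a directory tree, from OI/CI/IO."""
    targets = [] if "IO" in flags else ["this folder"]
    if "CI" in flags:
        targets.append("subfolders")
    if "OI" in flags:
        targets.append("files")
    return targets

def parse_dacl(sddl):
    """Return one dict per ACE in a DACL-only SDDL string ("D:..." form)."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh, trustee = parts
        flag_list = pairs(flags)
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [FLAGS.get(f, f) for f in flag_list],
            "rights": [RIGHTS.get(r, r) for r in pairs(rights)],
            "applies_to": scope(flag_list),
            "trustee": trustee,
        })
    return aces

# Constructed sample in the style of the thread's macro; not taken from the thread.
SAMPLE = "D:(A;OICI;GA;;;SY)(A;CI;GR;;;BU)(A;OICIIO;GW;;;BU)"

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE):
        print(ace)
```

Tokens the tables do not list are passed through unchanged, so an unfamiliar flag or right shows up by its SDDL abbreviation rather than being dropped.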