Re: Cannot set SE_DACL_AUTO_INHERITED flag
From: Peter Rus (peter_at_rus.cz)
Date: 07/05/05
- Next message: Jody Flett, JMF Computers: "Re: Server Hardening"
- Previous message: Jody Flett, JMF Computers: "Server Hardening"
- In reply to: Peter Rus: "Cannot set SE_DACL_AUTO_INHERITED flag"
- Next in thread: Roger Abell: "Re: Cannot set SE_DACL_AUTO_INHERITED flag"
- Reply: Roger Abell: "Re: Cannot set SE_DACL_AUTO_INHERITED flag"
Date: Tue, 5 Jul 2005 13:39:50 +0200
Ok, one step further.
As I started to understand, I must set "SE_DACL_AUTO_INHERITED_REQ" on the
PARENT directory to get permissions propagated. But - I lose all my
manually set privileges!
So, what I am setting (subinacl output):
==================
+File c:\test\ftp
==================
/control=0x0
/owner =domain\administrator
/primary group =S-1-5-21-1300348001-1521967273-3109074169-513
/audit ace count =0
/perm. ace count =3
/pace =local\dentest1 ACCESS_DENIED_ACE_TYPE-0x1
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access:
Special acccess :
Detailed Access Flags :
FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4 FILE_WRITE_EA-0x10
FILE_WRITE_ATTRIBUTES-0x100
/pace =local\test1 ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access:
Special acccess : -Read -Execute
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_READ_EA-0x8 FILE_EXECUTE-0x20
FILE_READ_ATTRIBUTES-0x80 READ_CONTROL-0x20000
SYNCHRONIZE-0x100000
/pace =local\test2 ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access:
Special acccess : -Read -Write -Execute -Delete -Change
Permissions -Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2
FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20
FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000
READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000
SYNCHRONIZE-0x100000
And this is what I get after I set SE_DACL_AUTO_INHERITED_REQ on the parent folder
(exactly the parent's permissions, but without mine, see above):
==================
+File c:\test\ftp
==================
/control=0x0
/owner =domain\administrator
/primary group =S-1-5-21-1300348001-1521967273-3109074169-513
/audit ace count =0
/perm. ace count =7
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
INHERITED_ACE-0x10
Type of access:
Special acccess : -Read -Write -Execute -Delete -Change
Permissions -Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2
FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10
FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100
DELETE-0x10000 READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000
SYNCHRONIZE-0x100000
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
INHERITED_ACE-0x10
Type of access:
Special acccess : -Read -Write -Execute -Delete -Change
Permissions -Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2
FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10
FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100
DELETE-0x10000 READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000
SYNCHRONIZE-0x100000
/pace =domain\administrator ACCESS_ALLOWED_ACE_TYPE-0x0
INHERITED_ACE-0x10
Type of access:
Special acccess : -Read -Write -Execute -Delete -Change
Permissions -Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2
FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10
FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100
DELETE-0x10000 READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000
SYNCHRONIZE-0x100000
/pace =creator owner ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 INHERIT_ONLY_ACE-0x8
OBJECT_INHERIT_ACE-0x1 INHERITED_ACE-0x10
Type of access:
Special acccess :
Detailed Access Flags :
/pace =builtin\users ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
INHERITED_ACE-0x10
Type of access:
Special acccess : -Read -Execute
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_READ_EA-0x8
FILE_EXECUTE-0x20
FILE_READ_ATTRIBUTES-0x80 READ_CONTROL-0x20000
SYNCHRONIZE-0x100000
/pace =builtin\users ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 INHERITED_ACE-0x10
Type of access:
Special acccess :
Detailed Access Flags :
FILE_APPEND_DATA-0x4
/pace =builtin\users ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 INHERITED_ACE-0x10
Type of access:
Special acccess :
Detailed Access Flags :
FILE_WRITE_DATA-0x2
Thank you for help and best regards,
Peter
"Peter Rus" <peter@rus.cz> wrote in message
news:OlDTOnHgFHA.3232@TK2MSFTNGP15.phx.gbl...
>
> Hello all,
>
> I am going mad over this - sitting over it the whole day :-(
>
> I am using the code listed below to set access permissions for a directory.
> After some hours of work it is now setting the permissions, but for some
> reason the directory is not taking inherited ACEs from the parent.
>
> !HELP HELP HELP HELP HELP! PLEASE HELP!
>
> After script completes, SecurityDescriptor.ControlFlag = 32772
> (SE_SELF_RELATIVE & SE_DACL_PRESENT). Doesn't matter what I change, it is
> still 32772. Even before script it was 33796 (SE_SELF_RELATIVE &
> SE_DACL_PRESENT & SE_DACL_AUTO_INHERITED).
> Last try was 34052 (SE_SELF_RELATIVE & SE_DACL_PRESENT &
> SE_DACL_AUTO_INHERITED & SE_DACL_AUTO_INHERITED_REQ)... no luck :-(
>
> Thank you very much and best regards,
>
> (... soon to go mad over this) Peter
>
>
>
> Code listing (may wrap):
>
>
> 'Const
> Const CHANGE_DACL_SECURITY_INFORMATION = 4
> '---
> Const OBJECT_INHERIT_ACE = 1
> Const CONTAINER_INHERIT_ACE = 2
> Const CUSTCON_ACE_INHERIT = 3
> '---
> Const SE_DACL_PRESENT = 4
> Const SE_DACL_AUTO_INHERITED = 1024
> Const SE_SELF_RELATIVE = 32768
> Const CUSTCON_ALLOW_INHERIT = 33796
>
> strComputer = "."
> On Error Resume Next   'so a failed GetObject reaches the Err check below instead of aborting
> Set objWMIService = GetObject("winmgmts:{impersonationlevel=impersonate,(security)}!\\.\root\cimv2")
> if Err.Number <> 0 then
> WScript.Echo "0;" & strComputer & ";Error;" & Err.Number & ";" & Err.Description
> WScript.Quit(2)
> end If
> On Error GoTo 0
>
> 'On error resume next
>
> Set oDir = objWMIService.Get("Win32_Directory.Name='c:\test\csw'")
>
> 'AceFlags 3 = OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE; AceType 1 = deny, 0 = allow
> Set ace1 = GetAccessEntry(278,CUSTCON_ACE_INHERIT,1,GetGroupTrustee("W2kEp1", "DenTest1"))     '278 = 0x116: write-type rights only
> Set ace2 = GetAccessEntry(1179817,CUSTCON_ACE_INHERIT,0,GetGroupTrustee("W2kEp1", "Test1"))    '1179817 = 0x1200A9: Read & Execute
> Set ace3 = GetAccessEntry(2032127,CUSTCON_ACE_INHERIT,0,GetGroupTrustee("W2kEp1", "Test2"))    '2032127 = 0x1F01FF: Full Control
>
> myArr = Array(ace1, ace2, ace3)
>
> retVal = oDir.ChangeSecurityPermissions(GetSecDescriptor(myArr), CHANGE_DACL_SECURITY_INFORMATION)
> If retVal <> 0 Then WScript.Echo "ChangeSecurityPermissions returned " & retVal
>
>
> Set oDir = nothing
> Wscript.Quit(0)
>
>
> Function GetSecDescriptor(aACEs)
> Dim oSecDescriptor
>
> Set oSecDescriptor = objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
> oSecDescriptor.Properties_.Item("DACL") = aACEs 'Must be array!
> oSecDescriptor.Properties_.Item("ControlFlags") = 34052 'CUSTCON_ALLOW_INHERIT + 256 (SE_DACL_AUTO_INHERITED_REQ)
>
> Set GetSecDescriptor = oSecDescriptor
>
> Set oSecDescriptor = nothing
> End Function
>
>
> Function GetAccessEntry(fAMask, fAFlags, fAType, fATrustee)
> Dim oAce
>
> Set oAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
> oAce.Properties_.Item("AccessMask") = fAMask
> oAce.Properties_.Item("AceFlags") = fAFlags
> oAce.Properties_.Item("AceType") = fAType
> oAce.Properties_.Item("Trustee") = fATrustee
>
> Set GetAccessEntry = oAce
>
> Set oAce = nothing
> End Function
>
> Function GetUserTrustee(sDomain, sUser)
> Dim oUA, oSid, oTrustee
> Dim sSid
>
> Set oUA = objWMIService.Get("Win32_UserAccount.Domain='" & sDomain & "',Name='" & sUser & "'")
> sSID = oUA.Properties_.Item("SID")
> Set oUA = nothing
> Set oSid = objWMIService.Get("Win32_SID.SID='" & sSID & "'")
> Set oTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
> oTrustee.Properties_.Item("SID") = (oSID.BinaryRepresentation)
> Set oSid = nothing
> Set GetUserTrustee = oTrustee
> Set oTrustee = nothing
> End Function
>
> Function GetGroupTrustee(sDomain, sGroup)
> Dim oGA, oSid, oTrustee
> Dim sSid
>
> Set oGA = objWMIService.Get("Win32_Group.Domain='" & sDomain & "',Name='" & sGroup & "'")
> sSID = oGA.Properties_.Item("SID")
> Set oGA = nothing
> Set oSid = objWMIService.Get("Win32_SID.SID='" & sSID & "'")
> Set oTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
> oTrustee.Properties_.Item("SID") = (oSID.BinaryRepresentation)
> Set oSid = nothing
> Set GetGroupTrustee = oTrustee
> Set oTrustee = nothing
> End Function
>
> --
> Wishing a nice day,
>
> Peter
>
>
>
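To make the two subinacl listings in this thread comparable, here is an added example (not code from the thread or from the poster) that decodes the ControlFlags values quoted above, parses subinacl's "/pace =" blocks into ACEs, and separates explicit entries from those carrying INHERITED_ACE; merged_dacl builds the DACL one would expect to see when the explicit ACEs and the parent's inherited ACEs are both kept. The sample strings are abbreviated excerpts of the listings above, with line wrapping removed.

```python
import re
# Security-descriptor control bits (winnt.h) behind 32772, 33796 and 34052;
# the thread's "SE_DACL_AUTO_INHERITED_REQ" is SE_DACL_AUTO_INHERIT_REQ in winnt.h.
CONTROL_BITS = {"SE_DACL_PRESENT": 0x0004, "SE_DACL_AUTO_INHERIT_REQ": 0x0100,
                "SE_DACL_AUTO_INHERITED": 0x0400, "SE_SELF_RELATIVE": 0x8000}
INHERITED_ACE = 0x10  # AceFlags bit marking an ACE propagated from the parent
TOKEN = re.compile(r"([A-Z_]+)-0x([0-9a-f]+)")  # subinacl's NAME-0xVALUE tokens

def decode_control(value):
    """Names of the SE_* bits set in a Win32_SecurityDescriptor.ControlFlags value."""
    return [n for n, b in CONTROL_BITS.items() if value & b]

def parse_subinacl(text):
    """Parse '/pace =' blocks into (trustee, ace_type, ace_flags, access_mask).
    Tokens may be wrapped over several lines, so each block is scanned whole."""
    aces = []
    for block in text.split("/pace =")[1:]:
        trustee = block[:TOKEN.search(block).start()].strip()
        head, _, rights = block.partition("Detailed Access Flags :")
        toks = TOKEN.findall(head)  # ACE type token first, then the AceFlags
        flags = sum(int(v, 16) for _, v in toks[1:])
        mask = sum(int(v, 16) for _, v in TOKEN.findall(rights))
        aces.append((trustee, toks[0][0], flags, mask))
    return aces

def merged_dacl(after_script, after_propagation):
    """Explicit ACEs of the first listing followed by the INHERITED_ACE entries
    of the second: the DACL to expect when propagation does not drop the
    explicit entries (canonical order keeps explicit ACEs before inherited)."""
    explicit = [a for a in after_script if not a[2] & INHERITED_ACE]
    inherited = [a for a in after_propagation if a[2] & INHERITED_ACE]
    return explicit + inherited

# Excerpts of the two listings above (line wrapping removed, second shortened).
AFTER_SCRIPT = r"""
/pace =local\dentest1 ACCESS_DENIED_ACE_TYPE-0x1 CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access: Special acccess : Detailed Access Flags : FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4 FILE_WRITE_EA-0x10 FILE_WRITE_ATTRIBUTES-0x100
/pace =local\test1 ACCESS_ALLOWED_ACE_TYPE-0x0 CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access: Special acccess : -Read -Execute Detailed Access Flags : FILE_READ_DATA-0x1 FILE_READ_EA-0x8 FILE_EXECUTE-0x20 FILE_READ_ATTRIBUTES-0x80 READ_CONTROL-0x20000 SYNCHRONIZE-0x100000
"""
AFTER_PROPAGATION = r"""
/pace =builtin\users ACCESS_ALLOWED_ACE_TYPE-0x0 CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1 INHERITED_ACE-0x10
Type of access: Special acccess : -Read -Execute Detailed Access Flags : FILE_READ_DATA-0x1 FILE_READ_EA-0x8 FILE_EXECUTE-0x20 FILE_READ_ATTRIBUTES-0x80 READ_CONTROL-0x20000 SYNCHRONIZE-0x100000
/pace =creator owner ACCESS_ALLOWED_ACE_TYPE-0x0 CONTAINER_INHERIT_ACE-0x2 INHERIT_ONLY_ACE-0x8 OBJECT_INHERIT_ACE-0x1 INHERITED_ACE-0x10
Type of access: Special acccess : Detailed Access Flags :
"""
if __name__ == "__main__":
    print(decode_control(34052))
    for ace in merged_dacl(parse_subinacl(AFTER_SCRIPT), parse_subinacl(AFTER_PROPAGATION)):
        print(ace)
```

The access masks recovered from the listing (278 and 1179817 for the first two ACEs) match the constants passed to GetAccessEntry in the script, so the parser doubles as a check that the written DACL is what subinacl reports back.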