Anti-Spyware Forums


Reply
Thread Tools Display Modes

some unexpected acl inheritances? output of cacls

 
 
john.ruckstuhl
Guest
Posts: n/a

 
      29-08-2011, 05:11 PM
I make a dir "c:\zoo" and I'm surprised by two of the ACLs as reported
by cacls.

1. Where does the 3rd ACL "BUILTIN\Adminstrators:F" come from? It
isn't inherited, it's not present on the parent dir.
2. Why does the 4th ACL "CREATOR OWNEROI)(CI)(IO)" still have
"(IO)"? That is, the "(IO)" is on the ACL for the parent dir, but
when it's inherited, shouldn't it lose the "(IO)"?
I'm misunderstanding something...

This on Windows Server 2003. The user making "c:\zoo" is in the
"Administrators" group.
Thanks for any guidance
John R.

C:\>cacls c:\
c:\ BUILTIN\AdministratorsOI)(CI)F
NT AUTHORITY\SYSTEMOI)(CI)F
CREATOR OWNEROI)(CI)(IO)F
BUILTIN\UsersOI)(CI)R
BUILTIN\UsersCI)(special access
FILE_APPEND_DATA

BUILTIN\UsersCI)(IO)(special access
FILE_WRITE_DATA

Everyone:R


C:\>mkdir c:\zoo

C:\>cacls c:\zoo
1. c:\zoo BUILTIN\AdministratorsOI)(CI)F
2. NT AUTHORITY\SYSTEMOI)(CI)F
3. BUILTIN\Administrators:F
4. CREATOR OWNEROI)(CI)(IO)F
5. BUILTIN\UsersOI)(CI)R
6. BUILTIN\UsersCI)(special access
FILE_APPEND_DATA

7. BUILTIN\UsersCI)(special access
FILE_WRITE_DATA



C:\>
 
Reply With Quote
 
 
 
 
FromTheRafters
Guest
Posts: n/a

 
      29-08-2011, 07:08 PM
john.ruckstuhl wrote:
> I make a dir "c:\zoo" and I'm surprised by two of the ACLs as reported
> by cacls.
>
> 1. Where does the 3rd ACL "BUILTIN\Adminstrators:F" come from? It
> isn't inherited, it's not present on the parent dir.
> 2. Why does the 4th ACL "CREATOR OWNEROI)(CI)(IO)" still have
> "(IO)"? That is, the "(IO)" is on the ACL for the parent dir, but
> when it's inherited, shouldn't it lose the "(IO)"?
> I'm misunderstanding something...
>
> This on Windows Server 2003. The user making "c:\zoo" is in the
> "Administrators" group.
> Thanks for any guidance
> John R.
>
> C:\>cacls c:\
> c:\ BUILTIN\AdministratorsOI)(CI)F
> NT AUTHORITY\SYSTEMOI)(CI)F
> CREATOR OWNEROI)(CI)(IO)F
> BUILTIN\UsersOI)(CI)R
> BUILTIN\UsersCI)(special access
> FILE_APPEND_DATA
>
> BUILTIN\UsersCI)(IO)(special access
> FILE_WRITE_DATA
>
> Everyone:R
>
>
> C:\>mkdir c:\zoo
>
> C:\>cacls c:\zoo
> 1. c:\zoo BUILTIN\AdministratorsOI)(CI)F
> 2. NT AUTHORITY\SYSTEMOI)(CI)F
> 3. BUILTIN\Administrators:F
> 4. CREATOR OWNEROI)(CI)(IO)F
> 5. BUILTIN\UsersOI)(CI)R
> 6. BUILTIN\UsersCI)(special access
> FILE_APPEND_DATA
>
> 7. BUILTIN\UsersCI)(special access
> FILE_WRITE_DATA
>
>
>
> C:\>


From:

http://technet.microsoft.com/en-us/l.../bb457115.aspx

How Access Control Is Applied to New Objects

[...]

If the parent object has no inheritable ACEs—for example, if the file is
being created in the root directory—the operating system asks the object
manager to provide a default DACL.

If the object manager does not provide a default DACL, the operating
system checks for a default DACL in the access token belonging to the
subject (the user, for example).

If the subject’s access token does not have a default DACL, the new
object is assigned no DACL, which allows Everyone unconditional access.

Warning Failure to set DACLs or setting DACLs improperly might have
undesirable consequences. For example, an empty DACL, where neither
Allow nor Deny has been configured, denies access to all accounts. On
the other hand, if there is no DACL then all accounts have full access.


 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
CACLS to remove security Gis Bun Security Software 2 17-06-2008 07:45 PM
Using Cacls mwcanton Security Software 1 09-06-2005 07:34 PM
CACLS - Assistance John Sargent Security Software 0 19-05-2004 08:21 PM
unexpected user account malcolm` Security Software 1 15-08-2003 12:27 PM
dx upgrade - unexpected network connection Stephen Bell Security Software 3 26-07-2003 07:37 AM


All times are GMT. The time now is 09:00 AM.