How do the names in the file security dialog map to access control masks?

Raymond Chen

Raymond

When you call up the file security dialog, you’ll see options like “Full Control” and “Read and Execute”. That’s really nice as friendly names go, but when you’re digging into the security descriptor, you may need to know what those permissions really map to when it comes down to bits. First, the summary attributes:

Friendly nameAccess maskInheritance
Full controlFILE_ALL_ACCESSCONTAINER_INHERIT_ACE + OBJECT_INHERIT_ACE
ModifyFILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | DELETECONTAINER_INHERIT_ACE + OBJECT_INHERIT_ACE
Read and executeFILE_GENERIC_READ | FILE_GENERIC_EXECUTECONTAINER_INHERIT_ACE + OBJECT_INHERIT_ACE
List folder contentsFILE_GENERIC_READ | FILE_GENERIC_EXECUTECONTAINER_INHERIT_ACE
ReadFILE_GENERIC_READCONTAINER_INHERIT_ACE + OBJECT_INHERIT_ACE
WriteFILE_GENERIC_WRITE & ~READ_CONTROLCONTAINER_INHERIT_ACE + OBJECT_INHERIT_ACE

If you go to the Advanced view, then you get much more precise control:

Friendly nameAccess mask
Traverse Folder / Execute FileFILE_TRAVERSE == FILE_EXECUTE
List Folder / Read DataFILE_LIST_DIRECTORY == FILE_READ_DATA
Read AttributesFILE_READ_ATTRIBUTES
Read Extended AttriibutesFILE_READ_EA
Create Files / Write DataFILE_ADD_FILE == FILE_WRITE_DATA
Create Folders / Append DataFILE_ADD_SUBDIRECTORY == FILE_APPEND_DATA
Write AttributesFILE_WRITE_ATTRIBUTES
Write Extended AttributesFILE_WRITE_EA
Delete Subfolders and FilesFILE_DELETE_CHILD
DeleteFILE_DELETE
Read PermissionsREAD_CONTROL
Change PermissionsWRITE_DAC
Take OwnershipWRITE_OWNER

(In the Advanced view, you control inheritance from the “Apply to” drop-down combo box.) Note that the “Delete Subfolders and Files” and “Delete” attributes together determine whether you can delete a file or subdirectory: You can delete an item either if you have DELETE permission on the item or if you have DELETE_CHILD permission on its parent. This “combo” allows you to set up a directory where everybody can create files and can delete files that they have created, while still retaining the ability as the directory’s owner to delete any file in it. You do this by granting yourself DELETE_CHILD permission on the directory and granting DELETE to CREATOR_OWNER as an inheritable attribute. Since you have DELETE_CHILD permission, you can delete anything in the directory. And since the creator/owner has DELETE permission, people can delete the files that they themselves created.

[Update 2pm: INHERIT_ONLY_ACE should be OBJECT_INHERIT_ACE.]

0 comments

Comments are closed.