January 10th, 2014

How do I manually recalculate ACLs on a file based on the containing directory?

Raymond Chen
Raymond Chen

A customer wanted to move a file and have it forget all its old ACLs and instead inherit its ACLs from its new location. They found an old article of mine that said

If you use SH­File­Operation to move a file and pass the FOF_NO­COPY­SECURITY­ATTRIBUTES flag, then it will not preserve the original ACLs on the moved files but will rather recalculate them from the destination’s inheritable properties. (If you want to do the same thing in your own code, you can call the Set­Named­Security­Info function, specifying that you want an empty, unprotected DACL.)

They were having trouble implementing the recommendation in parentheses.

We set the file to have an SDDL of D:S: in order to give it an empty DACL and SACL, but instead of inheriting its ACL from the container, that gave nobody any permissions at all! How do I get this to work?

The customer was halfway there. D:S: is an empty DACL. Now they need to make it unprotected.

UNPROTECTED_DACL_SECURITY_INFORMATION The DACL inherits ACEs from the parent object.

The customer confirmed that passing that flag to Set­Named­Security­Info did the trick.

Category
Old New Thing
Topics
Code

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.

Read next