
[Question] - File/Folder Permissions


Maelstorm



CACLS.EXE

This is a tool that comes with both Windows 2000 and Windows XP (as well as Server 2003). There is an extended version called XCACLS that you can grab from the MS site.

C:\>CACLS /?
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.


You can use takeown too (if I remember, it's from the Windows 2k kit); it will allow you to "retake" the owner attribute to admin, and then you can re-configure rights without problems. I use xcacls & takeown and never have a problem; great for sharing data!

Goodbye.


I use XCACLS during my Unattended installations. It took some doing but I kinda figured out a way to keep some of the more known SpyWare and AnnoyingWare off of our PCs (we aren't allowed to run AntiSpyware software). What I do is create the folder structure where these applications normally install themselves...then I use XCACLS to remove permissions from those folders. I know it's a kludge...but it works. No more annoying WebShots installed everywhere (still not sure why they were installing that since we force the screensaver in the logon script and hide the screensaver tab on the display properties).


I use XCACLS during my Unattended installations. It took some doing but I kinda figured out a way to keep some of the more known SpyWare and AnnoyingWare off of our PCs (we aren't allowed to run AntiSpyware software). What I do is create the folder structure where these applications normally install themselves...then I use XCACLS to remove permissions from those folders. I know it's a kludge...but it works. No more annoying WebShots installed everywhere (still not sure why they were installing that since we force the screensaver in the logon script and hide the screensaver tab on the display properties).

Because Webshots is more than a screen saver. It's an image manager that works with their website and can set the background image on the desktop. I use it on my home machines. It's pretty nice for free software.

Edited by Maelstorm

I have another issue dealing with filesystem permissions and ACLs. The problem is that I have a directory to which every user has write access. The file hierarchy is as follows:

\Program Files
    User Installed Software
        Software Archive
            Adabas
            StarOffice
            Winamp
        User ID #1
            Adabas
            StarOffice
            Winamp
            Some other user installed program
        User ID #2
            Adabas
            StarOffice
            Winamp
            Some other user installed program
        User ID #3
            Adabas
            StarOffice
            Winamp
            Some other user installed program

This is for programs that must be installed on a per-user basis. That's why this directory exists. Now the problem is all users must have write access to the User Installed Software directory in order for the initial logon script to create their directory and take ownership of it. They also have read only access to the Software Archive directory. I'm sure that you can see the security implications of this arrangement.

I've been thinking of a solution to this problem, but I'm not coming up with anything. The main problem seems to be that the User Account management interface in the Control Panel does not offer any "hooks" so that, after it creates an account, it calls a specified script to perform user-specific functions before their initial logon. That would be ideal, because then the initial logon script could just ask the user if they want to install the software.

I have thought about using a command-line script to create the user id, create their software directory, set them as the owner, and give them full control of it. But the problem here is that I cannot set the owner to anyone except myself as the administrator. This means that the initial login script will have to take ownership of the directory when it runs.

My questions are as follows:

1) After I create the user program directory, how do I set the ownership to that user?

2) Is there a way to tell the user accounts applet in the control panel to execute a script when a user is created? This should preferably work with the old Win2K user management interface.

3) Is there a better way of doing this? Am I barking up the wrong tree here?
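One way to take the write access off the shared parent entirely is to provision each user's folder from the administrator's side instead of from the logon script. The following Windows PowerShell script is an added example, not code from this thread or from Microsoft; it uses the .NET DirectorySecurity API rather than CACLS or SubInACL, must run elevated (setting an owner other than yourself needs the SeRestorePrivilege that Administrators hold), and the root path and the account name are placeholders.

```powershell
# Added example (not from the thread): provision a per-user software folder
# so that Users keep read-only access to the shared parent while each user
# owns and fully controls only their own subfolder. Run elevated.
$ErrorActionPreference = 'Stop'

# ContainerInherit + ObjectInherit is what CACLS prints as (CI)(OI):
# the ACE flows to subfolders and files below the folder it is set on.
$script:InheritBoth = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$script:NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$script:Allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule {
    param([string] $Identity, [System.Security.AccessControl.FileSystemRights] $Rights)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $script:InheritBoth, $script:NoProp, $script:Allow
}

function Protect-SharedParent {
    # The parent only needs to be browsable: Users get read/execute, never write.
    param([string] $Root)
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from \Program Files, drop copied ACEs
    foreach ($broad in 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount] $broad)   # remove any explicit write grants
    }
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Users' 'ReadAndExecute'))
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    Set-Acl -Path $Root -AclObject $acl
}

function New-UserSoftwareFolder {
    # Creates <Root>\<username>, makes that user the owner and gives them Full Control.
    param([string] $Root, [string] $UserAccount)   # $UserAccount e.g. 'MYDOMAIN\jsmith' (placeholder)
    $userDir = Join-Path $Root ($UserAccount.Split('\')[-1])
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null

    $acl = Get-Acl -Path $userDir
    $acl.SetAccessRuleProtection($true, $false)   # do not inherit the parent's read-only ACEs
    $acl.AddAccessRule((New-AllowRule $UserAccount 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    # Question 1 in the thread: ownership goes to the user, not to the admin running this.
    $acl.SetOwner([System.Security.Principal.NTAccount] $UserAccount)
    Set-Acl -Path $userDir -AclObject $acl
    return $userDir
}

# Usage with placeholder values:
$root = 'C:\Program Files\User Installed Software'
Protect-SharedParent -Root $root
New-UserSoftwareFolder -Root $root -UserAccount 'MYDOMAIN\jsmith'
```

Because the folder already exists and is owned by the user before first logon, the logon script no longer has to create it or take ownership, so the parent can stay read-only for everyone but administrators. The same functions can be run from whatever script you already use to create the account, which covers question 2 without needing a hook in the Control Panel applet.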


If you need finer control of permissions and ownership check out SubInACL. It's another utility from MS that gives you more options. It has a steep learning curve compared to CACLS/XCACLS though.

As for the other issue with write access in a subfolder where they only have read to the parent...this is very much possible. Just make sure that either "Everyone" or "Authenticated Users" (preferably) is in the "Bypass traverse checking" security option of gpedit.msc.
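To check that the arrangement described above actually holds (read-only parent, write access only inside each user's own subfolder), the following Windows PowerShell audit is an added example, not code from this thread. It reads each folder's ACL through Get-Acl and reports every Allow ACE that carries the create-file or create-folder bits; the root path is a placeholder.

```powershell
# Added example (not from the thread): list who can create files or folders at
# each level of the shared tree and warn when a broad group has write on the parent.
$script:BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-WriteGrants {
    param([string] $Path)
    # On a folder, CreateFiles is the WriteData bit and CreateDirectories the AppendData bit.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Flags     = $ace.InheritanceFlags   # ContainerInherit/ObjectInherit = CI/OI in CACLS output
            Broad     = ($script:BroadPrincipals -contains $ace.IdentityReference.Value)
        }
    }
}

function Test-SharedTree {
    param([string] $Root)
    $findings = @(Get-WriteGrants -Path $Root)
    foreach ($sub in Get-ChildItem -Path $Root -Directory) {
        $findings += Get-WriteGrants -Path $sub.FullName
    }
    $findings | Format-Table -AutoSize
    # A broad group with write on the root is exactly the exposure the thread describes.
    $findings | Where-Object { $_.Broad -and $_.Path -eq $Root } |
        ForEach-Object { Write-Warning "Broad write access on parent: $($_.Principal)" }
}

Test-SharedTree -Root 'C:\Program Files\User Installed Software'
```

The report only lists Allow entries; a Deny ACE on the same principal would override an Allow shown here, so read the full output of Get-Acl for any folder the audit flags. Because users keep read access on the parent in this layout, they can reach their subfolder without relying on "Bypass traverse checking", but that setting is what lets them get there if the parent is ever tightened to no access at all.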


I'll check that tool out. Turns out that I have the SOURCE CODE for the takeown tool. It was in the Platform SDK that I have loaded on my machine for my software development stuff. I went through the source code, and it doesn't really do what I want it to do. All it does is set the owner to the Administrator and allows everyone full control over the filesystem object.


TAKEOWN only gives ownership to the Administrators group or the current user. You can specify a user, but you have to know that user's password. This is perfect for your own account, but I believe he wants to give ownership of certain directories to the user the directory belongs to, and I doubt he knows all of his users' passwords. :)

SubInACL allows you to specify who you are giving ownership to, which I believe is what he wants to do.

As an aside...if you're using Quota Management directory/file ownership management is a must. The quotas are determined by which directories/files the user is an owner of.
