Archive: [AccessControl] Set only file permissions?


[AccessControl] Set only file permissions?
I'm trying to set both folder and file NTFS permissions.

This is what I've tried so far:


AccessControl::GrantOnFile "$INSTDIR\PHP" $WebUser "GenericRead + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR\PHP" "Everyone" "GenericRead + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR\PHP\uploadtemp" $WebUser "GenericRead"
AccessControl::GrantOnFile "$INSTDIR\PHP\uploadtemp" $WebUser "ReadData + WriteData + Execute"
AccessControl::GrantOnFile "$INSTDIR\PHP\sessiondata" $WebUser "GenericRead"
AccessControl::GrantOnFile "$INSTDIR\PHP\sessiondata" $WebUser "ReadData + WriteData + Execute"


Unfortunately, the resulting permissions are not what I want. I want the $WebUser / Everyone accounts to have Read access to all folders/files in $INSTDIR\PHP -- this is done properly.

I also want only the $WebUser account (i.e. IUSR_TEST2) to have ONLY GenericRead permissions on the $INSTDIR\PHP\uploadtemp directory. Additionally, I want it to have Read/Write/Execute rights ONLY on files in that directory. It seems the AccessControl plugin always uses an "Apply To" of This folder, subfolders, and files. For the $INSTDIR\PHP\uploadtemp folder I want an "Apply To" of Files only.

Here is a detailed listing of the relevant applied permissions from the script above [sessiondata omitted] (obtained with the Sysinternals AccessChk tool):

c:\php\sessiondata
  RW TEST2\IUSR_TEST2
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        FILE_APPEND_DATA
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        FILE_WRITE_DATA
        SYNCHRONIZE
        READ_CONTROL
  R  Everyone
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL


While it's not a really big deal that they're not applied as granularly as I want, it would be a good idea to apply them correctly for security reasons.

Any ideas on how to accomplish what I'm after?

From the simple test I did:

CreateDirectory "$instdir\uploadtemp"
WriteIniStr "$instdir\uploadtemp\file.ini" a b c
AccessControl::GrantOnFile "$INSTDIR\uploadtemp\" $WebUser "GenericRead|GenericWrite"
pop $0
DetailPrint $0
AccessControl::DenyOnFile /NOINHERIT "$INSTDIR\uploadtemp" $WebUser "DeleteChild|AddFile|AddSubdirectory"
pop $0
DetailPrint $0
seems to work (I can edit file.ini, but not create new files; not sure if this is what you wanted, but you should be able to tweak this a bit). From what I can tell, you have to specify the permissions for the folder/files first, then strip off permissions for just the parent folder.
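The "Apply To: Files only" setting the original post asks for is just a pair of ACE inheritance flags, and the same result can be verified (or set directly) from PowerShell after the installer has run. This is an added example, not code from the thread or from the AccessControl plugin; it assumes the folder is C:\php\uploadtemp and the web account is TEST2\IUSR_TEST2, as in the accesschk listing above.

```powershell
# Constructed example: give the web user read on the folder itself and
# read/write on files only, then check that no allow ACE still lets that
# user create files or subfolders in the folder.
$folder = 'C:\php\uploadtemp'   # assumed; $INSTDIR\PHP\uploadtemp in the installer
$user   = 'TEST2\IUSR_TEST2'    # assumed $WebUser, taken from the accesschk output

# An ACE's "Apply To" is encoded in InheritanceFlags / PropagationFlags:
#   This folder, subfolders and files -> ContainerInherit, ObjectInherit / None
#   This folder only                  -> None / None
#   Files only                        -> ObjectInherit / InheritOnly
$readFolder = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, 'ReadAndExecute',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    'Allow')
$rwFiles = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, 'ReadAndExecute, Write',
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    'Allow')

$acl = Get-Acl -Path $folder
# SetAccessRule replaces the user's explicit Allow ACEs (inherited ones stay);
# this is the "overwrite existing entries" behaviour rather than an additive grant.
$acl.SetAccessRule($readFolder)
$acl.AddAccessRule($rwFiles)
Set-Acl -Path $folder -AclObject $acl

# True when the user's write access applies to files only. Inherited ACEs are
# included on purpose: an inheritable grant from the parent counts too.
function Test-FilesOnlyWrite {
    param([string]$Path, [string]$Identity)
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $rules = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }
    foreach ($r in $rules) {
        # InheritOnly means the ACE is not applied to the folder it sits on
        $appliesToFolder = ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0
        # CreateFiles = FILE_ADD_FILE, CreateDirectories = FILE_ADD_SUBDIRECTORY
        $grantsCreate = ($r.FileSystemRights -band $create) -ne 0
        if ($appliesToFolder -and $grantsCreate) { return $false }
    }
    return $true
}
Test-FilesOnlyWrite -Path $folder -Identity $user
```

Running the check against the sessiondata listing above would return False, since that ACE carries FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY on the folder itself.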

Ah, that /NOINHERIT switch should be documented more. If one doesn't use that, security isn't applied/removed correctly at all on single files.


Use SetOnFile not GrantOnFile to overwrite existing access control entries of a trustee.

Stu


Just ran across this for another project... it would be helpful if you referenced this MSDN page in your readme / wiki

SID Strings


This page would be a better example:
Well-known security identifiers in Windows operating systems

Stu


While that's true, in your examples you use "BU". That "Well-known security identifiers in Windows operating systems" page doesn't make any reference to what BU is. The page I linked to explains / lists all the options.