Tools DB





Tool details: FILEACL


File name: fileacl.rar

Size: 38.82 kb

FILEACL, Copyright Guillaume Bordier 1999, gbordier@gbordier.com or g_bordier@hotmail.com
Display/Modify File permissions (local and remote)
Running Windows NT 5.1 Service Pack 1
usage : 
fileacl.exe <File/Directory> [/{S|G|R|T|O} {trustee}:[!][mask][/[!]mask][/[!]mask] [options]
or : 
fileacl.exe <File/Directory> [/{S|G|R|T|O} {trustee}:[mask][:Inheritance[/Inheritance]...] [options]
mask = {U,R,Rr,Re,Ra,W,Ww,We,Wa,A,P,p,X,Dc,D,F}|0xXXXXXX}
inheritance can be given using XCALCS style : IO,OI,NP,CI,FO
 or explorer like abbreviations  : F,FF,FSF,FSFF,SFF,SF,NP
/G=Grant /S=Set	/R=Revoke /T=Suppress DENY Aces /O change owner /D Deny
U=Unspecified	R=Read	W=Write	X=Execute	F=Full Control	D=Delete	Dc=Delete Child	O=Take Ownership	P=Set Permissions
Warning : for same inheritance, Grant is additive, Set is not (better use /S).
 Mask can be a letter-coded permissions string or an Hexadecimal mask

Display mode Options
/ADVANCED		Show detailled right 
/LINE		operate in single-line mode display all ACEs on a file or directory on One row
/OWNER		Get the owner name as well 
/NOINHERITED	 do not print inherited rights
/SIMPLE	 Merge inherited and direct ACL
/BATCH	 Generate a batch file for reapplying the same permissions, use with /SUB
/BATCHREAL	 Same as /BATCH, generate a protected ACL for the given root dir 
/RAW[SID|MASK]	Show the RAW ACE SID and/or Mask
/RAWSECDESC	[WIN2K] Show the RAW Security Descriptor 
		with Textual Form ou may use this to generate Win2K 
		securitytemplates and apply them with secedit
/QUOTE	add quotes to file and directory names

Change mode options
/PROTECT	 This permissions will be protected from upper levels permissions propagation [WIN2K]
/INHERIT	 Force Propagation from upper levels [WIN2K]
/REMOVEDENY	 Remove all DENY Aces
/NOROOT	 use with /SUB, apply rights to all subdirs/subfile except the root dir
/REPLACE	deletes existing ACL and replace with specified (SET )

Both mode options
/SUB[:n] 	treats n levels of subdirectories as well
/FILES		treats files in directories as well
/NODIRS		treats files only (/FILES implicit)
/FORCE		uses SeBackupPrivilege and SeRestorePrivilege to Treat Objects without any rights nor ownership
/NT4	 Enforce NT 4.0 compatibility for Write Masks later version will test dest computer
 Rarely used :
/DEBUG	 give debug information
/VERBOSE	 give [many] debug information
/MANUALACE	 Create Ace manually (do not use SetEntriesinACL, default for NT4)
/USEOLDSEC	 Use SetFileSecurity instead of SetNamedSecurity, default for NT4
 Warning REPLACE deletes existent ACL on file !

For Directories, permissions can be written with 3 different format 

Let's first define "inheriting" :
  -Inheriting files are files that will be created in the future in that directory
  -Inheriting directories are sub directories that will be created in the future in that directory
  -After W2K inheriting also means permissions applied to existing files and directories
Moreover, If you ask fileacl to apply to all existing files and subdirectories 
it will use  these inheriting Rights to apply to all subdirectories and files
XXXX means XXXX is the permissions for the directory, the inheriting Files and Sub-directories
XXXX/YYYY means as usual : XXXX is the permissions for the directory and 
inheriting Sub-directories, YYYY for the permissions on inheriting files.
XXXX/YYYY/ZZZZ means : XXXX is the permissions for the directory, YYYY is the 
permission for inheriting files (files that will be created later), and ZZZZ is the permission for inheriting 
to put non heritable permissions, use XXXX/U/U, to put inherit-only permissions, use U/XXX/ZZZ

Adding '!' before permissions will prevent them to propagate beyond the first 
level like checking the "apply permissions to objects and containers in this 
folder only"
you also can give one mask and set the inheritance you want using to ways
1) a combination of XCACLS style keywords
	CI : Container Inherit
	OI : Object Inherit
	IO : Inherit Only
	NP : Non propagation beyond first level
2)an abbreviation of explorer inheritance selection box terms
	FO : Folder only (no inheritance)
	F : Files only (inherited to files)
	FF : Folder and files
	SF : SubFolders 
	SFF : SubFolders and files 
	FSFF : Folder and subfolders and files (default)
	FSF : Folder and subfolders
	NP : Non propagation beyond first level
Those should be placed after the access mask separated by a colon ":" 
and separatedfrom other inheritance flags with a slash "/"
example : 
	FILEACL c:\temp /s user:R:OI/NP
	FILEACL c:\temp /s user:R:FF/NP
	FILEACL c:\temp /s user:R/!R/U
NOTE: inheriting items are items created under the current directory
AFTER the application of new permissions
With W2K and later, this permissions also propagate to the existing items also

Ex: FILEACL \\testsrv\d$\testacl /S domain\user1:RWXD/W/RX /S administrators:F 
will set Full right and inheritance on \\testsrv\d$\testacl for administrators
and Modify right on the directory, write only on created files, and RX on created directories
NOTE for v2.4 and above : To use the /FORCE directive, the user need SeRestorePrivilege, SeBackupPrivilege and SeTakeOwnershipPrivilege from the user manager for the server 
New with 2.5, you can now give a TEXTUAL SID instead of the username and an Hexa mask (0x1000000) instead of a text mask
2.6 is W2K compatible it checks local machine for W2K, when you set perms from a
W2K Workstation to an NT4 server, be sure to use /NT4 otherwise, WRITE masks 
may not show In NT4 GUI
WIN2K : Autopropagation feature : keep the protected/unprotected (agains propagation) status of the permission
unless /PROTECT or /INHERIT is given

d:\test;Administrators:F[I]	 Administrators have Full Control from Autopropagation([I]) 
d:\test;Everyone:F/RW	Everyone has Full Control over this directory and future sub-directories and RW on future Files
d:\test;Guest:F/W/R	Guest has Full Control in the dir, W on future files, and Read on future subdirs

Detailed Permissions Mapping
U	:no right, use to set permissions with special inheritance
Rr	: Read Data / List Directory (FILE_READ_DATA)
Ww	: Write Data / Add Files to directory (FILE_WRITE_DATA )
Ra/Wa	: Read / Write Attributes  (file or dir, Read-only, Hidden ...)
Re/We	: Read / Write Extended Attributes (compressed, encrypted ..)
p/P	: Read / Write Permissions
A	: Append data to file / Add subdir  to directory
D	: Delete File / Delete Dir 
Dc	: Delete Child (sub file/sub dir)
X	Execute File/ CD to dir

R = Rr+Ra+Re+p 
W = Ww+A+Wa+We (NT4 : W=Ww+A+Wa+We+P+p
 File Deletion is performed if : 
Parent dir has Rr and Dc access OR file has D (not Dc)
Minimum Access for reading a file is Rr on parent dir and RrRep on file
Minimum Access for saving an open file is Rr on parent and RrRepW on file 
Minimum Access for creating new file is Ww on parent dir
Minimum Access for creating new dir is A on parent dir
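
Added example (not part of FILEACL or its help text): a small decoder for auditing FILEACL command lines. It expands a letter-coded mask into the underlying Windows access-mask bits and turns the inheritance keywords into ACE flags. It covers the `trustee:mask[:inheritance]` form only. The bit values are the standard winnt.h constants; mapping `F` to FILE_ALL_ACCESS and the Explorer abbreviations to the usual "Apply to" flag combinations are assumptions, as are the function names.

```python
import re

# Standard winnt.h file access rights behind FILEACL's letter codes.
RIGHTS = {
    "Rr": 0x000001,  # FILE_READ_DATA / list directory
    "Ww": 0x000002,  # FILE_WRITE_DATA / add file
    "A":  0x000004,  # FILE_APPEND_DATA / add subdirectory
    "Re": 0x000008,  # FILE_READ_EA
    "We": 0x000010,  # FILE_WRITE_EA
    "X":  0x000020,  # FILE_EXECUTE / traverse
    "Dc": 0x000040,  # FILE_DELETE_CHILD
    "Ra": 0x000080,  # FILE_READ_ATTRIBUTES
    "Wa": 0x000100,  # FILE_WRITE_ATTRIBUTES
    "D":  0x010000,  # DELETE
    "p":  0x020000,  # READ_CONTROL (read permissions)
    "P":  0x040000,  # WRITE_DAC (write permissions)
    "U": 0, "F": 0x1F01FF,  # U = no rights; F assumed to be FILE_ALL_ACCESS
}
# Composite letters, expanded as the mapping above states (non-NT4 form of W).
RIGHTS["R"] = RIGHTS["Rr"] | RIGHTS["Ra"] | RIGHTS["Re"] | RIGHTS["p"]
RIGHTS["W"] = RIGHTS["Ww"] | RIGHTS["A"] | RIGHTS["Wa"] | RIGHTS["We"]
# ACE inheritance flags; Explorer abbreviations mapped as assumed in the lead-in.
OI, CI, NP, IO = 0x1, 0x2, 0x4, 0x8
INHERIT = {"OI": OI, "CI": CI, "NP": NP, "IO": IO, "FO": 0, "F": OI | IO,
           "FF": OI, "SF": CI | IO, "SFF": CI | OI | IO, "FSFF": CI | OI,
           "FSF": CI}

# Longest code first so "Rr" is not read as "R" followed by a stray "r".
_TOKEN = re.compile("|".join(sorted(RIGHTS, key=len, reverse=True)))

def decode_mask(text):
    """Return the access mask for a letter-coded or 0x-prefixed mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    tokens = _TOKEN.findall(text)
    if "".join(tokens) != text:
        raise ValueError(f"unknown permission code in {text!r}")
    mask = 0
    for tok in tokens:
        mask |= RIGHTS[tok]
    return mask

def decode_spec(spec):
    """Split 'trustee:mask[:inheritance]' into (trustee, mask, ace_flags)."""
    trustee, mask, *inh = spec.split(":")
    flags = 0
    for word in (inh[0] if inh else "FSFF").split("/"):  # FSFF is the default
        flags |= INHERIT[word.upper()]
    return trustee, decode_mask(mask), flags
```

`decode_spec("user:R:OI/NP")` and `decode_spec("user:R:FF/NP")` return the same tuple, which shows that the two example commands above request the same ACE.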
