[et_pb_section fb_built=”1″ fullwidth=”on” _builder_version=”4.4.1″][et_pb_fullwidth_post_title meta=”off” featured_placement=”background” _builder_version=”4.7.7″ title_font=”||||||||” title_text_color=”#ff6317″ title_font_size=”3.5em” meta_font=”|300|||||||” meta_text_color=”#ffffff” meta_font_size=”1em” background_enable_color=”off” use_background_color_gradient=”on” background_color_gradient_start=”rgba(248,248,248,0.85)” background_color_gradient_end=”rgba(248,248,248,0.75)” background_color_gradient_overlays_image=”on” min_height=”20vh” height=”400px” custom_padding=”6vh||6vh||false|false” global_module=”403″ locked=”off”][\/et_pb_fullwidth_post_title][\/et_pb_section][et_pb_section fb_built=”1″ admin_label=”intro” _builder_version=”4.4.6″ custom_padding=”|||0px||” locked=”off”][et_pb_row use_custom_gutter=”on” _builder_version=”4.4.6″ custom_margin=”||||false|false” custom_padding=”6vh||||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”||||false|false” border_color_left=”#ff6317″]<\/p>\n
When manipulating files and\/or folders, it is not only the content that matters. The files\/folders could also carry other valuable information that needs to be treated carefully. One discovers this (hopefully not the painful way) when restoring files, especially when ACLs need to be copied. Or it can hit during check-ups on an entity\u2019s access to files\/folders, or a file\u2019s\/folder\u2019s permissions.<\/p>\n
When looking for ready-made solutions to solve our internal ACL-related tasks, we discovered that there\u2019s not a single app to do what we need. We have, therefore, developed a set of mechanisms that allow us to read the original file\u2019s\/folder\u2019s access rights and replicate them on the copy file\/folder. Although this is not a tool that we can just put on the market, the set of principles and the work mode should help if you have the same struggles.<\/p>\n
If you are a sysadmin, security manager, backup personnel, or just struggle with a high volume\/high complexity system of files\/folders that\u2019s accessed by an ever-changing pool of users \u2013 welcome to our club! and read on.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” admin_label=”intro” _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”6vh||0px||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n
What are the ACLs? In shared environments, where many users and groups are allowed access to files\/folders, defining the specific rights can be pretty challenging.<\/p>\n
In the Windows ecosystem, the file\/folder rights have a generic name: ACL \/ Access Control Lists. They are actually not just lists but entire trees of rights that inherit from a group to its members (who could be individual users or groups).<\/p>\n
Here<\/a>\u2019s how the Microsoft documentation defines the various ACL-related elements:<\/p>\n If this looks complicated, let\u2019s simplify: \u201cACE defines who<\/strong> has what type<\/strong> of access to a file\/folder.<\/em>\u201d<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” admin_label=”who” _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”6vh||0px||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n So, let\u2019s talk about \u201cwho\u201d. For a home user, usually \u201cwho\u201d = \u201cme\u201d. But for shared environments, where specific information should only be visible\/editable to specific users, it can get complicated:<\/p>\n In Windows OS there are no restrictions on how groups and hierarchies of groups can be defined, so just be aware of circular indexing.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” admin_label=”what type of access” _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”6vh||0px||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n The \u201cwhat type of access\u201d part is more complicated. At first sight, it is about the access to read, access to write, etc. \u2013 but it gets more detailed than that.<\/p>\n First, here<\/a>\u2019s the Windows documentation again: “The system compares the trustee in each ACE to the trustees identified in the thread’s access token<\/a>. An access token contains security identifiers<\/a> (SIDs) that identify the user and the group accounts to which the user belongs.<\/em>“<\/p>\n So, \u201cwhat\u201d the user or group is allowed to do with the file\/folder is either defined on file\/folder level, or inherited from the parent folder, or both. For example, if we have some rights on a parent folder, and its child file\u2019s ACL is not modified to change these rights, then we will preserve the same rights on both the folder and the file. However, if the file has a different set of rights (i.e., \u201cbroken inheritance\u201d), then we will obey the new rights.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” admin_label=”what type of access” _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”6vh||0px||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text admin_label=”ACL rights” _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n Here\u2019s the list of rights at granular level:<\/p>\n FILE_READ_DATA = 0x00000001; \/\/ 1 List Folder\/Read Data \u2026And the inheritance flags:<\/p>\n FLAGS_OBJECT_INHERIT = 0x01; \u2026And finally, here are the individual permissions, grouped in a more user-friendly manner:<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” admin_label=”what type of access” _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”6vh||0px||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”||||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_gallery gallery_ids=”7443″ fullwidth=”on” hover_icon=”%%186%%” _builder_version=”4.7.7″ _module_preset=”default” max_width=”65%” module_alignment=”left”][\/et_pb_gallery][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.7.7″ custom_margin=”||||false|false” custom_padding=”||||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text _builder_version=”4.7.7″ _module_preset=”default” custom_margin=”30px||||false|false”]We, therefore, have a simple set of rights (Full Control, Modify, Read\/Execute, List, Read, Write) with simple definitions (Allowed, Not Allowed, Not defined \u2013 where Not Allowed is always stronger than Allowed).[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” _builder_version=”4.4.6″ custom_margin=”||||false|false” custom_padding=”6vh||||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text admin_label=”ACL rights” _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n Let\u2019s assume a user of both Group1 and Group2:<\/p>\n (Now imagine this simple scenario for an entire company hierarchy with hundreds\/thousands of users on a shared structure that includes Accounting, Marketing, Technical documentation, etc., and assume that individuals regularly move from a group to another based on work needs. Can you assess the work of Sysadmins to add\/delete individuals to\/from groups? The slightest imperfection in rights allocation can generate unwanted permissions to access secure information.)<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” _builder_version=”4.4.6″ custom_margin=”||||false|false” custom_padding=”6vh||||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text admin_label=”ACL rights” _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n Back to our example: the user needs to restore a previously deleted file. Although we have the original file within a backup, just copying it will not be enough because the ACLs will not be preserved in their initial form.<\/p>\n We, therefore, need to read the ACLs from the source file and restore them on destination. It is not the simplest thing to do, because the mechanism is a security breach. Therefore, writing ACLs is not possible using common libraries. (Oh well, just imagine a tool that can change ACLs for any file\/folder you want \u2013 possibly allowing access to the entire file system.)<\/p>\n What we did was to use a forked version of JCIFS (an open-source library for manipulating files), which we patched (\/expanded) to read\/write ACLs according to our needs:<\/p>\n Because the Active Directory elements are not embedded (like .Net libraries), our using of a Linux machine got us into minor complications. For example, each SID translation was made by query to the LDAP server, instead of using direct calls. Then in order to minimize the load when solving thousands of ACLs, we have used a second-level cache. (We\u2019ll not go into further details \u2013 the library is public, and we\u2019re happy to support, should you need it.)<\/p>\n So, yes! we reached our goal to put back the proper ACL for the restored files\/folders. But then, we achieved something more: because we implemented an ACL-reading mechanism, we were able to generate reports for the system administrators, such as:<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” _builder_version=”4.4.6″ custom_margin=”||||false|false” custom_padding=”6vh||||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.1″][et_pb_text admin_label=”ACL rights” _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”|20px|||false|false” border_color_left=”#ff6317″]<\/p>\n We are sure that every sysadmin has his\/her own tools to maintain the trustee hierarchies (either own build or provided directly by Microsoft). But then, who can 100% swear by their own system? So, by sharing our experiences, principles and work mode, we can hopefully make your life easier \u2013 at least when it comes to ACLs.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” gutter_width=”3″ admin_label=”\uff3f” _builder_version=”4.4.6″ custom_margin=”||||false|false” custom_padding=”4vh||8vh||false|false” border_color_left=”rgba(0,0,0,0)”][et_pb_column type=”4_4″ _builder_version=”4.4.6″][et_pb_text _builder_version=”4.7.7″ text_font=”||||||||” text_font_size=”1.1em” text_line_height=”1.6em” quote_font=”|700|||||||” quote_text_align=”left” quote_font_size=”16px” header_2_text_color=”#ff6317″ header_2_font_size=”1.5em” header_2_line_height=”0.9em” header_3_font_size=”23px” header_4_font=”||||||||” header_4_font_size=”16px” header_4_line_height=”1.5em” header_5_font_size=”14px” custom_margin=”||||false|false” custom_padding=”||||false|false” hover_enabled=”0″ border_color_left=”#ff6317″ sticky_enabled=”0″]<\/p>\n\n
ACLs: Who has access?<\/h2>\n
\n
ACLs: What type of access?<\/h2>\n
The specific ACL rights<\/h2>\n
FILE_WRITE_DATA = 0x00000002; \/\/ 2 Create Files\/Write Data
FILE_APPEND_DATA = 0x00000004; \/\/ 3 Create Folders\/Append Data
FILE_READ_EA = 0x00000008; \/\/ 4 Read Extended Attributes
FILE_WRITE_EA = 0x00000010; \/\/ 5 Write Extended Attributes
FILE_EXECUTE = 0x00000020; \/\/ 6 Traverse Folder\/Execute File
FILE_DELETE = 0x00000040; \/\/ 7 Delete Subfolders and Files
FILE_READ_ATTRIBUTES = 0x00000080; \/\/ 8 Read Attributes
FILE_WRITE_ATTRIBUTES = 0x00000100; \/\/ 9 Write Attributes
DELETE = 0x00010000; \/\/ 16 Delete
READ_CONTROL = 0x00020000; \/\/ 17 Read Permissions
WRITE_DAC = 0x00040000; \/\/ 18 Change Permissions
WRITE_OWNER = 0x00080000; \/\/ 19 Take Ownership
SYSTEM_SECURITY = 0x01000000; \/\/ 19
SYNCHRONIZE = 0x00100000; \/\/ 20 Synchronize
GENERIC_ALL = 0x10000000; \/\/ 28
GENERIC_EXECUTE = 0x20000000; \/\/ 29
GENERIC_WRITE = 0x40000000; \/\/ 30
GENERIC_READ = 0x80000000; \/\/ 31<\/p>\n
FLAGS_CONTAINER_INHERIT = 0x02;
FLAGS_NO_PROPAGATE = 0x04;
FLAGS_INHERIT_ONLY = 0x08;
FLAGS_INHERITED = 0x10;<\/p>\nACL example<\/h2>\n
\n
ACL restoring: \u201chow to\u201d<\/h2>\n
\n
\n
Conclusion<\/h2>\n
\uff3f<\/h2>\n