[ Index ] |
PHP Cross Reference of Unnamed Project |
[Summary view] [Print] [Text view]
1 SetACL by Helge Klein 2 3 Homepage: http://setacl.sourceforge.net 4 Version: 2.0.2.0 5 Copyright: Helge Klein 6 License: GPL 7 8 -V-E-R-S-I-O-N--2.0.2.0----------------------------------------------------------------------- 9 10 a) New features: 11 12 - Added a parameter "-ignoreerr" which causes SetACL to ignore errors when reading/setting 13 the security descriptor of an object. This can be useful when recursively working with 14 large directory trees, but please use this feature only after thorough consideration. 15 16 - The list function now displays control information from the security descriptor in CSV 17 and TAB formats, too. Specifically, the auto_inherited and protected flags are displayed 18 for DACL and SACL. 19 20 - SetACL now supports very long paths, specifically paths longer than MAX_PATH which is 260 21 characters. This is done by prepending the following to the path: 22 23 - "\\?\" for local paths 24 - "\\?\UNC\" for UNC paths 25 26 This can be seen when listing permissions. 27 28 - SetACL now always disticts correctly between "c:" and "c:\". The former is called a 29 "local file system root" while the latter is the directory "\" on drive c:. List 30 permissions for both and you will see the difference. The latter corresponds to what you 31 get when you right click on c: in Explorer and select Properties -> Security. I am not 32 too sure what the former actually represents, but the documentation states that 33 permissions set on such a local file system root are discarded upon the next reboot. 34 35 b) Changed features: 36 37 - The log function (invoked with the parameter -log) now checks whether the log file already 38 exists. If yes, SetACL appends to the log instead of replacing it. This makes it easier 39 to use SetACL in a loop or batch file. 40 41 - Restore: When a file or directory does not exist any more, SetACL logs this and continues 42 with the next file/dir. 43 44 - The list function now only lists a directory name, if there is something to see. Before, 45 the typical large directory tree with permissions set only on a few dirs would amount to 46 a large listing only showing dirs without any permissions. Now these dirs are not shown 47 any more and the listing is much easier to read. 48 49 c) Bugfixes: 50 51 - NULL SDs are now handled correctly: 52 53 According to MS's documentation NULL security descriptors (meaning there is no security on 54 the object) _should_ not exist on W2k and newer, except for the admin shares (ie. c$). 55 One way of creating an object without a SD is to use tools that use the old low-end 56 security API, like "net share". This creates a share with a NULL SD. SetACL now handles 57 these cases in the following way: 58 59 - When listing permissions, a line like the following is displayed (SetACL continues 60 after that: 61 62 ERROR reading SD from <\\server\c$>: The object has a NULL security descriptor 63 64 - When setting permissions, above error message is displayed, too, but SetACL creates a 65 new empty SD and proceeds as specified. 66 67 - Fixed bug 867350: The actions 'trustee' and 'domain' now only read the SACL if SACL 68 processing has been implicitly specified. This means that the privilege SE_SECURITY_NAME is 69 only needed when you want the SACL to be processed. Previously the SACL was always read 70 (even if no processing was necessary) resulting in the need for abovementioned privilege. 71 72 -V-E-R-S-I-O-N--2.0.1.0----------------------------------------------------------------------- 73 74 a) Bugfixes: 75 76 - Fixed bug 794820: If a trustee did not exist in the domain specified, but in a trusted 77 domain, the account from the trusted domain was used. Now, only accounts from the domain 78 or computer specified are used. 79 80 - Fixed bug 800866: Listing admin shares (e.g. c$) caused an access violation. This 81 was probably due to the fact that these shares have no security descriptor. SetACL does 82 not crash any more, but accessing admin shares still is not possible. 83 84 - Fixed bug 801189: Access violation with nonexistent user and logging enabled. 85 86 - Fixed bug 805067: Object paths only one character long were not supported. 87 88 b) New features: 89 90 - Added an action 'domain' similar to 'trustee': With it you can copy permissions from one 91 domain to another, replace permissions from domainA by permissions from domainB, or 92 remove all permissions from a certain domain. This should make domain migrations a lot 93 easier. 94 95 c) User interface: 96 97 - Two new default values for action 'ace': You do not have to specify the mode (set, grant, 98 ...) or whether to apply to DACL or SACL any more, if you simply want to set permissions 99 in the DACL. Thus simple ACE strings can now be shortened from: 100 101 -ace "n:domain\user;p:read;m:set;w:dacl" 102 103 to 104 105 -ace "n:domain\user;p:read" 106 107 -V-E-R-S-I-O-N--2.0.0.6----------------------------------------------------------------------- 108 109 a) Bugfixes: 110 111 - Fixed bug 783703: Compiler warning with VC++ 7.1 due to signed/unsigned mismatch. 112 113 - Fixed bug 787612: SetACL could crash under certain circumstances (for example, when setting 114 the owner) due to incorrect pointer handling / freeing memory. 115 116 -V-E-R-S-I-O-N--2.0.0.5----------------------------------------------------------------------- 117 118 a) Bugfixes: 119 120 - Fixed a bug with action "reset children" which was introduced in 2.0.0.3: the object itself 121 was also reset, not only it's children. 122 123 - Fixed bug 776277: when using one of the three trustee actions (remove/replace/copy trustee) 124 with more than one trustee (ie. remove all ACEs belonging to two different trustees) it 125 could happen that too many ACEs were affected by the operation. 126 127 - Fixed bug 778943: When using a command like: 'SetACL -on c:\test -ot file -actn ace -ace 128 "n:everyone;p:read;m:set;w:dacl" -rec cont_obj' SetACL correctly walked down the tree and 129 displayed the objects it should be processing, but permissions were applied to the base 130 object only. 131 132 - Fixed bug 780246: This is related to bug #778943. Due to recursion not working correctly 133 resetting child objects took very (!) long and did not process all child objects. 134 Additionally the parameter "-rst <Where> was partly ignored. 135 136 -V-E-R-S-I-O-N--2.0.0.4----------------------------------------------------------------------- 137 138 a) Setting permissions: 139 140 - Disabled a new "feature" I introduced in version 2.0.0.3 regarding the use of restore 141 privileges: 142 143 All read/write operations from/to the ACL/security descriptor were moved to the new class 144 CSD in 2.0.0.3. The function CSD::SetSD () is now the single spot where write operations to 145 the SD are performed. In SetSD () I first tried to set the SD via SetKernelObjectSecurity() 146 which can write the SD without performing access checks, i.e. you could set permissions 147 on objects you have no access to and do not own. The BIG disadvantage of 148 SetKernelObjectSecurity() is that it is a low-level security API function and therefore does 149 not handle inheritance at all: permissions are not propagated to sub-objects, and the 150 "inherited" flag of the object's ACEs is not set/cleared as necessary. Since SetACL does 151 not do this either, this normally results in incorrect ACLs. 152 153 SetKernelObjectSecurity () is not used any more; SDs are set the way they were before 154 version 2.0.0.3. 155 156 b) Bugfixes: 157 158 - Fixed Bug 773933: The exception handling in Split () was incompatible with Visual C++ 7.1. 159 This has been corrected. 160 161 - Fixed a bug: the security descriptor is now only written to the object if there have been 162 actual changes. Before, it could happen that by writing to the SD the SD's control bits 163 were cleared, resulting in the deletion of the "auto inherited" bit. This was a minor bug 164 which had no severe consequences and occured only under special circumstances. An example 165 that invoked the bug follows here: 166 167 SetACL.exe -on c:\temp\test1 -ot file -actn setprot -op "dacl:nc" 168 169 -V-E-R-S-I-O-N--2.0--f-i-n-a-l-(2-0-0-3)------------------------------------------------------ 170 171 a) Listing permissions 172 173 - Use of privileges: permissions are displayed even if access is denied to the object in 174 question. This works in the (local and remote) file system and in the local registry. 175 The privilege "SeBackupPrivilege" is needed for this. 176 177 - If access to an object is denied and the "SeBackupPrivilege" is not held, the object in 178 question is ignored and SetACL proceeds with the next object. 179 180 b) Setting permissions 181 182 - Use of privileges: permissions are set even if access is denied to the object in 183 question. This works in the (local and remote) file system and in the local registry. 184 The privilege "SeRestorePrivilege" is needed for this. 185 186 - If access to an object is denied and the "SeRestorePrivilege" is not held, the object in 187 question is ignored and SetACL proceeds with the next object. 188 189 c) Various changes 190 191 - Fixed bug 738227: A missing section ("Where") on the help page (printed when 192 "setacl -help" is typed) has been added. 193 194 - Fixed bug 745861: The SYNCHRONIZE flag was set on auditing ACEs, too, which resulted in 195 all kinds of access being audited, not only the type specified. 196 197 - Fixed bug 739013: If enabling the backup and restore privileges failed, the program would 198 exit with an error. This effectively limited the use of SetACL to administrators. 199 Now, if these privileges cannot be enabled, only an info message is displayed. 200 201 - Fixed a bug: When resetting permissions using action -rstchldrn the parameter "-rst Where" 202 was ignored. 203 204 - Fixed bug 761666: When setting "man_docs" or "full" permissions on printers a third, 205 unnecessary ACE (which had no effect) was generated. 206 207 - If SetACL is run on an unsupported OS version an error message is displayed and the program 208 exits cleanly. 209 210 -V-E-R-S-I-O-N--2.0--B-e-t-a--2--------------------------------------------------------------- 211 212 a) Listing permissions 213 214 - The listing is written to the screen, too, if not in silent mode. 215 - If a backup file is specified, a listing in UNICODE format will be written there. If not, 216 the listing is written to the screen only. In other words, the parameter '-bckp' is 217 optional. 218 - List options need only be set if the default values (csv format, list only DACL, do not 219 list inherited permissions) are not suitable. In other words, the parameter '-lst' is 220 optional. 221 - Inherited permissions are listed only if explicitly specified in the list options (e.g.: 222 -lst "f:own;w:d;i:y"). 223 - Owner and primary group are now listed in own format, too, if requested. 224 - The "own" list format has been renamed to "csv". 225 - A third, tabular, list format has been added: "tab". 226 - Trustees can now be listed using their names, SIDs, or both. 227 228 b) Various changes 229 230 - Several unnecessary newlines removed from output. 231 - Standard permission "list_folder" (file system) was not implemented correctly. Now it works 232 as expected. This bug with the ID 737212 has been fixed. 233 234 -V-E-R-S-I-O-N--2.0--B-e-t-a--1--------------------------------------------------------------- 235 236 This is the first public beta version of SetACL version 2. Please visit the program's homepage 237 for information, bug reports, feature requests, and general discussion.
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated: Tue Mar 17 22:47:18 2015 | Cross-referenced by PHPXref 0.7.1 |