Tuesday, January 31, 2012

icacls gripes and moaning

icacls is quite useful for setting permissions. Its save and restore feature is almost very useful. I say “almost” because it is annoyingly narrow: it is not possible to directly transfer permissions from one file to another, differently-named file. The save file records the exact file name alongside the permission string (the SDDL), so a restore only ever targets the file the permissions came from.

This makes sense for making bulk permission copies from one source to another. However, it’s annoying if your goal is to use one file as a “template” for the permissions of another file.

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    stores the DACLs for the files and folders that match the name
    into aclfile for later use with /restore. Note that SACLs,
    owner, or integrity labels are not saved.

The documentation is also erroneous. It claims that saved permissions do not include integrity level information. This is false: in the session below, the Low integrity label set on low is written into acl.txt as the S:(ML;;NW;;;LW) entry and comes back when the file is restored onto destination.

C:\Temp\IntegrityTest>copy con low
^Z
        1 file(s) copied.

C:\Temp\IntegrityTest>dir
 Volume in drive C has no label.
 Volume Serial Number is 3A16-AD98

 Directory of C:\Temp\IntegrityTest

31/01/2012  04:00    <DIR>          .
31/01/2012  04:00    <DIR>          ..
31/01/2012  04:00                 0 low
               1 File(s)              0 bytes
               2 Dir(s)  534,558,851,072 bytes free

C:\Temp\IntegrityTest>icacls low
low BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
    NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>icacls low /setintegritylevel l
processed file: low
Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>icacls low
low BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
    NT AUTHORITY\Authenticated Users:(I)(M)
    Mandatory Label\Low Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>copy con destination
^Z
        1 file(s) copied.

C:\Temp\IntegrityTest>icacls destination
destination BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>icacls low /save acl.txt
processed file: low
Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>type acl.txt
low
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)S:(ML;;NW;;;LW)

C:\Temp\IntegrityTest>notepad acl.txt

C:\Temp\IntegrityTest>type acl.txt
destination
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)S:(ML;;NW;;;LW)

C:\Temp\IntegrityTest>icacls . /restore acl.txt
processed file: .\destination
Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>icacls destination
destination BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            Mandatory Label\Low Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files

C:\Temp\IntegrityTest>
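The save, edit-the-name, restore sequence from the session above, scripted as an added PowerShell example (not code from the original post). It assumes the single-file save layout seen above (one name line followed by one SDDL line, in UTF-16, which is what the notepad edit relied on) and uses a scratch file under $env:TEMP.

```powershell
<#
  Added example: use one file as a permissions "template" for another by
  rewriting the name line of an icacls /save file, then restoring it.
  Assumption: a single-file save is two lines (name, SDDL) in UTF-16.
  Handles one file only; a /T save holds several name/SDDL pairs.
#>
param(
    [Parameter(Mandatory)][string]$Template,   # file whose DACL and label are copied
    [Parameter(Mandatory)][string]$Target      # file that receives them
)
$ErrorActionPreference = 'Stop'
$templateItem = Get-Item -LiteralPath $Template
$targetItem   = Get-Item -LiteralPath $Target
$aclFile      = Join-Path $env:TEMP 'acl-template.txt'

# 1. Save the template's DACL. As the post shows, the SACL integrity label
#    is written too, contrary to the icacls help text.
& icacls $templateItem.FullName /save $aclFile /Q | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /save failed for $Template" }

# 2. The save file names the exact file it came from; swap in the target's
#    leaf name so /restore applies the same SDDL to a different file.
$lines = @(Get-Content -LiteralPath $aclFile -Encoding Unicode)
if ($lines.Count -lt 2) { throw "unexpected save-file layout in $aclFile" }
$sddl = $lines[1]
if ($sddl -match 'S:\(ML;') {
    Write-Host "template carries an integrity label (SACL ML entry); it will be copied"
}
Set-Content -LiteralPath $aclFile -Encoding Unicode -Value @($targetItem.Name, $sddl)

# 3. /restore resolves the names in the save file relative to the directory
#    argument (the post used '.' from inside the directory), so pass the
#    target's directory.
& icacls $targetItem.DirectoryName /restore $aclFile /Q | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed for $Target" }
Remove-Item -LiteralPath $aclFile

# 4. Show the result; a Mandatory Label line should now appear on the target
#    whenever the template had one.
& icacls $targetItem.FullName
```

Run it as `.\Copy-AclTemplate.ps1 -Template .\low -Target .\destination` from the test directory to reproduce the session above.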