Questions tagged [dacl]

For questions about DACLs (discretionary access control lists), one of the most popular access control list types.

It allows or denies trustees access to computer and network resources.

It identifies group permissions and determines whether to allow access to a securable object or process.

If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it.

If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone.

Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies access to all trustees not included in the ACEs.


57 questions
2 votes, 1 answer

SACL on Services using C# || get a handle to a service that has the ACCESS_SYSTEM_SECURITY rights using C#

Anyone have any idea how to get the SACLs on a remote service using C#? I've tried numerous different methods, and basically nothing works. I can get the DACLs and SACLs on the local machine, but getting either on a remote machine doesn't appear…
Mike Taber
2 votes, 1 answer

Copy an object to new object with changed value

I need to get the ACL object and replace an Access.IdentityReference.Value and keep the rest of the object intact so I can apply the Set-Acl to another system. $acl = Get-Acl -Path "C:\Temp" $h = New-Object -TypeName PSObject ForEach-Object…
David C
2 votes, 2 answers

Create file that can be opened only by a Windows Service

Is it possible to select such a security descriptor using a DACL string such that the file can only be opened by a Windows Service, but not by an ordinary process, even if the process is run by the local Administrator account? To clarify, I just…
sashoalm
2 votes, 1 answer

Managing remote DACLs on fileshares: Win32_ACE to Win32_Share

Goal: Add a local user account share-level Read/Write permissions to an existing file share. I'm hitting a roadblock in developing this. Apparently Microsoft wants you to add your user's ACE to the DACL and then back into the security descriptor of…
1 vote, 1 answer

How to make container installation behave like host machine installation

I'm working with the following: Docker for Windows v20.10.11; Docker running in Windows container mode; mcr.microsoft.com/windows:1903 base image; proprietary application installed on top of this base image. Each year we create a Docker image with the…
jrbe228
1 vote, 0 answers

How to verify if the group is successfully added for a folder in Python

I am using below to add a group name in security tab for a folder through and it's getting added. However in Python how I can verify if the group is added successfully. dacl.AddAccessAllowedAce(win32security.ACL_REVISION,win32con.GENERIC_WRITE,…
goe
1 vote, 1 answer

How to check if a process has access to a securable object in Windows

Scenario: I have a service that can create, start, stop other services and offers this through IPC to user processes. How can I check in my service if the calling process has permissions to access the SCM? So on a more abstract level I have some…
DavidXanatos
1 vote, 1 answer

CreateFileW for READ_CONTROL fails with "Access is denied" despite being owner of the file

On Windows, even if discretionary ACL (DACL) is empty, i.e. no one has permission to the file, file owner can read and write DACL (READ_CONTROL and WRITE_DAC access). So I tried to do the following: set an empty DACL on a file; obtain a handle to…
1 vote, 0 answers

Windows DACL permissions

I am trying to modify permissions using Windows permissions API. I have a standalone use case code as below, I first revoke all the access and then grant read and write ones. #include #include #include #include…
Recker
1 vote, 2 answers

How can I edit a DACL in C#?

Is there an analog of the SetFileSecurity function? I need to re-write some tests from Python and I'm stuck on this part. In Python I can freely edit a DACL with pywin32 (modules with a C++ implementation to work with Windows API). I can edit any…
Egor Egorov
1 vote, 2 answers

How to set DACL of a Windows service so that a normal user can start / stop the service

I have a Windows service application whose installer I am building using InstallShield. How to set the DACL of the service while installing? I know I can do a "sc sdset" after installing. But I want to set the elevated permissions as part of the…
Arnoj
1 vote, 3 answers

Windows Create File Access that only allows Owner to access the file (Win32)

I'm trying to modify Windows access rights to a file in a way that only the owner (not even other Administrators) can access the file. Somewhat the equivalent of Unix chmod 700 file. I've played with denying rights to the general group (EVERYONE,…
Anachronism
1 vote, 1 answer

Why am I getting "Access denied" when I have effective read permission?

I can't read a particular file, even though as far as I can tell I have read rights on it. Here is what "Effective Access" shows: Here is what Get-Acl is giving me. PS ...> Get-Acl .\HelloWorld.java | Format-List Path :…
kec
1 vote, 3 answers

Is it possible to disallow taking ownership of a file?

I'm curious if there's a way to prevent users (including the ones belonging to the admin group) from taking ownership of a file? I originally create such file from my service that is running under Local System account. I then set that file's DACL to…
c00000fd
1 vote, 1 answer

How to turn off Named Pipe security?

I'm trying to create a named pipe between two Windows processes. The server process runs under a normal account, in a UI session. The client process runs in an unknown security context, apparently rather restricted. Initially I called pipe =…
MSalters