My utility extracts the ACL from a directory and adds it to another. My issue is this –
While iterating through the ACEs, I found that for ACEs with an AceFlags value of 0, the inherit flags (Applied To) are “Folder, subfolders & directories”. When I apply the same ACL to another directory, in Windows 7 it works fine. However, in Windows XP, the inherit flags change to “Folder only”. Here is the code –
#include <windows.h>
#include <aclapi.h>

BOOL SetNonInheritedAceToTarget(LPWSTR pszSource, LPWSTR pszDestination)
{
    BOOL bRetVal = FALSE;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pacl = NULL;

    // pacl points into pSD, so pSD must stay alive until the DACL has been applied.
    if (ERROR_SUCCESS == GetNamedSecurityInfoW(pszSource, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                               NULL, NULL, &pacl, NULL, &pSD))
    {
        // A NULL DACL means "everyone full control"; never copy that onto the target.
        if (pacl)
        {
            // Walk backwards: DeleteAce shifts the following entries down one slot, so a
            // forward loop would skip the ACE that moves into the deleted position.
            for (USHORT i = pacl->AceCount; i-- > 0; )
            {
                PACE_HEADER pAce = NULL;
                if (!GetAce(pacl, i, (LPVOID*)&pAce))
                    continue;
                if ((pAce->AceFlags & INHERIT_ONLY_ACE) || (pAce->AceFlags & INHERITED_ACE))
                {
                    // Delete the ACE
                    if (!DeleteAce(pacl, i))
                    {
                        WCHAR szErrorMsg[300] = {0};
                        wsprintfW(szErrorMsg, L"Unable to delete ACE from DACL of = %ls", pszSource);
                        OutputDebugStringW(szErrorMsg);
                    }
                }
            }
            if (ERROR_SUCCESS == SetNamedSecurityInfoW(pszDestination, SE_FILE_OBJECT,
                                                       DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION,
                                                       NULL, NULL, pacl, NULL))
                bRetVal = TRUE;
        }
        LocalFree(pSD); // GetNamedSecurityInfo allocates the descriptor with LocalAlloc
    }
    return bRetVal;
}
I don’t know if I am messing up the code or if it is really an OS-related issue. Help!!! Again, if it is an OS-related issue, what do you recommend? Should I assign AceFlags manually?
—
Varun
Oh… Silly me. I was checking INHERIT_ONLY_ACE to see if the ACE is inherited… Anyway, as Mox pointed out, with Vista (and above), new ACEs have been added to enhance integrity checks on Windows-based objects. However, this does not change the way ACEs are interpreted. My code is fine, I was just checking an extra flag.
Thanks Mox for educating me.
—
Varun
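An added example, not part of the thread above, that models the two details the discussion turns on in portable C with no Windows headers: what the AceFlags inheritance bits mean (INHERITED_ACE marks an entry inherited from the parent; INHERIT_ONLY_ACE marks an explicit entry that applies only to children), and why deleting ACEs by index inside a forward loop skips entries. The flag values are the real winnt.h ones; the ACE arrays and the "applies to" labels mirror the Windows security dialog, and the filter functions stand in for a GetAce/DeleteAce loop over a PACL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* AceFlags inheritance bits, values as defined in winnt.h. */
#define OBJECT_INHERIT_ACE       0x01
#define CONTAINER_INHERIT_ACE    0x02
#define NO_PROPAGATE_INHERIT_ACE 0x04
#define INHERIT_ONLY_ACE         0x08
#define INHERITED_ACE            0x10

/* Label the Windows security dialog shows for a given inheritance combination. */
const char *applies_to(uint8_t flags)
{
    int ci = flags & CONTAINER_INHERIT_ACE;
    int oi = flags & OBJECT_INHERIT_ACE;
    int io = flags & INHERIT_ONLY_ACE;
    if (ci && oi) return io ? "Subfolders and files only" : "This folder, subfolders and files";
    if (ci)       return io ? "Subfolders only"           : "This folder and subfolders";
    if (oi)       return io ? "Files only"                : "This folder and files";
    return "This folder only";
}

/* Remove one entry from an array of AceFlags bytes, the way DeleteAce shifts
   the remaining ACEs down by one slot. */
static void delete_at(uint8_t *flags, size_t count, size_t i)
{
    memmove(&flags[i], &flags[i + 1], (count - i - 1) * sizeof flags[0]);
}

/* Keep every explicit ACE (including explicit INHERIT_ONLY ones) and drop only
   entries inherited from the parent. Walking backwards means the shift after a
   delete never moves an unexamined entry past the cursor. Returns the new count. */
size_t strip_inherited(uint8_t *flags, size_t count)
{
    for (size_t i = count; i-- > 0; ) {
        if (flags[i] & INHERITED_ACE) {
            delete_at(flags, count, i);
            count--;
        }
    }
    return count;
}

/* The forward loop for comparison: after a delete the next ACE slides into slot i
   and the loop moves on to i + 1, so two adjacent inherited entries leave one behind. */
size_t strip_inherited_forward(uint8_t *flags, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (flags[i] & INHERITED_ACE) {
            delete_at(flags, count, i);
            count--;
        }
    }
    return count;
}
```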