No navigation frame on the left?  Click here.

ACLs/ACEs

13 Nov 99: Are you interested in security descriptors and their parts? If yes, you might find the fksec classes to your liking.

Update 25 March 1999: Remember what I said about the NT4 security APIs? You can still read it, two paragraphs down. Well, I should have preached less and typed more; fool that I am, I was dumb enough to rely on those APIs' ability to copy a DWORD from one place to another without totally corrupting it. BZZZZEEEERRRTTT -- wrong! ACCESS_SYSTEM_SECURITY, for example, gets dropped from permission masks. This version now uses low-level functions to pluck apart ACLs. Oh, and I'm including a compiled binary, for when you are in a hurry to look at some ACL.

In the meantime, I am happy to offer a far nicer sample to look at ACLs, and I highly recommend that you look at dumpacl instead of this sample here.

This sample does quite a lot of stuff, but primarily it walks a directory tree, displays security descriptors attached to files, and optionally frobs the inheritance bits on some ACEs.

Some of the things I do would have been simpler using more of the new NT 4.0 security APIs, but alas, they don't work. SP3 fixed a few bugs -- both methods for getting and displaying a file's owner now work, see line 30-40 of function check_acl() -- but the main problems are still there.

You may (or may not) have questions regarding what checkacl.cpp does, and how it does it. If you do, send email and I'll try to help; I will also update this page to include that explanation.