permission types:
- share permissions
- access control list permissions
- access control list permission inheritance
Share Permissions
share permission options (apply only to access over the network, through the share; they do not affect a user logged on locally):
- full control
- change
- read
The share permission and the NTFS (ACL) permission are evaluated separately, and the effective access over the network is whichever of the two is more restrictive.
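Added example (not from the original page): create a share with share-level permissions set per principal, list both permission layers, and compute the most-restrictive combination for one principal. Assumptions: an elevated PowerShell on a Windows host with the SmbShare module; the share name and folder are made up; the effective-access function is a deliberate simplification that ignores group membership and deny ACEs and only illustrates the combination rule.

```powershell
# Added example, not the page's own code. Share name, path and principals are assumed.
$path = 'D:\Shares\Projects'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share layer: Read for Users, Full for Administrators (the three options on the page)
New-SmbShare -Name 'Projects' -Path $path `
    -ReadAccess 'BUILTIN\Users' `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# Share layer as stored
Get-SmbShareAccess -Name 'Projects' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# NTFS layer on the same folder
icacls $path

# Map each share right to the NTFS mask it caps access at
$shareMask = @{
    'Read'   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Change' = [System.Security.AccessControl.FileSystemRights]::Modify
    'Full'   = [System.Security.AccessControl.FileSystemRights]::FullControl
}

function Get-EffectiveShareAccess {
    # Simplified: looks only at explicit Allow entries for exactly this account name,
    # ignores group membership and Deny ACEs. Returns the intersection of both layers.
    param([string]$Share, [string]$Folder, [string]$Account)
    $shareEntry = Get-SmbShareAccess -Name $Share |
        Where-Object { $_.AccountName -eq $Account -and $_.AccessControlType -eq 'Allow' }
    $ntfsEntry = (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    if (-not $shareEntry -or -not $ntfsEntry) { return 'no access (missing on one layer)' }
    $cap = $shareMask[[string]$shareEntry.AccessRight]
    # Most restrictive wins: NTFS rights AND the share cap
    [System.Security.AccessControl.FileSystemRights]($ntfsEntry.FileSystemRights -band $cap)
}

# Users typically have Read-and-execute on NTFS and Read on the share: effective = ReadAndExecute.
Get-EffectiveShareAccess -Share 'Projects' -Folder $path -Account 'BUILTIN\Users'
```

Even if an NTFS ACE granted Users Full control on the folder, the Read share permission would cap network access at read and execute; the reverse also holds, so Full control on the share never adds rights the NTFS ACL does not grant.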
Access Control List (ACL) Permissions (cacls - icacls)
https://ss64.com/nt/icacls.html
a sequence of simple rights (the NTFS permissions shown on the Security tab):
- N (no access) - grants no rights at all; to actively block a principal use /deny rather than a grant, because a deny ACE overrides any allow
- F (full access) - allows users to read, write, change, and delete files and subfolders; in addition, users can change permission settings and take ownership of all files and subdirectories
- M (modify access) - allows users to read, write, execute, and delete files and subfolders, including deleting the folder itself; it does not allow changing permissions or taking ownership
- RX (read and execute access) - allows users to view and run executable files, including scripts
- list folder contents - Security tab only (no icacls short code); permits viewing and listing of files and subfolders as well as executing files; it is inherited by folders only
- R (read-only access) - allows users to view the folder and subfolder contents
- W (write-only access) - allows users to add files and subfolders, and to write to a file
- D (delete access) - allows deleting the object; this is a right, not a removal of the user or group - to strip a principal's ACE entirely use /remove, not /grant
icacls "full path of file" /grant "user name or group":permission
/grant adds to whatever rights the principal already holds; /grant:r replaces the principal's existing explicit ACE with the new one.
a comma-separated list in parentheses of specific rights:
- D (delete) - delete the object
- RC (read control) - read the security descriptor (owner and DACL)
- WDAC (write DAC) - modify the DACL; a principal holding this can grant itself any other right, so treat it as equivalent to full control
- WO (write owner) - take ownership; the owner can always rewrite the DACL, so this is likewise an escalation path
- S (synchronize) - use the handle for synchronization (wait on it); most file I/O APIs require it
- AS (access system security) - read or write the SACL (auditing settings); also requires the SeSecurityPrivilege
- MA (maximum allowed) - request whatever access the DACL happens to allow
- GR (generic read) - generic right mapped for files to read data, read attributes, read extended attributes, read control, and synchronize
- GW (generic write) - generic right mapped to write data, append data, write attributes, write extended attributes, read control, and synchronize
- GE (generic execute) - generic right mapped to execute/traverse, read attributes, read control, and synchronize
- GA (generic all) - generic right mapped to all rights
- RD (read data/list directory) - read a file's contents, or list a directory's entries
- WD (write data/add file) - write a file's contents, or create files in a directory
- AD (append data/add subdirectory) - append to a file, or create subdirectories in a directory
- REA (read extended attributes) - read the object's extended attributes
- WEA (write extended attributes) - write the object's extended attributes
- X (execute/traverse) - run a file, or pass through a directory to reach its children
- DC (delete child) - delete a child object of a directory even without the delete right on the child itself
- RA (read attributes) - read basic attributes (read-only, hidden, timestamps)
- WA (write attributes) - write basic attributes
Generic rights (GR, GW, GE, GA) are stored as generic bits in the ACE; the Security tab and Get-Acl show them mapped to the specific rights above.
example commands (John and User1 must resolve to existing local or domain accounts; use straight quotes on the command line)
grant John Full access to a file named "test"
icacls "D:\test" /grant John:F
grant User1 Delete and Write DAC permissions to a file named "Test1" in the current directory
icacls test1 /grant User1:(D,WDAC)
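Added example (not from the original page): grant a narrow set of specific rights with icacls, then audit the resulting ACL for entries that let a non-administrative principal rewrite the ACL itself (write DAC, write owner) or hold full control. Assumptions: because User1 from the page is unlikely to exist on the reader's machine, the current user is used as the grantee; the file is a constructed temp file, removed at the end; the trusted-principal list is an assumption to adjust per environment.

```powershell
# Added example, not the page's own code. Grantee and trusted list are assumptions.
$file = Join-Path $env:TEMP 'test1.txt'
Set-Content -LiteralPath $file -Value 'constructed sample file'
$grantee = "$env:USERDOMAIN\$env:USERNAME"   # stand-in for User1

# Specific rights go in parentheses as a comma-separated list, as on the page
icacls $file /grant "${grantee}:(RD,RA,REA,S)" | Out-Null   # read pieces only
icacls $file /grant "${grantee}:(D,WDAC)"      | Out-Null   # delete plus write DAC: an escalation path

# Principals that are expected to hold ACL-rewriting rights (assumed; tune per host)
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
# ChangePermissions is WDAC, TakeOwnership is WO; FullControl contains both
$dangerous = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, FullControl'

function Find-RiskyAce {
    # Returns every Allow ACE on $Path that gives an untrusted principal any dangerous right
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $dangerous) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Shows the explicit (D,WDAC) grant and any inherited Full control the user already has from the profile
Find-RiskyAce $file | Format-Table -AutoSize

# Clean up: /remove:g strips the grantee's explicit allow ACEs
icacls $file /remove:g $grantee | Out-Null
Remove-Item -LiteralPath $file -Force
```

Run Find-RiskyAce over a service binary directory or a scheduled-task script folder to find write-DAC or take-ownership grants to ordinary users, which are as good as full control for anyone who holds them.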
Access Control List (ACL) Permissions Inheritance (cacls - icacls)
the Access Control List (ACL) inheritance flags have the following meanings:
- IO: Inherit Only - this flag indicates that this Access Control Entry (ACE) does not apply to the current object itself, only to what inherits it (both containers/directories and files)
- CI: Container Inherit - this flag indicates that subordinate containers/directories will inherit this ACE
- OI: Object Inherit - this flag indicates that subordinate files will inherit this ACE
- NP: Non-Propagate - this flag indicates that subordinate objects (both directories/containers and files) will not propagate the inherited ACE any further, so it stops one level down
- I: Inherited - this flag indicates that this Access Control Entry (ACE) was inherited from the parent container/directory; icacls displays it but does not accept it in a grant
When an administrator adds a new ACE to the access control list, the scope of the entry's inheritance is chosen with these flags. The following combinations are specific to the NTFS file system:
| IO | CI | OI | NP | Propagation results |
|---|---|---|---|---|
|  |  |  |  | Target folder |
| ✔ |  |  |  | N/A |
|  |  | ✔ |  | Target folder, child object (file), grandchild object (file) |
|  |  | ✔ | ✔ | Target folder, child object (file) |
|  | ✔ |  |  | Target folder, child folder, grandchild folder |
|  | ✔ |  | ✔ | Target folder, child folder |
|  | ✔ | ✔ |  | Target folder, child folder, child object (file), grandchild folder, grandchild object (file) |
|  | ✔ | ✔ | ✔ | Target folder, child folder, child object (file) |
|  |  |  | ✔ | N/A |
| ✔ |  |  | ✔ | N/A |
| ✔ |  | ✔ |  | Child object (file), grandchild object (file) |
| ✔ |  | ✔ | ✔ | Child object (file) |
| ✔ | ✔ |  |  | Child folder, grandchild folder |
| ✔ | ✔ |  | ✔ | Child folder |
| ✔ | ✔ | ✔ |  | Child folder, child object (file), grandchild folder, grandchild object (file) |
| ✔ | ✔ | ✔ | ✔ | Child folder, child object (file) |
icacls command
icacls "D:\test" /grant John:(OI)(CI)F /T
grants John Full control on D:\test with an ACE that files (OI) and subfolders (CI) inherit; /T additionally walks the existing subtree and applies the same grant as an explicit ACE on every file and subfolder already there. Because an inheritable ACE is propagated to existing children automatically when inheritance is enabled on them, /T is mainly needed to reach children whose inheritance has been disabled, and it leaves explicit ACEs that must later be removed one by one (for example with /remove ... /T).
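Added example (not from the original page): build a small folder tree, apply an ACE with each of the flag combinations from the table above, and read back on every node whether the entry landed there, whether it is inherited, and with which flags. Assumptions: a normal user on an NTFS volume; the Guests group is used only as a throwaway principal so the entries are easy to spot; the tree is created under %TEMP% and deleted at the end.

```powershell
# Added example, not the page's own code. Principal and tree layout are assumptions.
$principal = 'Guests'
$root   = Join-Path $env:TEMP ("acltest-" + [guid]::NewGuid().ToString('N'))
$target = Join-Path $root 'target'

# Target folder, child file, child folder, grandchild file, grandchild folder
New-Item -ItemType Directory -Path (Join-Path $target 'childfolder\grandfolder') -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $target 'childfile.txt') -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $target 'childfolder\grandfile.txt') -Force | Out-Null

function Show-Propagation {
    # Grants RX with the given flag prefix on the target folder, then reports every
    # node in the tree that carries an ACE for $principal.
    param([string]$Flags)   # e.g. '(OI)(CI)', '(OI)(NP)', '(IO)(CI)'
    icacls $target /grant "${principal}:${Flags}RX" | Out-Null
    $nodes = @($target) + (Get-ChildItem -LiteralPath $target -Recurse).FullName
    $hits = foreach ($item in $nodes) {
        foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
            if ($ace.IdentityReference.Value -like "*\$principal") {
                [pscustomobject]@{
                    Flags     = $Flags
                    Path      = $item.Substring($root.Length + 1)
                    Inherited = $ace.IsInherited
                    Inherit   = $ace.InheritanceFlags   # ContainerInherit / ObjectInherit
                    Propagate = $ace.PropagationFlags   # InheritOnly / NoPropagateInherit
                }
            }
        }
    }
    # Reset so the next combination starts from a clean ACL
    icacls $target /remove:g $principal /T | Out-Null
    $hits
}

'(OI)', '(OI)(NP)', '(CI)', '(CI)(NP)', '(OI)(CI)', '(OI)(CI)(NP)', '(IO)(OI)(CI)' |
    ForEach-Object { Show-Propagation $_ } | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

Two details the table glosses over show up in the output: with (OI) alone, the child folder still receives the ACE, but as an inherit-only entry whose only job is to carry it down to the grandchild file; and with (NP) the entry stops at the first level, so the grandchild nodes never list the principal at all.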