TC admin tool doesn't copy access rights

Bug reports will be moved here when the described bug has been fixed

MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

Well,
D:\test\dst_rdo has above mentioned permissions (do not inherit, only three users allowed: All, Users - read-only, Admins - full),
D:\test\dst has inherited permissions (something like SYSTEM, Admins, Domain users - full, Users - read-only).

I think it doesn't matter, since I've listed the major permissions in my previous post. The main trouble: TC doesn't copy the 'inherited' flag; if the source file has this flag unchecked, the target has it checked. And if the source lacks some rights, these rights are added because of inheritance, so the target has many more access rights - e.g. if the source can be accessed by admins only, the target may be accessed by a much larger group of users, which is quite unsafe.

I checked, TC 7.50a works the same way (strange that I've missed this earlier). Tested on Windows XP and 7.
ghisler(Author)
Site Admin
Posts: 48083
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

TC 7.5 and 7.55 both use GetNamedSecurityInfoW and SetNamedSecurityInfoW to copy permissions on Windows 2000 or newer. These functions do copy inheritance. In earlier versions I used GetFileSecurityW and SetFileSecurityW, but that didn't copy inheritance.
Author of Total Commander
https://www.ghisler.com
ghisler(Author)
Site Admin
Posts: 48083
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2MVV
I think that I found a solution now! Unfortunately it hasn't made it into RC2 yet. What I'm doing now is calling GetSecurityDescriptorControl on the source security descriptor. This allows checking whether the source inherits from the parent or not. Then I copy this flag to the target by setting either UNPROTECTED_DACL_SECURITY_INFORMATION or PROTECTED_DACL_SECURITY_INFORMATION.

So far this seems to work here with my test cases. The source and target permissions are not always the same, e.g. if the copied file/folder inherits rights from the parent, and the target parent has other rights. But xcopy with /o switch seems to behave the same way.

Please contact me by e-mail to beta at ghisler dot com if you would like to test this change.
Author of Total Commander
https://www.ghisler.com
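
A check for the problem discussed in this thread, added here as an example and not taken from Total Commander or from any poster: it compares the SDDL strings of a source and its copy (for instance as read from the `Sddl` property returned by PowerShell's `Get-Acl`) and reports whether the copy lost the protected-DACL flag and which trustees gained access. The function names and the sample SDDL strings are constructed for illustration.

```python
import re

# SDDL DACL: "D:" + control flags (P = protected, AI = auto-inherited), then
# ACEs written as (type;flags;rights;object;inherit_object;trustee).
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")

# Constructed samples: a folder with inheritance switched off, a copy that
# lost the P flag and picked up the parent's ACEs (ID = inherited), and a
# copy that kept the flag.
SRC = "O:BAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)(A;OICI;FR;;;WD)"
DST_UNPROTECTED = ("O:BAG:BAD:AI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)(A;OICI;FR;;;WD)"
                   "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;DU)"
                   "(A;OICIID;FR;;;BU)")
DST_PROTECTED = SRC


def parse_dacl(sddl):
    """Return (protected, aces) for the DACL part of an SDDL string."""
    m = DACL_RE.search(sddl)
    if m is None:
        raise ValueError("SDDL string has no DACL")
    control, body = m.groups()
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", body):
        fields = raw.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + raw)
        # ACE flags are two-letter codes run together, e.g. "OICIID".
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        aces.append({"type": fields[0], "inherited": "ID" in flags,
                     "rights": fields[2], "trustee": fields[5]})
    return "P" in control, aces


def audit_copy(src_sddl, dst_sddl):
    """Report whether a copy lost DACL protection and who gained access."""
    src_protected, src_aces = parse_dacl(src_sddl)
    dst_protected, dst_aces = parse_dacl(dst_sddl)
    src_grants = {(a["trustee"], a["rights"]) for a in src_aces if a["type"] == "A"}
    # Simplification: rights are compared as SDDL strings, not as bit masks.
    gained = {a["trustee"] for a in dst_aces
              if a["type"] == "A" and (a["trustee"], a["rights"]) not in src_grants}
    return {"protection_lost": src_protected and not dst_protected,
            "gained_trustees": sorted(gained),
            "inherited_aces": sum(a["inherited"] for a in dst_aces)}


if __name__ == "__main__":
    for name, dst in (("unprotected", DST_UNPROTECTED), ("protected", DST_PROTECTED)):
        print(name, audit_copy(SRC, dst))
```

When the source itself inherits from its parent, `gained_trustees` can be non-empty without `protection_lost` being set; that is the expected difference between parents mentioned in the post above.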
MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

ghisler(Author) wrote: So far this seems to work here with my test cases. The source and target permissions are not always the same, e.g. if the copied file/folder inherits rights from the parent, and the target parent has other rights. But xcopy with /o switch seems to behave the same way.
Well, inherited permissions may not be the same if the object inherits permissions from its parent - it is logical. But non-inherited permissions and the inherit flag should be copied for both files and folders.

I'm not familiar with ACL copy functions but I hope your solution will work fine!

Wow, I didn't know that xcopy allows copying permissions :)


That's perfect! New method (in private TC version) works perfectly! :)
In my test described above all targets have expected permissions!
MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

Just tested on 7.55 RC3, works fine. Thanks again!
ghisler(Author)
Site Admin
Posts: 48083
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Great, thanks very much!
Author of Total Commander
https://www.ghisler.com