I need to be able to force an empty DACL on an object under Windows ...

Richard Sharpe realrichardsharpe at gmail.com
Wed Mar 28 13:40:48 MDT 2012


On 3/28/12, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> On Wed, Mar 28, 2012 at 11:18:24AM -0700, Richard Sharpe wrote:
>> Hi folks,
>>
>> I needed to force an empty DACL on files on Windows, so I created this
>> small patch to smbcacls.
>>
>> Is it of use to anyone else? If so, I could push it to the master
>> branch after any cleanups suggested by people.
>
> Can you do the same for sacls?

Sure, but what is the meaning of a NULL SACL with the SACL_PRESENT bit
set in the SD?

Also, there is a bug in my change. It will not let you delete the last
ACE in a DACL if you do not use the -F flag, and thus gives you the
wrong semantics. A DACL that is marked as being present and
contains 0 entries means that no one has access (except the owner who
always has READ_CONTROL and WRITE_DAC in that case, I believe),
however, a DACL that is marked as being present but is NULL means
everyone has all access.

I will have to rework my patch a little. Probably tonight now, because
what I have is enough to test the problem I am chasing and was quicker
than writing something in Visual Studio.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
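
The NULL-versus-empty distinction drawn in the message above, as an added example that is not part of the original post or the smbcacls patch: in a self-relative security descriptor (MS-DTYP layout) a NULL DACL is SE_DACL_PRESENT with a zero DACL offset, while an empty DACL is a real ACL header whose AceCount is 0. The function name, enum and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SE_DACL_PRESENT 0x0004  /* Control bit: the DACL field is meaningful */

enum dacl_state { DACL_MALFORMED, DACL_ABSENT, DACL_NULL, DACL_EMPTY, DACL_HAS_ACES };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the DACL of a self-relative security descriptor (hypothetical helper).
 * Header: Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4)
 *         OffsetSacl(4) OffsetDacl(4) = 20 bytes, little-endian. */
enum dacl_state classify_dacl(const uint8_t *sd, size_t len)
{
    if (len < 20 || sd[0] != 1)
        return DACL_MALFORMED;
    if (!(rd16(sd + 2) & SE_DACL_PRESENT))
        return DACL_ABSENT;
    uint32_t off = rd32(sd + 16);
    if (off == 0)
        return DACL_NULL;   /* present but NULL: everyone has all access */
    /* ACL header: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2) */
    if (off < 20 || off > len || len - off < 8)
        return DACL_MALFORMED;
    uint16_t acl_size = rd16(sd + off + 2);
    if (acl_size < 8 || acl_size > len - off)
        return DACL_MALFORMED;
    return rd16(sd + off + 4) == 0 ? DACL_EMPTY : DACL_HAS_ACES; /* 0 ACEs: no one granted access */
}

/* Constructed sample descriptors (no owner, group or SACL); Control is little-endian. */
const uint8_t sd_no_dacl[20]    = { 1,0, 0x00,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
const uint8_t sd_null_dacl[20]  = { 1,0, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
const uint8_t sd_empty_dacl[28] = { 1,0, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,
                                    2,0, 8,0, 0,0, 0,0 };

int main(void)
{
    printf("NULL DACL  -> %d\n", classify_dacl(sd_null_dacl, sizeof sd_null_dacl));
    printf("empty DACL -> %d\n", classify_dacl(sd_empty_dacl, sizeof sd_empty_dacl));
    return 0;
}
```

A tool that edits ACLs has to preserve this distinction when the last ACE is removed: writing offset 0 instead of an ACL with AceCount 0 turns "no access" into "all access".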

