I need to be able to force an empty DACL on an object under Windows ...

Richard Sharpe realrichardsharpe at gmail.com
Wed Mar 28 13:40:48 MDT 2012

On 3/28/12, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> On Wed, Mar 28, 2012 at 11:18:24AM -0700, Richard Sharpe wrote:
>> Hi folks,
>> I needed to force an empty DACL on files on Windows, so I created this
>> small patch to smbcacls.
>> Is it of use to anyone else? If so, I could push it to the master
>> branch after any cleanups suggested by people.
> Can you do the same for sacls?

Sure, but what is the meaning of a NULL SACL with the SACL_PRESENT bit
set in the SD?

Also, there is a bug in my change. It will not let you delete the last
ACE in a DACL if you do not use the -F flag, and thus gives you the
wrong semantics. A DACL that is marked as being present present and
contains 0 entries means that no one has access (except the owner who
always has READ_CONTROL and WRITE_DAC in that case, I believe),
however, A DACL that is marked as being present but is NULL means
everyone has all access.

I will have to rework my patch a little. Probably tonight now, because
what I have is enough to test the problem I am chasing and was quicker
than writing something in Visual Studio.

Richard Sharpe

More information about the samba-technical mailing list