Looks like we do not have self-tests for smbcacls
Noel Power
nopower at suse.com
Thu Aug 3 16:07:49 UTC 2017
On 03/08/17 14:09, Noel Power wrote:
>> 3. Assuming this *is* a Windows Explorer look-alike, Windows >> Explorer pops up a message if it fails to set the ACL of a file, >>
allowing the user to continue or abort. IMHO that would be useful >>
here, because changing a large tree without the option to continue >>
would be difficult. The program can output messages on files which >>
failed. > see above, smbcacls like icacls is a power tool, you can shoot
> yourself in the foot royally, I can't recall whether an icacls >
failure is reported and it continues on or not. My gut feeling is we >
should do as icacls does (where possible) I'll look into what it > does
What appears to happen is that although inheritable aces are propagated
to all child containers and files icalcs only reports that it is
processing a single file. Any access errors (or failure to apply
inhertitable aces) appear to be squashed and icacls.exe continues best
effort. smbcacls doesn't behave like this, I believe it should (good
call to make me check this behavour)
Here is a sample run from windows.
icacls is operating on the top level 'oi_dir' directory, however there
is a lower level directory 'oi_dir/other' that is inaccessible
+-test_dir/
+-oi_dir/ <= (not accessible)
| +-file-1
| +-pfile.txt
| +-nested/
| +-file-2
| +-other/
Note: icacls.exe /T switch effectively operates recursively
c:\Temp>icacls oi_dir/ /grant Administrator:(OI)(CI)(R)
processed file: oi_dir/
Successfully processed 1 files; Failed processing 0 files
c:\Temp>icacls oi_dir /T
oi_dir TESTDOMAIN1\Administrator:(OI)(CI)(R)
TESTDOMAIN1\Administrator:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
oi_dir\file-1 TESTDOMAIN1\Administrator:(I)(R)
TESTDOMAIN1\Administrator:(I)(F)
BUILTIN\Administrators:(I)(F)
Everyone:(I)(F)
oi_dir\nested TESTDOMAIN1\Administrator:(I)(OI)(CI)(R)
TESTDOMAIN1\Administrator:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
oi_dir\other: Access is denied.
Successfully processed 3 files; Failed processing 1 files
Note:: Failure above prevented icacls from displaying the ACL for
pfile.txt (but it was modified with the propagated ace(s))
c:\Temp>icacls oi_dir/pfile.txt /T
oi_dir/pfile.txt TESTDOMAIN1\Administrator:(I)(R)
TESTDOMAIN1\Administrator:(I)(F)
BUILTIN\Administrators:(I)(F)
Everyone:(I)(F)
oi_dir\other\*: Access is denied.
Successfully processed 1 files; Failed processing 1 files
c:\Temp>icacls oi_dir/other
oi_dir/other: Access is denied.
Successfully processed 0 files; Failed processing 1 files
c:\Temp>icacls oi_dir/other /grant Administrator:(OI)(F)
oi_dir/other: Access is denied.
Successfully processed 0 files; Failed processing 1 files
More information about the samba-technical
mailing list