Question about DACL inheritance in multilevel directory structure

  acl, dacl, inheritance, ntfs, windows

I have a directory structure like this:

dir1 -> dir2 -> dir3 -> dir4

dir2 is inside directory dir1, dir3 is inside directory dir2 etc.

‘dir1’ has its own set of DACL. They are explicit. Inheritance is enabled on DACLs of ‘dir1’ – (OI) and (CI).
In same way inheritance is enabled on directories dir2, dir3 and dir4.

Initially dir2, dir3 and dir4 have their own set of DACLs, which are explicit. None of the DACLs is inherited but they are inheritable.

e.g.
Each directory dir1, dir2, dir3 and dir4 has DACL ‘Allow Full control to use SYSTEM’ and inherited from column shows None in GUI.

I’ve a function setAcl(char* path). This function does following things:

Calls AllocateAndInitializeSid for Administrators group.

  1. Creates ACL and calls InitializeAcl
  2. Calls AddAccessAllowedAce. This ACE is not inheritable.
  3. Calls SetNamedSecurityInfo on passed argument ‘path’.
    These flags are passed: DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION.

setAcl() is called on the above directories, in this order:

  1. dir3
  2. dir2
  3. dir4

When it is first called on directory ‘dir3’, it adds an explicit DACL for administrators group ( added due to setAcl function ).
Also as the flag PROTECTED_DACL_SECURITY_INFORMATION is not set, it also adds DACLs which from the parent which are inheritable.
So now dir3 directory has one explicit DACL and other ‘allow Full control to System’ DACL inherited from the parent folder, ‘dir2’. Initially it had all explicit DACLs.

When setAcl is called on directory ‘dir2’, same thing happens with it. It adds one explicit DACL for administrators group and it inherits other DACLs from parent folder. ‘allow Full control to System’ is now marked inherited from directory ‘dir1’.
As SetNamedSecurityInfo also updated child object DACLs, it updates DACL of directory ‘dir3’ ( child of dir2 ). As now ‘dir2’ doesn’t have explicit DACL ‘allow Full control to System’, this DACl of dir3 is inherited from directory ‘dir1’, while before the function call it was inherited from directory ‘dir2’.

I think the rule of inheritance come into picture here, first a object
inherits DACLs from parent. If none are inheritable, it inherits from
grandparents. Am I correct?

So far I can make sense of everything, problem starts when I call setAcl("dir4").
After setAcl("dir4"), the ‘dir4’ directory has only one explicit DACL. It doesn’t inherit any from it’s grandparents.

Why it didn’t inherit permissions from its grandparents when I called
‘SetNamedSecurityInfo’?

My expectation was, after calling SetNamedSecurityInfo, it should
merge inheritable DACLs from directory ‘dir1’ as it did when I called
setAcl("dir3"). But it doesn’t happen. Can you explain why?

Source: Windows Questions

LEAVE A COMMENT