MAKEMSI quickly and reliably creates MSI files in a non-programmatic way
Have your say! Join the MAKEMSI discussion list or view archive! Suggest improvements. No question too simple or too complex.
[Bottom][Contents][Prev]: regperm.exe[Next]: SIDLookup.zip
Have your say! Join the MAKEMSI discussion list or view archive! Suggest improvements. No question too simple or too complex.
\->Tips and Tricks->Tools->Security Related Tools->SetACL.EXE

SetACL.EXE

This tool is a good general purpose tool which does about anything, but its command line is very cryptic. The setacl web site ("http://setacl.sourceforge.net/") has some examples of use.

Note that this tool doesn't work if the filename is relative.

This tool takes a bit of getting used to and the SETACL GUI tool "ACLEASY" can make this easier.

My Example #1 - Display Service permissions

Display the current permisions on a particular service ("ServiceAlias"):

setacl.exe -ot srv -on ServiceAlias -actn list

As you can see in the example (above and below), we used "-ot" to indicate the type of resource we are changing (service) and "-on" to identify the specific resource.

My Example #2 - Services (allow stop/start)

Allow normal users (members of "BUILTIN\Users") to stop and start a particular service ("ServiceAlias"):

setacl.exe -ot srv -on ServiceAlias -ace "n:users;p:start_stop,read" -actn ace

Example #3 - Change ACL on File (via generic MAKEMSI macros)

The following creates two handy macros best placed into a common header file:

#define? SETACL_SETACL.EXE_BUILD_TIME_NAME       .\SetAcl.EXE    ;;By default it is found in the current directory
#define? SETACL_DEFAULT_INSTALLATION_DIR_ROWKEY  INSTALLDIR      ;;May as well allow you to configure it...
#(
    #define  SETACL

    ;--- First time through add the "SETACL" tool (rename in case installation dir in path) ---
    #ifndef  @@SetAclInit
        ;--- This macro requires "INSTALLDIR" to exist (by default)... ------
        <$File RowKey="?@@SetAclKey" Source="<$SETACL_SETACL.EXE_BUILD_TIME_NAME>" Destination="[{$INSTALLDIR=^<$SETACL_DEFAULT_INSTALLATION_DIR_ROWKEY>^}]\SetAcl_MM.EXE" Comment=^ACL modifying tool used by the "SetACL" macro.^>
        #define @@SetAclInit
    #endif

    ;--- Handle #data -------------------------------------------------------
    #RexxVar '@@Data' = '{$Data=^^}'
    #if [@@Data = '']
        ;--- No data passed, just use the EXE info --------------------------
        #RexxVar '@@Data' = '@@SetAclDefault'
    #elseif
        ;--- User passed #data, need to update this list (once) -------------
        #evaluate ^^ ^<$@@Rexx4SetAclData>^
    #endif

    ;--- Set up the command -------------------------------------------------
    <$RunCmd  {$?} ALIAS="SETACL" Command=^"(*SETACL.EXE*)"^ @="N" DATA=^<??@@Data>^>  ;;Command quotes as name can contain spaces...
#)
#data '@@SetAclDefault' 2
    ;--- Install time name and location of SETACL tool ----------------------
    "SETACL.EXE" "[#<??@@SetAclKey>]"
#data
#DefineRexx '@@Rexx4SetAclData'
    ;--- Add our one entry to it (note: Undocumented mechanism/hack) --------
    @@DataDot = @@Data || '.'
    @@RowCnt  = DataInfo(@@DataDot || '?');
    @@WantN   = DataInfo("@@SetAclDefault.1.1");
    @@WantV   = DataInfo("@@SetAclDefault.1.2");
    if  DataInfo(@@DataDot || @@RowCnt || '.1') <> @@WantN then
    do
        ;--- We haven't already added it... ---------------------------------
        @@RowCnt  = DataInfo(@@DataDot || '?') + 1
        call value @@DataDot || @@RowCnt || '.1', @@WantN;
        call value @@DataDot || @@RowCnt || '.2', @@WantV;
        call value @@DataDot || '0', @@RowCnt;
    end;
#DefineRexx
#define  /SETACL  <$/RunCmd {$?} ALIAS="/SETACL">

The following uses the macros we created above:

;--- Add TEST file ---------------------------------------------------------
<$File RowKey="?@@FileKey" Source="C:\tmp\TestAclChangeOnThis.txt" Destination="[INSTALLDIR]\">

;--- Update ACL on the test file we added above (test macros we created) ---
#data 'CaSetAcl' 2
    "TheFile"    "[#<??@@FileKey>]"     ;;Full install time name of resource we are modifying
#data
<$SETACL CONDITION='<$CONDITION_EXCEPT_UNINSTALL>' DATA='CaSetAcl'>
    ;--- Indicate we are modifying a file -----------------------------------
    -ot file

    ;--- Specify the filename we wish to change ACL on ----------------------
    -on "(*TheFile*)"

    ;--- The action is "change ACL" -----------------------------------------
    -actn ace

    ;--- Try Deny "write" but allow everything else (may not make sence, just a test) ---
    -ace "n:SomeUser;p:full" -ace "n:SomeUser;m:deny;p:write"

    ;--- Make sure admins have full access ----------------------------------
    -ace "n:Administrators;p:full"
<$/SETACL>

Example #4 - Change ACL on Directory and Stop Propagation of Parent ACLs

The following code reuses the macros defined above:

#data 'CaSetAclDir' 2
    "TheFolder"    "[INSTALLDIR]"     ;;Full install directory
#data
<$SETACL CONDITION='<$CONDITION_EXCEPT_UNINSTALL>' DATA='CaSetAclDir'>
    ;--- Indicate we are modifying a directory ------------------------------
    -ot file

    ;--- Specify the directory we wish to change ACL on ---------------------
    -on "(*TheFolder*)"

    ;--- The action is "change ACL" -----------------------------------------
    -actn ace

    ;--- Authenticated users need full access -------------------------------
    -ace "n:Authenticated Users;p:full"

    ;--- Make sure admins have full access (play safe) ----------------------
    -ace "n:Administrators;p:full"
    -ace "n:SYSTEM;p:full"

    ;--- dis-allow inheritable permissions from the parent object to propagate to this object ---
    -actn setprot
          -op "dacl:p_c"              ;;Copy existing permissions but don't propagate from parent.
         ;-op "dacl:p_c;sacl:p_c"     ;;Didn't have enough permissions to change "sacl"... Don't care in any case...
<$/SETACL>

SetACL.EXE -help

SetACL by Helge Klein

Homepage:        http://setacl.sourceforge.net
Version:         2.0.2.0
Copyright:       Helge Klein
License:         GPL

-O-P-T-I-O-N-S--------------------------------------------------------

-on    ObjectName

-ot    ObjectType

-actn  Action

-ace   "n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"

-trst  "n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"

-dom   "n1:Domain;n2:Domain;da:DomainAction;w:Where"

-ownr  "n:Trustee;s:IsSID"

-grp   "n:Trustee;s:IsSID"

-rec   Recursion

-op    "dacl:Protection;sacl:Protection"

-rst   Where

-lst   "f:Format;w:What;i:ListInherited;s:DisplaySID"

-bckp  Filename

-log   Filename

-fltr  Keyword

-clr   Where

-silent

-ignoreerr

-P-A-R-A-M-E-T-E-R-S-------------------------------------------------

ObjectName:      Name of the object to process (e.g. 'c:\mydir')

ObjectType:      Type of object:

                 file:       Directory/file
                 reg:        Registry key
                 srv:        Service
                 prn:        Printer
                 shr:        Network share

Action:          Action(s) to perform:

                 ace:        Process ACEs specified by parameter(s) '-ace'
                 trustee:    Process trustee(s) specified by parameter(s)
                             '-trst'.
                 domain:     Process domain(s) specified by parameter(s)
                             '-dom'.
                 list:       List permissions. A backup file can be
                             specified by parameter '-bckp'. Controlled by
                             parameter '-lst'.
                 restore:    Restore entire security descriptors backed up
                             using the list function. A file containing the
                             backup has to be specified using the parameter
                             '-bckp'. The listing has to be in SDDL format.
                 setowner:   Set the owner to trustee specified by parameter
                             '-ownr'.
                 setgroup:   Set the primary group to trustee specified by
                             parameter '-grp'.
                 clear:      Clear the ACL of any non-inherited ACEs. The
                             parameter '-clr' controls whether to do this for
                             the DACL, the SACL, or both.
                 setprot:    Set the flag 'allow inheritable permissions from
                             the parent object to propagate to this object' to
                             the value specified by parameter '-op'.
                 rstchldrn:  Reset permissions on all sub-objects and enable
                             propagation of inherited permissions. The
                             parameter '-rst' controls whether to do this for
                             the DACL, the SACL, or both.

TrusteeAction:   Action to perform on trustee specified:

                 remtrst:    Remove all ACEs belonging to trustee specified.
                 repltrst:   Replace trustee 'n1' by 'n2' in all ACEs.
                 cpytrst:    Copy the permissions for trustee 'n1' to 'n2'.

DomainAction:    Action to perform on domain specified:

                 remdom:     Remove all ACEs belonging to trustees of domain
                             specified.
                 repldom:    Replace trustees from domain 'n1' by trustees with
                             same name from domain 'n2' in all ACEs.
                 cpydom:     Copy permissions from trustees from domain 'n1' to
                             trustees with same name from domain 'n2' in all
                             ACEs.

Trustee:         Name or SID of trustee (user or group). Format:

                 a) [(computer | domain)\]name

                 Where:

                 computer:   DNS or NetBIOS name of a computer -> 'name' must
                             be a local account on that computer.
                 domain:     DNS or NetBIOS name of a domain -> 'name' must
                             be a domain user or group.
                 name:       user or group name

                 If no computer or domain name is given, SetACL tries to find
                 a SID for 'name' in the following order:

                 1. built-in accounts and well-known SIDs
                 2. local accounts
                 3. primary domain
                 4. trusted domains

                 b) SID string

Domain:          Name of a domain (NetBIOS or DNS name).

Permission:      Permission to set. Validity of permissions depends on the
                 object type (see below). Comma separated list.

                 Example:    'read,write_ea,write_dacl'

IsSID:           Is the trustee name a SID?

                 y:          Yes
                 n:          No

DisplaySID:      Display trustee names as SIDs?

                 y:          Yes
                 n:          No
                 b:          Both (names and SIDs)

Inheritance:     Inheritance flags for the ACE. This may be a comma separated
                 list containing the following:

                 so:         sub-objects
                 sc:         sub-containers
                 np:         no propagation
                 io:         inherit only

                 Example:    'io,so'

Mode:            Access mode of this ACE:

                 a) DACL:

                 set:        Replace all permissions for given trustee by
                             those specified.
                 grant:      Add permissions specified to existing permissions
                             for given trustee.
                 deny:       Deny permissions specified.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.

                 b) SACL:

                 aud_succ:   Add an audit success ACE.
                 aud_fail:   Add an audit failure ACE.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.

Where:           Apply settings to DACL, SACL, or both (comma separated list):

                 dacl
                 sacl
                 dacl,sacl

Recursion:       Recursion settings, depends on object type:

                 a) file:

                 no:         No recursion.
                 cont:       Recurse, and process directories only.
                 obj:        Recurse, and process files only.
                 cont_obj:   Recurse, and process directories and files.

                 b) reg:

                 no:         Do not recurse.
                 yes:        Do Recurse.

Protection:      Controls the flag 'allow inheritable permissions from the
                 parent object to propagate to this object':

                 nc:         Do not change the current setting.
                 np:         Object is not protected, i.e. inherits from
                             parent.
                 p_c:        Object is protected, ACEs from parent are
                             copied.
                 p_nc:       Object is protected, ACEs from parent are not
                             copied.

Format:          Which list format to use:

                 sddl:       Standardized SDDL format. Only listings in this
                             format can be restored.
                 csv:        SetACL's csv format.
                 tab:        SetACL's tabular format.

What:            Which components of security descriptors to include in the
                 listing. (comma separated list):

                 d:          DACL
                 s:          SACL
                 o:          Owner
                 g:          Primary group

                 Example:    'd,s'

ListInherited:   List inherited permissions?

                 y:          Yes
                 n:          No

Filename:        Name of a (unicode) file used for list/backup/restore
                 operations or logging.

Keyword:         Keyword to filter object names by. Names containing this
                 keyword are not processed.

-R-E-M-A-R-K-S--------------------------------------------------------

Required parameters (all others are optional):

                 -on         (Object name)
                 -ot         (Object type)

Parameters that may be specified more than once:

                 -actn       (Action)
                 -ace        (Access control entry)
                 -trst       (Trustee)
                 -dom        (Domain)
                 -fltr       (Filter keyword)

Only actions specified by parameter(s) '-actn' are actually performed,
regardless of the other options set.

Order in which multiple actions are processed:

                 1.          restore
                 2.          clear
                 3.          trustee
                 4.          domain
                 5.          ace, setowner, setgroup, setprot
                 6.          rstchldrn
                 7.          list

-V-A-L-I-D--P-E-R-M-I-S-S-I-O-N-S-------------------------------------

a) Standard permission sets (combinations of specific permissions)

Files / Directories:

              read:          Read
              write:         Write
              list_folder:   List folder
              read_ex:       Read, execute
              change:        Change
              profile:       = change + write_dacl
              full:          Full access

Printers:

              print:         Print
              man_printer:   Manage printer
              man_docs:      Manage documents
              full:          Full access

Registry:

              read:          Read
              full:          Full access

Service:

              read:          Read
              start_stop:    Start / Stop
              full:          Full access

Share:

              read:          Read
              change:        Change
              full:          Full access

b) Specific permissions

Files / Directories:

              traverse:      Traverse folder / execute file
              list_dir:      List folder / read data
              read_attr:     Read attributes
              read_ea:       Read extended attributes
              add_file:      Create files / write data
              add_subdir:    Create folders / append data
              write_attr:    Write attributes
              write_ea:      Write extended attributes
              del_child:     Delete subfolders and files
              delete:        Delete
              read_dacl:     Read permissions
              write_dacl:    Write permissions
              write_owner:   Take ownership

Registry:

              query_val:     Query value
              set_val:       Set value
              create_subkey: Create subkeys
              enum_subkeys:  Enumerate subkeys
              notify:        Notify
              create_link:   Create link
              delete:        Delete
              write_dacl:    Write permissions
              write_owner:   Take ownership
              read_access:   Read control


Microsoft awarded me an MVP (Most Valuable Professional award) in 2004, 2005, 2006, 2007, 2008 & 2009 for the Windows SDK (Windows Installer) area.Please email me any feedback, additional information or corrections.
See this page online (look for updates)

[Top][Contents][Prev]: regperm.exe[Next]: SIDLookup.zip


MAKEMSI© is (C)opyright Dennis Bareis 2003-2008 (All rights reserved).
Saturday May 28 2022 at 3:11pm
Visit MAKEMSI's Home Page
Microsoft awarded me an MVP (Most Valuable Professional award) in 2004, 2005, 2006, 2007, 2008 & 2009 for the Windows SDK (Windows Installer) area.