Win32::FileSecurity doesn't show all perms?

perl coder

I'm trying to use Win32::FileSecurity to view file permissions on a
Windows XP machine. Here's my code:

use strict;
use warnings;
use Win32::FileSecurity;
use Data::Dumper;

my $file = shift @ARGV or die "Usage: $0 <filename>\n";

# Get() fills %perms with account name => numeric access mask.
my %perms;
Win32::FileSecurity::Get($file, \%perms) or die $!;
print "NTFS DACLS:\n";
print Dumper(\%perms);

# Expand each numeric mask into the names of the rights it contains.
foreach my $user (keys %perms) {
    my @rights;
    Win32::FileSecurity::EnumerateRights($perms{$user}, \@rights);
    print " *** $user : ", join(' ', @rights), "\n";
}

The script runs without errors, but it only shows permissions for 3
users. It doesn't show any perms for 'Everyone' and 'Power Users'. I
have no idea why... Here's some sample output:

NTFS DACLS:
$VAR1 = {
'BUILTIN\\Administrators' => 2032127,
'NT AUTHORITY\\SYSTEM' => 2032127,
'CRASHME\\mm' => 2032127
};
*** BUILTIN\Administrators : DELETE READ_CONTROL WRITE_DAC WRITE_OWNER
SYNCHRONIZE STANDARD_RIGHTS_REQUIRED STANDARD_RIGHTS_READ
STANDARD_RIGHTS_WRITE STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_ALL
READ CHANGE ADD FULL
*** NT AUTHORITY\SYSTEM : DELETE READ_CONTROL WRITE_DAC WRITE_OWNER
SYNCHRONIZE STANDARD_RIGHTS_REQUIRED STANDARD_RIGHTS_READ
STANDARD_RIGHTS_WRITE STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_ALL READ
CHANGE ADD FULL
*** CRASHME\mm : DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED STANDARD_RIGHTS_READ STANDARD_RIGHTS_WRITE
STANDARD_RIGHTS_EXECUTE STANDARD_RIGHTS_ALL READ CHANGE ADD FULL

Ultimately I want to use this code to find out if a given user has read
access to a given file. For instance, I may wish to know if user 'fred'
can read the file "C:\Documents and Settings\joe\my_precious.txt", and
with the above code I won't be able to know because 'fred' would fall in
the 'Everyone' group, which isn't listed. :-(

Oh, one last question, while I'm on a roll. ;-) I'm very new to the
Windows world, and have almost zero understanding of the ACL system.
I've tried reading various docs and googling around but haven't found
much good info. But what I understand so far is that if someone has
READ access to a file, they can view the data inside. Is this correct?
Or do they also need GENERIC_READ access as well?
 
Bill

perl said:
Oh, one last question, while I'm on a roll. ;-) I'm very new to the
Windows world, and have almost zero understanding of the ACL system.
I've tried reading various docs and googling around but haven't found
much good info. But what I understand so far is that if someone has
READ access to a file, they can view the data inside. Is this correct?
Or do they also need GENERIC_READ access as well?

GENERIC_READ is just the logical OR mask of all the Win32 read
permission types, sort of :).

See this:

http://www.develop.com/kbrown/book/html/whatis_permission.html
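
An added example, not part of either post: a pure-Perl model of how an ordered list of allow/deny ACEs decides whether a user such as 'fred', who is only covered through 'Everyone', gets read access, including the mapping of GENERIC_READ to the specific file read rights. It goes beyond the thread by walking the ACE list in general; the bit values are the standard ones from the Windows SDK header winnt.h, while the sub names, the 'CRASHME\guest' account and the sample DACL are constructed for illustration.

```perl
use strict;
use warnings;

# Access-right bit values from the Windows SDK headers (winnt.h).
use constant {
    FILE_READ_DATA       => 0x00000001,
    FILE_READ_EA         => 0x00000008,
    FILE_READ_ATTRIBUTES => 0x00000080,
    READ_CONTROL         => 0x00020000,   # same value as STANDARD_RIGHTS_READ
    SYNCHRONIZE          => 0x00100000,
    GENERIC_READ         => 0x80000000,
};
# The specific rights that GENERIC_READ is mapped to for file objects.
use constant FILE_GENERIC_READ =>
    FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE;

# Hypothetical helper: replace the generic bit with the rights it stands for.
sub map_generic {
    my ($mask) = @_;
    $mask = ($mask & ~GENERIC_READ) | FILE_GENERIC_READ if $mask & GENERIC_READ;
    return $mask;
}

# Hypothetical helper: walk the ACEs in order. Only ACEs whose trustee is one
# of the caller's identities count; a deny ACE that hits a still-missing bit
# ends the check; allow ACEs accumulate until every wanted bit is granted.
sub access_granted {
    my ($aces, $identities, $wanted) = @_;
    my %is_member = map { ( lc($_) => 1 ) } @$identities;
    my $missing   = map_generic($wanted);
    for my $ace (@$aces) {
        my ($type, $trustee, $mask) = @$ace;
        next unless $is_member{ lc $trustee };
        $mask = map_generic($mask);
        return 0 if $type eq 'deny' && ($mask & $missing);
        $missing &= ~$mask if $type eq 'allow';
        return 1 if $missing == 0;
    }
    return 0;    # nothing granted the remaining bits: implicit deny
}

# Constructed DACL (not read from a real file); 2032127 is the mask from the sample output.
my @dacl = (
    [ deny  => 'CRASHME\\guest',          FILE_READ_DATA ],
    [ allow => 'BUILTIN\\Administrators', 2032127 ],
    [ allow => 'Everyone',                GENERIC_READ ],
);
for my $who ('fred', 'guest') {
    my $ok = access_granted(\@dacl, [ "CRASHME\\$who", 'Everyone' ], FILE_GENERIC_READ);
    printf "%-5s : %s\n", $who, $ok ? 'read allowed' : 'read denied';
}
```

This models the ACE walk only; the real Windows access check also takes file ownership and privileges into account.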