23

What does this mean: 

C:\foo\> icacls .
. NT AUTHORITY\IUSR:(M)
  BUILTIN\IIS_IUSRS:(M)
  BUILTIN\IIS_IUSRS:(OI)(CI)(M)
  NT AUTHORITY\IUSR:(OI)(CI)(M)
  BUILTIN\IIS_IUSRS:(I)(OI)(CI)(RX)
  NT AUTHORITY\IUSR:(I)(OI)(CI)(RX)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)

I think the first one means that userid gets Modify permissions on the directory - which means that user can create files, or update files, or delete files. Right? What is the "NT AUTHORITY\IUSR" user? Is that really a single user ID? Is it the default IIS user ID?

ok, the second line I think refers to a group. It gets the same permissions.

What about all those lines with (I) and (OI) and so on. Please explain.

Cheeso
  • 2,159

1 Answers1

31

From the Microsoft Article on ICACLS

The entries are users and groups specific to that file (DOMAIN\USER or GROUP), the permissions listed are as follows:

SIDs may be in either numerical or friendly name form. If you use a numerical form, affix the wildcard character * to the beginning of the SID.

icacls preserves the canonical order of ACE (Access Control Entries) entries as:

  • Explicit denials
  • Explicit grants
  • Inherited denials
  • Inherited grants

Perm is a permission mask that can be specified in one of the following forms:

  1. A sequence of simple rights:
  • F (full access)
  • M (modify access)
  • RX (read and execute access)
  • R (read-only access)
  • W (write-only access)
  1. A comma-separated list in parenthesis of specific rights:
  • D (delete)
  • RC (read control)
  • WDAC (write DAC)
  • WO (write owner)
  • S (synchronize)
  • AS (access system security)
  • MA (maximum allowed)
  • GR (generic read)
  • GW (generic write)
  • GE (generic execute)
  • GA (generic all)
  • RD (read data/list directory)
  • WD (write data/add file)
  • AD (append data/add subdirectory)
  • REA (read extended attributes)
  • WEA (write extended attributes)
  • X (execute/traverse)
  • DC (delete child)
  • RA (read attributes)
  • WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:

  • (OI): object inherit
  • (CI): container inherit
  • (IO): inherit only
  • (NP): do not propagate inherit
  • (I): permission inherited from parent container

For files, the permission masks are more or less self-explanatory: R means you can read the file, X allows it to be executed (as a program), and so on.

For other kinds of objects, you will have to browse MSDN:

Inheritance rights in English:

  • (I) "Inherited": This ACE was inherited from the parent container.
  • (OI) "Object inherit": This ACE will be inherited by objects placed in this container.
  • (CI) "Container inherit": This ACE will be inherited by subcontainers placed in this container.
  • (IO) "Inherit only": This ACE will be inherited (see OI and CI), but does not apply to this object itself.
  • (NP) "Do not propagate": This ACE will be inherited by objects and subcontainers one level deep – it will not apply to things inside subcontainers.

For the file system, "container" means a folder and "object" means a file, but remember that ACLs can be set on many other kinds of objects, not all of which have a concept of "containers".

Shrout1
  • 1,114
MaQleod
  • 13,258