cacls

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Jon Kolbert (talk | contribs) at 06:18, 26 August 2017 (Updating links from HTTP→HTTPS for Microsoft TechNet). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In computing, cacls and its replacement, icacls, are Microsoft Windows native command line utilities capable of displaying and modifying the security descriptors on folders and files. An access control list is a list of permissions for a securable object, such as a file or folder, that controls who can access it.

cacls

The cacls.exe utility is a deprecated command line editor of directory and file security descriptors in Windows NT 3.5 and later operating systems of the Windows NT family. Microsoft has produced the following newer utilities, some also subsequently deprecated, that offer enhancements to support changes introduced with version 3.0 of the NTFS filesystem:

  • xcacls.exe[1][2][3][4] is supported by Windows 2000 and later and adds new features like setting Execute, Delete and Take Ownership permissions
  • xcacls.vbs[5][6]
  • fileacl.exe[7]
  • icacls.exe (included in Windows Server 2003 SP2 and later)[8][9]
  • SubInAcl.exe - Resource Kit utility to set and replace permissions on various types of objects including files, services and registry keys
  • Windows PowerShell (Get-Acl[10] and Set-Acl[11] cmdlets)

icacls

The name icacls stands for Integrity Control Access Control List. Windows Server 2003 Service Pack 2 and later include icacls, an in-box command-line utility that can display, modify, back up and restore ACLs for files and folders, and can set integrity levels and ownership in Vista and later versions. It is not a complete replacement for cacls, however. For example, it does not support Security Descriptor Definition Language (SDDL) syntax directly via command line parameters (only via the /restore option).

Problems

All known versions of icacls have a serious bug:[12] on objects with protected ACLs, icacls

  • ignores this protection,
  • resets/destroys the protection and
  • applies/propagates the inheritable permissions from the parent to the object and its children.
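A defensive check for the bug described above, as an added example that is not part of the original article: it compares two ACL snapshots and reports objects whose DACL was protected before a change and is no longer protected afterwards. It assumes the snapshots were produced with icacls /save and decoded to text, with each path followed by a line holding its SDDL string; the function names and sample snapshots are constructed for illustration.

```python
import re

# In SDDL the DACL flags sit between "D:" and the first ACE:
# P = protected (SE_DACL_PROTECTED), AR / AI = auto-inherit flags.
DACL_FLAGS = re.compile(r"D:((?:P|AR|AI)*)")

def dacl_protected(sddl):
    """Return True if the DACL in this SDDL string carries the P flag."""
    match = DACL_FLAGS.search(sddl)
    return bool(match) and "P" in match.group(1)

def parse_snapshot(text):
    """Parse snapshot text (assumed layout: path line, then SDDL line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("snapshot must hold path/SDDL line pairs")
    return dict(zip(lines[0::2], lines[1::2]))

def lost_protection(before_text, after_text):
    """Paths whose DACL was protected before and is unprotected after."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    return sorted(
        path for path, sddl in before.items()
        if path in after and dacl_protected(sddl)
        and not dacl_protected(after[path])
    )

# Constructed sample snapshots (not real output).
BEFORE = r"""
finance
D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)
finance\payroll.xlsx
D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)
public
D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
"""
AFTER = r"""
finance
D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
finance\payroll.xlsx
D:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
public
D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
"""

if __name__ == "__main__":
    for path in lost_protection(BEFORE, AFTER):
        print("DACL protection lost:", path)
```

Taking one snapshot before and one after a permissions change gives the two inputs; any path reported should have its inheritance setting reviewed and restored.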

References

  1. ^ "How to use Xcacls.exe to modify NTFS permissions (Revision: 4.5)". Microsoft Support. Microsoft Corporation. 2 March 2007. Retrieved 24 December 2011.
  2. ^ "Xcacls syntax". Microsoft TechNet. Microsoft Corporation. 28 March 2003. Retrieved 30 October 2012.
  3. ^ "Windows 2000 Resource Kit Tool: Xcacls.exe". Microsoft Download Center. Microsoft Corporation. 15 May 2002. Retrieved 24 December 2011.
  4. ^ "Windows XP Service Pack 2 Support Tools". Microsoft Download Center. Microsoft Corporation. 10 August 2004. Retrieved 24 December 2011.
  5. ^ "How to use Xcacls.vbs to modify NTFS permissions (Revision: 2.4)". Microsoft Support. Microsoft Corporation. 30 October 2006. Retrieved 24 December 2011.
  6. ^ "Extended Change Access Control List Tool (Xcacls)" (2 July 2004). Microsoft Download Center. Microsoft Corporation. Retrieved 24 December 2011. Xcacls.vbs is an unsupported tool that provides additional capabilities not provided with the supported utility, Xcacls.exe.
  7. ^ "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on March 22, 2009.
  8. ^ "The Icacls.exe utility is available for Windows Server 2003 with Service Pack 2 (Revision: 4.0)". Microsoft Support. Microsoft Corporation. 9 October 2011. Retrieved 24 December 2011.
  9. ^ "Icacls". Microsoft TechNet. Microsoft Corporation. 28 September 2007. Retrieved 24 December 2011.
  10. ^ "Get-Acl". Microsoft TechNet. Microsoft Corporation. 21 April 2010. Retrieved 31 October 2012.
  11. ^ "Set-Acl". Microsoft TechNet. Microsoft Corporation. 21 April 2010. Retrieved 31 October 2012.
  12. ^ ICACLS.EXE ignores and destroys SE_DACL_PROTECTED/SE_SACL_PROTECTED