[Box Backup-dev] Windows ACLs

Chris Wilson boxbackup-dev@fluffy.co.uk
Sun, 26 Feb 2006 23:32:44 +0000 (GMT)


Hi Charles,

>> Doesn't it make sense to try to back up and restore that DACL, just as 
>> we back up and restore file permissions on Unix?
>
> No:
>
> 1) He was restoring onto a new machine, so none of the raw SIDs would 
>    match. If we stored the names it would only work if he used the same 
>    username on the new machine.

I was considering using names instead of SIDs. If the specified user does 
not exist on the new machine, we can always report the problem to the user 
doing the restore, who presumably will know what a sensible mapping would 
be.

I also imagine that in many cases (admittedly not all), the old and new 
machines would be members of the same domain, and thus it's likely that 
most of the SIDs of files that we would consider restoring would be domain 
SIDs rather than local ones, and still valid on the new machine.

> 2) The files will automatically get their permissions from the directory 
>    they're restored into. Because of the way ACL inheritance works from 
>    Win2k onwards it's quite hard to change them to what's stored without 
>    breaking things quite badly. It's surprisingly easy to get a null 
>    DACL, which in contrast to a NULL SD actually denies access to 
>    everyone....

Sorry, what is a null DACL? Is it a DACL with no EXPLICIT_ACCESS entries? 
How does one avoid creating one?

> 3) SIDs can become orphaned - usually when users are deleted, but also 
>    temporarily if no domain controller is available. I suppose we could 
>    store a textual representation of them, but that starts getting 
>    pretty nasty.

Thanks for reminding me of this. If the SID doesn't have a user name 
mapping, could we not back up the SID, on the assumption that it may be 
restored to the same machine, and in that case we would want to restore 
the original SID, orphaned or not? If restored to a different machine, it 
would seem to make sense to warn the user, as above, and let them take 
appropriate action.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
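
The restore policy discussed in this message (keep SIDs that are still valid on the target, otherwise fall back to the stored user name, otherwise warn the person restoring), written out as an added C++ example. It is not part of the original message or of Box Backup's code, and the types, function names and sample SIDs are hypothetical.

```cpp
// Added illustration, not Box Backup code; every name below is hypothetical.
#include <iostream>
#include <map>
#include <string>

enum class Action { KeepSid, RemapByName, WarnUser };

// One ACL trustee as a backup might store it: the string SID plus the account
// name, left empty when the SID was already orphaned at backup time.
struct StoredTrustee { std::string sid, name; };

// The machine being restored onto. The accounts map stands in for a real
// name-to-SID lookup (LookupAccountName on Windows).
struct RestoreHost {
    std::string machineSid;  // issuer of this machine's local accounts
    std::string domainSid;   // empty if not joined to a domain
    std::map<std::string, std::string> accounts;  // user name -> SID
};

// Account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; dropping the RID gives
// the issuing machine or domain. Other SIDs (S-1-1-0, S-1-5-32-544) are
// well-known and identical on every machine, reported here as "".
std::string issuerOf(const std::string& sid) {
    if (sid.compare(0, 9, "S-1-5-21-") != 0) return "";
    return sid.substr(0, sid.rfind('-'));
}

// Decide what to write into the restored ACL; sidOut receives the SID to use.
Action decide(const StoredTrustee& t, const RestoreHost& h, std::string& sidOut) {
    sidOut = t.sid;
    const std::string issuer = issuerOf(t.sid);
    // Well-known, same-machine and same-domain SIDs stay valid as stored,
    // including orphaned ones restored to the machine they came from.
    if (issuer.empty() || issuer == h.machineSid ||
        (!h.domainSid.empty() && issuer == h.domainSid))
        return Action::KeepSid;
    // Foreign issuer: fall back to the stored name if that user exists here.
    auto it = t.name.empty() ? h.accounts.end() : h.accounts.find(t.name);
    if (it != h.accounts.end()) { sidOut = it->second; return Action::RemapByName; }
    return Action::WarnUser;  // let the person restoring choose a mapping
}

int main() {
    RestoreHost h{"S-1-5-21-10-20-30", "", {{"chris", "S-1-5-21-10-20-30-1005"}}};
    std::string sid;  // constructed sample SIDs, not real accounts
    Action a = decide({"S-1-5-21-1-2-3-1001", "chris"}, h, sid);
    std::cout << (a == Action::RemapByName ? "remap to " : "other: ") << sid << "\n";
}
```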