This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 18%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Hi,
By setting , via Win32 API , following permissions on a file
Everyone group : deny GENERIC_READ , GENERIC_WRITE , GENERIC_EXECUTE
Onwer User : allow GENERIC_READ , GENERIC_WRITE , GENERIC_EXECUTE
then , when trying to acces to file ( i.e. for editing ) error coe 05 (access denied) is returned .
It looks like the group permissions has precedence on user permissions.
Is it right ?
(By setting Everyone group : allow GENERIC_READ , GENERIC_WRITE , GENERIC_EXECUTE , error 0x05 disappears)
Thx for help.
Regards,
J.P.
A properly constructed security descriptor contains Access Control Entries (ACEs) in a specified order. This is known as the canonical order. You can see the proper ordering by referring to Order of ACEs in a DACL. Notably, deny ACEs take precedence over allow ACEs.
And as an afterthought, group permissions do not take precedence over user permissions.
What I've checked is :
Everyone group precedes user owner of the file : by disabling permissions for Everyone then file is no more accessible even by the owner of the file .
My understanding is that "EveryOne" group on Windows has not the same meaning as "Others" group in Unix world.
disabling permissions for Everyone then file is no more accessible even by the owner of the file .
I don't know what this means. Be specific. Did you remove permissions from an access allowed ace or use an access denied ace?
Also, read this -- How AccessCheck Works
I did that by using two different ways (result is identical) :
use an access denied ace via win32 API or by right clicking in File Properties and disabling these permissions for Everyone group.
As we've already seen a deny ACE takes precedence over an allow ACE so that is a non-issue.
On the other hand, if the security descriptor includes an ACE that grants access to the file owner then the presence of an ACE for the Everyone group that does not grant any access has no effect.
Security descriptor for a file owned by rlwa32 -
Demonstration of user RLWA32 accessing the file -
So your earlier comment doesn't make sense to me. Perhaps you are doing something different from what I expect from your comment.
Hi,
Thx for explanation.
J.P.
You're welcome. Has my Answer and related comments resolved your question about how Windows uses security descriptors?
I'm not able to get None in the Everyone Access column
On my side , I'm only able to see an Everyone line if I allow Read at least
I'm not able to get None in the Everyone Access column
I wrote a small program that created the security descriptor using the Windows API. Then the program created a new file and specified that it should have that security descriptor.
If the security settings for the file are subsequently edited using the file's properties->security UI then the editor removes the Everyone ace.
O.K.
I'll do it in the same way .
Setting these ACES , in the security descriptor :
grfAccessPermission = GENERIC_ALL , grfAccessMode=SET_ACCESS for the owner
grfAccessPermission =GENERIC_ALL , grfAccessMode=DENY_ACESS for EveryOne
Is it correct ?
Thx
O.K.
I"ll do it in the same way :
Setting these ACES in the file security descriptor
grfAccessPermissions = GENERIC_ALL , grfAccessMode =SET_ACCESS for the owner
grfAccessPermissions =GENERIC_ALL , grfAccessMode =DENY_ACCESS for EveryOner
Am I right ?
Thx
This is what is used in the EXPLICIT_ACCESSW structure for Everyone -
ea[0].grfAccessMode = GRANT_ACCESS;
ea[0].grfAccessPermissions = 0;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.ptstrName = reinterpret_cast<LPWCH>(everyone);
Would you like me to post the sample program for you to reference?
Sure.
It would be great
Thx
Sample code follows -
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include <AclAPI.h>
#include <stdio.h>
int main()
{
SECURITY_DESCRIPTOR descriptor{};
PACL pDacl{};
PTOKEN_USER ptu{};
BYTE system[SECURITY_MAX_SID_SIZE]{}, everyone[SECURITY_MAX_SID_SIZE]{};
DWORD cbsystem{ SECURITY_MAX_SID_SIZE }, cbeveryone{ SECURITY_MAX_SID_SIZE };
DWORD ReturnLength{}, result{};
EXPLICIT_ACCESSW ea[3]{};
SECURITY_ATTRIBUTES sa{ sizeof sa, &descriptor, FALSE };
HANDLE hFile{}, hHeap{};
hHeap = GetProcessHeap();
GetTokenInformation(GetCurrentProcessToken(), TokenUser, nullptr, 0, &ReturnLength);
ptu = static_cast<PTOKEN_USER>(HeapAlloc(hHeap, HEAP_ZERO_MEMORY, ReturnLength));
if (!ptu)
{
printf_s("Memory allocation failed!");
goto exit;
}
if (!GetTokenInformation(GetCurrentProcessToken(), TokenUser, ptu, ReturnLength, &ReturnLength))
{
printf_s("GetTokenInformation failed with %d\n", GetLastError());
goto exit;
}
if (!CreateWellKnownSid(WinLocalSystemSid, nullptr, system, &cbsystem) ||
!CreateWellKnownSid(WinWorldSid, nullptr, everyone, &cbeveryone))
{
printf_s("CreateWellKnownSid failed with %d\n", GetLastError());
goto exit;
}
ea[0].grfAccessMode = GRANT_ACCESS;
ea[0].grfAccessPermissions = 0;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.ptstrName = reinterpret_cast<LPWCH>(everyone);
ea[1].grfAccessMode = GRANT_ACCESS;
ea[1].grfAccessPermissions = GENERIC_ALL;
ea[1].grfInheritance = NO_INHERITANCE;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.ptstrName = reinterpret_cast<LPWCH>(system);
ea[2].grfAccessMode = GRANT_ACCESS;
ea[2].grfAccessPermissions = GENERIC_ALL;
ea[2].grfInheritance = NO_INHERITANCE;
ea[2].Trustee.TrusteeType = TRUSTEE_IS_USER;
ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[2].Trustee.ptstrName = reinterpret_cast<LPWCH>(ptu->User.Sid);
result = SetEntriesInAclW(ARRAYSIZE(ea), ea, nullptr, &pDacl);
if (result != ERROR_SUCCESS)
{
printf_s("SetEntriesInAclW failed with %d\n", result);
goto exit;
}
if (!InitializeSecurityDescriptor(&descriptor, SECURITY_DESCRIPTOR_REVISION))
{
printf_s("InitializeSecurityDescriptor failed with %d\n", GetLastError());
goto exit;
}
if (!SetSecurityDescriptorDacl(&descriptor, TRUE, pDacl, FALSE))
{
printf_s("SetSecurityDescriptorDacl failed with %d\n", GetLastError());
goto exit;
}
if (!SetSecurityDescriptorOwner(&descriptor, ptu->User.Sid, FALSE))
{
printf_s("SetSecurityDescriptorOwner failed with %d\n", GetLastError());
goto exit;
}
if (!SetSecurityDescriptorControl(&descriptor, SE_DACL_PROTECTED, SE_DACL_PROTECTED))
{
printf_s("SetSecurityDescriptorControl failed with %d\n", GetLastError());
goto exit;
}
hFile = CreateFileW(L"Testfile.txt", GENERIC_ALL, 0, &sa, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
CHAR szText[]{ "This is a test\r\n" };
DWORD written{};
WriteFile(hFile, szText, sizeof szText, &written, nullptr);
CloseHandle(hFile);
}
exit:
if (ptu)
HeapFree(hHeap, 0, ptu);
if (pDacl)
LocalFree(pDacl);
return 0;
}
When you run the sample makes sure that the file does not already exist. The security descriptor is only applied upon new file creation.
Thx a lot for all these infos.
I think I would not have been able to understand how it works without your help.
Up to me to work on that.
Have a good day.
Regards,
J.P.
If your question has been answered and your issue resolved you could accept the answer for the benefit of others that have similar questions about how file permissions work.