Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello All, I'm trying to set the NTFS permission on a file. Here is the code I have but it doesn't seem to work. What am I doing wrong?

    use Win32::FileSecurity qw(Set MakeMask);

    my $dir = 'c:/temp/test.txt';
    #Set($dir, { 'Everyone' => MakeMask( qw( READ GENERIC_READ GENERIC_EXECUTE ) ) });

    my %permissions;
    Win32::FileSecurity::Get($dir, \%permissions);
    $permissions{ 'Everyone' } = '1180095';
    Win32::FileSecurity::Set($dir, \%permissions);

By the way, the "set" line that is remarked above works fine. However, it resets all permissions. I just want to add the Everyone permission. One last note. I tried Win32::Perms and got nowhere with it. No errors, it just didn't work so I would rather use Win32::FileSecurity as I feel I am at least close with it.

Any help would be greatly appreciated. Thank you.

Replies are listed 'Best First'.
Re: Modifying NTFS File Permissions
by ikegami (Patriarch) on May 21, 2009 at 00:29 UTC

    Shouldn't that be

        Win32::FileSecurity::Get($dir, \%permissions) or die $!;
        $permissions{ 'Everyone' } = MakeMask( qw( READ GENERIC_READ GENERIC_EXECUTE ) );
        Win32::FileSecurity::Set($dir, \%permissions) or die $!;

    I get a mask of -1609432919. Where did you get 1180095 from?

      Thank you for the idea. However, I started out with something similar. It hangs for about 15 seconds and then spits out "Error handling error: 1722, LookupAccountName at noname3.pl line 10". So, still no go. Any other ideas?
Re: Modifying NTFS File Permissions
by BrowserUk (Patriarch) on May 21, 2009 at 01:08 UTC
      I completely agree. However, this is a perl CGI script running on IIS and it won't let me do that for security reasons. Therefore, I need to do it through Perl. Can this be done?
        However, this is a perl CGI script running on IIS and it won't let me do that for security reasons. Therefore, I need to do it through Perl. Can this be done?

        What makes you think that a Perl script would be able to do it, if the system utilities can not? The Perl script would be running under the same user ID and so be subject to the same restrictions.

        Let me say that having your webserver grant Everyone execute permissions on (presumably uploaded) files seems like a recipe for disaster. If you do this, and get hacked as a result, be it on your own head. You are warned!


        Like you, I've had trouble with both the modules you tried. They do not preserve the explicit ordering of ACLs. I.e.:

        1. Explicit denials
        2. Explicit grants
        3. Inherited denials
        4. Inherited grants

        Unless you arrange to do this yourself in your perl code, that can cause significant troubles. Even cacls.exe got that wrong! (X|I)cacls get that right for you.

        If you really need to have this initiated by the CGI, then I would seriously consider writing a "permissions server" that: opens a port; only accepts connections from the local host; runs under an account/group with just enough authority to run (X|I)cacls to achieve your needs.

        But once again, please think very carefully about granting execute permissions to uploaded files.


        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
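
The "permissions server" idea from the reply above, as an added example that is not code from any poster in the thread: a loopback-only listener that accepts a bare file name and runs icacls with one fixed, read-only grant. The port, the upload directory and the grant are assumptions, and the restricted account the script runs under is configured outside the code.

```perl
use strict;
use warnings;
use IO::Socket::INET;

# Assumed values, not from the thread: port, upload directory, fixed grant.
my $PORT  = 8765;
my $DIR   = 'C:\\inetpub\\uploads';
my @GRANT = ('/grant', 'Everyone:(R)');    # read only, never execute

# Accept a bare file name only: no separators, drive letters, stream
# suffixes (':') or leading dots, so a request cannot leave $DIR.
sub valid_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/;
}

# Build the argument list; the caller never supplies flags or principals.
sub icacls_args {
    my ($name) = @_;
    return ('icacls', "$DIR\\$name", @GRANT);
}

sub handle {
    my ($client) = @_;
    # One short request line; at most 128 bytes are read.
    $client->sysread(my $buf, 128) or return;
    my ($name) = split /\r?\n/, $buf;
    return print {$client} "ERR bad name\n" unless valid_name($name);
    return print {$client} "ERR no such file\n" unless -f "$DIR\\$name";
    # Arguments go as a list and the name is already validated, so the
    # request cannot add switches or shell metacharacters.
    my $rc = system(icacls_args($name));
    print {$client} ($rc == 0 ? "OK\n" : "ERR icacls failed\n");
}

sub serve {
    # Bind to loopback only, so remote hosts cannot connect at all.
    my $listener = IO::Socket::INET->new(
        LocalAddr => '127.0.0.1', LocalPort => $PORT,
        Proto     => 'tcp',       Listen    => 5,
    ) or die "listen failed: $!";
    while (my $client = $listener->accept) {
        handle($client) if $client->peerhost eq '127.0.0.1';
        close $client;
    }
}

serve() unless caller;
```

The CGI script then only needs to connect to 127.0.0.1 on the chosen port and send the file name; it never holds the right to change ACLs itself.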