However, this is a perl CGI script running on IIS and it won't let me do that for security reasons. Therefore, I need to do it through Perl. Can this be done?

What makes you think that a Perl script would be able to do it, if the system utilities can not? The Perl script would be running under the same user ID and so be subject to the same restrictions.

Let me say that having your webserver grant Everyone execute permissions on (presumably uploaded) files seems like a recipe for disaster. If you do this, and get hacked as a result, be it on your own head. You are warned!

Like you, I've had trouble with both the modules you tried. They do not preserve the explicit ordering of ACLs. Ie:

Explicit denials
Explicit grants
Inherited denials
Inherited grants
[download]

Unless you arrange to do this yourself in your perl code, that can cause significant troubles. Even cacls.exe got that wrong! (X|I)cacls get that right for you.

If you really need to have this initiated by the CGI, then I would seriously consider writing a "permissions server" that: opens a port; only accepted connections from the local host; runs under an account/group with just enough authority to run (X|I)cacls to achieve your needs.

But once again, please think very carefully about granting execute permissions to uploaded files.

You asked "what makes you think that a Perl script would be able to do it, if the system utilities can not"? The answer is because as stated in the original post, the commented line that sets the permissions works. It just replaces all the permissions with what I set and that is not desirable. I just can't figure out how to modify the existing permissions. I have security taken care of so that is not the issue. The issue is can Perl be used to modify existing NTFS permissions? I'm beginning to think it just isn't possible and that is certainly disappointing.

The answer is because as stated in the original post, the commented line that sets the permissions works.

If your perl script has sufficient authority to modify the permissions, then it has sufficient authority to use (I|X)cacls.exe to modify those permissions.

I just can't figure out how to modify the existing permissions.

Which is why I suggested you use (I|X)cacls to do the job. Because they are easier to figure out. And they are less likely to screw up existing permissions as you add new ones.

I'm beginning to think it just isn't possible and that is certainly disappointing.

It is possible. It's just quite hard to get right. In general, when modifying bitmapped values, the process is:

$toAdd = (BIT1 | BIT4 | BIT7);
$old = getOld( X );
$new = $old | $toAdd;
put( X, $new );
[download]

---

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

"Too many [] have been sedated by an oppressive environment of political correctness and risk aversion."

Is there a read permission command? With many other things, you need to read the existing, apply your changes, and write them back out. Is this one of those things?

--MidLifeXis

The tomes, scrolls etc are dusty because they reside in a dusty old house, not because they're unused. --hangon in this post