ICACL 权限如何映射到 FileSystemRights
How do ICACL permissions map to FileSystemRights
我正在编写一个脚本来从一个目录结构复制权限并将它们重新应用到另一个目录结构。我不能简单地使用 icacls \my\path\* /save file.acl /T,因为我需要在保存和恢复之间进行一些调整,为此使用 PowerShell 的 (Get-ACL $path).Access 输出更简单。
在执行此操作时,我试图映射此输出(即 FileSystemRights) to their equivalent icacls permissions;然后我将用逗号分隔的权限列表括在括号中以通过 icacls 应用。
[string[]]$rights = $InputObject.FileSystemRights -split '\s*,\s*' # note: FileSystemRights here is just a string rather than having been converted to ENUM, as I've just pulled it straight from CSV
switch ($rights) {
'AppendData' {'AD'}
#'ChangePermissions' {'?'}
#'CreateDirectories' {'?'}
'CreateFiles' {'WD'} # duplicate of WriteData
'Delete' {'DE'} # or D?
'DeleteSubdirectoriesAndFiles' {'DC'}
'ExecuteFile' {'X'}
'FullControl' {'F'}
'ListDirectory' {'RD'} #duplicate of read data
'Modify' {'M'}
'Read' {'R'} # or GR?
'ReadAndExecute' {'RX'}
'ReadAttributes' {'RA'}
'ReadData' {'RD'}
'ReadExtendedAttributes' {'REA'}
'ReadPermissions' {'RC'}
'Synchronize' {'S'}
'TakeOwnership' {'WO'}
#'Traverse' {'?'} # or does this mean to specify the /T option? Not really a permission
'Write' {'W'} # or GW?
'WriteAttributes' {'WA'}
'WriteData' {'WD'}
'WriteExtendedAttributes' {'WEA'}
Default {Write-Warning "Could not find icacls permission for file system right: '$_'"} # Note: This may also occur if we get a numeric value for the rights instead of a comma separated list of enum names. Once I've got the mapping I'll code a fix to handle that scenario too.
}
问题
我不确定上面的映射;在某些情况下,我无法计算出等效值是什么(例如 ChangePermissions、CreateDirectories、Traverse),而在其他情况下有多种可能性(例如应该 Read /Write 映射到 R/W 或 GR/GW;或者没有区别)?我检查了文档并搜索了网络,但大多数对这些权限的解释都没有比为这些缩写提供名称更详细。
其他上下文
当我说我需要进行一些调整时,我正在从旧域上的旧文件共享中导出权限,并将它们导入到新域中,因此我需要映射多个帐户从旧域的用户到新域中使用的 SID(我们有一个 SIDHistory,但我们的目标是干净地做事,而不是依赖这个长期的)。新域中也有一些组等同于旧域中的组,但没有任何关系(即它们不是从旧域迁移的;尽管它们的功能基本相同。编辑输出ICACLS 保存的信息很复杂,因为结构非常小。这并非不可能,但比我感觉舒服的多。
我需要将内容从 PS/.Net 输出映射回 icacls 格式的原因是因为目标共享位于 Azure 文件上(启用了 AADDS);所以 Set-ACL 不起作用,而 icacls 起作用。
我已经为继承部分创建了类似的逻辑:
[string[]]$if = $InputObject.InheritanceFlags -split '\s*,\s*'
[string[]]$pf = $InputObject.PropagationFlags -split '\s*,\s*'
switch ($if) {
'ContainerInherit' {'(CI)'}
'ObjectInherit' {'(OI)'}
}
switch ($pf) {
'InheritOnly' {'(IO)'}
'NoPropagateInherit' {'(NP)'}
}
if ($InputObject.IsInherited) {
'(I)'
}
对于不熟悉 PowerShell 的 switch 语句的任何人;功能能够处理数组中的每个项目;因此不需要逻辑循环遍历 $rights 中的每个权利。更多信息 here.
更新 2020-06-16 10:00
我刚刚发现有一种简单的方法可以查看 FileSystemRights 中包含重复项的位置。下面的代码标识了这些。这解决了我的 Traverse 和 CreateDirectories.
问题
[Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) |
sort |
%{[PSCustomObject]@{
Name = $_
FSR = ([System.Security.AccessControl.FileSystemRights]$_)
}} |
ft -AutoSize
这表明我可以重用一些现有值
Name FSR
---- ---
AppendData AppendData
ChangePermissions ChangePermissions
CreateDirectories AppendData <-- i.e. AD
CreateFiles CreateFiles
Delete Delete
DeleteSubdirectoriesAndFiles DeleteSubdirectoriesAndFiles
ExecuteFile ExecuteFile
FullControl FullControl
ListDirectory ReadData <-- i.e. RD
Modify Modify
Read Read
ReadAndExecute ReadAndExecute
ReadAttributes ReadAttributes
ReadData ReadData
ReadExtendedAttributes ReadExtendedAttributes
ReadPermissions ReadPermissions
Synchronize Synchronize
TakeOwnership TakeOwnership
Traverse ExecuteFile <-- i.e. X
Write Write
WriteAttributes WriteAttributes
WriteData CreateFiles <-- i.e. WD
WriteExtendedAttributes WriteExtendedAttributes
在研究如何转换我认为无效的数值时(即认为它们由枚举值组成;尽管由于某种原因在转换时无法解析 [System.Security.AccessControl.FileSystemRights]268435456),我遇到了 this post, then from that found this one.
鉴于那里的信息,以及我在之前更新中发现的重复值,我现在将映射写成这样:
[string[]]$rights = $InputObject.FileSystemRights -split '\s*,\s*' # note: FileSystemRights here is just a string rather than having been converted to ENUM, as I've just pulled it straight from CSV
switch ($rights) {
'-2147483648' {'GR'}
'268435456' {'GA'}
'536870912' {'GE'}
'1073741824' {'GW'}
'AppendData' {'AD'}
'ChangePermissions' {'WDAC'}
'CreateDirectories' {'AD'} # duplicate of AppendData
'CreateFiles' {'WD'} # duplicate of WriteData
'Delete' {'DE'} # or D?
'DeleteSubdirectoriesAndFiles' {'DC'}
'ExecuteFile' {'X'}
'FullControl' {'F'}
'ListDirectory' {'RD'} # duplicate of read data
'Modify' {'M'}
'Read' {'R'}
'ReadAndExecute' {'RX'}
'ReadAttributes' {'RA'}
'ReadData' {'RD'}
'ReadExtendedAttributes' {'REA'}
'ReadPermissions' {'RC'}
'Synchronize' {'S'}
'TakeOwnership' {'WO'}
'Traverse' {'X'} # duplicate of ExecuteFile
'Write' {'W'}
'WriteAttributes' {'WA'}
'WriteData' {'WD'}
'WriteExtendedAttributes' {'WEA'}
Default {Write-Warning "Could not find icacls permission for file system right: '$_'"} # Note: This may also occur if we get a numeric value for the rights instead of a comma separated list of enum names. Once I've got the mapping I'll code a fix to handle that scenario too.
}
为了解决对 WDAC 的 ChangePermissions,我只使用 Get-ACL 和 Set-ACL 仅将 ChangePermissions 访问权限分配给文件夹上的唯一用户,然后使用 icacls查询该文件夹的权限。
我正在编写一个脚本来从一个目录结构复制权限并将它们重新应用到另一个目录结构。我不能简单地使用 icacls \my\path\* /save file.acl /T,因为我需要在保存和恢复之间进行一些调整,为此使用 PowerShell 的 (Get-ACL $path).Access 输出更简单。
在执行此操作时,我试图映射此输出(即 FileSystemRights) to their equivalent icacls permissions;然后我将用逗号分隔的权限列表括在括号中以通过 icacls 应用。
[string[]]$rights = $InputObject.FileSystemRights -split '\s*,\s*' # note: FileSystemRights here is just a string rather than having been converted to ENUM, as I've just pulled it straight from CSV
switch ($rights) {
'AppendData' {'AD'}
#'ChangePermissions' {'?'}
#'CreateDirectories' {'?'}
'CreateFiles' {'WD'} # duplicate of WriteData
'Delete' {'DE'} # or D?
'DeleteSubdirectoriesAndFiles' {'DC'}
'ExecuteFile' {'X'}
'FullControl' {'F'}
'ListDirectory' {'RD'} #duplicate of read data
'Modify' {'M'}
'Read' {'R'} # or GR?
'ReadAndExecute' {'RX'}
'ReadAttributes' {'RA'}
'ReadData' {'RD'}
'ReadExtendedAttributes' {'REA'}
'ReadPermissions' {'RC'}
'Synchronize' {'S'}
'TakeOwnership' {'WO'}
#'Traverse' {'?'} # or does this mean to specify the /T option? Not really a permission
'Write' {'W'} # or GW?
'WriteAttributes' {'WA'}
'WriteData' {'WD'}
'WriteExtendedAttributes' {'WEA'}
Default {Write-Warning "Could not find icacls permission for file system right: '$_'"} # Note: This may also occur if we get a numeric value for the rights instead of a comma separated list of enum names. Once I've got the mapping I'll code a fix to handle that scenario too.
}
问题
我不确定上面的映射;在某些情况下,我无法计算出等效值是什么(例如 ChangePermissions、CreateDirectories、Traverse),而在其他情况下有多种可能性(例如应该 Read /Write 映射到 R/W 或 GR/GW;或者没有区别)?我检查了文档并搜索了网络,但大多数对这些权限的解释都没有比为这些缩写提供名称更详细。
其他上下文
当我说我需要进行一些调整时,我正在从旧域上的旧文件共享中导出权限,并将它们导入到新域中,因此我需要映射多个帐户从旧域的用户到新域中使用的 SID(我们有一个 SIDHistory,但我们的目标是干净地做事,而不是依赖这个长期的)。新域中也有一些组等同于旧域中的组,但没有任何关系(即它们不是从旧域迁移的;尽管它们的功能基本相同。编辑输出ICACLS 保存的信息很复杂,因为结构非常小。这并非不可能,但比我感觉舒服的多。
我需要将内容从 PS/.Net 输出映射回 icacls 格式的原因是因为目标共享位于 Azure 文件上(启用了 AADDS);所以 Set-ACL 不起作用,而 icacls 起作用。
我已经为继承部分创建了类似的逻辑:
[string[]]$if = $InputObject.InheritanceFlags -split '\s*,\s*'
[string[]]$pf = $InputObject.PropagationFlags -split '\s*,\s*'
switch ($if) {
'ContainerInherit' {'(CI)'}
'ObjectInherit' {'(OI)'}
}
switch ($pf) {
'InheritOnly' {'(IO)'}
'NoPropagateInherit' {'(NP)'}
}
if ($InputObject.IsInherited) {
'(I)'
}
对于不熟悉 PowerShell 的 switch 语句的任何人;功能能够处理数组中的每个项目;因此不需要逻辑循环遍历 $rights 中的每个权利。更多信息 here.
更新 2020-06-16 10:00
我刚刚发现有一种简单的方法可以查看 FileSystemRights 中包含重复项的位置。下面的代码标识了这些。这解决了我的 Traverse 和 CreateDirectories.
[Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) |
sort |
%{[PSCustomObject]@{
Name = $_
FSR = ([System.Security.AccessControl.FileSystemRights]$_)
}} |
ft -AutoSize
这表明我可以重用一些现有值
Name FSR
---- ---
AppendData AppendData
ChangePermissions ChangePermissions
CreateDirectories AppendData <-- i.e. AD
CreateFiles CreateFiles
Delete Delete
DeleteSubdirectoriesAndFiles DeleteSubdirectoriesAndFiles
ExecuteFile ExecuteFile
FullControl FullControl
ListDirectory ReadData <-- i.e. RD
Modify Modify
Read Read
ReadAndExecute ReadAndExecute
ReadAttributes ReadAttributes
ReadData ReadData
ReadExtendedAttributes ReadExtendedAttributes
ReadPermissions ReadPermissions
Synchronize Synchronize
TakeOwnership TakeOwnership
Traverse ExecuteFile <-- i.e. X
Write Write
WriteAttributes WriteAttributes
WriteData CreateFiles <-- i.e. WD
WriteExtendedAttributes WriteExtendedAttributes
在研究如何转换我认为无效的数值时(即认为它们由枚举值组成;尽管由于某种原因在转换时无法解析 [System.Security.AccessControl.FileSystemRights]268435456),我遇到了 this post, then from that found this one.
鉴于那里的信息,以及我在之前更新中发现的重复值,我现在将映射写成这样:
[string[]]$rights = $InputObject.FileSystemRights -split '\s*,\s*' # note: FileSystemRights here is just a string rather than having been converted to ENUM, as I've just pulled it straight from CSV
switch ($rights) {
'-2147483648' {'GR'}
'268435456' {'GA'}
'536870912' {'GE'}
'1073741824' {'GW'}
'AppendData' {'AD'}
'ChangePermissions' {'WDAC'}
'CreateDirectories' {'AD'} # duplicate of AppendData
'CreateFiles' {'WD'} # duplicate of WriteData
'Delete' {'DE'} # or D?
'DeleteSubdirectoriesAndFiles' {'DC'}
'ExecuteFile' {'X'}
'FullControl' {'F'}
'ListDirectory' {'RD'} # duplicate of read data
'Modify' {'M'}
'Read' {'R'}
'ReadAndExecute' {'RX'}
'ReadAttributes' {'RA'}
'ReadData' {'RD'}
'ReadExtendedAttributes' {'REA'}
'ReadPermissions' {'RC'}
'Synchronize' {'S'}
'TakeOwnership' {'WO'}
'Traverse' {'X'} # duplicate of ExecuteFile
'Write' {'W'}
'WriteAttributes' {'WA'}
'WriteData' {'WD'}
'WriteExtendedAttributes' {'WEA'}
Default {Write-Warning "Could not find icacls permission for file system right: '$_'"} # Note: This may also occur if we get a numeric value for the rights instead of a comma separated list of enum names. Once I've got the mapping I'll code a fix to handle that scenario too.
}
为了解决对 WDAC 的 ChangePermissions,我只使用 Get-ACL 和 Set-ACL 仅将 ChangePermissions 访问权限分配给文件夹上的唯一用户,然后使用 icacls查询该文件夹的权限。