Windows: Restore ACLs from original file to backup #52987
I've been playing around with this one a bit more and have a few questions/points. I thought it best to briefly give some background into the Windows security descriptors for objects.
A security descriptor (SD) is comprised of 4 parts; a very basic description of each part is:
The second problem is around the Owner part of the SD. In Windows you can only set the owner of an object to either the current access token's user SID, or any groups in that token that has the
While running a module as a non-admin is probably not the most common scenario today, we probably don't want to be hamstrung too much by this fact. I'm wondering whether the failure to set the SD should be an error or whether we should be creating a warning. If it's the latter, we should be breaking apart each group of the SD when we go to copy it so that a failure on one would not necessarily stop the other aspects from being copied.
The last point is unrelated to the SD: when we get a failure in the Get-Acl/Set-Acl call, we currently just throw an exception; we should probably remove the backup file that was created on a failure. If we were to treat the preserving of the SD as a warning and not a failure then disregard this.
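A sketch of the per-section copy discussed in the comment above, as an added example that is not part of the original comment or the PR's code. It assumes Windows PowerShell on .NET Framework (where `[System.IO.File]::GetAccessControl` and `SetAccessControl` are static methods); the function name `Copy-FileSecurityBySection` is hypothetical, and `Write-Warning` stands in for whatever warning mechanism the module uses.

```powershell
# Added example: copy each part of a file's security descriptor separately,
# so that a failure on one part (for example Owner, or the SACL when the
# caller lacks SeSecurityPrivilege) produces a warning and does not block
# the remaining parts. Function name is hypothetical.
function Copy-FileSecurityBySection {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination
    )

    # The four parts of a security descriptor as named by .NET:
    # Owner, Group (primary group), Access (DACL), Audit (SACL).
    $results = @{}
    foreach ($name in 'Owner', 'Group', 'Access', 'Audit') {
        $section = [System.Security.AccessControl.AccessControlSections]$name
        try {
            # Read only this section from the source file.
            $sddl = [System.IO.File]::GetAccessControl($Source, $section).
                GetSecurityDescriptorSddlForm($section)

            # A fresh FileSecurity object that has only this section set,
            # so only this section is written to the destination.
            $target = New-Object -TypeName System.Security.AccessControl.FileSecurity
            $target.SetSecurityDescriptorSddlForm($sddl, $section)
            [System.IO.File]::SetAccessControl($Destination, $target)

            $results[$name] = $true
        }
        catch {
            # Warn and continue with the next section instead of throwing.
            Write-Warning ("Failed to copy the {0} section from '{1}' to '{2}': {3}" -f `
                $name, $Source, $Destination, $_.Exception.Message)
            $results[$name] = $false
        }
    }

    # Section name -> $true/$false, so the caller can decide what to report.
    return $results
}
```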