ACE Inheritance in Windows Services for UNIX (321049)

SUMMARY

If you are an administrator who manages file servers for an organization, your day-to-day tasks may include cleanup and maintenance, setting and monitoring quotas, file system backup, and other similar tasks. Many of these tasks are automated. To complete these tasks, you may want to have complete control over the data and files on a disk.

If you set inheritable access control entries (ACEs) on top-level folders, you can access newly created files and folders without relying on users to give you read/write permissions to specific folders and shares. This behavior also applies to common Internet file system (CIFS) shares.

For additional information about CIFS shares, click the article number below to view the article in the Microsoft Knowledge Base:

199072 CIFS or Public SMB Information on Common Internet File Systems

This article describes how to set ACEs for inheritance at the top level and to configure these ACEs to be honored throughout the folder hierarchy for shares that are exported over a network file system (NFS) (or a CIFS and an NFS).

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Microsoft Windows 2000 and Microsoft Windows XP support automatic propagation of inherited ACEs. ACEs that are directly applied to file system objects (explicit ACEs) have a higher priority than inherited ACEs. The directly applied ACEs are applied before any conflicting inherited ACEs.

By default, the Server for NFS service in Windows Services for UNIX 2.0 strips any existing discretionary access control list (DACL) entries and adds the following three entries:

An entry for the file owner
An entry for the primary group of the file
An entry for the built-in Everyone group

The AugmentDACL registry value controls retention behavior of ACEs that do not correspond to the owner, the group, or the Everyone group. If you turn on this registry value, Server for NFS keeps any DACL entries that do not pertain to the file owner, the file group, and the Everyone group.

In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares. When you do so, you can have full control to all securable objects in a particular file system. By default, this value is turned off. Note that you can use any set of inheritable ACEs that is specified by the administrator or user at any position in the file system hierarchy.

To turn on the KeepInheritance registry value:

Start Registry Editor (Regedt32.exe).
Locate the KeepInheritance value under the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping
On the Edit menu, click REG_DWORD, type 1, and then click OK.

NOTE: The default setting for this value is 0 (Off).
Quit Registry Editor.

The following registry values are no longer supported in Windows Services for UNIX 2.3 and later:

InhibitOwnerDenyACE
InhibitGroupDenyACE

Windows Services for UNIX 2.3 uses a new permissions translation logic, which makes these registry values obsolete.

The following registry values are no longer valid in Windows Services for UNIX 2.3 and later:

InhibitDirectoryInheritance
AugmentDACL

The functionality that these registry values controlled is now controlled by the KeepInheritance registry value in Windows Services for UNIX 2.3.

Note About the Permissions That Are Set by NFS Clients

The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client apply only to that file or folder, so the resulting ACEs do not have inheritance set.

Example

You are sharing a folder that is named "share1". It includes a single ACE that was inherited from the parent folder and that gives the Everyone group Read access. If a UNIX client runs the ls -l command, output that is similar to the following is generated:

d------r-- 2 joe users 0 Feb 20 09:51 share1

If user Joe changes the permissions to full access for everyone ( chmod 777), Joe now sees the following output:

drwxrwxrwx 2 joe users 0 Feb 20 09:51 share1

The chmod command added three new ACEs:

One ACE for Joe
One ACE for Users
One ACE for Everyone

The three ACEs grant full control to Joe and almost full control to Users and Everyone. Because KeepInheritance is enabled, a fourth ACE is also inherited that gives Everyone read access. The three new ACEs do not have inheritance enabled because permissions that are set by using NFS only apply to the file or folder that they are set for. Suppose that Joe now creates a file that is named "unix1" in the share1 folder. Because Joe is on a UNIX-based computer, the "umask" determines what the permissions are. Suppose the umask causes the permissions to be set to read/write access for Joe and read access for the group Users. The server for NFS will create three ACEs:

A Modify ACE for Joe
A Read ACE for Users
The inherited Read ACE for Everyone

The entry will look similar to this:

rw-r--r-- 2 joe users 56 Feb 20 09:51 unix1

Now suppose Windows user Bob creates a file that is named "win1". By default, the file is constructed with ACEs that are inherited from the parent folder. In this case, only the original Everyone ACE is inheritable, so the new file has only the single ACE. User Joe on the UNIX client will see the following permissions for the win1 file:

------r-- 2 bob users 23 Feb 20 09:51 win1

If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from Windows because the permissions that are set by NFS clients only apply to the folder itself.