
AclFileAttributeView giving wrong information when generic permissions are on ACE

I use the AclFileAttributeView from Java7 to read the folder permissions of a Windows directory. The problem is that I'm not able to get a complete overview because the AclFileAttributeView doesn't return generic permissions like GENERIC_ALL, GENERIC_WRITE, GENERIC_READ and GENERIC_EXECUTE (the four high-order bits in the access mask). In fact, when it comes to generic permissions it gives me wrong information about other AclEntries for the same member. Let me give an example:

When I use a tool like AccessChk to list the AclEntries of c:\windows for the System account I get the following:


As you can see, the first AclEntry only applies to the folder itself and does not have the special permissions WRITE_ACL and WRITE_OWNER.
The second AclEntry applies only to subfolders and files and contains the generic permission GENERIC_ALL. This is exactly how I see it in the Security tab of Windows Explorer. Two records for the System account, one applies only to the folder (with a subset of permissions) and one applies to subfolders/files with Full control.

Now I run my java program using the following code:



This gives me the following results for the System account:

  • NT AUTHORITY\SYSTEM:READ_DATA/WRITE_DATA/APPEND_DATA/READ_NAMED_ATTRS/WRITE_NAMED_ATTRS/EXECUTE/DELETE_CHILD/READ_ATTRIBUTES/WRITE_ATTRIBUTES/DELETE/READ_ACL/WRITE_ACL/WRITE_OWNER/SYNCHRONIZE:ALLOW
  • NT AUTHORITY\SYSTEM:FILE_INHERIT/DIRECTORY_INHERIT/INHERIT_ONLY:ALLOW

The first AclEntry applies only to the folder itself and contains all the special permissions, including WRITE_ACL and WRITE_OWNER, which is not correct! The second AclEntry doesn't show any permissions, because it has GENERIC_ALL on it!

I'm not sure where this goes wrong, it seems the JRE just decodes the ACE bitmask given by the OS (sun.nio.fs.WindowsSecurityDescriptor.decode).

Has anyone ever experienced these same issues?
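Added example, not part of the original post and not the JRE's own code: a decoder for a raw ACE access mask that expands the four generic bits through the file generic mapping from winnt.h before translating to `AclEntryPermission` names, so an ACE carrying only GENERIC_ALL does not come out empty in a permission audit. The class name `GenericMaskDecoder`, the pairing of Windows rights with `AclEntryPermission` constants, and the two sample masks are assumptions constructed for illustration.

```java
import java.nio.file.attribute.AclEntryPermission;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
import static java.nio.file.attribute.AclEntryPermission.*;

public class GenericMaskDecoder {
    // Generic rights occupy the four high-order bits of the access mask (winnt.h).
    static final int GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000,
                     GENERIC_EXECUTE = 0x20000000, GENERIC_ALL = 0x10000000;
    // What each generic right stands for on a file or directory object (winnt.h).
    static final int FILE_GENERIC_READ = 0x120089, FILE_GENERIC_WRITE = 0x120116,
                     FILE_GENERIC_EXECUTE = 0x1200A0, FILE_ALL_ACCESS = 0x1F01FF;

    // Assumed pairing of specific/standard rights with AclEntryPermission names.
    static final Map<AclEntryPermission, Integer> BITS = new EnumMap<>(AclEntryPermission.class);
    static {
        BITS.put(READ_DATA, 0x1);          BITS.put(WRITE_DATA, 0x2);
        BITS.put(APPEND_DATA, 0x4);        BITS.put(READ_NAMED_ATTRS, 0x8);
        BITS.put(WRITE_NAMED_ATTRS, 0x10); BITS.put(EXECUTE, 0x20);
        BITS.put(DELETE_CHILD, 0x40);      BITS.put(READ_ATTRIBUTES, 0x80);
        BITS.put(WRITE_ATTRIBUTES, 0x100); BITS.put(DELETE, 0x10000);
        BITS.put(READ_ACL, 0x20000);       BITS.put(WRITE_ACL, 0x40000);
        BITS.put(WRITE_OWNER, 0x80000);    BITS.put(SYNCHRONIZE, 0x100000);
    }

    // Replace each generic bit with the file-specific rights it implies.
    static int expandGeneric(int mask) {
        int out = mask & 0x0FFFFFFF; // keep every non-generic bit unchanged
        if ((mask & GENERIC_READ) != 0)    out |= FILE_GENERIC_READ;
        if ((mask & GENERIC_WRITE) != 0)   out |= FILE_GENERIC_WRITE;
        if ((mask & GENERIC_EXECUTE) != 0) out |= FILE_GENERIC_EXECUTE;
        if ((mask & GENERIC_ALL) != 0)     out |= FILE_ALL_ACCESS;
        return out;
    }

    static Set<AclEntryPermission> decode(int mask) {
        int expanded = expandGeneric(mask);
        Set<AclEntryPermission> perms = EnumSet.noneOf(AclEntryPermission.class);
        for (Map.Entry<AclEntryPermission, Integer> e : BITS.entrySet())
            if ((expanded & e.getValue()) != 0) perms.add(e.getKey());
        return perms;
    }

    public static void main(String[] args) {
        // Constructed sample masks, not read from a real ACL.
        int folderOnly = FILE_ALL_ACCESS & ~(0x40000 | 0x80000); // no WRITE_DAC / WRITE_OWNER
        System.out.println("folder-only ACE : " + decode(folderOnly));
        System.out.println("inherit-only ACE: " + decode(GENERIC_ALL));
    }
}
```

Feeding the decoder the raw mask of each ACE (for example as reported by AccessChk) gives one permission set per entry, which can then be compared against what `AclFileAttributeView` reports for the same entry.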