ICACLS reset - all permissions get stripped
Applies to
- ONTAP 9
- ICACLS /RESET
Issue
When ACLs are reset using ICACLS /RESET on a CIFS share, all permissions, as well as the owner, get removed.
cluster1::*> vserver security file-directory show -vserver DataSvm1 -path /vol01
Vserver: DataSvm1
File Path: /vol01
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO <<<<<<< This DACL has 2 ACEs
The following command, run from a Windows client, strips all permissions from the CIFS share named "cifsShare01":
PS C:\Windows\system32> ICACLS \\10.10.21.22\cifsShare01 /Q /C /T /RESET
After resetting permissions at the root of the share, the following can be seen:
cluster1::*> vserver security file-directory show -vserver DataSvm1 -path /vol01
Vserver: DataSvm1
File Path: /vol01
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 0
UNIX Mode Bits in Text: ---------
ACLs: NTFS Security Descriptor
Control:0x8514
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
<<<<<<< Notice how all ACEs were removed from the DACL
Microsoft explains the following in DACLs and ACEs:
"If there are no ACEs in the DACL, the system does not allow access to anyone"
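The empty-DACL state shown above can be detected from the CLI output. The following Python check is an added example, not NetApp code: it parses "vserver security file-directory show" output (the two samples are trimmed copies of the outputs on this page), decodes the Control value with the standard Windows security descriptor control flags, and reports a DACL that is present but holds no ACEs. The function name audit and the verdict strings are assumptions made for illustration.

```python
import re

# Windows SECURITY_DESCRIPTOR_CONTROL bits relevant to the values on this page.
SE_DACL_PRESENT = 0x0004
CONTROL_FLAGS = {
    0x0004: "SE_DACL_PRESENT",
    0x0010: "SE_SACL_PRESENT",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x8000: "SE_SELF_RELATIVE",
}

# Constructed samples: trimmed copies of the "before" and "after" outputs above.
BEFORE = """\
File Path: /vol01
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\\Administrators
Group:BUILTIN\\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO
"""
AFTER = """\
File Path: /vol01
ACLs: NTFS Security Descriptor
Control:0x8514
Owner:BUILTIN\\Administrators
Group:BUILTIN\\Administrators
"""

def audit(output):
    """Return (path, control flag names, DACL ACE lines, verdict)."""
    path = re.search(r"^\s*File Path:\s*(\S+)", output, re.M).group(1)
    raw = re.search(r"^\s*Control:\s*(0x[0-9a-fA-F]+)", output, re.M).group(1)
    control = int(raw, 16)
    flags = [name for bit, name in CONTROL_FLAGS.items() if control & bit]
    # DACL ACEs are printed as ALLOW-... or DENY-... lines.
    aces = re.findall(r"^\s*((?:ALLOW|DENY)-\S+)", output, re.M)
    if not control & SE_DACL_PRESENT:
        # Windows semantics: a missing (NULL) DACL does not restrict access.
        verdict = "NULL DACL: no DACL present, access is not restricted"
    elif not aces:
        verdict = "EMPTY DACL: DACL present with 0 ACEs, nobody is allowed access"
    else:
        verdict = "OK: DACL has %d ACE(s)" % len(aces)
    return path, flags, aces, verdict

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```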