Setting file ACLs with PowerShell, part 2


In my last post, I introduced a short little script that adjusts the security settings on a file. There are a number of fine points about PowerShell syntax and Windows security concepts that this little script relies upon, and I'm going to walk through them a little bit at a time so that you really grok what this script does.

Let's take the first line of the script today:

$dacl = (dir foo.txt).GetAccessControl()

The first thing that happens here is that the dir command runs with an argument of "foo.txt". Dir is actually an alias mapped onto a PowerShell cmdlet. You can discover this mapping via the alias command (itself an alias for Get-Alias) in PowerShell:

$ alias dir | format-table -autosize

CommandType Name Definition
----------- ---- ----------
Alias       dir  Get-ChildItem

Since we're using the file system, Get-ChildItem returns a stream of .NET objects representing files or directories, and in our case, we get a FileInfo object back. If you're ever curious what type of object a PowerShell command returns, you can pipe its output to the Get-Member cmdlet:

$ dir foo.txt | Get-Member

   TypeName: System.IO.FileInfo

...

I've elided the rest of the output from Get-Member, which conveniently lists all of the methods, properties, etc. for FileInfo. This is currently the closest you'll get to IntelliSense in PowerShell :)

So...

dir foo.txt returns a FileInfo instance. If you look at the docs for System.IO.FileInfo, you'll see that it has a method called GetAccessControl(), and we are calling that method to access the security descriptor for the file. Here's that line of code again:

$dacl = (dir foo.txt).GetAccessControl()

Note that technically I should call the variable $securityDescriptor, or perhaps $sd, because a security descriptor contains much more than a DACL. With the security descriptor you can also mess around with the owner and SACL, but that's fairly rare compared to mucking with an object's DACL, which controls who can do what to your object.

Now that we have a way to get at the access control list, we can use some cool new (well not so new anymore) functionality in .NET 2.0 (System.Security.AccessControl, baby!) to modify the DACL. In my next post, I'll talk about how we do that, along with more PowerShell syntax.
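To make the FileSecurity object concrete before the next post gets into modifying it, here is an added example (my own, not part of the original post or its script) that reads the security descriptor exactly as the post's first line does and then looks at the pieces the post names: the owner, the DACL as a list of ACEs, and the SDDL text form. It assumes Windows PowerShell on .NET Framework (where System.IO.FileInfo exposes GetAccessControl() directly) and a file named foo.txt in the current directory; the variable name $sd follows the post's own naming suggestion, and the final filter is a defender-style audit that flags ACEs granting write access to broad groups.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell / .NET Framework
# and a file foo.txt in the current directory.
$sd = (dir foo.txt).GetAccessControl()      # System.Security.AccessControl.FileSecurity

# Owner, resolved to a DOMAIN\user style name rather than a raw SID
$sd.GetOwner([System.Security.Principal.NTAccount])

# The same descriptor in SDDL, the compact text encoding Windows uses for
# security descriptors; 'Owner,Access' limits it to the owner and the DACL
$sd.GetSecurityDescriptorSddlForm('Owner,Access')

# The DACL itself: one FileSystemAccessRule per ACE, explicit and inherited
$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$rules | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Audit check: report Allow ACEs that give broad groups any form of write access
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeMask   = [System.Security.AccessControl.FileSystemRights]::Write
$rules |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask)
    } |
    ForEach-Object {
        "Broad write access on foo.txt: $($_.IdentityReference) -> $($_.FileSystemRights)"
    }
```

GetAccessRules returns inherited ACEs too (the second $true), which is usually what you want when auditing, since an over-permissive parent directory shows up on every file beneath it; pass $false there if you only care about ACEs set explicitly on this file. On newer cross-platform PowerShell the GetAccessControl() instance method is not available on FileInfo; Get-Acl returns the equivalent FileSecurity object and the rest of the example is unchanged.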



Posted Oct 24 2007, 09:37 AM by keith-brown
