1E 23.11 (SaaS)

FileSystem

Core

Returns the set of permissions for a specified file or directory.

FilePath (string) : The full path of the file or directory.

Each permission is returned as a row of these values:

UserOrRole (string): A user-friendly representation of a username or role. So for example username BUILTIN\ADMINISTRATORS is the user-friendly representation of Security Id S-1-5-32-544. A Linux role is of the form Owner, Group or Others.

Inheritance (string): The inheritance properties for this permission, for example Inherited, None or "ForInheritanceOnly, FoldersInherit, FilesInherit". Currently populated for Windows and macOS.

AccessClass (string): An access class for this permission, typically Allow, Deny, Audit or Alarm.

AccessProperties (string): The access properties for this permission, for example "Read,Write,Execute", FullControl or Special.

The individual access property values are supported as follows:

FileSystem.GetFilePermissions(FilePath:"C:\\Test");

Tachyon uses the same terms as Windows Explorer, such as TakeOwnership except that it presents these attributes as single words in a comma-separated list. In addition, Windows Explorer uses the word "Special" to report complex permissions such as readExtendedAttributes, readAttributes, readPermissions, etc. Tachyon accurately reports every attribute, because "Special" says only that standard permissions are not applied to the file.

Tachyon follows the Windows Explorer example and distinguishes between Modify and FullControl. FullControl containing every right that Modify does plus ChangePerms and TakeOwnership rights. With modify rights, a user can create, delete, change, and move files within their directories. But they cannot change the permissions or change the owner of these files. This ensures that permissions set on these files, by an administrator, will remain uniform.

GetFilePermissions has been restricted to only search the local computer for the translation of SIDs into "domain\user". If the Owner/Group SID identifies a user on a domain that is not the local machine, then the SID will be stringized into the "S-1-5-21-xxx-yyy" format. The reason for this local lookup only is that the Agents involved will all be running the instruction at roughly the same time and thus this could be interpreted as a denial of service attack on the domain controllers.

For non-Windows endpoints, file mode permissions such as drwsrwsrwt are presented as minimal ACLs with the three roles Owner, Group and Other being presented. In addition, if any special modes are set for the file or directory then a Special role is also included which can include the set GID on execution, set UID on execution and sticky bit. For more information on these bits, a kapeli.com/cheat_sheets/Unix_File_Permissions.docset/Contents/Resources/Documents/indexreasnably good explaation is .

ACL support was added in the Linux 2.6 kernel and is available on a filesystem basis (ext2, ext3, ext, IBM JFS, XFS, reiserfs). Linux distributions typically offer ACL as an optional install feature, for example 'yum install acl' on Centos/Red Hat. Also, the file system will need to be mounted with the acl option. Linux ACL support is POSIX 1003.1e DS 17 compliant. This solution only offers read, write, execute permissions on a per user or per group basis, plus directory ACL attribute inheritance. The Linux solution is inferior to either MacOSX ACLs or Windows ACLs. Typically, ACLS are set using setfacl and displayed using getfacl.

ACL support is enabled by default for MacOSX Leopard onwards and the support is much richer than the Linux ACL solution, it is quite similar to Windows ACL solution. Typically, ACLs are set using chmod and displayed using ls -le. A good description of MacOSX ACL support is developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemDetails/FileSystemDetails.html#//apple_ref/doc/uid/TP40010672-CH8-SW20.

ACL support for Windows is rich and comparable to MacOSX ACL support. A good description is technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx.

A good table of operating system/file system support for ACLs is www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.1/com.ibm.itsm.client.doc/c_bac_aclsupt.html.