[Box Backup-dev] Windows ACLs

[Charles Lecklider]

Chris Wilson wrote:
> Hi Charles,
> 
>>> Can't you use a Windows API to serialise and deserialise the ACLs?
>>
>> Not if you want to stand a chance of applying them on a machine other
>> than the original, no.
>>
>> The only time I can see storing Windows ACLs has any use is if you
>> want to backup an entire machine so that you can restore it as a whole
>> later, and I'm not at all sure that's a role for Box.
> 
> In the example that Pete gave, he needed to restore the data files for
> some tax software that had been lost in a hard disk crash. Presumably
> those files had a DACL on them to protect them from being read by other
> users. Doesn't it make sense to try to back up and restore that DACL,
> just as we back up and restore file permissions on Unix?

No:

1) He was restoring onto a new machine, so none of the raw SIDs would
match. If we stored the names it would only work if he used the same
username on the new machine.

2) The files will automatically get their permissions from the directory
they're restored into. Because of the way ACL inheritance works from
Win2k onwards it's quite hard to change them to what's stored without
breaking things quite badly. It's surprisingly easy to get a null DACL,
which in contrast to a NULL SD actually denies access to everyone....

3) SIDs can become orphaned - usually when users are deleted, but also
temporarily if no domain controller is available. I suppose we could
store a textual representation of them, but that starts getting pretty
nasty.

-C