1 Vote
DennisA-3739 asked DennisA-3739 answered

CopyFileEx and ATTRIBUTE_SECURITY_INFORMATION

I've noticed that since Windows 8, CopyFileEx is documented as copying DACLs along with the file itself; this was not the case in Windows 7. The Microsoft documentation I found for CopyFileEx notes that "Security resource properties for the existing file are not copied to the new file until Windows 8 and Windows Server 2012."

What I cannot find is any way to disable this behavior. No flags or settings in CopyFileEx. This is problematic because:

  • I'm running in a Workgroup environment, not Domain

  • ACLs for files have both Well-Known (WKS) and Machine-Specific SIDs (MSS). The WKS are not a problem, but the MSS won't translate across the network.

  • The "old behavior" was for a file to take its ACLs from the folder into which it was copied, which is the behavior I'd like to restore!

  • I've written code to accomplish translating MSS between machines, so I can copy ACLs when I need to.

Perhaps I misunderstand what it means to copy the ATTRIBUTE_SECURITY_INFORMATION for a file. The only documentation I've found is for SECURITY_INFORMATION, which talks about ATTRIBUTE_SECURITY_INFORMATION as a value to set when reading or writing SACL ACE entries. If the ACLs are actually not copied, then my code will work. If they are copied, then I'd appreciate any documented or verified ways to keep CopyFileEx from copying the ACLs with the file.

Thanks!



windows-api

0 Votes
DennisA-3739 answered

Well, before doing the work to change my code, I decided to run some tests. I used my code to add files to two different directories, one on the same drive and one on a different drive.

Quick answer: CopyFileEx is NOT copying the ACLs from the Source directory/drive to the Target, be it on the same or a different drive.

So despite the documentation, I can keep using my code as-is and it will work as designed.
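
One way to repeat the test described in this answer, as an added example that is not part of the original post or the poster's own code: it calls CopyFileEx through P/Invoke from PowerShell and reports whether a marker ACE placed on the source appears as an explicit ACE on the copy. The scratch directory under `%TEMP%` and the use of the built-in Guests SID (S-1-5-32-546) as the marker are assumptions.

```powershell
# Added example: the scratch directory and the marker SID are constructed test values.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CopyFileEx(string existingFileName, string newFileName,
    IntPtr progressRoutine, IntPtr data, IntPtr cancel, uint copyFlags);
'@

$root   = Join-Path $env:TEMP 'copyfileex-acl-test'
$srcDir = Join-Path $root 'src'
$dstDir = Join-Path $root 'dst'
New-Item -ItemType Directory -Path $srcDir, $dstDir -Force | Out-Null
$src = Join-Path $srcDir 'sample.txt'
$dst = Join-Path $dstDir 'sample.txt'
Set-Content -Path $src -Value 'acl copy test'

# Put one explicit ACE on the source that the destination folder does not carry.
$marker = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-546')  # BUILTIN\Guests
$acl = Get-Acl -Path $src
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($marker, 'Read', 'Allow'))
Set-Acl -Path $src -AclObject $acl

# Copy with no progress routine, no cancel flag and no copy flags.
$ok = [Win32.Native]::CopyFileEx($src, $dst, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, 0)
if (-not $ok) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CopyFileEx failed with Win32 error $err"
}

# Read back only the explicit (non-inherited) ACEs on the copy, keyed by SID.
$dstAcl   = Get-Acl -Path $dst
$explicit = @($dstAcl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]))
[pscustomobject]@{
    SourceDacl       = (Get-Acl -Path $src).GetSecurityDescriptorSddlForm('Access')
    CopyDacl         = $dstAcl.GetSecurityDescriptorSddlForm('Access')
    CopyIsProtected  = $dstAcl.AreAccessRulesProtected
    ExplicitAceCount = $explicit.Count
    MarkerAceCopied  = [bool]($explicit | Where-Object { $_.IdentityReference.Value -eq $marker.Value })
} | Format-List

Remove-Item -Path $root -Recurse -Force
```

An `ExplicitAceCount` of 0 with `MarkerAceCopied` False means the copy carries only ACEs inherited from the destination folder, which is the result reported in this answer.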


0 Votes
RLWA32-6355 answered RLWA32-6355 edited

Both SHFileOperation and IFileOperation allow you to specify that security attributes should not be copied. Also, the CopyFile2 function does not copy security attributes.


0 Votes
DennisA-3739 answered DennisA-3739 edited

Thanks @RLWA32-6355

I'm hoping for something I can use with CopyFileEx -- I make use of several of its existing options. It seems so odd that MSFT would change the API behavior under the cover without offering a flag or setting to disable that new behavior.

... though barring that, CopyFile2 would probably offer the simplest changes -- so long as MSFT doesn't change this too. It would break Win 7 compatibility though (yes I have some Win 7 boxes that are blocked from the Internet), which would be a downside (unless I dynamically load entries with LoadLibrary & GetProcAddress and vary which call I use based on the Windows version -- a fair amount of work to get around this).
