Question

I have a question regarding ACLs on a network filesystem.

Basically, I want to set a permission on a top level folder object that has potentially 100,000+ file and folder objects below it. I want the permission to be inheritable via all sub folders and sub files (i.e. 'Applies to files, folders, and subfolders' is true).

I don't want to trash any existing inheritable permissions (i.e. 'Replace all child object permissions with inheritable permissions from this object' is false).

So, when I run a Set-ACL, SetACL.exe, XCACLS.vbs, or even use the Windows GUI, it takes a very long time for the process to complete - obviously due to the large size of the sub directory.

I'm used to this now, BUT:

I wanted to know - why exactly is this?

At the end of the day, aren't I only writing one ACE on one single folder object?

  • I'm not traversing the directory;
  • I'm not modifying the individual ACLs on the sub files and folders (I don't think); and
  • I'm not replacing permissions

I assumed that if you accessed the sub folder/file object, it would check its explicit ACEs to see if you had permissions, and if you didn't have it, it would then check for any inheritable permissions (from parent folder objects) that might give you access.

So, does setting an inheritable permission also cause a new, individual ACE to be written to every single sub file and folder, even though you are technically only setting one ACE at the top level?

Is there any way to set an ACE at the top level and not have the command go and enumerate through the whole sub directory? I'm looking to do this quickly and efficiently on a massive amount of files and folders.

I hope this makes sense. Look forward to any suggestions.

Rhys.


Solution

Inherited permissions (like explicit ones) are set at folder/file level in the bit mask of the security descriptor, in the flag bit field (more info). That's why setting permissions at the parent folder level that propagate to children (inheritance) may take a long time, depending on how many children are affected.

Based on this, the answer is no: you cannot set an ACE at the top level and not have the command go and enumerate through the whole sub directory.

You can test whether setting explicit ACLs programmatically on all children is faster than the inheritance process.
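An added example (not from the question or the answer) that shows the point on a small constructed tree: one inheritable ACE is added at the root with Set-Acl, then each child's own DACL is read back to show it now carries an inherited copy of that ACE. It assumes Windows PowerShell on NTFS; the identity BUILTIN\Users, the rights chosen and the temp-folder layout are the example's own choices.

```powershell
# Added example, not the original poster's code. Builds a tiny tree under %TEMP%,
# adds ONE inheritable ACE at the root (no "replace child permissions"), and then
# shows that every child now holds its own copy flagged IsInherited = $true,
# which is why propagation time scales with the number of children.
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
1..3 | ForEach-Object {
    $d = New-Item -ItemType Directory -Path (Join-Path $root "sub$_")
    1..2 | ForEach-Object { New-Item -ItemType File -Path (Join-Path $d "f$_.txt") | Out-Null }
}

# Constructed ACE: BUILTIN\Users / ReadAndExecute, applies to this folder,
# subfolders and files (ContainerInherit + ObjectInherit, no propagation limits).
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Users',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add (not replace) the rule on the root only; Set-Acl does the propagation.
$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
$elapsed = Measure-Command { Set-Acl -Path $root -AclObject $acl }
"Set-Acl on root took {0:N0} ms" -f $elapsed.TotalMilliseconds

# Read each child's own security descriptor: the rule is present on every one,
# marked as inherited, even though we only touched the root.
Get-ChildItem -Path $root -Recurse | ForEach-Object {
    $entry = (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.IsInherited }
    [pscustomobject]@{
        Path         = $_.FullName.Substring($root.Length + 1)
        HasInherited = [bool]$entry
        Rights       = $entry.FileSystemRights
    }
} | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Running the same script against a much larger constructed tree makes the elapsed time grow with the child count, which is the behaviour the question describes.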

Licensed under: CC-BY-SA with attribution