Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 02, 2016, 02:05:19 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Patch to Disable ACL access-control-lists  (Read 9246 times)

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Patch to Disable ACL access-control-lists
« on: April 24, 2013, 01:09:00 AM »
I would love a system patch to disable Access Control Lists.  The patch would make the system ACE agnostic, both for files and the registry.  I don't mind using a patched system file, if that is what it takes.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #1 on: April 24, 2013, 08:07:06 AM »
Presuming we're talking Windows ACLs: why on earth would you want something like that on a live system?

For the legitimate scenarios I can think of, you'd be better of with an exFAT partition or booting to Linux to salvage data...
- carpe noctem

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #2 on: April 24, 2013, 12:59:22 PM »
"why on earth would you want something like that on a live system?"
Because I like the simplicity of not having ACLs.  I don't like having to wrestle with TrustedInstaller or other files or registry entries I don't have access to.  Even if you use SetACL to change ACE's to allow "Everyone" with a null SID owner, the system can still change ACE's in the future.

When you go to install Win7, it does not accept FAT32.  Only NTFS?  Don't know exFAT.  Either way, ACL would still exist in the registry.
« Last Edit: April 24, 2013, 01:31:39 PM by mraeryceos »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,294
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #3 on: April 24, 2013, 01:57:18 PM »
Okay, I'm speechless.

That's basically the equivalent of giving your computer AIDS ... Because the slightest hint of a bug will simply kill the then completely defenseless machine.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #4 on: April 24, 2013, 02:32:11 PM »
I don't think the viral problem is that bad.  Most viruses are spread through social engineering.  Only 3 in a decade were spread through Windows vulnerabilities, and then only if you weren't behind a NAT router.

Also, viruses spread through a land of fully ACL'd computers.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #5 on: April 25, 2013, 06:28:23 PM »
Any takers?  Want to run with this?

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,294
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #6 on: April 25, 2013, 06:42:41 PM »
I don't think the viral problem is that bad.  Most viruses are spread through social engineering.  Only 3 in a decade were spread through Windows vulnerabilities, and then only if you weren't behind a NAT router.

I'm not sure on the exact numbers, but there were definitely (many) more than 3 exploited holes in Windows. Not to mention that drivebys (infected banner/ad servers) are and have been quite common for a while. To the point where there really aren't any "safe" sites ...Everybody gets a turn in the barrel as the saying goes.


Also, viruses spread through a land of fully ACL'd computers.

Yes, but those are the ones which have users with administrative rights, UAC turned off, and some pathetic attempt at a babysitter security suite AV program running (and failing) at full tilt. The bugg, when encountered executes in the context of the current user...with all of the rights and privileges that said user has. These scenario never end well...but they do pay well. ;) ...We had two customers that actually called the FBI when that screen popped up, a third called me first to see if they should call the Feds.

On the other hand...Reduced permissions work perfectly, if the user doesn't have permission to break the machine...then neither does the bugg. I just doesn't get any simpler.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #7 on: April 25, 2013, 06:52:11 PM »
I don't think the viral problem is that bad.  Most viruses are spread through social engineering.  Only 3 in a decade were spread through Windows vulnerabilities, and then only if you weren't behind a NAT router.

I'm not sure on the exact numbers, but there were definitely (many) more than 3 exploited holes in Windows.

Between 2004 and 2011, there was Bifrost, Conficker, and Stuxnet.  You know of other successful viruses that exploited holes in Windows?  The others required social engineering.

But this is besides the point.  Leave this thread for people that want ACL disabled.  Obviously you are not one of them.  There may be some others, so don't crowd them out.  If you want to continue this off-topic conversation, send me a private message, or start a new thread where we can discuss this.
« Last Edit: April 25, 2013, 06:57:16 PM by mraeryceos »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,294
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #8 on: April 25, 2013, 07:32:23 PM »
But this is besides the point.  Leave this thread for people that want ACL disabled.  Obviously you are not one of them

That's true, I'm not. However I am a systems guy, programmer, and quite capable of effecting a solution if I feel that there is a legitimate (e.g. non malicious) need/use for it. Enjoy you thread...I'm done.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #9 on: April 25, 2013, 07:52:34 PM »
Reasons I gave before:

Quote
I would love a system patch to disable Access Control Lists.  The patch would make the system ACE agnostic, both for files and the registry.  I don't mind using a patched system file, if that is what it takes.

"why on earth would you want something like that on a live system?"
Because I like the simplicity of not having ACLs.  I don't like having to wrestle with TrustedInstaller or other files or registry entries I don't have access to.  Even if you use SetACL to change ACE's to allow "Everyone" with a null SID owner, the system can still change ACE's in the future.

I run with no security whatsoever (all my ACL's are set to allow Everyone), and the last virus I had was given to me on a CD in 1998 (chernobyl, which I took off before the payload went off).  No malicious intent here.

Look at this guy: http://answers.yahoo...0100328131102AA9hUGA
« Last Edit: April 26, 2013, 01:46:20 AM by mraeryceos »

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #10 on: April 29, 2013, 04:58:29 PM »
Awaiting a miracle...

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 675
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #11 on: April 29, 2013, 07:32:45 PM »
I have a feeling that setacl.exe could probably do what you want with regard to the file system and registry.  (The link is to the documentation, which you would surely want.)  There is also a GUI version that is a free trial for 30 days.  I did a little scripting with setacl.exe years ago and I recall being very careful in exactly what I asked it to do...

Of course I would suggest getting a very good backup of your system before applying anything.  Two copies on different devices.  And testing a full restore ahead of time.  ;)
vi vi vi - editor of the beast

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #12 on: April 29, 2013, 07:36:20 PM »
Been there, done that. I want to kill the ACL permanently.   :P

setacl -on c:\ -ot file -actn setowner -ownr "n:S-1-1-0;s:y" -rec cont_obj ; set owner EVERYONE (both this step and following step required, I guess because you need ownership first, before changing ACL)
setacl -on c:\ -ot file -actn setowner -ownr "n:S-1-0-0;s:y" -actn clear -clr "dacl,sacl" -actn ace -ace "n:s-1-1-0;p:full;s:y;i:so,sc;m:set" -actn setprot -op "dacl:np;sacl:np" -actn rstchldrn -rst "dacl,sacl" -rec cont_obj -ignoreerr ; set owner NULL SID, set full access to EVERYONE

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 675
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #13 on: April 29, 2013, 07:59:06 PM »
OK.  Looks thorough for the file system, did you make the comparable modifications to the registry permissions?

That said, I don't think it is possible to force Windows to just skip the acl check completely, is that what you're asking?
vi vi vi - editor of the beast

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #14 on: April 29, 2013, 08:02:16 PM »
Yes, that is what I'm asking.  I'm asking for someone to create a patch for system files, if there is no microsoft secret way.  I never got to the Registry part with SetACL.  I just know that Windows will change some things back, so I wanted something more thorough.

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,778
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #15 on: April 30, 2013, 02:12:17 AM »
Awaiting a miracle...
It's a passed station. They called it Windows 98.

You'd better not hook it up to the internetzzz, it'll be infected with virus or malware in a few minutes.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #16 on: April 30, 2013, 04:16:35 AM »
That was constructive.  Perhaps you meant SLAX instead of Win98.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #17 on: May 06, 2013, 11:14:29 PM »
Ping.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #18 on: May 07, 2013, 12:43:31 AM »
Just for the record, I don't believe you have malicious intents - a tool like this really wouldn't make much sense for malicious use. It would of course limit your system's resilience against malware quite a bit.

And while I don't believe there's any malicious intent, I still think it's misguided, though. But that's probably because I never really run into really vexing permission problems. I can think of perhaps three occasions over the last few years...

1) dealing with NTFS USB drive with user accounts made on another machine (and obviously in a non-domain setup).
2) doing some serious customization of Windows install images - removing and adding drivers.
3) fixing up a running Windows because I had messed up the install image too much.

Apart from that, I can't really recall any permission related problems. But I'm the kind of guy that really doesn't mind UAC popups, anyway.
- carpe noctem
« Last Edit: May 13, 2013, 12:16:27 PM by f0dder »

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #19 on: May 13, 2013, 12:11:31 PM »
Thanks for the vote of confidence.  I would still like ACL disabled.  It is one more layer of complexity that is not always necessary

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #20 on: May 23, 2013, 12:41:53 AM »
Quote from: dreamfuture
I am trying to figure out what you are trying to do is it so you can delete files or are you sick of the annoying popups.

depends on what you are trying to do you may not need to disable acl.

Ideally, the system efficiency would be improved because ACL does not exist in the registry or file system.  However, I would be willing to accept something that automatically does takeown and grants permission anytime you are denied access.  For the file system, Unlocker works most of the time... I keep it in the send-to context menu.  Perhaps something for the registry as well?

dreamfuture

  • Participant
  • Joined in 2013
  • *
  • default avatar
  • Posts: 1
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #21 on: May 23, 2013, 12:55:00 AM »
well I have had no problems with ACL but sometimes I have not been able to erase files because programs call it important but that is rare. SO I have a solution that will allow you to get rid on specific files. I saw you on freelancer.com
what are trying to do is stop a big part of NTFS itself.

you can use programs to modify NTFS permissions.

I have one you can use if you want.

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #22 on: May 23, 2013, 01:01:54 AM »
Yes, there are programs that do this.  I could even do it myself by having SetACL in the right-click context menu for all files.  I suppose I could even find some registry editing program that would have a command in the context menu to takeown+grant.  However, disabling ACL lookups by the system would be better.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #23 on: May 30, 2013, 07:14:04 AM »
Ideally, the system efficiency would be improved because ACL does not exist in the registry or file system.
I doubt you'd br able to measure any performance difference, as a lot of care has gone into optimizing & caching the ACL checks. And you wouldn't be able to get rid of the structures without some very heavy system modifications; patching AccessCheck() should be doable, though.
- carpe noctem

mraeryceos

  • Participant
  • Joined in 2010
  • *
  • Posts: 33
    • View Profile
    • Donate to Member
Re: Patch to Disable ACL access-control-lists
« Reply #24 on: May 30, 2013, 07:28:27 AM »
I don't know if disabling ACL is possible.  It may be, but I don't have a clue how to do it.  I have thought of a work-around, that doesn't disable ACL, but makes everyone a ROOT user, sort of.

The best way I can think to do this, is to follow the path of WinPE, where the only account that is functional is SYSTEM.  So in the installer for Windows (the DVD or the USB key), you would change all references of TrustedInstaller (and it's SID), to that of SYSTEM.

I don't know how you would keep the ability to have multiple users, since I think there can only be one SYSTEM account (unlike the Administrator's "group").  Maybe by changing all references to TrustedInstaller and SYSTEM to a unique member of the administrator's group?  I don't know if this would work though... it would have to be very thorough.

I don't think you could change all users to TrustedInstaller, because I'm not sure that TrustedInstaller is an actual user.  It is a "security principal", whatever that means, and I don't think it has a user profile (SYSTEM has registry hives in system32\config, and I don't know if TrustedInstaller does).

ps.  IMO, FAT32 is a more elegant (because of it's simplicity), and faster file-system than ntfs for smaller partitions (8GB and less).  I wish to state this, and not argue this with dictator mentalities, that are unwilling to look up info for themselves, and would likely refute hard data if put in their hands.
« Last Edit: June 17, 2013, 01:13:27 PM by mraeryceos »