Author Topic: Patch to Disable ACL access-control-lists (Read 20821 times)

mraeryceos · « **on:** April 24, 2013, 01:09 AM »

I would love a system patch to disable Access Control Lists. The patch would make the system ACE agnostic, both for files and the registry. I don't mind using a patched system file, if that is what it takes.

f0dder · « **Reply #1 on:** April 24, 2013, 08:07 AM »

Presuming we're talking Windows ACLs: why on earth would you want something like that on a live system?

For the legitimate scenarios I can think of, you'd be better of with an exFAT partition or booting to Linux to salvage data...

mraeryceos · « **Reply #2 on:** April 24, 2013, 12:59 PM »

"why on earth would you want something like that on a live system?"
Because I like the simplicity of not having ACLs. I don't like having to wrestle with TrustedInstaller or other files or registry entries I don't have access to. Even if you use SetACL to change ACE's to allow "Everyone" with a null SID owner, the system can still change ACE's in the future.

When you go to install Win7, it does not accept FAT32. Only NTFS? Don't know exFAT. Either way, ACL would still exist in the registry.

Stoic Joker · « **Reply #3 on:** April 24, 2013, 01:57 PM »

Okay, I'm speechless.

That's basically the equivalent of giving your computer AIDS ... Because the slightest hint of a bug will simply kill the then completely defenseless machine.

mraeryceos · « **Reply #4 on:** April 24, 2013, 02:32 PM »

I don't think the viral problem is that bad. Most viruses are spread through social engineering. Only 3 in a decade were spread through Windows vulnerabilities, and then only if you weren't behind a NAT router.

Also, viruses spread through a land of fully ACL'd computers.

mraeryceos · « **Reply #5 on:** April 25, 2013, 06:28 PM »

Any takers? Want to run with this?

Stoic Joker · « **Reply #6 on:** April 25, 2013, 06:42 PM »

I don't think the viral problem is that bad. Most viruses are spread through social engineering. Only 3 in a decade were spread through Windows vulnerabilities, and then only if you weren't behind a NAT router.
-mraeryceos (April 24, 2013, 02:32 PM)

I'm not sure on the exact numbers, but there were definitely (many) more than 3 exploited holes in Windows. Not to mention that drivebys (infected banner/ad servers) are and have been quite common for a while. To the point where there really aren't any "safe" sites ...Everybody gets a turn in the barrel as the saying goes.

Also, viruses spread through a land of fully ACL'd computers.
-mraeryceos (April 24, 2013, 02:32 PM)

Yes, but those are the ones which have users with administrative rights, UAC turned off, and some pathetic attempt at a babysitter security suite AV program running (and failing) at full tilt. The bugg, when encountered executes in the context of the current user...with all of the rights and privileges that said user has. These scenario never end well...but they do pay well.

...We had two customers that actually called the FBI when that screen popped up, a third called me first to see if they should call the Feds.

On the other hand...Reduced permissions work perfectly, if the user doesn't have permission to break the machine...then neither does the bugg. I just doesn't get any simpler.

mraeryceos · « **Reply #7 on:** April 25, 2013, 06:52 PM »

I don't think the viral problem is that bad. Most viruses are spread through social engineering. Only 3 in a decade were spread through Windows vulnerabilities, and then only if you weren't behind a NAT router.
-mraeryceos (April 24, 2013, 02:32 PM)

I'm not sure on the exact numbers, but there were definitely (many) more than 3 exploited holes in Windows.
-Stoic Joker (April 25, 2013, 06:42 PM)

Between 2004 and 2011, there was Bifrost, Conficker, and Stuxnet. You know of other successful viruses that exploited holes in Windows? The others required social engineering.

But this is besides the point. Leave this thread for people that want ACL disabled. Obviously you are not one of them. There may be some others, so don't crowd them out. If you want to continue this off-topic conversation, send me a private message, or start a new thread where we can discuss this.

Stoic Joker · « **Reply #8 on:** April 25, 2013, 07:32 PM »

But this is besides the point. Leave this thread for people that want ACL disabled. Obviously you are not one of them
-mraeryceos (April 25, 2013, 06:52 PM)

That's true, I'm not. However I am a systems guy, programmer, and quite capable of effecting a solution if I feel that there is a legitimate (e.g. non malicious) need/use for it. Enjoy you thread...I'm done.

mraeryceos · « **Reply #9 on:** April 25, 2013, 07:52 PM »

Reasons I gave before:

I would love a system patch to disable Access Control Lists. The patch would make the system ACE agnostic, both for files and the registry. I don't mind using a patched system file, if that is what it takes.

"why on earth would you want something like that on a live system?"
Because I like the simplicity of not having ACLs. I don't like having to wrestle with TrustedInstaller or other files or registry entries I don't have access to. Even if you use SetACL to change ACE's to allow "Everyone" with a null SID owner, the system can still change ACE's in the future.

I run with no security whatsoever (all my ACL's are set to allow Everyone), and the last virus I had was given to me on a CD in 1998 (chernobyl, which I took off before the payload went off). No malicious intent here.

Look at this guy: http://answers.yahoo...0100328131102AA9hUGA

mraeryceos · « **Reply #10 on:** April 29, 2013, 04:58 PM »

Awaiting a miracle...

x16wda · « **Reply #11 on:** April 29, 2013, 07:32 PM »

I have a feeling that setacl.exe could probably do what you want with regard to the file system and registry. (The link is to the documentation, which you would surely want.) There is also a GUI version that is a free trial for 30 days. I did a little scripting with setacl.exe years ago and I recall being very careful in exactly what I asked it to do...

Of course I would suggest getting a very good backup of your system before applying anything. Two copies on different devices. And testing a full restore ahead of time.

mraeryceos · « **Reply #12 on:** April 29, 2013, 07:36 PM »

Been there, done that. I want to kill the ACL permanently.

setacl -on c:\ -ot file -actn setowner -ownr "n:S-1-1-0;s:y" -rec cont_obj ; set owner EVERYONE (both this step and following step required, I guess because you need ownership first, before changing ACL)
setacl -on c:\ -ot file -actn setowner -ownr "n:S-1-0-0;s:y" -actn clear -clr "dacl,sacl" -actn ace -ace "n:s-1-1-0;p:full;s:y;i:so,sc;m:set" -actn setprot -op "dacl:np;sacl:np" -actn rstchldrn -rst "dacl,sacl" -rec cont_obj -ignoreerr ; set owner NULL SID, set full access to EVERYONE

x16wda · « **Reply #13 on:** April 29, 2013, 07:59 PM »

OK. Looks thorough for the file system, did you make the comparable modifications to the registry permissions?

That said, I don't think it is possible to force Windows to just skip the acl check completely, is that what you're asking?

mraeryceos · « **Reply #14 on:** April 29, 2013, 08:02 PM »

Yes, that is what I'm asking. I'm asking for someone to create a patch for system files, if there is no microsoft secret way. I never got to the Registry part with SetACL. I just know that Windows will change some things back, so I wanted something more thorough.

Ath · « **Reply #15 on:** April 30, 2013, 02:12 AM »

Awaiting a miracle...
-mraeryceos (April 29, 2013, 04:58 PM)

It's a passed station. They called it Windows 98.

You'd better not hook it up to the internetzzz, it'll be infected with virus or malware in a few minutes.

mraeryceos · « **Reply #16 on:** April 30, 2013, 04:16 AM »

That was constructive. Perhaps you meant SLAX instead of Win98.

mraeryceos · « **Reply #17 on:** May 06, 2013, 11:14 PM »

Ping.

f0dder · « **Reply #18 on:** May 07, 2013, 12:43 AM »

Just for the record, I don't believe you have malicious intents - a tool like this really wouldn't make much sense for malicious use. It would of course limit your system's resilience against malware quite a bit.

And while I don't believe there's any malicious intent, I still think it's misguided, though. But that's probably because I never really run into really vexing permission problems. I can think of perhaps three occasions over the last few years...

1) dealing with NTFS USB drive with user accounts made on another machine (and obviously in a non-domain setup).
2) doing some serious customization of Windows install images - removing and adding drivers.
3) fixing up a running Windows because I had messed up the install image too much.

Apart from that, I can't really recall any permission related problems. But I'm the kind of guy that really doesn't mind UAC popups, anyway.

mraeryceos · « **Reply #19 on:** May 13, 2013, 12:11 PM »

Thanks for the vote of confidence. I would still like ACL disabled. It is one more layer of complexity that is not always necessary

mraeryceos · « **Reply #20 on:** May 23, 2013, 12:41 AM »

I am trying to figure out what you are trying to do is it so you can delete files or are you sick of the annoying popups.

depends on what you are trying to do you may not need to disable acl.
-dreamfuture

Ideally, the system efficiency would be improved because ACL does not exist in the registry or file system. However, I would be willing to accept something that automatically does takeown and grants permission anytime you are denied access. For the file system, Unlocker works most of the time... I keep it in the send-to context menu. Perhaps something for the registry as well?

dreamfuture · « **Reply #21 on:** May 23, 2013, 12:55 AM »

well I have had no problems with ACL but sometimes I have not been able to erase files because programs call it important but that is rare. SO I have a solution that will allow you to get rid on specific files. I saw you on freelancer.com
what are trying to do is stop a big part of NTFS itself.

you can use programs to modify NTFS permissions.

I have one you can use if you want.

mraeryceos · « **Reply #22 on:** May 23, 2013, 01:01 AM »

Yes, there are programs that do this. I could even do it myself by having SetACL in the right-click context menu for all files. I suppose I could even find some registry editing program that would have a command in the context menu to takeown+grant. However, disabling ACL lookups by the system would be better.

f0dder · « **Reply #23 on:** May 30, 2013, 07:14 AM »

Ideally, the system efficiency would be improved because ACL does not exist in the registry or file system.
-mraeryceos (May 23, 2013, 12:41 AM)

I doubt you'd br able to measure any performance difference, as a lot of care has gone into optimizing & caching the ACL checks. And you wouldn't be able to get rid of the structures without some very heavy system modifications; patching AccessCheck() should be doable, though.

mraeryceos · « **Reply #24 on:** May 30, 2013, 07:28 AM »

I don't know if disabling ACL is possible. It may be, but I don't have a clue how to do it. I have thought of a work-around, that doesn't disable ACL, but makes everyone a ROOT user, sort of.

The best way I can think to do this, is to follow the path of WinPE, where the only account that is functional is SYSTEM. So in the installer for Windows (the DVD or the USB key), you would change all references of TrustedInstaller (and it's SID), to that of SYSTEM.

I don't know how you would keep the ability to have multiple users, since I think there can only be one SYSTEM account (unlike the Administrator's "group"). Maybe by changing all references to TrustedInstaller and SYSTEM to a unique member of the administrator's group? I don't know if this would work though... it would have to be very thorough.

I don't think you could change all users to TrustedInstaller, because I'm not sure that TrustedInstaller is an actual user. It is a "security principal", whatever that means, and I don't think it has a user profile (SYSTEM has registry hives in system32\config, and I don't know if TrustedInstaller does).

ps. IMO, FAT32 is a more elegant (because of it's simplicity), and faster file-system than ntfs for smaller partitions (8GB and less). I wish to state this, and not argue this with dictator mentalities, that are unwilling to look up info for themselves, and would likely refute hard data if put in their hands.