ACE Inheritance in Windows Services for UNIX

If you are an administrator who manages file servers for an organization, your day-to-day tasks may include cleanup and maintenance, setting and monitoring quotas, file system backup, and other similar tasks. Many of these tasks are automated. To complete these tasks, you may want to have complete control over the data and files on a disk.

If you set inheritable access control entries (ACEs) on top-level folders, you can access newly created files and folders without relying on users to give you read/write permissions to specific folders and shares. This behavior also applies to common Internet file system (CIFS) shares.

For additional information about CIFS shares, click the article number below to view the article in the Microsoft Knowledge Base: This article describes how to set ACEs for inheritance at the top level and to configure these ACEs to be honored throughout the folder hierarchy for shares that are exported over a network file system (NFS) (or a CIFS and an NFS).

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Microsoft Windows 2000 and Microsoft Windows XP support automatic propagation of inherited ACEs. ACEs that are directly applied to file system objects (explicit ACEs) have a higher priority than inherited ACEs. The directly applied ACEs are applied before any conflicting inherited ACEs.

By default, the Server for NFS service in Windows Services for UNIX 2.0 strips any existing discretionary access control list (DACL) entries and adds the following three entries:

• An entry for the file owner
• An entry for the primary group of the file
• An entry for the built-in Everyone group

The AugmentDACL registry value controls retention behavior of ACEs that do not correspond to the owner, the group, or the Everyone group. If you turn on this registry value, Server for NFS keeps any DACL entries that do not pertain to the file owner, the file group, and the Everyone group.

In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares. When you do so, you can have full control to all securable objects in a particular file system. By default, this value is turned off. Note that you can use any set of inheritable ACEs that is specified by the administrator or user at any position in the file system hierarchy.

To turn on the KeepInheritance registry value:

1. Start Registry Editor (Regedt32.exe).
2. Locate the KeepInheritance value under the following key in the registry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping
3. On the Edit menu, click REG_DWORD, type 1, and then click OK.
   
   NOTE: The default setting for this value is 0 (Off).
4. Quit Registry Editor.

The following registry values are no longer supported in Windows Services for UNIX 2.3 and later:

• InhibitOwnerDenyACE
• InhibitGroupDenyACE

Windows Services for UNIX 2.3 uses a new permissions translation logic, which makes these registry values obsolete.

The following registry values are no longer valid in Windows Services for UNIX 2.3 and later:

• InhibitDirectoryInheritance
• AugmentDACL

The functionality that these registry values controlled is now controlled by the KeepInheritance registry value in Windows Services for UNIX 2.3.

Note About the Permissions That Are Set by NFS Clients

The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client apply only to that file or folder, so the resulting ACEs do not have inheritance set.

Example

You are sharing a folder that is named "share1". It includes a single ACE that was inherited from the parent folder and that gives the Everyone group Read access. If a UNIX client runs the ls -l command, output that is similar to the following is generated: If user Joe changes the permissions to full access for everyone (chmod 777), Joe now sees the following output: The chmod command added three new ACEs:

• One ACE for Joe
• One ACE for Users
• One ACE for Everyone

The three ACEs grant full control to Joe and almost full control to Users and Everyone. Because KeepInheritance is enabled, a fourth ACE is also inherited that gives Everyone read access. The three new ACEs do not have inheritance enabled because permissions that are set by using NFS only apply to the file or folder that they are set for. Suppose that Joe now creates a file that is named "unix1" in the share1 folder. Because Joe is on a UNIX-based computer, the "umask" determines what the permissions are. Suppose the umask causes the permissions to be set to read/write access for Joe and read access for the group Users. The server for NFS will create three ACEs:

• A Modify ACE for Joe
• A Read ACE for Users
• The inherited Read ACE for Everyone

The entry will look similar to this: Now suppose Windows user Bob creates a file that is named "win1". By default, the file is constructed with ACEs that are inherited from the parent folder. In this case, only the original Everyone ACE is inheritable, so the new file has only the single ACE. User Joe on the UNIX client will see the following permissions for the win1 file: If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from Windows because the permissions that are set by NFS clients only apply to the folder itself.