Opened 9 years ago

Last modified 9 years ago

#66 new enhancement

Windows ACL support

Reported by: Achim J Latz Owned by: ben
Priority: normal Milestone:
Component: bbackupd Version: 0.11rc2
Keywords: Windows ACL Cc:


This would be great, especially if we want to start making BB "bare-metal restore" capable.

In case this would break backwards compatibility with really old clients, there is always the possibility of "Add a switch, functionality is disabled by default": if somebody wants to use it, they have to make sure that backend and frontend are compatible, and then enable the ACL feature themselves. In 3 years, when everybody is on a more recent (i.e. already ACL-compliant) platform, you can throw the default switch to on.

I would be very happy to see ACL support for Windows under Box Backup.

It is also official now that SIDs are nowhere near as important as believed. From *the* guy that ran Sysinternals

Change History (3)

comment:1 Changed 9 years ago by Achim J Latz

ACLs and file attributes (see examples 13 and 14 for storing and restoring ACL information to/from a file)

Public domain (pre 2.0) version of SetACL

List current ACLs

SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot shr -actn list
SetACL.exe -on "D:" -ot shr -actn list

To set 'change' permissions on the directory:

$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot file -actn ace -ace "n:ajl;p:change"
INFO: Privilege 'Back up files and directories' could not be enabled. This can probably be ignored.
INFO: Privilege 'Restore files and directories' could not be enabled. This can probably be ignored.
INFO: Processing ACL of: <\\?\C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile>

SetACL finished successfully.

Remove write and change permission sets from file

$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot file -actn ace -ace "n:ajl;p:write,change;m:revoke" 

Possible privileges are: write change full read_ex

Removes "Everyone" from file (everyone becomes todos in ES version)

$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot shr -actn ace -ace "n:everyone;m:revoke"
$ SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot shr -actn ace -ace "n:ajl;m:revoke"

Remove write and change permission sets from file, replace with 'read and execute' permissions:

SetACL.exe -on "C:\test\AJL\BACKUPTEST\CASES\Set_6-acl\testfile" -ot file -actn ace -ace "n:ajl;p:write,change;m:revoke" -ace "n:ajl;p:read_ex"

comment:2 Changed 9 years ago by Achim J Latz

More details from the backuppc script:

#  [optional] subinacl.exe
#      Only required if backing up ACLs and you want to use this
#      method instead of or in addition to 'getfacl'. The program is a
#      free download from Microsoft (note I found that the older
#      version included with the Windows Server 2003 toolkit didn't
#      work on XP but the following version did):

# By setting the variable ACL or command line -A (--ACL) it is
# possible to have the script dump the ACLs of each desired backup
# drive for inclusion in the backup. The ACLs are generated either by
# 'getfacl' (ACL=1) or more comprehensively by 'subinacl' (ACL=2) or
# by both (ACL=3). The dumps are gzipped but in a format that can be
# restored by 'setfacl' and 'subinacl' respectively. Note that
# 'subinacl' runs slower but dumps the full ntfs file ACLs while
# 'getfacl' only does the cygwin subset.  Additionally, the variable
# $ACLFINDPRUNE contains a list of files/directories to exclude from
# the 'getfacl' dump (typically temp folders, analogous to ones you
# wouldn't backup either). Similarly, $ACLSUBINACLEXCLUDE is a list of
# paths to exclude for the 'subinacl' dump.  Note to read the subinacl
# files as plain text you may need to pipe the uncompressed version
# onto: iconv -f UTF-16LE -t UTF-8 | tr -d '\r'
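
The decoding step quoted above (gunzip, then `iconv -f UTF-16LE -t UTF-8 | tr -d '\r'`) written out in Python, as an added example that is not part of the ticket or of the backuppc script. The sample lines, function names and file name are assumptions made for illustration; the sample is not real subinacl output.

```python
import codecs
import gzip

# Constructed sample lines; they are placeholders, not real subinacl output.
SAMPLE_LINES = [
    "constructed entry 1 for C:\\test\\file-a",
    "constructed entry 2 for C:\\test\\file-b",
]


def make_sample_dump() -> bytes:
    """Build a gzipped, BOM-prefixed UTF-16LE dump with CRLF line ends."""
    text = "\r\n".join(SAMPLE_LINES + [""])
    return gzip.compress(codecs.BOM_UTF16_LE + text.encode("utf-16-le"))


def decode_acl_dump(raw: bytes) -> list[str]:
    """Decode uncompressed dump bytes the way `iconv | tr -d '\\r'` would."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        raw = raw[len(codecs.BOM_UTF16_LE):]  # iconv would pass the BOM through
    if len(raw) % 2:
        # A cut-off dump must not be fed to a restore step.
        raise ValueError("odd byte count: truncated or not UTF-16LE")
    text = raw.decode("utf-16-le", errors="strict").replace("\r", "")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece after the final newline
    return lines


def load_acl_dump(path: str) -> list[str]:
    """Read a gzipped dump file and return its lines as text."""
    with gzip.open(path, "rb") as fh:
        return decode_acl_dump(fh.read())


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "acl_dump.gz")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(make_sample_dump())
        for line in load_acl_dump(path):
            print(line)
```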

comment:3 Changed 9 years ago by Achim J Latz

See also the discussions on this thread: [email protected]/msg17928.html
