
I am trying to see file permissions on the command line. I came across a similar question but cannot understand the icacls output.

In the following example, c10.dat is a read-only file, as shown by dir /a:r and the error in overwriting it with dir > c10.dat.

In the icacls output, DOMAIN\USER is a placeholder for my own id. How does it indicate that c10.dat is a read-only file? From what I understand, its ACLs mean (I) inherited and (F) full-access.

X:\>dir /a:r c10.dat
 Volume in drive X is OSDisk
 Volume Serial Number is 6621-4FA8

 Directory of X:\

04/08/2013  11:11 AM             8,192 c10.dat
               1 File(s)          8,192 bytes
               0 Dir(s)  40,525,492,224 bytes free

X:\>icacls c10.dat
c10.dat NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        DOMAIN\USER:(I)(F)

Successfully processed 1 files; Failed processing 0 files

X:\>dir > c10.dat
Access is denied.
Miserable Variable
  • The file attributes (like read-only) and permissions are completely different things. The icacls command shows the file's ACLs. – David Marshall Apr 08 '13 at 23:29
  • Thanks @DavidMarshall. It seems I misunderstood the other question and its answer. Is there a way to find a file's read-only attribute on the command line except by `dir /a:r` or `attrib`? – Miserable Variable Apr 08 '13 at 23:39

2 Answers


Clear read-only attribute:

X:\>attrib -R c10.dat

Test:

X:\>dir > c10.dat

SKU:

ls -al

Output:

total 148
drwxrwxrwx+ 1 Domain Users     Domain Users      0 Apr  9 04:06 .
drwxrwxrwx+ 1 +Administrators  513               0 Apr  8 14:43 ..
-rwxrwxrwx+ 1 +Administrators  Domain Users    354 Jun  5  2012 2.ps1
-rwxrwxrwx+ 1 +Administrators  Domain Users    115 Oct 22 22:43 3.ps1
-rwxrwxrwx+ 1 +Administrators  Domain Users    154 Apr  9 02:15 4.ps1
-r-xr-xr-x+ 1 +Administrators  Domain Users  12030 Apr  9 02:25 Aliases.txt
-rwxrwxrwx+ 1 +Administrators  Domain Users    267 Feb 21  2012 ps-run.cmd
-rwxrwxrwx+ 1 +Administrators  Domain Users  61436 Apr  9 04:07 sub2.txt
STTR
  • I am not trying to clear the read-only attribute, I am trying to understand how to identify that the file is read-only from icacls output – Miserable Variable Apr 08 '13 at 23:38
  • @HemalPandya With icacls probably does. It is a tool to manage the list of rights, and not the changes and view the simple attributes. `dir /A:R-D c10.dat | find /C /I "c10.dat"` or `dir /A:R-D c10.dat` Maybe I did not understand the question, and you are looking for effective rights for the user to provide a read-only use ACLs ... – STTR Apr 08 '13 at 23:59
  • I am trying to find a way to get a list of files along with their read-only status, something like `ls -al` on unix – Miserable Variable Apr 09 '13 at 00:10
  • @HemalPandya http://www.suacommunity.com/SUA.aspx may use SFU/SUA or server - http://www.microsoft.com/en-us/download/details.aspx?id=274 – STTR Apr 09 '13 at 00:20
  • thanks. I am already using `cygwin` on my machine that gives this information but I was looking for something pre-installed. – Miserable Variable Apr 09 '13 at 00:23

It seems that you are confusing the Read-only attribute of a file with the ACL (as others have mentioned).

If a file is marked with the Read-only attribute (as can be seen by attrib or dir /a:r), it will be unwriteable (Read-only) by the system and all users regardless of the ACL permissions of the file for any user.

If you are trying to find the Write permission (ACL) of a file for a given user you will see that using icacls.

For example, I created a file named "test.txt". The file is NOT marked Read-only.

C:\>attrib test.txt
A            C:\test.txt

C:\>


I checked the file using icacls:

C:\>icacls test.txt
test.txt BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\Authenticated Users:(I)(M)
         BUILTIN\Users:(I)(RX)

C:\>


I marked the file Read-only using attrib:

C:\>attrib +R test.txt
A    R       C:\test.txt

C:\>attrib test.txt
A    R       C:\test.txt

C:\>


I checked the file again using icacls:

C:\>icacls test.txt
test.txt BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\Authenticated Users:(I)(M)
         BUILTIN\Users:(I)(RX)

C:\>

As you have seen, there is no change to the output of icacls for this file.

Then I changed the permission of the file for BUILTIN\Users to Deny Write (this approximates Read-only), and checked the file again using icacls:

C:\>icacls test.txt
test.txt BUILTIN\Users:(DENY)(W)
         BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\Authenticated Users:(I)(M)
         BUILTIN\Users:(I)(RX)

C:\>

Notice that now, it shows BUILTIN\Users:(DENY)(W) for the file.

If I change the permission of the file for BUILTIN\Users to Deny Full control and check the file again, icacls shows:

C:\>icacls test.txt
test.txt BUILTIN\Users:(N)
         BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\Authenticated Users:(I)(M)
         BUILTIN\Users:(I)(RX)

C:\>

It now shows BUILTIN\Users:(N) for the file.

If I change the permission of the file for BUILTIN\Users to Allow Full control and then Deny Modify and check the file again, icacls shows:

C:\>icacls test.txt
test.txt BUILTIN\Users:(DENY)(M)
         BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\Authenticated Users:(I)(M)
         BUILTIN\Users:(I)(RX)

C:\>

It now shows BUILTIN\Users:(DENY)(M) for the file.

If you want to see the setting of the attribute "Read-only" for a file, you will not be able to see it using icacls because Read-only is not a part of the ACL. You should use attrib.

Kevin Fegan
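Added example, not part of either answer: a Python sketch that parses `attrib` and `icacls` output in the formats quoted above and reports the two separate mechanisms the answer distinguishes, the R attribute and explicit deny entries. The function names and sample strings are constructed for illustration, and the check does not compute effective access through group membership.

```python
import re

NON_RIGHTS = {"I", "OI", "CI", "IO", "NP", "DENY"}  # inheritance/deny markers
WRITE_RIGHTS = {"W", "M", "F"}                      # simple rights that include write

def attrib_flags(line):
    """Return the attribute letters from one line of `attrib` output."""
    m = re.search(r"[A-Za-z]:\\", line)             # assumes a drive-letter path
    return set(line[:m.start()].replace(" ", "")) if m else set()

def parse_icacls(text, filename):
    """Parse `icacls <file>` output into (principal, inherited, deny, rights)."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(filename + " "):         # first ACE shares a line with the name
            line = line[len(filename):].strip()
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", line)
        if not m:                                   # blank lines, prompts, summary line
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = {r for t in tokens if t not in NON_RIGHTS for r in t.split(",")}
        # The answer's output shows a Deny Full control entry printed as (N)
        deny = "DENY" in tokens or rights == {"N"}
        aces.append((m.group(1), "I" in tokens, deny, rights))
    return aces

def write_blockers(attrib_line, icacls_text, filename):
    """List the reasons visible in either tool's output that block writing."""
    reasons = []
    if "R" in attrib_flags(attrib_line):
        reasons.append("read-only attribute set (applies to every user)")
    for who, _inherited, deny, rights in parse_icacls(icacls_text, filename):
        if deny and (rights & WRITE_RIGHTS or rights == {"N"}):
            reasons.append(f"deny ACE on write for {who}")
    return reasons

# Constructed sample input, modelled on the output quoted in the answer
ATTRIB_RO = r"A    R       C:\test.txt"
ATTRIB_RW = r"A            C:\test.txt"
ACL_INHERITED = r"""test.txt BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)"""
ACL_DENY_W = r"""test.txt BUILTIN\Users:(DENY)(W)
         BUILTIN\Administrators:(I)(F)"""

if __name__ == "__main__":
    print(write_blockers(ATTRIB_RO, ACL_INHERITED, "test.txt"))
    print(write_blockers(ATTRIB_RW, ACL_DENY_W, "test.txt"))
```

The first call matches the situation in the question: the ACL alone shows nothing that blocks writing, and only the `attrib` line explains the "Access is denied." result.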