Setting file system ACLs on Win32 with Perl

Hopefully adding this tidbit of info to the googlesphere will prevent another poor sap from spending hours trying to work out how to modify file system ACL's on a remote machine via WMI from Perl.

So you want to add a new ACE (Access Control Entry) to a DACL (Discretionary Access Control List, really just an array of ACEs) of a Security Descriptor, and you want to do it via Perl and the Win32::OLE module. You follow the documentation and it doesn't work. Not fun.

The particular problem I was having is that trying to create a new ACE and assigning a Trustee object to it wouldn't stick. For example...

[perl] my $host = '###'; The name of the remote machine my $namespace 'root\cimv2'; my $wmi_user = '###'; my $wmi_pass = '###';

my $wbem_locator = Win32::OLE->CreateObject("WbemScripting.SWbemLocator"); my $wmih = $wbem_locator->ConnectServer($host, $namespace, $wmi_user, $wmi_pass); $wmih->security_->{impersonationlevel} = 3;

my $sid_sddl_string = '###'; my $sid = $wmih->get("Win32_SID.SID='$sid_sddl_string'");

my $trustee = $wmih->get("Win32_Trustee")->SpawnInstance_; $trustee->{sid} = $sid->binaryrepresentation; $trustee->{sidlength} = $sid->sidlength; $trustee->{sidstring} = $sid->sid;

my $new_ace = $wmih->Get("Win32_Ace")->SpawnInstance_; $new_ace->{accessmask} = '###'; $new_ace->{aceflags} = '###'; # Apply to children $new_ace->{acetype} = '###'; $new_ace->{trustee} = $trustee;

my $file_system_object_path = '###'; my $security_settings = $wmih->get("Win32_LogicalFileSecuritySetting.Path='$file_system_object_path'");

my $security_descriptor_ref = Win32::OLE::Variant-> new (VT_DISPATCH | VT_BYREF); $security_settings->getsecuritydescriptor($security_descriptor_ref); my $security_descriptor = $security_descriptor_ref->Get();

push(@{$security_descriptor->{dacl}}, $new_ace);

$security_settings->SetSecurityDescriptor($security_descriptor); [/perl]

Now that should work as far as I am concerned, considering it is more or less a direct port of a VBScript that actually worked. But alas, it won't give any errors but will not add the new ACE to the DACL.

After much googling and general bad language aimed at the computer, I eventually found the solution.

Replace ...

[perl] $new_ace->{trustee} = $trustee; [/perl]

with ...

[perl] $new_ace->LetProperty('trustee', $trustee); [/perl]

That will do it. 'LetProperty' is part of the Win32::OLE module, not part of Win32_Ace. According to the documentation, LetProperty is assignment by value as opposed to assignment by reference when using the directory property set syntax.

So really, the documentation is correct. You just have to be careful of where the API requires assignment by value.

Managerialism

I caught an interesting radio show about halfway through the other day. This is an excerpt of the transcript ...

In the last few years, there have been big changes at our CSIRO , with the arrival of CEO Dr Geoff Garrett. During his time at the helm, the numbers of highly paid management positions have risen sharply. In the 2004-5 annual report, there were five executives earning over $320,000; the next year there were nine, and in the 2006 report, there were twelve. Senior research scientists though are on between $100,000 and $120,000. In the six years to June 2004, while corporate positions were doubling 316 people went from research projects.

The president of the CSIRO staff organisation, Michael Borgas remarked to me, 'the mechanic has become more important than the creator'.

For me, the show articulated a phenomenon that I think everyone that is on the wrong side of is unconsciously aware of. The marginalisation of skilled workers in favour of executives. In a word, I call this 'Capitalism'.

Disclaimer: To be fair, I am not saying I have been explicitly done wrong in my career by this. But, I imagine everyone can relate through tales of experience from family and friends if not directly.

Wikipedia has a very small entry on the matter which doesn't help to clarify all that much. And it is a challenging idea to visualise in a large context in terms of social effect. There is a tendency to view it from a localised perspective, focussing on the dynamics of a particular workplace. I find it helpful to mix in the works of Marx, in particular The Communist Manifesto, which offers the Proletariat vs. Bourgeoisie analysis which can be applied to the 21st century quite easily (Knowledge Workers being the Proletariat and Managers making up the Bourgeoisie). So in that respect, the Managerialism trend is hardly new. It is merely the continuation of the same exploitation the working class, even if that definition has changed, have been suffering for so long.

I encourage you to the read through the transcript or even download the radio show that this came from.