Original source: http://hi.baidu.com/zmcein/blog/item/c424902783163b108b82a1e4.html
SetACL is an enhanced version of the registry security tool Regini. Regini is powerful, but it has gaps: for example, it cannot set fine-grained permissions on a single value. SetACL fills exactly that gap. The SetACL command parameters are as follows:
There are four permission states when setting an entry:
deny
grant
set
revoke (removes the specified user's access permission from the registry outright)
There are two access levels:
FULL (full access)
READ (read-only access)
Command format:
SetACL /permission-state-to-change full-registry-path /permission (open-source software)
setacl -on "HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\TNB\Products" -ot reg -actn ace -ace "n:administrators;p:set_val;m:deny"
For example, this denies Administrators the "set value" permission.
The help text below was translated with Kingsoft's translation software.
SetACL by Helge Klein
Homepage: http://setacl.sourceforge.net
Version: 2.0.2.0
Copyright: Helge Klein
License: GPL
-O-P-T-I-O-N-S--------------------------------------------------------
-on ObjectName
-ot ObjectType
-actn Action
-ace "n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"
-trst "n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"
-dom "n1:Domain;n2:Domain;da:DomainAction;w:Where"
-ownr "n:Trustee;s:IsSID"
-grp "n:Trustee;s:IsSID"
-rec Recursion
-op "dacl:Protection;sacl:Protection"
-rst Where
-lst "f:Format;w:What;i:ListInherited;s:DisplaySID"
-bckp Filename
-log Filename
-fltr Keyword
-clr Where
-silent (silent mode)
-ignoreerr (ignore errors)
-P-A-R-A-M-E-T-E-R-S-------------------------------------------------
ObjectName: Name of the object to process (e.g. 'c:\mydir')
ObjectType: Type of object:
file: Directory/file
reg: Registry key
srv: Service
prn: Printer
shr: Network share
Action: Action(s) to perform:
ace: Process ACEs specified by parameter(s) '-ace'
trustee: Process trustee(s) specified by parameter(s)
'-trst'.
domain: Process domain(s) specified by parameter(s)
'-dom'.
list: List permissions. A backup file can be
specified by parameter '-bckp'. Controlled by
parameter '-lst'.
restore: Restore entire security descriptors backed up
using the list function. A file containing the
backup has to be specified using the parameter
'-bckp'. The listing has to be in SDDL format.
setowner: Set the owner to trustee specified by parameter
'-ownr'.
setgroup: Set the primary group to trustee specified by
parameter '-grp'.
clear: Clear the ACL of any non-inherited ACEs. The
parameter '-clr' controls whether to do this for
the DACL, the SACL, or both.
setprot: Set the flag 'allow inheritable permissions from
the parent object to propagate to this object' to
the value specified by parameter '-op'.
rstchldrn: Reset permissions on all sub-objects and enable
propagation of inherited permissions. The
parameter '-rst' controls whether to do this for
the DACL, the SACL, or both.
TrusteeAction: Action to perform on trustee specified:
remtrst: Remove all ACEs belonging to trustee specified.
repltrst: Replace trustee 'n1' by 'n2' in all ACEs.
cpytrst: Copy the permissions for trustee 'n1' to 'n2'.
DomainAction: Action to perform on domain specified:
remdom: Remove all ACEs belonging to trustees of domain
specified.
repldom: Replace trustees from domain 'n1' by trustees with
same name from domain 'n2' in all ACEs.
cpydom: Copy permissions from trustees from domain 'n1' to
trustees with same name from domain 'n2' in all
ACEs.
Trustee: Name or SID of trustee (user or group). Format:
a) [(computer | domain)\]name
Where:
computer: DNS or NetBIOS name of a computer -> 'name' must
be a local account on that computer.
domain: DNS or NetBIOS name of a domain -> 'name' must
be a domain user or group.
name: user or group name
If no computer or domain name is given, SetACL tries to find
a SID for 'name' in the following order:
1. built-in accounts and well-known SIDs
2. local accounts
3. primary domain
4. trusted domains
b) SID string
Domain: Name of a domain (NetBIOS or DNS name).
Permission: Permission to set. Validity of permissions depends on the
object type (see below). Comma separated list.
Example: 'read,write_ea,write_dacl'
IsSID: Is the trustee name a SID?
y: Yes
n: No
DisplaySID: Display trustee names as SIDs?
y: Yes
n: No
b: Both (names and SIDs)
Inheritance: Inheritance flags for the ACE. This may be a comma separated
list containing the following:
so: sub-objects
sc: sub-containers
np: no propagation
io: inherit only
Example: 'io,so'
Mode: Access mode of this ACE:
a) DACL:
set: Replace all permissions for given trustee by
those specified.
grant: Add permissions specified to existing permissions
for given trustee.
deny: Deny permissions specified.
revoke: Remove permissions specified from existing
permissions for given trustee.
b) SACL:
aud_succ: Add an audit success ACE.
aud_fail: Add an audit failure ACE.
revoke: Remove permissions specified from existing
permissions for given trustee.
Where: Apply settings to DACL, SACL, or both (comma separated list):
dacl
sacl
dacl,sacl
Recursion: Recursion settings, depends on object type:
a) file:
no: No recursion.
cont: Recurse, and process directories only.
obj: Recurse, and process files only.
cont_obj: Recurse, and process directories and files.
b) reg:
no: Do not recurse.
yes: Do Recurse.
Protection: Controls the flag 'allow inheritable permissions from the
parent object to propagate to this object':
nc: Do not change the current setting.
np: Object is not protected, i.e. inherits from
parent.
p_c: Object is protected, ACEs from parent are
copied.
p_nc: Object is protected, ACEs from parent are not
copied.
Format: Which list format to use:
sddl: Standardized SDDL format. Only listings in this
format can be restored.
csv: SetACL's csv format.
tab: SetACL's tabular format.
What: Which components of security descriptors to include in the
listing (comma separated list):
d: DACL
s: SACL
o: Owner
g: Primary group
Example: 'd,s'
ListInherited: List inherited permissions?
y: Yes
n: No
Filename: Name of a (unicode) file used for list/backup/restore
operations or logging.
Keyword: Keyword to filter object names by. Names containing this
keyword are not processed.
-R-E-M-A-R-K-S--------------------------------------------------------
Required parameters (all others are optional):
-on (Object name)
-ot (Object type)
Parameters that may be specified more than once:
-actn (Action)
-ace (Access control entry)
-trst (Trustee)
-dom (Domain)
-fltr (Filter keyword)
Only actions specified by parameter(s) '-actn' are actually performed,
regardless of the other options set.
Order in which multiple actions are processed:
1. restore
2. clear
3. trustee
4. domain
5. ace, setowner, setgroup, setprot
6. rstchldrn
7. list
-V-A-L-I-D--P-E-R-M-I-S-S-I-O-N-S-------------------------------------
a) Standard permission sets (combinations of specific permissions)
Files / Directories:
read: Read
write: Write
list_folder: List folder
read_ex: Read, execute
change: Change
profile: = change + write_dacl
full: Full access
Printers:
print: Print
man_printer: Manage printer
man_docs: Manage documents
full: Full access
Registry:
read: Read
full: Full access
Service:
read: Read
start_stop: Start / Stop
full: Full access
Share:
read: Read
change: Change
full: Full access
b) Specific permissions
Files / Directories:
traverse: Traverse folder / execute file
list_dir: List folder / read data
read_attr: Read attributes
read_ea: Read extended attributes
add_file: Create files / write data
add_subdir: Create folders / append data
write_attr: Write attributes
write_ea: Write extended attributes
del_child: Delete subfolders and files
delete: Delete
read_dacl: Read permissions
write_dacl: Write permissions
write_owner: Take ownership
Registry:
query_val: Query value
set_val: Set value
create_subkey: Create subkeys
enum_subkeys: Enumerate subkeys
notify: Notify
create_link: Create link
delete: Delete
write_dacl: Write permissions
write_owner: Take ownership
read_access: Read control
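As an added example (not from the original post or from SetACL itself), the Python below checks an -ace spec against the option syntax, mode and inheritance values and per-object-type permission tables in the help text above before SetACL is ever run, and then builds a separate SDDL backup command ahead of the apply command, because the action order in the remarks runs list after ace. The function names, the defaults assumed for an omitted w: (dacl) and m: (set), omitting the optional i: and s: fields of -lst, and the example key path are assumptions of this example.

```python
# Added example, not from the page or the SetACL project: pre-flight checks for SetACL
# 2.0.2.0 "-ace" specs and a backup-then-apply command builder, built from the help text
# above. Assumed defaults (not stated there): omitted "w:" means dacl, omitted "m:" means set.
PERMS = {  # standard sets plus specific permissions per object type, from the help text
    "file": {"read", "write", "list_folder", "read_ex", "change", "profile", "full",
             "traverse", "list_dir", "read_attr", "read_ea", "add_file", "add_subdir",
             "write_attr", "write_ea", "del_child", "delete", "read_dacl", "write_dacl",
             "write_owner"},
    "reg": {"read", "full", "query_val", "set_val", "create_subkey", "enum_subkeys",
            "notify", "create_link", "delete", "write_dacl", "write_owner", "read_access"},
    "prn": {"print", "man_printer", "man_docs", "full"},
    "srv": {"read", "start_stop", "full"},
    "shr": {"read", "change", "full"},
}
MODES = {"dacl": {"set", "grant", "deny", "revoke"}, "sacl": {"aud_succ", "aud_fail", "revoke"}}
INHERIT = {"so", "sc", "np", "io"}

def validate_ace(spec, obj_type):
    """Parse 'k:v;k:v' and check each value against the help text; ValueError otherwise."""
    if obj_type not in PERMS:
        raise ValueError(f"unknown object type {obj_type!r}")
    ace = {}
    for field in filter(None, spec.split(";")):
        key, sep, val = field.partition(":")
        if not sep or key not in {"n", "p", "s", "i", "m", "w"}:
            raise ValueError(f"bad -ace field {field!r}")
        ace[key] = val
    if "n" not in ace or "p" not in ace:
        raise ValueError("-ace needs at least n:Trustee and p:Permission")
    if ace.get("s", "n") == "y" and not ace["n"].upper().startswith("S-1-"):
        raise ValueError("s:y given but the trustee is not a SID string")
    if bad := set(ace["p"].split(",")) - PERMS[obj_type]:
        raise ValueError(f"permissions {sorted(bad)} are not valid for -ot {obj_type}")
    if bad := set(ace.get("i", "").split(",")) - INHERIT - {""}:
        raise ValueError(f"bad inheritance flags {sorted(bad)}")
    mode = ace.get("m", "set")
    for where in ace.get("w", "dacl").split(","):
        if mode not in MODES.get(where, ()):   # e.g. 'grant' is a DACL-only mode
            raise ValueError(f"mode {mode!r} is not valid for {where!r}")
    return ace

def build_commands(obj_name, obj_type, ace_specs, backup_file):
    """Return (backup_argv, apply_argv). Two runs are needed: the help text processes
    'list' after 'ace', so a backup requested in the same run would capture the new state."""
    for spec in ace_specs:
        validate_ace(spec, obj_type)
    base = ["SetACL", "-on", obj_name, "-ot", obj_type]
    backup = base + ["-actn", "list", "-lst", "f:sddl;w:d,s,o,g", "-bckp", backup_file]
    apply_ = base + ["-actn", "ace"] + [tok for s in ace_specs for tok in ("-ace", s)]
    return backup, apply_
```

The SDDL listing written by the first command is the only format the help text says restore accepts, so keep it until the change has been verified.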