GENERIC_ALL and folder/file ACLs? What does GENERIC_ALL really do?

2

6

I recently redesigned the security on a file server of ours, marking most of what was Full Control to be Modify. Now my developers are telling me that whenever they use GENERIC_ALL to open a file (with CreateFile() for instance), they receive an access denied message.

After research, nothing seemed to indicate that GENERIC_ALL was any more than GENERIC_EXECUTE + GENERIC_WRITE + GENERIC_READ; however, this seems not to be the case, since a developer was able to add the three constant values, and use this to CreateFile().

So, I ask... what does GENERIC_ALL really do?

Thanks,

Matt

Grassofparnassus answered 9/5, 2012 at 1:20 Comment(1)
Like some damn ghost in the machine miracle, I thought about this today when I came across a timeout issue with TortoiseHg not being able to create files on a user's share. Whoever just updated the post, I owe you one. – Grassofparnassus
4

The GENERIC_ALL access rights include every possible access right, including such things as WRITE_DAC (to change permissions) and WRITE_OWNER (to change owner). The File Security and Access Rights page shows how the GENERIC_* access rights map to specific access rights for files. The File Access Rights Constants page shows all the possible access rights for files (which presumably would all be requested when GENERIC_ALL is used).

You should encourage your developers to request only the level of access that they actually need. Rarely, for example, is a file opened for both GENERIC_EXECUTE and GENERIC_WRITE at the same time.

Slowly answered 9/5, 2012 at 1:28 Comment(0)
3

GENERIC_ALL means "every possible level of access" (for files, this has the name FILE_ALL_ACCESS). Since you removed Full Control, attempts to open for GENERIC_ALL will fail with Access Denied because (for example) WRITE_DAC is no longer granted.

Repentant answered 9/5, 2012 at 1:28 Comment(0)
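
To illustrate the two answers above, here is an added example (not code from the question or from either answer) that expands the generic bits the way the file generic mapping does and subtracts what an ACE grants. The constants are the winnt.h values; `MODIFY_MASK` (the mask assumed for a "Modify" allow ACE), `map_generic_file` and `missing_rights` are names introduced here, and the model assumes a single allow ACE with no deny entries, owner rights or privileges.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits as defined in winnt.h, repeated here so this builds anywhere. */
#define GENERIC_READ      0x80000000u
#define GENERIC_WRITE     0x40000000u
#define GENERIC_EXECUTE   0x20000000u
#define GENERIC_ALL       0x10000000u
#define WRITE_DAC         0x00040000u
#define WRITE_OWNER       0x00080000u
#define FILE_DELETE_CHILD 0x00000040u
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define FILE_ALL_ACCESS      0x001F01FFu
/* Assumption: mask of an allow ACE created by the "Modify" checkbox. */
#define MODIFY_MASK          0x001301BFu

/* Expand generic bits to file-specific rights, as MapGenericMask() does for files. */
uint32_t map_generic_file(uint32_t desired)
{
    uint32_t m = desired & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (desired & GENERIC_READ)    m |= FILE_GENERIC_READ;
    if (desired & GENERIC_WRITE)   m |= FILE_GENERIC_WRITE;
    if (desired & GENERIC_EXECUTE) m |= FILE_GENERIC_EXECUTE;
    if (desired & GENERIC_ALL)     m |= FILE_ALL_ACCESS;
    return m;
}

/* Rights requested but not granted; non-zero means the open is refused. */
uint32_t missing_rights(uint32_t desired, uint32_t granted)
{
    return map_generic_file(desired) & ~granted;
}

int main(void)
{
    uint32_t rwx = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE;
    uint32_t miss = missing_rights(GENERIC_ALL, MODIFY_MASK);
    printf("R|W|X under Modify: missing 0x%08X\n", (unsigned)missing_rights(rwx, MODIFY_MASK));
    printf("GENERIC_ALL under Modify: missing 0x%08X\n", (unsigned)miss);
    if (miss & WRITE_DAC)         puts("  WRITE_DAC");
    if (miss & WRITE_OWNER)       puts("  WRITE_OWNER");
    if (miss & FILE_DELETE_CHILD) puts("  FILE_DELETE_CHILD");
    return 0;
}
```

The three generic rights combined stay inside the Modify mask, which matches the developer's observation in the question, while GENERIC_ALL asks for three more bits than Modify grants.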
