diff --git a/internal/permcheck/security_windows.go b/internal/permcheck/security_windows.go
index 8174a4af..39ee2a9c 100644
--- a/internal/permcheck/security_windows.go
+++ b/internal/permcheck/security_windows.go
@@ -72,16 +72,23 @@ func rangeACEs(dacl *windows.ACL, f aceFunc) (err error) {
 }
 
 // setSecurityInfo sets the security information on the specified file, using
-// ents to create a discretionary access control list. Both owner and ents can
-// be nil, in which case the corresponding information is not set.
+// ents to create a discretionary access control list. Either owner or ents can
+// be nil, in which case the corresponding information is not set, but at least
+// one of them should be specified.
 func setSecurityInfo(fname string, owner *windows.SID, ents []windows.EXPLICIT_ACCESS) (err error) {
 var secInfo windows.SECURITY_INFORMATION
+ var acl *windows.ACL
 
 if len(ents) > 0 {
 // TODO(e.burkov): Investigate if this whole set is necessary.
 secInfo |= windows.DACL_SECURITY_INFORMATION |
 windows.PROTECTED_DACL_SECURITY_INFORMATION |
 windows.UNPROTECTED_DACL_SECURITY_INFORMATION
+
+ acl, err = windows.ACLFromEntries(ents, nil)
+ if err != nil {
+ return fmt.Errorf("creating access control list: %w", err)
+ }
 }
 
 if owner != nil {
@@ -92,11 +99,6 @@ func setSecurityInfo(fname string, owner *windows.SID, ents []windows.EXPLICIT_A
 return errors.Error("no security information to set")
 }
 
- acl, err := windows.ACLFromEntries(ents, nil)
- if err != nil {
- return fmt.Errorf("creating access control list: %w", err)
- }
-
 err = windows.SetNamedSecurityInfo(fname, objectType, secInfo, owner, nil, acl, nil)
 if err != nil {
 return fmt.Errorf("setting security info: %w", err)
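Review bot: The rewritten doc comment on setSecurityInfo in the first hunk says at least one of owner and ents "should be specified", but it does not say what happens otherwise, nor that the guard is `len(ents) > 0`, so a non-nil empty slice counts as unset. With an owner and an empty ents the call returns nil and leaves the file's existing DACL untouched, which matters to a caller that builds ents dynamically and reads a nil error as "permissions were tightened". I would end the comment with `// be nil or empty, in which case the corresponding information is left unchanged;` followed by `// if neither is given, an error is returned.` The second half is hedged: the second hunk shows a "no security information to set" return, but its condition lies outside the visible lines. The new ACL is also built under the flag set the TODO questions, which passes both PROTECTED_ and UNPROTECTED_DACL_SECURITY_INFORMATION; whether inherited ACEs from the parent are blocked decides how restrictive the result is, so that deserves a comment once it is settled.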