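cacls is a Windows command-line tool for viewing and modifying the access control list (ACL) of a file or directory. The ACL defines the access rights that users and groups have to that file or directory. What follows is a detailed introduction to cacls, its parameters, and its usage.
There are generally two ways to set permissions:
- Set the access control permissions for the file or directory on the "Security" tab in the graphical user interface (GUI)
- Use the cacls command, which is a command-line tool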
Basic syntax
:: cacls filename [/t] [/e] [/c] [/g user:permission] [/r user] [/p user:permission] [/d user]
cacls filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]
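Common options
filename       Displays the ACL (access control list)
/T             Changes the ACLs of the specified files in the current directory and all subdirectories
/L             Works on the symbolic link itself rather than on its target
/M             Changes the ACLs of volumes mounted to a directory
/S             Displays the SDDL string for the DACL
/S:SDDL        Replaces the ACL with the specified SDDL string (cannot be combined with /E, /G, /R, /P or /D)
/E             Edits the ACL instead of replacing it
/C             Continues on access-denied errors
/G user:perm   Grants access rights to the specified user
               perm can be: R  Read
                            W  Write
                            C  Change (write)
                            F  Full control
/R user        Revokes the specified user's access rights (only valid with /E)
/P user:perm   Replaces the specified user's access rights
               perm can be: N  None
                            R  Read
                            W  Write
                            C  Change (write)
                            F  Full control
/D user        Denies access to the specified user
Wildcards can be used to specify multiple files in a command.
You can specify more than one user in a command.
Abbreviations:
CI - Container Inherit. The ACE (access control entry) will be inherited by directories.
OI - Object Inherit. The ACE will be inherited by files.
IO - Inherit Only. The ACE does not apply to the current file/directory.
ID - Inherited. The ACE was inherited from the parent directory's ACL.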
Usage examples
View the ACL of a file
C:\>cacls example.txt
C:\example.txt NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
View the ACL of a folder
C:\>cacls C:\Documents
C:\Documents NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(特殊访问:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(ID)(特殊访问:)
FILE_WRITE_DATA
CREATOR OWNER:(OI)(CI)(IO)(ID)F
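Grant a user full control (without /e the existing ACL is replaced rather than edited, as the second listing shows)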
C:\>cacls example.txt /g everyone:F
是否确定(Y/N)?y
处理的文件: C:\example.txt
C:\>cacls example.txt
C:\example.txt Everyone:F
Use the net localgroup command to list the local groups, then grant Guests all permissions on the folder
C:\>net localgroup
\\tj3b_EDUYDN8C16 的别名
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
命令成功完成。
C:\>cacls C:\Documents
C:\Documents NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(特殊访问:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(ID)(特殊访问:)
FILE_WRITE_DATA
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\>cacls C:\Documents /p Guests:F
是否确定(Y/N)?y
处理的目录: C:\Documents
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)F
Remove all of the Guests permissions on the folder
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)F
C:\>cacls C:\Documents /p Guests:N
是否确定(Y/N)?y
处理的目录: C:\Documents
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
Set user access permissions
Grant the user everyone read permission on the folder and all of its subdirectories
C:\>cacls C:\Documents /t /g everyone:R
是否确定(Y/N)?y
处理的目录: C:\Documents
C:\>cacls C:\Documents
C:\Documents Everyone:(OI)(CI)R
Grant the user everyone full control of the folder and all of its subdirectories
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
C:\>cacls C:\Documents /t /e /c /g everyone:F
处理的目录: C:\Documents
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
Everyone:(OI)(CI)F
Add (/e) a new permission to the file example.txt, granting the group everyone write (W) permission
C:\>cacls example.txt
C:\example.txt NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\>cacls example.txt /e /g everyone:W
处理的文件: C:\example.txt
C:\>cacls example.txt
C:\example.txt Everyone:(特殊访问:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_WRITE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_EXECUTE
FILE_WRITE_ATTRIBUTES
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
Replace user access permissions
Replace the permissions of the user everyone with read-only permission
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
Everyone:(OI)(CI)F
C:\>cacls C:\Documents /t /e /c /p everyone:R
处理的目录: C:\Documents
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
Everyone:(OI)(CI)R
Revoke user access permissions
Revoke all access permissions of the user everyone (on the folder)
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
Everyone:(OI)(CI)R
C:\>cacls C:\Documents /t /e /c /r everyone
处理的目录: C:\Documents
文件名、目录名或卷标语法不正确。
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
Revoke all access permissions of the user everyone (on the file example.txt)
C:\>cacls example.txt
C:\example.txt Everyone:(特殊访问:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_WRITE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_EXECUTE
FILE_WRITE_ATTRIBUTES
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\>cacls example.txt /e /r everyone
处理的文件: C:\example.txt
C:\>cacls example.txt
C:\example.txt NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
Deny user access
Deny the user everyone access to the folder and all of its subdirectories
C:\>cacls C:\Documents
C:\Documents BUILTIN\Guests:(OI)(CI)N
C:\>cacls C:\Documents /t /e /c /d everyone
处理的目录: C:\Documents
文件名、目录名或卷标语法不正确。
C:\>cacls C:\Documents
C:\Documents Everyone:(OI)(CI)N
BUILTIN\Guests:(OI)(CI)N
Deny the user everyone access to the file example.txt
C:\>cacls example.txt /d everyone
是否确定(Y/N)?y
处理的文件: C:\example.txt
C:\>cacls example.txt
C:\example.txt Everyone:N
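An added example, not part of the original page: a small Python parser for the listing format that cacls prints in the examples above, used to flag broad principals that hold write-capable permissions after changes such as /g everyone:F. The function names, the BROAD review list and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumed review list: broad principals whose write access deserves a second look.
BROAD = {"everyone", "builtin\\guests", "builtin\\users"}
WRITE_PERMS = {"W", "C", "F"}  # cacls letters that include write access
WRITE_RIGHTS = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_GENERIC_WRITE"}
ACE = re.compile(r"^(?P<who>[^:(]+):(?P<flags>(?:\((?:OI|CI|IO|ID)\))*)"
                 r"(?P<rest>[NRWCF]|\(.+)$")

def parse_cacls(path, output):
    """Parse the listing printed by `cacls <path>`; path is given as cacls echoes it."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # only the first line carries the path
        m = ACE.match(line)
        if m:
            # A single letter is a simple permission; otherwise a rights list follows.
            rest = m.group("rest")
            aces.append({"who": m.group("who").strip(),
                         "flags": re.findall(r"\((\w+)\)", m.group("flags")),
                         "perm": rest if len(rest) == 1 else None, "rights": []})
        elif aces and re.fullmatch(r"[A-Z_]+", line):
            aces[-1]["rights"].append(line)  # right name under a special-access ACE
    return aces

def risky(aces):
    """Return (trustee, reason) pairs for broad principals that can write."""
    found = []
    for a in aces:
        if a["who"].lower() not in BROAD:
            continue
        if a["perm"] in WRITE_PERMS:
            found.append((a["who"], a["perm"]))
        elif (hits := sorted(WRITE_RIGHTS & set(a["rights"]))):
            found.append((a["who"], "special:" + ",".join(hits)))
    return found

# Constructed sample, modelled on the folder listings shown on this page.
SAMPLE = r"""C:\Documents NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
             BUILTIN\Users:(OI)(CI)(ID)R
             BUILTIN\Users:(CI)(ID)(特殊访问:)
                                   FILE_APPEND_DATA
             BUILTIN\Guests:(OI)(CI)N
             Everyone:(OI)(CI)F"""

if __name__ == "__main__":
    print(risky(parse_cacls(r"C:\Documents", SAMPLE)))
```

Entries with N (no access) and R (read) are parsed but not reported; only W, C, F or a special-access list containing a write right is flagged.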