What is the difference between a NULL-DACL and an empty DACL?
Posted by: Christian Wimmer in: JEDI Windows Security Code Lib
- A NULL-DACL (or nil if you wish) defines a non-existent discretionary access control list. If the system encounters such a nil pointer, it automatically grants access to all principals, including those who are not authenticated.
- A DACL with no access control entries denies access to all principals. If the system encounters such an empty DACL, it automatically denies access. However, the owner always has at least the WRITE_DAC right and thus can change the DACL.
- WinAPI receives a pointer to an initialized ACL and checks for a flag like SE_DACL_PRESENT (security descriptor flag) or DACL_SECURITY_INFORMATION (functions like SetNamedSecurityInfo).
- JWSCL defines an empty ACL by removing all elements from an instance of TJwDAccessControlList.
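
The distinction above can be checked directly on a raw self-relative security descriptor, for example when auditing descriptors exported from a system. The following is an added example, not JWSCL or WinAPI code: `classify_dacl`, `build_acl`, `build_sd` and the sample descriptors are hypothetical names and constructed data, and only the documented binary layout of `SECURITY_DESCRIPTOR` and `ACL` is assumed.

```python
import struct

SE_DACL_PRESENT = 0x0004   # security descriptor control flag
SE_SELF_RELATIVE = 0x8000  # descriptor stores offsets instead of pointers

def classify_dacl(sd: bytes) -> str:
    """Classify the DACL of a self-relative security descriptor."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor header")
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative descriptor")
    # Flag clear, or flag set with no ACL behind it: NULL DACL, everyone gets access.
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return "null"
    if dacl_off + 8 > len(sd):
        raise ValueError("DACL offset outside the buffer")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    if acl_size < 8 or dacl_off + acl_size > len(sd):
        raise ValueError("bad ACL size")
    # Initialized ACL with zero ACEs: empty DACL, nobody gets access.
    return "empty" if ace_count == 0 else "populated"

def build_acl(aces=()):
    """Constructed test helper: ACL header (revision 2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

def build_sd(control, dacl=b""):
    """Constructed test helper: descriptor without owner, group or SACL."""
    off = 20 if dacl else 0
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, off) + dacl

# Constructed ACCESS_ALLOWED_ACE: GENERIC_ALL for Everyone (S-1-1-0).
EVERYONE_ACE = (struct.pack("<BBHI", 0, 0, 20, 0x10000000)
                + bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0))

SAMPLES = {
    "null": build_sd(SE_DACL_PRESENT),
    "empty": build_sd(SE_DACL_PRESENT, build_acl()),
    "populated": build_sd(SE_DACL_PRESENT, build_acl([EVERYONE_ACE])),
}

if __name__ == "__main__":
    for name, sd in SAMPLES.items():
        print(f"{name:10} -> {classify_dacl(sd)}")
```

A result of `null` on anything other than a deliberately public object is worth flagging in an audit, since it bypasses the DACL check entirely.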