Permissions question

 
 
Colin
      12-13-2005
I have this scenario:

Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
Access.

Security permissions on folder:
Administrators: Full Control
CREATOR OWNER: Full Control
SYSTEM: Full Control
Test Group: Read, Create, Write, Append

So when a user of Test Group creates a file or folder on the share they
become Creator Owner and have full access to that file or folder. But they
cannot delete files or folders created by other users.

Test
1. Create a file in the folder as domain admin.
2. Map to the share as a user in Test Group and try to delete the file. You get
permission denied which is expected.
3. As the mapped user, create a folder in the share.
4. Now create a file in that created folder as domain admin.
5. Check permissions on the newly created file. Test Group or user has no
delete permissions. Running Effective Permissions against the user also shows
no delete permissions.
6. Try to delete the file as the user, file is deleted!

I assume the file can be deleted because the user is the Creator Owner of
the parent folder which propagated Full Access down to the file. But this
does not show up on the file's security settings. Why is that?
 
 
 
 
 
Ben Smith
      12-13-2005
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> I have this scenario:
>
> Create a folder on Windows 2003 Ent. Ed. server, share it as Everyone: Full
> Access.
>
> Security permissions on folder:
> Administrators: Full Control
> CREATOR OWNER: Full Control
> SYSTEM: Full Control
> Test Group: Read, Create, Write, Append
>
> So when a user of Test Group creates a file or folder on the share they
> become Creator Owner and have full access to that file or folder. But they
> cannot delete files or folders created by other users.
>
> Test
> 1. Create a file in the folder as domain admin.
> 2. Map to the share as a user in Test Group and try to delete the file. You get
> permission denied which is expected.
> 3. As the mapped user, create a folder in the share.
> 4. Now create a file in that created folder as domain admin.
> 5. Check permissions on the newly created file. Test Group or user has no
> delete permissions. Running Effective Permissions against the user also shows
> no delete permissions.
> 6. Try to delete the file as the user, file is deleted!


Right, this is the expected behavior.

> I assume the file can be deleted because the user is the Creator Owner of
> the parent folder which propagated Full Access down to the file. But this
> does not show up on the file's security settings. Why is that?
>


Because the permission the user is exercising is not on the file - it is
on an object in the folder he has full control over. I will admit, it is
a bit confusing.
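
The behaviour discussed above follows from the NTFS rule that a delete is allowed when the caller holds Delete on the object itself or Delete Subfolders and Files (part of Full Control) on the immediate parent folder, so the file's own ACL is only half of the picture. The PowerShell function below is an added example, not part of the original thread; the name `Get-DeleteGrant` and the account names are hypothetical, and it assumes the caller supplies the user's group names rather than resolving membership or ACE ordering.

```powershell
# Added example (not from the thread): list every ACE that bears on deleting
# $Path, looking at the object itself AND at its immediate parent folder.
function Get-DeleteGrant {
    param(
        [Parameter(Mandatory)] [string]   $Path,     # file or folder to examine
        [Parameter(Mandatory)] [string[]] $Identity  # account plus its groups (assumed given)
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    $item   = Get-Item -LiteralPath $Path -Force
    $parent = Split-Path -Parent $item.FullName

    $checks = @(
        # Delete on the object itself.
        @{ Where = 'object'; Target = $item.FullName; Right = $rights::Delete }
        # "Delete Subfolders and Files" on the parent folder.
        @{ Where = 'parent'; Target = $parent; Right = $rights::DeleteSubdirectoriesAndFiles }
    )

    foreach ($c in $checks) {
        if (-not $c.Target) { continue }   # a volume root has no parent
        $acl = Get-Acl -LiteralPath $c.Target
        foreach ($ace in $acl.Access) {
            # Inherit-only ACEs (such as the CREATOR OWNER template) are passed
            # to children and do not apply to the folder they are stored on.
            $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
            if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
            if ($Identity -notcontains $ace.IdentityReference.Value) { continue }
            if (-not $ace.FileSystemRights.HasFlag($c.Right)) { continue }

            [pscustomobject]@{
                CheckedOn = $c.Where
                Path      = $c.Target
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Right     = $c.Right
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed usage; the path and account names are placeholders:
# Get-DeleteGrant -Path 'D:\Share\UserFolder\admin-file.txt' `
#                 -Identity 'EXAMPLE\testuser', 'EXAMPLE\Test Group'
```

A row with `CheckedOn = parent` and `Type = Allow` is the case from this thread: the account does not appear in the file's ACL, yet the delete succeeds.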
 
 
 
 
 
Colin
      12-13-2005
Ok, I understand that part. I'm still not rock solid about why it isn't
visible through Security or Effective Permissions of that file object.

I guess my question would be, how would you know that a user of Test Group
could delete any files and folders under that directory just by looking at
the security of one of those files or folders? What if you have a scenario
where a file is buried under 100's of directories, the top one being owned by
some specific user, how hard would it be to determine that that file could be
deleted by the user owning the top dir? How do you see that this user has any
control over this file without winding your way up all the directories and
looking for permissions. There must be an easier way? Effective Permissions
tab does not help, as this reports no delete permission but it is in fact
allowed.

 
Ben Smith
      12-13-2005
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> Ok, I understand that part. I'm still not rock solid about why it isn't
> visible through Security or Effective Permissions of that file object.


I am not sure how the UI calculates the effective permissions. Take a
look at the Test group's permission on the folder. You should see that
the permission is to the Folder and all objects in the folder, but the
explicit permissions are only on folder objects, not file objects (which
would explain the results of the effective permissions tab.)

> I guess my question would be, how would you know that a user of Test Group
> could delete any files and folders under that directory just by looking at
> the security of one of those files or folders? What if you have a scenario
> where a file is buried under 100's of directories, the top one being owned by
> some specific user, how hard would it be to determine that that file could be
> deleted by the user owning the top dir? How do you see that this user has any
> control over this file without winding your way up all the directories and
> looking for permissions. There must be an easier way? Effective Permissions
> tab does not help, as this reports no delete permission but it is in fact
> allowed.


Your point is well-taken. I will run some tests next week and file a bug
on it.

 
The Rev [MCT]
      12-13-2005
Security Effective Permissions doesn't take into account any SHARE
permissions, only the NTFS permissions. And if you are looking for creator
owner permissions then you would need to use CREATOR OWNER in the effective
permissions user dialog box.

--
..rev.mct.mcngp.44

It is the mark of an educated man to be able to entertain a thought without
accepting it.
~Aristotle
..
 
Ben Smith
      12-13-2005
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> Subject: Re: Permissions question
> From: Colin <(E-Mail Removed)>
> Newsgroups: microsoft.public.cert.exam.mcse
>
> Ok, I understand that part. I'm still not rock solid about why it isn't
> visible through Security or Effective Permissions of that file object.
>
> I guess my question would be, how would you know that a user of Test Group
> could delete any files and folders under that directory just by looking at
> the security of one of those files or folders? What if you have a scenario
> where a file is buried under 100's of directories, the top one being owned by
> some specific user, how hard would it be to determine that that file could be
> deleted by the user owning the top dir? How do you see that this user has any
> control over this file without winding your way up all the directories and
> looking for permissions. There must be an easier way? Effective Permissions
> tab does not help, as this reports no delete permission but it is in fact
> allowed.
>


I ran this test on XPSP2. The test user did not show up in the file ACL,
as expected, but the effective permissions tab did show that the test
user had modify permissions on the file.

Steps:

1) Create share on HOST (HOST\Share) for c:\test1 as Ben, an
administrator
2) Change Share perms from everyone Read to FC
3) Grant Bill_Test Modify permissions on the folder c:\test1
4) Map a drive to HOST\share from remote computer as Bill_Test
5) Create a folder called Bill_Test1 in HOST\Share
6) On host, create a file (as Ben) in c:\test1\Bill_Test

Opening the ACL editor and looking at the file's acl does not list
Bill_Test in the ACEs (this is expected), but using the Effective
Permissions tab did show that Bill_Test effectively had Modify
permissions on the file because Bill_Test has FC on the folder where the
file was created.

The real problem is that Bill_Test could modify the file, but was not
listed in the ACL.

I will ping the person who owns the ACL UI today.
 
 
Ben Smith
      12-13-2005
In article <OA5KAy$$(E-Mail Removed)>,
(E-Mail Removed) says...
> Subject: Re: Permissions question
> From: The Rev [MCT] <(E-Mail Removed)>
> Newsgroups: microsoft.public.cert.exam.mcse
>
> Security Effective Permissions doesn't take into account any SHARE
> permissions, only the NTFS permissions. And if you are looking for creator
> owner permissions then you would need to use CREATOR OWNER in the effective
> permissions user dialog box.
>
>


Share permissions are completely irrelevant in this scenario because they
are set to FC.
 
 
Ben Smith
      12-13-2005
In article <(E-Mail Removed) >,
(E-Mail Removed) says...
> I will ping the person who owns the ACL UI today.
>
>


He is out until next week, so I will update this when he returns.
 
 
Colin
      12-14-2005
Also, apart from what Ben said, the owner of the file is administrator.

 
Colin
      12-14-2005
"Ben Smith" wrote:

> In article <(E-Mail Removed) >,
> (E-Mail Removed) says...
> > I will ping the person who owns the ACL UI today.
> >
> >

>
> He is out until next week, so I will update this when he returns.
>


Great, thanks Ben.
 