How is the Create Folders/Append Data and Create Files/Write Data
permission different then Write? How does it differentiate an action
where the user intends to create/write data versus creating a temp
file as a byproduct of opening a Word doc?

On 8/24/07, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
> On 2007-08-22 Robert McIntyre wrote:
> > On my Windows 2003 servers we create a data partition and format it
> > with NTFS. The default permissions for Users are Read & Execute, List
> > Folder Contents, and Read. This is what we want. But the Users
> > account also gets the special permissions Create Folders\Append Data
> > and Create Files\Write Data.
> >
> > From the articles that I have seen on TechNet, the special permissions
> > are not needed if we only want read access. So why are they there by
> > default? What purpose do they serve? If we remove the special
> > permissions will it cause problems?
> >
> > The only thing that I could think of is that maybe it is needed to
> > create a temporary file when you open a document for reading.
>
> If you remove those ACEs your users will be unable to create files and
> folders on that partition. That may cause problems e.g. in cases when
> they need to open files with progams like MS Word, because Word creates
> temp files in the same directory as the document.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>

[ reply ]