Focus on Microsoft
Re: NTFS default special permissions Sep 05 2007 04:38AM
Megan Kielman (megan kielman gmail com) (1 replies)
Re: NTFS default special permissions Sep 05 2007 11:26AM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2007-09-04 Megan Kielman wrote:
> Ansgar/Geekwench -
> I believe that both of you have misunderstood the original question.

You believe wrong.

> The OP specifically asked what would happen if the Create
> Folders/Append Data & Create Files/Write Data permission were removed
> because he ONLY wants to provide Read and Execute permission to that
> directory. I followed his question with another question about why
> when Read and Execute, List Folder Contents, and Read are granted,
> there is a "special" permission allowing users to Create
> Folders/Append Data and Create Files/Write Data.

To repeat myself: there isn't. Read permissions do NOT include (nor do
they imply) the special permissions "Create Files/Write Data" or "Create
Folders/Append Data".

> You both keep mentioning that Create Folders/Append Data & Create
> Files/Write data is needed so users can do their work

Which is why this set of permissions is the DEFAULT for newly created
volumes. You can change permissions from there.

> but in my experiences there are many cases where users only need to
> read for certain directories.

So? If that's all they need then grant them only that.

> Is there some functional reason why read only on directories is not
> sufficient? Is it temp files, as The OP asked earlier?

Nobody ever said read permissions were not sufficient for read-only
access. You keep misreading what's been said in this thread. All I've
been saying is that removing the special permissions MAY cause problems
(e.g. in situations where opening a file results in creation of a
temporary file in the same directory). It's up to the OP to decide if he
can live with these issues, or if they're issues for him in the first

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
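
Added example, not part of the original post: the point made in the reply above (Read & Execute does not contain the two create permissions, which come from separate entries) shown at the access-mask level. The bit values are the standard ones from winnt.h; the sample DACL is constructed, and the model is an assumption that covers allow ACEs only, ignoring deny ACEs and inheritance flags.

```python
# NTFS directory access-mask bits (winnt.h), with the names the ACL editor shows.
FILE_LIST_DIRECTORY   = 0x000001  # List Folder / Read Data
FILE_ADD_FILE         = 0x000002  # Create Files / Write Data
FILE_ADD_SUBDIRECTORY = 0x000004  # Create Folders / Append Data
FILE_READ_EA          = 0x000008  # Read Extended Attributes
FILE_TRAVERSE         = 0x000020  # Traverse Folder / Execute File
FILE_READ_ATTRIBUTES  = 0x000080  # Read Attributes
READ_CONTROL          = 0x020000  # Read Permissions
SYNCHRONIZE           = 0x100000
FILE_ALL_ACCESS       = 0x1F01FF  # Full Control

READ_AND_EXECUTE = (FILE_LIST_DIRECTORY | FILE_READ_EA | FILE_TRAVERSE |
                    FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)
CREATE_RIGHTS = FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY

# Constructed sample DACL as (trustee, allow mask) pairs: one Read & Execute
# entry plus two separate "special" entries for the same group.
SAMPLE_DACL = [
    ("BUILTIN\\Users", READ_AND_EXECUTE),
    ("BUILTIN\\Users", FILE_ADD_SUBDIRECTORY),
    ("BUILTIN\\Users", FILE_ADD_FILE),
    ("BUILTIN\\Administrators", FILE_ALL_ACCESS),
]

def granted(dacl, trustee):
    """Union of all allow masks that name the trustee."""
    mask = 0
    for who, ace_mask in dacl:
        if who == trustee:
            mask |= ace_mask
    return mask

def aces_granting(dacl, trustee, rights):
    """Indexes of the trustee's ACEs that carry any of the given rights."""
    return [i for i, (who, ace_mask) in enumerate(dacl)
            if who == trustee and ace_mask & rights]

def strip_create_rights(dacl, trustee):
    """Clear the create bits from the trustee's ACEs; drop ACEs left empty."""
    result = []
    for who, ace_mask in dacl:
        if who == trustee:
            ace_mask &= ~CREATE_RIGHTS
            if ace_mask == 0:
                continue
        result.append((who, ace_mask))
    return result

if __name__ == "__main__":
    users = "BUILTIN\\Users"
    print(hex(granted(SAMPLE_DACL, users)), aces_granting(SAMPLE_DACL, users, CREATE_RIGHTS))
    print(hex(granted(strip_create_rights(SAMPLE_DACL, users), users)))
```
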
