Focus on Microsoft
Re: NTFS default special permissions Sep 05 2007 03:43PM
Megan Kielman (megan kielman gmail com) (2 replies)
Geekwench -

On 9/4/07, Geekwench <geekwench (at) hotmail (dot) com [email concealed]> wrote:
> I think we both understand the original question perfectly well, but I'm not
> sure you noticed that the discussion is about a volume, not a folder.
>
> As for the 'why', that has been answered several times now. Default
> permissions do not assume that you want a read-only volume. Default
> permissions assume that you want a volume that people can use for using,
> accessing and *storing* data. That is why the default permissions include
> the special permissions that are necessary for that to occur.

I disagree with MS's decision to grant users the ability to write by
default, especially in such a way where it isn't obvious that the
users have write. Granted it only takes a couple of clicks for someone
to see the special permissions but knowing how simple it is to
see/manage permissions in Unix/Linux, I find Windows' implementation
cumbersome, but this is a different conversation altogether.

>
> Note, again, that the original post referenced a VOLUME. As in a partition.
> A drive. An entire chunk of space allocated on a disk. NOT A FOLDER. It is
> fairly rare for somebody to want an entire volume to be read-only (in fact,
> creating a volume and then disallowing any writes to the volume would be
> pretty, well, dumb), which is why the default permissions allow users to
> create and store data on the volume. Don't confuse your choosing to manually
> designate a folder as "read only" with the operating system setting the
> default permissions on an entire volume to allow data to be created and
> stored on that volume. That is what a volume is *for*- to store data of some
> kind.

You continue to refer to the volume as a "data" volume but the default
permissions apply to ALL volumes, including system volumes. Users do
not need any write permission to system volumes. Furthermore, no need
to define what a volume is as I am completely aware. We simply have
had a misunderstanding and your condescending tone is not appreciated.

>
> So, again, the default permissions on a volume are configured to allow that
> volume to actually be usable for data storage. Should an administrator wish
> to reconfigure that, the administrator can, and should, do so. The default
> permission set, however, sets what are essentially the minimum permissions
> required for users to store data on that volume.
>
> It might help you to understand if you pull up the permissions on an NTFS
> volume and look not only at the permissions as they're described in the
> original post- which, btw, is not a complete description and which it seems
> you're misinterpreting a bit- you seem to be assuming that those special
> permissions "came with" some other permissions that the OP set and that is
> not the case. They were not magically set because of the OP setting read &
> execute, etc., permissions. They are the DEFAULT PERMISSIONS for the NEWLY
> CREATED volume. The OP didn't say he'd set a single permission, and those
> special permissions don't magically appear because somebody sets read &
> execute permissions on, say, a folder.
>
> You should also look at what each of the permissions applies *onto* within
> that volume. Then consider the typical user activities on a volume and what
> permissions would be needed for users to do what they need to do to get
> their work done, such as create folders to store documents in and then store
> documents in those folders.
>
> Finally, create a folder in the volume and add somebody to the ACL for that
> folder. Note the default permissions for the newly-added user, which are
> "Read and Execute", "List Folder Contents" and "Read". Then actually look at
> the special permissions for that user. [no yelling, just capping for
> emphasis:] THERE ARE NO SPECIAL PERMISSIONS ALLOWING USERS TO CREATE
> FOLDERS/APPEND DATA AND CREATE FILES/WRITE DATA CREATED. To put this another
> way, GRANTING "READ AND EXECUTE", "LIST FOLDER CONTENTS" AND "READ" DOES NOT
> CREATE THE SPECIAL PERMISSIONS YOU THINK IT CREATES. You are confused about
> the difference between the canned base permissions for the volume and the
> default permissions on folders, as well as the difference between viewing a
> default ACL and actually modifying an ACL, as well as what are the default
> folder permissions for somebody added to the ACL on the folder.

Thank you for the all caps clarification.

>
>
> Laura Robinson

> > -----Original Message-----
> > From: Megan Kielman [mailto:megan.kielman (at) gmail (dot) com [email concealed]]
> > Sent: Wednesday, September 05, 2007 12:38 AM
> > To: Geekwench
> > Cc: Ansgar -59cobalt- Wiechers; focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Re: NTFS default special permissions
> >
> > Ansgar/Geekwench -
> >
> > I believe that both of you have misunderstood the original question.
> >
> > The OP specifically asked what would happen if the Create
> > Folders/Append Data & Create Files/Write Data permission were removed
> > because he ONLY wants to provide Read and Execute permission to that
> > directory. I followed his question with another question about why
> > when Read and Execute, List Folder Contents, and Read are granted,
> > there is a "special" permission" allowing users to Create
> > Folders/Append Data and Create Files/Write Data. In my opinion that is
> > confusing and misleading.
> >
> > You both keep mentioning that Create Folders/Append Data & Create
> > Files/Write data is needed so users can do their work but in my
> > experiences there are many cases where users only need to read for
> > certain directories. Is there some functional reason why read only on
> > directories is not sufficient? Is it temp files, as The OP asked
> > earlier?
> >
> > Megan
> >
> >
> >
> > On 9/4/07, Geekwench <geekwench (at) hotmail (dot) com [email concealed]> wrote:
> > > I think the original question is being misunderstood. The OP wrote:
> > >
> > > "The default permissions for Users are Read & Execute, List Folder Contents,
> > > and Read. This is what we want. But the Users account also gets the
> > > special permissions Create Folders\Append Data and Create Files\Write Data."
> > >
> > > What I think you may be missing is that the default permissions are not just
> > > read permissions. They are read and *execute* permissions, plus permissions
> > > necessary for users to store content on the volume. Therefore, your
> > > statement " It seems silly to me that when you grant someone read access
> > > they by default can also write" isn't a logical conclusion.
> > >
> > > There was nothing in the original query indicating that the default
> > > permissions are JUST read permissions. They are not. They are read, execute
> > > and "store content" permissions, so any conclusion drawn on the assumption
> > > that the inclusion of "read" in a permissions set implies "read only" is
> > > fallacious.
> > >
> > > The reasons for the create/append permissions have been addressed already.
> > > In order to provide a functional default permissions set on volumes, the
> > > permissions are created the way they are. I'm not sure where you got the
> > > impression that there was anything in the default permissions that provides
> > > read-only functionality, but that would be a very poor default permission
> > > set given that most volumes are not intended to be read-only.
> > >
> > > BTW, how come my legit e-mail got bumped off this list when we got a new
> > > moderator, but my spambox address is still getting the secfocus posts? Grr.
> > >
> > > Laura Robinson
> > >
> > > > -----Original Message-----
> > > > From: listbounce (at) securityfocus (dot) com [email concealed]
> > > > [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Megan Kielman
> > > > Sent: Tuesday, September 04, 2007 9:11 AM
> > > > To: Ansgar -59cobalt- Wiechers
> > > > Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> > > > Subject: Re: NTFS default special permissions
> > > >
> > > > No, I am asking for clarification on the original question. Why when a
> > > > user is granted Read & Execute are they also granted the special
> > > > permission Create Folders\Append Data and Create Files\Write Data? Is
> > > > it only so that a user can create temporary files? It seems silly to
> > > > me that when you grant someone read access they by default can also
> > > > write.
> > > >
> > > > On 9/4/07, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
> > > > > On 2007-09-03 Megan Kielman wrote:
> > > > > > On 8/24/07, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
> > > > > >> On 2007-08-22 Robert McIntyre wrote:
> > > > > >>> On my Windows 2003 servers we create a data partition and format it
> > > > > >>> with NTFS. The default permissions for Users are Read & Execute,
> > > > > >>> List Folder Contents, and Read. This is what we want. But the
> > > > > >>> Users account also gets the special permissions Create
> > > > > >>> Folders\Append Data and Create Files\Write Data.
> > > > > >>>
> > > > > >>> From the articles that I have seen on TechNet, the special
> > > > > >>> permissions are not needed if we only want read access. So why are
> > > > > >>> they there by default? What purpose do they serve? If we remove
> > > > > >>> the special permissions will it cause problems?
> > > > > >>>
> > > > > >>> The only thing that I could think of is that maybe it is needed to
> > > > > >>> create a temporary file when you open a document for reading.
> > > > > >>
> > > > > >> If you remove those ACEs your users will be unable to create files
> > > > > >> and folders on that partition. That may cause problems e.g. in cases
> > > > > >> when they need to open files with programs like MS Word, because Word
> > > > > >> creates temp files in the same directory as the document.
> > > > > >
> > > > > > How is the Create Folders/Append Data and Create Files/Write Data
> > > > > > permission different than Write?
> > > > >
> > > > > The former two are subsets of the latter. "Write" permissions consist of
> > > > > these four basic permissions:
> > > > >
> > > > > - Create Files/Write Data
> > > > > - Create Folders/Append Data
> > > > > - Write Attributes
> > > > > - Write Extended Attributes
> > > > >
> > > > > > How does it differentiate an action where the user intends to
> > > > > > create/write data versus creating a temp file as a byproduct of
> > > > > > opening a Word doc?
> > > > >
> > > > > You aren't asking what the difference between writing to an already
> > > > > existing file and creating a new file is, are you?
> > > > >
> > > > > Regards
> > > > > Ansgar Wiechers
> > > > > --
> > > > > "All vulnerabilities deserve a public fear period prior to patches
> > > > > becoming available."
> > > > > --Jason Coombs on Bugtraq
> > > > >
> > > >
> > >
> >
>
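
The thread turns on two points that are easier to see in code than in the Security tab: the "special permissions" box is ticked whenever an ACE carries rights that no canned checkbox fully covers, and Ansgar's canned "Write" is the union of four basic rights, of which the Users default carries only two. The script below is an added example, not code from the thread or from Microsoft. It decodes an NTFS access mask into the basic rights the Advanced dialog lists, works out which checkboxes Windows would tick and what is left over as "special", and runs a simple audit over a constructed ACL. The bit values and generic-to-specific mappings are the documented winnt.h constants; the trustee names, the split of the Users default into three Allow ACEs, and the decision to ignore Deny ACEs and inheritance flags are my assumptions for illustration.

```python
# Added example (not from the thread or from Microsoft): decode NTFS access
# masks, show the Security-tab checkbox view, and audit write-class rights.
# Sample ACL entries below are constructed, not dumped from a real system.

# Specific file/directory rights from winnt.h; the comment is the label the
# Advanced permissions dialog shows for a folder. SYNCHRONIZE is not listed
# there, so it is kept out of BASIC_RIGHTS.
FILE_READ_DATA = 0x0001         # List Folder / Read Data
FILE_WRITE_DATA = 0x0002        # Create Files / Write Data
FILE_APPEND_DATA = 0x0004       # Create Folders / Append Data
FILE_READ_EA = 0x0008           # Read Extended Attributes
FILE_WRITE_EA = 0x0010          # Write Extended Attributes
FILE_EXECUTE = 0x0020           # Traverse Folder / Execute File
FILE_DELETE_CHILD = 0x0040      # Delete Subfolders and Files
FILE_READ_ATTRIBUTES = 0x0080   # Read Attributes
FILE_WRITE_ATTRIBUTES = 0x0100  # Write Attributes
DELETE = 0x00010000             # Delete
READ_CONTROL = 0x00020000       # Read Permissions
WRITE_DAC = 0x00040000          # Change Permissions
WRITE_OWNER = 0x00080000        # Take Ownership
SYNCHRONIZE = 0x00100000

BASIC_RIGHTS = [
    (FILE_READ_DATA, "List Folder / Read Data"),
    (FILE_WRITE_DATA, "Create Files / Write Data"),
    (FILE_APPEND_DATA, "Create Folders / Append Data"),
    (FILE_READ_EA, "Read Extended Attributes"),
    (FILE_WRITE_EA, "Write Extended Attributes"),
    (FILE_EXECUTE, "Traverse Folder / Execute File"),
    (FILE_DELETE_CHILD, "Delete Subfolders and Files"),
    (FILE_READ_ATTRIBUTES, "Read Attributes"),
    (FILE_WRITE_ATTRIBUTES, "Write Attributes"),
    (DELETE, "Delete"),
    (READ_CONTROL, "Read Permissions"),
    (WRITE_DAC, "Change Permissions"),
    (WRITE_OWNER, "Take Ownership"),
]

# Generic-to-specific mappings for file objects (winnt.h).
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0x1F01FF

# The canned sets behind the Security-tab checkboxes, broadest first.
CANNED = [
    ("Full Control", FILE_ALL_ACCESS),
    ("Modify", FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | DELETE),
    ("Read & Execute", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),
    ("Read", FILE_GENERIC_READ),
    ("Write", FILE_GENERIC_WRITE),
]

# The four basic rights that together make up canned "Write".
WRITE_CLASS = {FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA}


def basic_permissions(mask):
    """Labels of the Advanced-dialog rights present in mask."""
    return [label for bit, label in BASIC_RIGHTS if mask & bit]


def checkbox_view(mask):
    """(ticked canned boxes, leftover 'special' rights) as the Security tab
    shows them: a box is ticked only if every bit of its set is present, and
    any listed right not covered by a ticked box shows up as 'special'."""
    ticked = [name for name, bits in CANNED if mask & bits == bits]
    covered = 0
    for name, bits in CANNED:
        if name in ticked:
            covered |= bits
    special = [label for bit, label in BASIC_RIGHTS if mask & bit and not covered & bit]
    return ticked, special


def write_rights(mask):
    """Write-class basic rights present in mask (the ones a read-only
    volume should not grant to ordinary users)."""
    return [label for bit, label in BASIC_RIGHTS if bit in WRITE_CLASS and mask & bit]


def effective_mask(aces, trustee):
    """OR of all Allow ACEs for one trustee. Deny ACEs, group membership
    and inheritance flags are deliberately out of scope here."""
    mask = 0
    for who, bits in aces:
        if who == trustee:
            mask |= bits
    return mask


def audit(aces, trusted=("BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER")):
    """Map each non-trusted trustee to the write-class rights it holds."""
    findings = {}
    for who, _ in aces:
        if who in trusted:
            continue
        rights = write_rights(effective_mask(aces, who))
        if rights:
            findings[who] = rights
    return findings


# Constructed sample: Allow ACEs on a freshly formatted volume root, laid out
# as the thread describes the Users default (Read & Execute plus the two
# special create/append rights). Assumed layout, not a real dump.
VOLUME_ROOT_ACES = [
    ("BUILTIN\\Administrators", FILE_ALL_ACCESS),
    ("NT AUTHORITY\\SYSTEM", FILE_ALL_ACCESS),
    ("CREATOR OWNER", FILE_ALL_ACCESS),
    ("BUILTIN\\Users", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),
    ("BUILTIN\\Users", FILE_APPEND_DATA),
    ("BUILTIN\\Users", FILE_WRITE_DATA),
]

# The same ACL after an administrator removes the two special entries.
READ_ONLY_ACES = [(who, bits) for who, bits in VOLUME_ROOT_ACES
                  if not (who == "BUILTIN\\Users" and bits in (FILE_APPEND_DATA, FILE_WRITE_DATA))]

if __name__ == "__main__":
    users = effective_mask(VOLUME_ROOT_ACES, "BUILTIN\\Users")
    print(hex(users), checkbox_view(users))
    print("write-class rights for Users:", write_rights(users))
    print("audit, default ACL:", audit(VOLUME_ROOT_ACES))
    print("audit, read-only ACL:", audit(READ_ONLY_ACES))
```

Run it and `checkbox_view` reports the Users default as Read & Execute and Read ticked, with Create Files / Write Data and Create Folders / Append Data left over as special, which is exactly what the OP saw; `write_rights(FILE_GENERIC_WRITE)` returns the four rights Ansgar lists. Keep in mind that `effective_mask` only ORs Allow ACEs for a named trustee, so on a real volume you would still need to account for Deny ACEs, group membership and the inheritance scope of each entry before trusting the audit result.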
