Focus on Microsoft
Re: NTFS default special permissions Sep 04 2007 02:01PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2007-09-04 Megan Kielman wrote:
> On 9/4/07, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
>> On 2007-09-03 Megan Kielman wrote:
>>> On 8/24/07, Ansgar -59cobalt- Wiechers <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
>>>> If you remove those ACEs your users will be unable to create files
>>>> and folders on that partition. That may cause problems e.g. in cases
>>>> when they need to open files with progams like MS Word, because Word
>>>> creates temp files in the same directory as the document.
>>> How is the Create Folders/Append Data and Create Files/Write Data
>>> permission different then Write?
>> The former two are subsets of the latter. "Write" permissions consist of
>> these four basic permissions:
>> - Create Files/Write Data
>> - Create Folders/Append Data
>> - Write Attributes
>> - Write Extended Attributes
>>> How does it differentiate an action where the user intends to
>>> create/write data versus creating a temp file as a byproduct of
>>> opening a Word doc?
>> You aren't asking what the difference between writing to an already
>> existing file and creating a new file is, are you?
> No, I am asking for clarification on the original question. Why when a
> user is grated Read & Execute are they also granted the special
> permission Create Folders\Append Data and Create Files\Write Data?

Of course not. What gave you that idea? In the OP's case the partitions
have the special permissions "Create Files/Write Data" and "Create
Folders/Append Data" ON TOP OF the Read & Execute permissions.

> Is it only so that a user can create temporary files?

Although there are situations where read-only access will suffice, users
will need some kind of write access to data partitions in most cases,
because they need to work with/on that data. That's why by default users
have the rights to create files and folders on (data) partitions.

> It seems silly to me that when you grant someone read access they by
> default can also write.

They can't.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus