Files without inherited permissions always deletable despi..

Archived from groups: microsoft.public.win2000.security

Hello,

I would like to know if the following behavior has been documented and/or is
known. And if it is normal or on a fixlist.

The behavior is as follows:
When applying permissions to a file that removes inheritance of other ACEs
and adds permissions that allow full access for say "user1" and denies all
access for "user2". Now it is not possible to move/copy/rename this file,
however _deleting_ always works. Despite user2 not being of an administrator
group, not being the owner or having any rights to the file.

I've seen this behavior on the latest SP for Windows XP and back to Windows
2000, don't know about NT 4.0.

Bug?

Regards,

Chris
  1.

    > The behavior is as follows:
    > When applying permissions to a file that removes inheritance of other
    > ACEs and adds permissions that allow full access for say "user1" and
    > denies all access for "user2". Now it is not possible to move/copy/rename
    > this file, however _deleting_ always works. Despite user2 not being of an
    > administrator group, not being the owner or having any rights to the file.
    >
    > I've seen this behavior on the latest SP for Windows XP and back to
    > Windows 2000, don't know about NT 4.0.

    If it's XP and you have "Simple File Sharing" turned off (or are using Safe
    Mode), you can view the effective permissions on a file after taking
    inherited permissions and groups into account. Look for the "effective
    permissions" tab on the Advanced Security windows, and have it check a user
    or group to determine what their permissions are on the file or folder.

    --
    PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
    Prevent problems before they happen and help others avoid bad design.
    <http://www.pan-am.ca/antiwindowscatalog/>
  2.

    I just tried this on my XP SP2 computer and it did not work.

    I copied a picture file to another folder with my account, removed inherited
    permissions, selected the copy option, added two users who are only regular
    users - user A and user B. I have user A with full control allow and user B
    with full control deny. I logged on as user B and tried to access and delete
    the file and was not allowed to - access denied for delete. Maybe you did it
    a bit differently and I would be happy to try again. --- Steve


    "WakA" <waka@_remove_home.nl> wrote in message
    news:d0qk24$h77$1@ares.cs.utwente.nl...
    > Hello,
    >
    > I would like to know if the following behavior has been documented and/or
    > is known. And if it is normal or on a fixlist.
    >
    > The behavior is as follows:
    > When applying permissions to a file that removes inheritance of other
    > ACEs and adds permissions that allow full access for say "user1" and
    > denies all access for "user2". Now it is not possible to move/copy/rename
    > this file, however _deleting_ always works. Despite user2 not being of an
    > administrator group, not being the owner or having any rights to the file.
    >
    > I've seen this behavior on the latest SP for Windows XP and back to
    > Windows 2000, don't know about NT 4.0.
    >
    > Bug?
    >
    > Regards,
    >
    > Chris
    >
  3.

    > If it's XP and you have "Simple File Sharing" turned off (or are using
    > Safe Mode), you can view the effective permissions on a file after taking
    > inherited permissions and groups into account. Look for the "effective
    > permissions" tab on the Advanced Security windows, and have it check a
    > user or group to determine what their permissions are on the file or
    > folder.

    That's the point, checking effective permissions for "user2" shows us that
    the delete permission is turned _off_ and the user shouldn't be able to do
    anything with the file, let alone _delete_ it. Yet it can. Please try this
    for yourself. You won't even have to make a second user, just deny all
    permissions to your own account and you will still be able to delete it.

    Chris
  4.

    In article <d0qnet$jom$1@ares.cs.utwente.nl>, in the
    microsoft.public.win2000.security news group, WakA
    <waka@_remove_home.nl> says...

    > That's the point, checking effective permissions for "user2" shows us that
    > the delete permission is turned _off_ and the user shouldn't be able to do
    > anything with the file, let alone _delete_ it. Yet it can. Please try this
    > for yourself. You won't even have to make a second user, just deny all
    > permissions to your own account and you will still be able to delete it.
    >

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
  5.

    I used remove myself so there are absolutely no remnants from the inherited
    permissions.
    But it might be a Windows-install specific setting, I'm not sure yet.
    I'm at the moment checking out the link from Paul Adare from the post above.
    So if you did copy, it might have copied that 'secret' permission flag with
    it.

    Chris

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:xL2dnQly3Ny-fq3fRVn-jg@comcast.com...
    >I just tried this on my XP SP2 computer and it did not work.
    >
    > I copied a picture file to another folder with my account, removed
    > inherited permissions, selected the copy option, added two users who are
    > only regular users - user A and user B. I have user A with full control
    > allow and user B with full control deny. I logged on as user B and tried
    > to access and delete the file and was not allowed to - access denied for
    > delete. Maybe you did it a bit differently and I would be happy to try
    > again. --- Steve
    >
    >
  6.

    I saw the article that Paul posted and was not aware of it, but it is
    certainly good to know. I never experienced what you did because I never
    allow the Everyone group to have full control permissions to any folder. I
    never give any group other than System or Administrators full control
    outside of a user's home folder, profile folder, or redirected folder. --- Steve


    "WakA" <waka@_remove_home.nl> wrote in message
    news:d0qp47$l45$1@ares.cs.utwente.nl...
    > I used remove myself so there are absolutely no remnants from the inherited
    > permissions.
    > But it might be a Windows-install specific setting, I'm not sure yet.
    > I'm at the moment checking out the link from Paul Adare from the post
    > above.
    > So if you did copy, it might have copied that 'secret' permission flag
    > with it.
    >
    > Chris
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:xL2dnQly3Ny-fq3fRVn-jg@comcast.com...
    >>I just tried this on my XP SP2 computer and it did not work.
    >>
    >> I copied a picture file to another folder with my account, removed
    >> inherited permissions, selected the copy option, added two users who are
    >> only regular users - user A and user B. I have user A with full control
    >> allow and user B with full control deny. I logged on as user B and tried
    >> to access and delete the file and was not allowed to - access denied for
    >> delete. Maybe you did it a bit differently and I would be happy to try
    >> again. --- Steve
    >>
    >>
    >
    >
  7.

    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

    <quote> Users who have full control permission on a volume or directory
    also have the FDC permission. This permission allows a user to delete files
    at the root level of the directory where they have full control, even if
    they do not have any permissions on the specific file itself. </quote>

    <quote> For example, suppose you add the file MyFile.txt to the root of
    drive C </quote>

    So my understanding at the moment is that this only works at the root of a
    drive for reasons of booting and such? It appears this flag is not
    inheritable by subdirectories, and even if it was, wouldn't the not-inheriting
    flag on the file fix this?

    Chris
  8.

    In article <d0qpji$lg9$1@ares.cs.utwente.nl>, in the
    microsoft.public.win2000.security news group, WakA
    <waka@_remove_home.nl> says...

    > <quote> Users who have full control permission on a volume or directory
    > also have the FDC permission. This permission allows a user to delete files
    > at the root level of the directory where they have full control, even if
    > they do not have any permissions on the specific file itself. </quote>
    >
    > <quote> For example, suppose you add the file MyFile.txt to the root of
    > drive C </quote>
    >
    > So my understanding at the moment is that this only works at the root of a
    > drive for reasons of booting and such?

    No, it applies to files in the root of any directory, whether that
    directory is the root of a drive or not.

    > It appears this flag is not
    > inheritable by subdirectories, and even if it was, wouldn't the
    > not-inheriting flag on the file fix this?

    No, this has nothing at all to do with inheritance.


    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
  9.

    > No, it applies to files in the root of any directory, whether that
    > directory is the root of a drive or not.
    >
    >> It appears this flag is not
    >> inheritable by subdirectories, and even if it was, wouldn't the
    >> not-inheriting flag on the file fix this?
    >
    > No, this has nothing at all to do with inheritance.
    >
    Alright, this all makes perfect sense now :)
    Turning off inheritance to Everyone and not adding full control to the
    directory wherein the file resides fixes things (insofar as it was
    'broken').

    Thanks! My faith in newsgroups has been restored :P

    Chris
  10.

    FYI: this is not a foolish MS invention, but a behavior once forced on
    the design of Windows behaviors to meet POSIX standards compliance.

    --
    Roger
    "WakA" <waka@_remove_home.nl> wrote in message
    news:d0qreb$n14$1@ares.cs.utwente.nl...
    >
    >> No, it applies to files in the root of any directory, whether that
    >> directory is the root of a drive or not.
    >>
    >>> It appears this flag is not
    >>> inheritable by subdirectories, and even if it was, wouldn't the
    >>> not-inheriting flag on the file fix this?
    >>
    >> No, this has nothing at all to do with inheritance.
    >>
    > Alright, this all makes perfect sense now :)
    > Turning off inheritance to Everyone and not adding full control to the
    > directory wherein the file resides fixes things (insofar as it was
    > 'broken').
    >
    > Thanks! My faith in newsgroups has been restored :P
    >
    > Chris
    >
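
The rule from the KB article quoted in this thread, modelled as an added example (not code from any poster or from Microsoft): a delete succeeds with DELETE on the file or with FILE_DELETE_CHILD ("FDC") on the containing directory. The access check is simplified, principals are plain strings, and the two directory ACLs (Everyone with Full Control, Everyone with Modify) are constructed for illustration.

```python
# Simplified model of the delete decision discussed in the thread (added
# illustration, not Windows source). Principals are plain strings.
DELETE            = 0x00010000  # standard right, checked on the file
FILE_DELETE_CHILD = 0x00000040  # "FDC", checked on the parent directory
FULL_CONTROL      = 0x001F01FF  # FILE_ALL_ACCESS, includes FILE_DELETE_CHILD
MODIFY            = 0x001301BF  # Modify, does NOT include FILE_DELETE_CHILD


def access_check(dacl, principals, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit fails the check."""
    granted = 0
    for ace_type, principal, mask in dacl:
        if principal not in principals:
            continue
        if ace_type == "deny":
            if mask & desired & ~granted:
                return False
        else:
            granted |= mask
        if (desired & ~granted) == 0:
            return True
    return False  # no ACE granted everything requested


def can_delete(file_dacl, parent_dacl, principals):
    """Delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on its directory."""
    return (access_check(file_dacl, principals, DELETE)
            or access_check(parent_dacl, principals, FILE_DELETE_CHILD))


# Constructed ACLs mirroring the thread: inheritance removed on the file,
# user1 allowed Full Control, user2 denied Full Control (deny ACE first).
FILE_DACL = [("deny", "user2", FULL_CONTROL), ("allow", "user1", FULL_CONTROL)]
USER2 = {"user2", "Everyone"}  # user2's token also carries Everyone

PARENT_EVERYONE_FULL = [("allow", "Everyone", FULL_CONTROL)]   # the surprising case
PARENT_EVERYONE_MODIFY = [("allow", "Everyone", MODIFY)]       # Full Control withheld

if __name__ == "__main__":
    print("file ACL alone grants DELETE to user2:",
          access_check(FILE_DACL, USER2, DELETE))
    print("delete with Everyone:Full Control on directory:",
          can_delete(FILE_DACL, PARENT_EVERYONE_FULL, USER2))
    print("delete with Everyone:Modify on directory:",
          can_delete(FILE_DACL, PARENT_EVERYONE_MODIFY, USER2))
```

The file's own ACL never changes between the two cases; only the directory ACL decides whether user2 can delete, which is why the Effective Permissions tab on the file shows Delete as denied.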