Files without inherited permissions always deletable despi..

Anonymous
March 11, 2005 3:08:49 AM

Archived from groups: microsoft.public.win2000.security

Hello,

I would like to know if the following behavior has been documented and/or is
known. And if it is normal or on a fixlist.

The behavior is as follows:
When applying permissions to a file that removes inheritance of other ACEs
and adds permissions that allow full access for say "user1" and denies all
access for "user2". Now it is not possible to move/copy/rename this file,
however _deleting_ always works. Despite user2 not being of an administrator
group, not being the owner or having any rights to the file.

I've seen this behavior on the latest sp for windows xp and back to windows
2000, don't know about NT 4.0..

Bug?

Regards,

Chris


Anonymous
March 11, 2005 3:08:50 AM

> The behavior is as follows:
> When applying permissions to a file that removes inheritance of other ACEs
> and adds permissions that allow full access for say "user1" and denies all
> access for "user2". Now it is not possible to move/copy/rename this file,
> however _deleting_ always works. Despite user2 not being of an administrator
> group, not being the owner or having any rights to the file.
>
> I've seen this behavior on the latest sp for windows xp and back to windows
> 2000, don't know about NT 4.0..

If it's XP and you have "Simple File Sharing" turned off (or are using Safe
Mode), you can view the effective permissions on a file after taking
inherited permissions and groups into account. Look for the "effective
permissions" tab on the Advanced Security windows, and have it check a user
or group to determine what their permissions are on the file or folder.

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
Prevent problems before they happen and help others avoid bad design.
<http://www.pan-am.ca/antiwindowscatalog/>
Anonymous
March 11, 2005 3:08:50 AM

I just tried this on my XP SP2 computer and it did not work.

I copied a picture file to another folder with my account, removed inherited
permissions, selected the copy option, added two users who are only regular
users - user A and user B. I have user A with full control allow and user B
with full control deny. I logged on as user B and tried to access and delete
the file and was not allowed to - access denied for delete. Maybe you did it
a bit differently and I would be happy to try again. --- Steve


"WakA" <waka@_remove_home.nl> wrote in message
news:d0qk24$h77$1@ares.cs.utwente.nl...
> Hello,
>
> I would like to know if the following behavior has been documented and/or
> is known. And if it is normal or on a fixlist.
>
> The behavior is as follows:
> When applying permissions to a file that removes inheritance of other
> ACEs and adds permissions that allow full access for say "user1" and
> denies all access for "user2". Now it is not possible to move/copy/rename
> this file, however _deleting_ always works. Despite user2 not being of an
> administrator group, not being the owner or having any rights to the file.
>
> I've seen this behavior on the latest sp for windows xp and back to
> windows 2000, don't know about NT 4.0..
>
> Bug?
>
> Regards,
>
> Chris
>
Anonymous
March 11, 2005 4:06:49 AM

> If it's XP and you have "Simple File Sharing" turned off (or are using Safe
> Mode), you can view the effective permissions on a file after taking
> inherited permissions and groups into account. Look for the "effective
> permissions" tab on the Advanced Security windows, and have it check a user
> or group to determine what their permissions are on the file or folder.

That's the point, checking effective permissions for "user2" shows us that
the delete permission is turned _off_ and the user shouldn't be able to do
anything with the file let alone _delete_ it. Yet it can... please try this
for yourself. You won't even have to make a second user, just deny all
permissions to your own account and you will still be able to delete it.

Chris
Anonymous
March 11, 2005 4:06:50 AM

In article <d0qnet$jom$1@ares.cs.utwente.nl>, in the
microsoft.public.win2000.security news group, WakA
<waka@_remove_home.nl> says...

> That's the point, checking effective permissions for "user2" shows us that
> the delete permission is turned _off_ and the user shouldn't be able to do
> anything with the file let alone _delete_ it. Yet it can... please try this
> for yourself. You won't even have to make a second user, just deny all
> permissions to your own account and you will still be able to delete it.
>

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
March 11, 2005 4:35:15 AM

I used remove myself so there are absolutely no remnants from the inherited
permissions.
But it might be a windows-install specific setting, I'm not sure yet.
I'm at the moment checking out the link from Paul Adare from the post above.
So if you did copy, it might have copied that 'secret' permission flag with
it.

Chris

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:xL2dnQly3Ny-fq3fRVn-jg@comcast.com...
>I just tried this on my XP SP2 computer and it did not work.
>
> I copied a picture file to another folder with my account, removed
> inherited permissions, selected the copy option, added two users who are
> only regular users - user A and user B. I have user A with full control
> allow and user B with full control deny. I logged on as user B and tried
> to access and delete the file and was not allowed to - access denied for
> delete. Maybe you did it a bit differently and I would be happy to try
> again. --- Steve
>
>
Anonymous
March 11, 2005 4:35:16 AM

I saw the article that Paul posted and was not aware of it but certainly
good to know. I never experienced what you did because I never allow the
Everyone group to have full control permissions to any folder. I never give
any group other than system or administrators full control outside of a
user's home folder, profile folder, or redirected folder. --- Steve


"WakA" <waka@_remove_home.nl> wrote in message
news:d0qp47$l45$1@ares.cs.utwente.nl...
>I used remove myself so there are absolutely no remnants from the inherited
>permissions.
> But it might be a windows-install specific setting, I'm not sure yet.
> I'm at the moment checking out the link from Paul Adare from the post
> above.
> So if you did copy, it might have copied that 'secret' permission flag
> with it.
>
> Chris
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:xL2dnQly3Ny-fq3fRVn-jg@comcast.com...
>>I just tried this on my XP SP2 computer and it did not work.
>>
>> I copied a picture file to another folder with my account, removed
>> inherited permissions, selected the copy option, added two users who are
>> only regular users - user A and user B. I have user A with full control
>> allow and user B with full control deny. I logged on as user B and tried
>> to access and delete the file and was not allowed to - access denied for
>> delete. Maybe you did it a bit differently and I would be happy to try
>> again. --- Steve
>>
>>
>
>
Anonymous
March 11, 2005 4:43:28 AM

> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

<quote> Users who have full control permission on a volume or directory
also have the FDC permission. This permission allows a user to delete files
at the root level of the directory where they have full control, even if
they do not have any permissions on the specific file itself. </quote>

<quote> For example, suppose you add the file MyFile.txt to the root of
drive C </quote>

So my understanding at the moment is that this only works at the root of a
drive for reasons of booting and such? It appears this flag is not
inheritable by subdirectories and even if it was woulnd't the not inheriting
flag on the file fix this?

Chris
Anonymous
March 11, 2005 4:43:29 AM

In article <d0qpji$lg9$1@ares.cs.utwente.nl>, in the
microsoft.public.win2000.security news group, WakA
<waka@_remove_home.nl> says...

> <quote> Users who have full control permission on a volume or directory
> also have the FDC permission. This permission allows a user to delete files
> at the root level of the directory where they have full control, even if
> they do not have any permissions on the specific file itself. </quote>
>
> <quote> For example, suppose you add the file MyFile.txt to the root of
> drive C </quote>
>
> So my understanding at the moment is that this only works at the root of a
> drive for reasons of booting and such?

No, it applies to files in the root of any directory, whether that
directory is the root of a drive or not.

> It appears this flag is not
> inheritable by subdirectories and even if it was wouldn't the not inheriting
> flag on the file fix this?

No, this has nothing at all to do with inheritance.


--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
March 11, 2005 5:14:49 AM

> No, it applies to files in the root of any directory, whether that
> directory is the root of a drive or not.
>
>> It appears this flag is not
>> inheritable by subdirectories and even if it was wouldn't the not inheriting
>> flag on the file fix this?
>
> No, this has nothing at all to do with inheritance.
>
Alright, this all makes perfect sense now :) 
Turning off inheritance to Everyone and not adding full control to the
directory wherein the file resides fixes things (as in so far as it was
'broken').

Thanks! My faith in newsgroups has been restored :p 

Chris
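
Added example (not part of the original thread): a simplified Python model of the check the posts above converge on, where a delete succeeds if the caller holds DELETE on the file or FILE_DELETE_CHILD (the KB article's "FDC") on the parent directory. The ACLs, the token membership and the function names are constructed for illustration; the mask values are the documented Windows ones.

```python
# Simplified model of the NTFS delete decision discussed in this thread.
# Added example: names and sample ACLs are constructed, masks are Windows values.
DELETE = 0x00010000             # DELETE right on the object itself
FILE_DELETE_CHILD = 0x00000040  # "Delete Subfolders and Files" on a directory
FULL_CONTROL = 0x001F01FF       # includes both bits above
READ_EXECUTE = 0x001200A9       # contains neither DELETE nor FILE_DELETE_CHILD


def granted(acl, sids, wanted):
    """Walk ACEs in order, the way the Windows access check does.

    acl is a list of (ace_type, sid, mask), ace_type being "allow" or "deny".
    True only if every wanted bit is allowed before a matching deny is hit.
    """
    remaining = wanted
    for ace_type, sid, mask in acl:
        if sid not in sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # bits never granted: implicit deny


def can_delete(file_acl, parent_acl, sids):
    """Delete needs DELETE on the file OR FILE_DELETE_CHILD on its parent."""
    if granted(file_acl, sids, DELETE):
        return True, "DELETE on file"
    if granted(parent_acl, sids, FILE_DELETE_CHILD):
        return True, "FILE_DELETE_CHILD on parent directory"
    return False, "denied"


# Constructed scenario: inheritance removed on the file, user1 allowed
# full control, user2 denied full control.
FILE_ACL = [("deny", "user2", FULL_CONTROL), ("allow", "user1", FULL_CONTROL)]
USER2 = {"user2", "Everyone"}                      # assumed token membership
OPEN_DIR = [("allow", "Everyone", FULL_CONTROL)]   # folder grants Everyone full control
TIGHT_DIR = [("allow", "Administrators", FULL_CONTROL),
             ("allow", "Everyone", READ_EXECUTE)]  # folder without FDC for users

if __name__ == "__main__":
    for label, parent in (("Everyone full control", OPEN_DIR),
                          ("Everyone read/execute", TIGHT_DIR)):
        print(label, "->", can_delete(FILE_ACL, parent, USER2))
```

The file's own ACL is identical in both runs; only the parent directory's ACL changes the outcome, which is why the effective permissions shown for the file alone do not predict whether the delete works.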
Anonymous
March 11, 2005 10:14:03 PM

FYI : this is not a foolish MS invention, but a behavior once forced on
the design of Windows behaviors to meet POSIX standards compliance.

--
Roger
"WakA" <waka@_remove_home.nl> wrote in message
news:d0qreb$n14$1@ares.cs.utwente.nl...
>
>> No, it applies to files in the root of any directory, whether that
>> directory is the root of a drive or not.
>>
>>> It appears this flag is not
>>> inheritable by subdirectories and even if it was wouldn't the not
>>> inheriting
>>> flag on the file fix this?
>>
>> No, this has nothing at all to do with inheritance.
>>
> Alright, this all makes perfect sense now :)
> Turning off inheritance to Everyone and not adding full control to the
> directory wherein the file resides fixes things (as in so far as it was
> 'broken').
>
> Thanks! My faith in newsgroups has been restored :p 
>
> Chris
>