On 2007-09-03 Megan Kielman wrote:
On 8/24/07, Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net> wrote:
On 2007-08-22 Robert McIntyre wrote:
On my Windows 2003 servers we create a data partition and format it
with NTFS. The default permissions for Users are Read & Execute,
List Folder Contents, and Read. This is what we want. But the
Users account also gets the special permissions Create
Folders\Append Data and Create Files\Write Data.
From the articles that I have seen on TechNet, the special
permissions are not needed if we only want read access. So why are
they there by default? What purpose do they serve? If we remove
the special permissions will it cause problems?
The only thing that I could think of is that maybe it is needed to
create a temporary file when you open a document for reading.
If you remove those ACEs your users will be unable to create files
and folders on that partition. That may cause problems e.g. in cases
when they need to open files with progams like MS Word, because Word
creates temp files in the same directory as the document.
How is the Create Folders/Append Data and Create Files/Write Data
permission different then Write?
The former two are subsets of the latter. "Write" permissions consist of
these four basic permissions:
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
How does it differentiate an action where the user intends to
create/write data versus creating a temp file as a byproduct of
opening a Word doc?
You aren't asking what the difference between writing to an already
existing file and creating a new file is, are you?
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
