Re: NTFS default special permissions

Ansgar/Geekwench -

I believe that both of you have misunderstood the original question.

The OP specifically asked what would happen if the Create
Folders/Append Data & Create Files/Write Data permission were removed
because he ONLY wants to provide Read and Execute permission to that
directory. I followed his question with another question about why
when Read and Execute, List Folder Contents, and Read are granted,
there is a "special" permission" allowing users to Create
Folders/Append Data and Create Files/Write Data. In my opinion that is
confusing and misleading.

You both keep mentioning that Create Folders/Append Data & Create
Files/Write data is needed so users can do their work but in my
experiences there are many cases where users only need to read for
certain directories. Is there some functional reason why read only on
directories is not sufficient? Is it temp files, as The OP asked
earlier?

Megan



On 9/4/07, Geekwench <geekwench@hotmail.com> wrote:
> I think the original question is being misunderstood. The OP wrote:
>
> "The default permissions for Users are Read & Execute, List Folder Contents,
> and Read.  This is what we want.  But the Users account also gets the
> special permissions Create Folders\Append Data and Create Files\Write Data."
>
> What I think you may be missing is that the default permissions are not just
> read permissions. They are read and *execute* permissions, plus permissions
> necessary for users to store content on the volume. Therefore, your
> statement " It seems silly to me that when you grant someone read access
> they by default can also write" isn't a logical conclusion.
>
> There was nothing in the original query indicating that the default
> permissions are JUST read permissions. They are not. They are read, execute
> and "store content" permissions, so any conclusion drawn on the assumption
> that the inclusion of "read" in a permissions set implies "read only" is
> fallacious.
>
> The reasons for the create/append permissions have been addressed already.
> In order to provide a functional default permissions set on volumes, the
> permissions are created the way they are. I'm not sure where you got the
> impression that there was anything in the default permissions that provides
> read-only functionality, but that would be a very poor default permission
> set given that most volumes are not intended to be read-only.
>
> BTW, how come my legit e-mail got bumped off this list when we got a new
> moderator, but my spambox address is still getting the secfocus posts? Grr.
>
> Laura Robinson
>
> > -----Original Message-----
> > From: listbounce@securityfocus.com
> > [mailto:listbounce@securityfocus.com] On Behalf Of Megan Kielman
> > Sent: Tuesday, September 04, 2007 9:11 AM
> > To: Ansgar -59cobalt- Wiechers
> > Cc: focus-ms@securityfocus.com
> > Subject: Re: NTFS default special permissions
> >
> > No, I am asking for clarification on the original question. Why when a
> > user is grated Read & Execute are they also granted the special
> > permission Create Folders\Append Data and Create Files\Write Data? Is
> > it only so that a user can create temporary files? It seems silly to
> > me that when you grant someone read access they by default can also
> > write.
> >
> > On 9/4/07, Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net> wrote:
> > > On 2007-09-03 Megan Kielman wrote:
> > > > On 8/24/07, Ansgar -59cobalt- Wiechers <bugtraq@planetcobalt.net>
> > wrote:
> > > > > On 2007-08-22 Robert McIntyre wrote:
> > > > > > On my Windows 2003 servers we create a data partition and format
> > it
> > > > > > with NTFS.  The default permissions for Users are Read & Execute,
> > > > > > List Folder Contents, and Read.  This is what we want.  But the
> > > > > > Users account also gets the special permissions Create
> > > > > > Folders\Append Data and Create Files\Write Data.
> > > > > >
> > > > > > From the articles that I have seen on TechNet, the special
> > > > > > permissions are not needed if we only want read access.  So why
> > are
> > > > > > they there by default?  What purpose do they serve?  If we remove
> > > > > > the special permissions will it cause problems?
> > > > > >
> > > > > > The only thing that I could think of is that maybe it is needed
> > to
> > > > > > create a temporary file when you open a document for reading.
> > > > >
> > > > > If you remove those ACEs your users will be unable to create files
> > > > > and folders on that partition. That may cause problems e.g. in
> > cases
> > > > > when they need to open files with progams like MS Word, because
> > Word
> > > > > creates temp files in the same directory as the document.
> > > >
> > > > How is the Create Folders/Append Data and Create Files/Write Data
> > > > permission different then Write?
> > >
> > > The former two are subsets of the latter. "Write" permissions consist
> > of
> > > these four basic permissions:
> > >
> > > - Create Files/Write Data
> > > - Create Folders/Append Data
> > > - Write Attributes
> > > - Write Extended Attributes
> > >
> > > > How does it differentiate an action where the user intends to
> > > > create/write data versus creating a temp file as a byproduct of
> > > > opening a Word doc?
> > >
> > > You aren't asking what the difference between writing to an already
> > > existing file and creating a new file is, are you?
> > >
> > > Regards
> > > Ansgar Wiechers
> > > --
> > > "All vulnerabilities deserve a public fear period prior to patches
> > > becoming available."
> > > --Jason Coombs on Bugtraq
> >
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date:
> > 9/4/2007 9:14 AM
>
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date: 9/4/2007
> 9:14 AM