On 2007-09-05 Megan Kielman wrote:
On 9/4/07, Geekwench <geekwench@hotmail.com> wrote:
Note, again, that the original post referenced a VOLUME. As in a
partition. A drive. An entire chunk of space allocated on a disk. NOT
A FOLDER. It is fairly rare for somebody to want an entire volume to
be read-only (in fact, creating a volume and then disallowing any
writes to the volume would be pretty, well, dumb), which is why the
default permissions allow users to create and store data on the
volume. Don't confuse your choosing to manually designate a folder as
"read only" with the operating system setting the default permissions
on an entire volume to allow data to be created and stored on that
volume. That is what a volume is *for*- to store data of some kind.
You continue to refer to the volume as a "data" volume but the default
permissions apply to ALL volumes, including system volumes. Users do
not need any write permission to system volumes.
You hardly ever create a new system volume from within a running Windows
system, thus a newly created volume is most likely a data volume, in
which case the default permissions are just fine. Besides, since Windows
by default creates the user profiles on the system volume users do need
write permissions to at least some directories on the volume.
I do, however, agree that it was a bad decision for Microsoft to allow
normal users to create files/folders in the root directory of the system
volume, and removing those special permissions from the root directory
is one of the first things I do on all my Windows installations.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
