Security Basics mailing list archives
RE: Win NT Permission question ?
From: "Robert McIntyre" <robert.mcintyre () earthmail com>
Date: Thu, 16 Sep 2004 15:41:00 -0700
There is another way you can do this, but it depends on what you are trying to accomplish. I am assuming the following:

1. user1, user2 and user3 are allowed to put files and folders in the details folder.
2. user2 and user3 are allowed to put files and folders in the data folder.
3. Only user3 has access to the info folder.

You can try this:

C:\
|
|-----detail\ (user1: RW; user2: RW; user3: RW; Creator Owner: Modify)
      |
      |--------data\ (user1: None; user2: RW; user3: RW; Creator Owner: Modify)
               |
               |--------info\ (user1: None; user2: None; User3: Modify)

First of all, the main difference between Modify and FC is that a person with FC can change permissions on the files and folders. What this does is allow user1, user2, and user3 to create a file or a folder under the detail directory. But they can only delete the files and folders that they create. In the data folder, user2 and user3 can create files and folders but only delete their own files or folders. In the info folder, only user3 can create or delete files and folders.

-----Original Message-----
From: yfs us [mailto:yfs_168us () yahoo com]
Sent: Monday, September 13, 2004 4:51 PM
To: security-basics () securityfocus com
Subject: Re: Win NT Permission question ?

Hi David Schenz,

Thanks for your help. All the user1, user2 & user3 are not admin and the folders are not inheriting permissions, but the files in the folder are inheriting the permissions from the folder. In your explanation you do mention that user3 can delete the data folder because it had FC. If user3 only wants to delete the folder and the files that he owns in the data folder, then what permission should be given to user3? Or can this be done via special permissions? If not, what is the best solution? According to my admin, user3 can only be given add & read in the data folder. Is it true? For your info, all the 3 users are from 3 different group memberships. All help is welcome.

Cheers.

----- Original Message -----
From: "David Schenz" <schenz.9 () dps ohio-state edu>
To: "Prasanna M" <PrasannaM () catsglobal co in>; <yfs_168us () yahoo com>; <security-basics () securityfocus com>
Sent: Sunday, September 12, 2004 1:03 AM
Subject: RE: Win NT Permission question ?

Nope.... let's evaluate closely....

I'm going to assume:

1) Share level permissions are set to Everyone: FC and are therefore only messing with NTFS permissions (which is a much simpler method of working with permissions and is the way recommended by Microsoft)
2) All users are regular domain users, not admins
3) detail, data, and info folders are not inheriting permissions, otherwise user1, user2, and user3 would have full control to detail, data, and info.
4) The files in each folder have the same permissions as the folder it is in (i.e. the files are inheriting the permissions from the folder)

C:\
|
|-----detail\ (user1: FC; user2: FC; user3: FC)
      |
      |--------data\ (user1: None; user2: FC; user3: FC)
               |
               |--------info\ (user1: None; user2: None; User3: FC)

Remember... every object has an individual ACL; if there is no inheritance, no other ACL should matter most of the time.

If user1 tried to delete the detail folder, he would be able to delete all the files in the detail folder, but not the data or info folder (and therefore not the detail folder since he'd get a "Folder is not empty" message). If user2 tried to delete the detail folder, he would be able to delete all of the files in the detail and data, but not the info folder. If user3 tried to delete the detail folder, he would be successful.

User1 cannot access the data folder and could not delete it. If user2 tried to delete the data folder, he would be able to delete all the files in the folder, but not the info folder (and therefore not the data folder since he'd get a "Folder is not empty" message). If user3 tried to delete the data folder, he'd be successful.

The assumption that inheritance is turned off for each of the folders here is very important. Otherwise all of this flies out the window and user1,2,3 have full control to all three folders. I also emphasize giving everyone Full control for share level permissions, otherwise the permissions get _very_ hairy.

Good luck
David

-----Original Message-----
From: Prasanna M [mailto:PrasannaM () catsglobal co in]
Sent: Friday, September 10, 2004 3:46 AM
To: 'yfs us '; 'security-basics () securityfocus com '
Subject: RE: Win NT Permission question ?

user1 & user2, are they admins or normal users?

Your file would be safe only if users 1 & 2 don't know how to tinker with Win NT much. If they do know their way around Win NT, then your data isn't safe.

Basically, if someone has ownership access to the parent folder, then they can definitely access the subfolders, no matter what permissions you set.

hth,
Prasanna

-----Original Message-----
From: yfs us
To: security-basics () securityfocus com
Sent: 9/9/2004 6:16 AM
Subject: Win NT Permission question ?

Hi All,

Just want to check with you guys here how these Win NT permissions work. My admin had set up a directory with the following permissions:

C:\detail\ was owned by user1 and had Full Control (All) (All)
    user2 had Full Control (All) (All)
    user3 had Full Control (All) (All)

C:\detail\data\ was owned by user2 and had Full Control (All) (All)
    user1 had no access
    user3 had add & read (rwx) (rwx)

C:\detail\data\info\ was owned by user3 and had Full Control (All) (All)
    user1 had no access
    user2 had no access

I'm user3 and I just want to know: can user1 & user2 delete my file? Can user2 delete the info folder? If I create a folder in the info directory, e.g. C:\detail\data\info\secret, can user1 & user2 delete it and also the file inside the secret folder?

I'm not an admin and my admin sucks ? If I want to secure my info folder, what permission should be given to user2 & user1? All help is welcome.

Cheers
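
Added illustration, not part of the original thread: a simplified model of the NTFS delete check (DELETE on the object, or "Delete Subfolders and Files" on its parent) comparing the Full Control layout with the RW plus Creator Owner: Modify layout discussed above. The function names and the rights model are assumptions made for this example; deny ACEs, ownership rights and share permissions are left out.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1
    WRITE = 2
    DELETE = 4         # delete this object
    DELETE_CHILD = 8   # "Delete Subfolders and Files" on a folder
    WRITE_DAC = 16     # change permissions

RW = Right.READ | Right.WRITE
MODIFY = RW | Right.DELETE
FC = MODIFY | Right.DELETE_CHILD | Right.WRITE_DAC
CREATOR_OWNER = "CREATOR OWNER"
NONE = Right(0)

def create_file(folder_acl, creator):
    """ACL a new file inherits from its folder, or None if creation is denied."""
    if not folder_acl.get(creator, NONE) & Right.WRITE:
        return None
    file_acl = {}
    for trustee, rights in folder_acl.items():
        # The CREATOR OWNER placeholder becomes an entry for whoever creates the file.
        who = creator if trustee == CREATOR_OWNER else trustee
        file_acl[who] = file_acl.get(who, NONE) | rights
    return file_acl

def can_delete(user, folder_acl, file_acl):
    """Delete succeeds with DELETE on the file or DELETE_CHILD on the parent."""
    on_file = file_acl.get(user, NONE) & Right.DELETE
    on_parent = folder_acl.get(user, NONE) & Right.DELETE_CHILD
    return bool(on_file or on_parent)

def who_can_delete(folder_acl, creator, users=("user1", "user2", "user3")):
    """Users able to delete a file that `creator` makes in the folder."""
    file_acl = create_file(folder_acl, creator)
    if file_acl is None:
        return None
    return [u for u in users if can_delete(u, folder_acl, file_acl)]

# Constructed ACLs mirroring the two layouts in the thread.
DETAIL_FC = {"user1": FC, "user2": FC, "user3": FC}
DETAIL_CO = {"user1": RW, "user2": RW, "user3": RW, CREATOR_OWNER: MODIFY}
DATA_CO = {"user2": RW, "user3": RW, CREATOR_OWNER: MODIFY}

if __name__ == "__main__":
    for name, acl in (("detail/FC", DETAIL_FC), ("detail/CO", DETAIL_CO),
                      ("data/CO", DATA_CO)):
        for creator in ("user1", "user3"):
            print(name, "file by", creator, "->", who_can_delete(acl, creator))
```
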
Current thread:
- Win NT Permission question ? yfs us (Sep 09)
- <Possible follow-ups>
- RE: Win NT Permission question ? Prasanna M (Sep 10)
- Re: Win NT Permission question ? Ansgar -59cobalt- Wiechers (Sep 13)
- RE: Win NT Permission question ? Roger A. Grimes (Sep 12)
- RE: Win NT Permission question ? David Schenz (Sep 13)
- FW: Win NT Permission question ? David Schenz (Sep 15)
- RE: Win NT Permission question ? Roger A. Grimes (Sep 15)
- Re: Win NT Permission question ? yfs us (Sep 15)
- RE: Win NT Permission question ? Robert McIntyre (Sep 17)
- RE: Win NT Permission question ? Prasanna M (Sep 17)