RE: Win NT Permission question ?

["Robert McIntyre" <robert.mcintyre () earthmail com>]

There is another way you can do this but it depends on want you are trying
to accomplish.

I am assuming the following:
1. user1 user2 and user3 are allowed to put files and folders in the details
folder.
2. user2 and user3 are allowed to put files and folders in the data folder.
3. only user3 has access to the info folder.

You can try this

> C:\
> |
> |
> -----detail\ (user1: RW; user2: RW; user3: RW; Creator Owner: Modify)
> |
> |
> |
> --------data\ (user1: None; user2: RW; user3: RW; Creator Owner: Modify)
>     |
>     |
>     |
>     --------info\ (user1: None; user2: None; User3: Modify)

First of all the main difference between Modify and FC is that a person with
FC can change permissions on the files and folders.

What this does is allow user1, user2, and user3 to create a file or a folder
under the detail directory.  But they can only delete the files and folders
that they create.

In the data folder user2 and user3 can create files and folders but only
delete their own files or folders.

In the info folder only user3 can create or delete files and folders.




-----Original Message-----
From: yfs us [mailto:yfs_168us () yahoo com]
Sent: Monday, September 13, 2004 4:51 PM
To: security-basics () securityfocus com
Subject: Re: Win NT Permission question ?


Hi David Schenz,

    Thanks for your help.

   All the user1, user2 & user3 are not admin and the
folder are not
inheriting permissions but the files in the folder are
inheriting the
permissions from the folder.

   In your explaination you do mention that user3 can
delete the data
folder because it had FC. If user3 only want to delete
the folder and
the files that he own in the data folder then what
permission should
be given to user3 ? Or can these be done via special
permissions ?
If not what is the best solution ? According to my
admin, user3 can
only be given add & read in data folder. Is it true ?
For your info all
the 3 user are from  3 different group membership.

All help r welcome.

Cheers.

----- Original Message -----
From: "David Schenz" <schenz.9 () dps ohio-state edu>
To: "Prasanna M" <PrasannaM () catsglobal co in>;
<yfs_168us () yahoo com>;
<security-basics () securityfocus com>
Sent: Sunday, September 12, 2004 1:03 AM
Subject: RE: Win NT Permission question ?


> Nope.... let's evaluate closely....
>
> I'm going to assume 1) Share level permissions are
set to Everyone: FC
> and are therefore only messing with NTFS permissions
(which is a much
> simpler method of working with permissions and is
the way recommended by
> Microsoft) 2) All users are regular domain users,
not admins 3) detail,
> data, and info folders are not inheriting
permissions, otherwise user1,
> user2, and user3 would have full control to detail,
data, and info.
> 4) The files in each folder have the same
permissions as the folder it
> is in (i.e. the files are inheriting the permissions
from the folder)
> C:\
> |
> |
> -----detail\ (user1: FC; user2: FC; user3: FC)
> |
> |
> |
> --------data\ (user1: None; user2: FC; user3: FC)
>     |
>     |
>     |
>     --------info\ (user1: None; user2: None; User3:
FC)
> Remember... every object has an individual ACL, if
there is no
> inheritance, no other ACL should matter most of the
time.
> If user1 tried to delete the detail folder, he would
be able to delete
> all the files in the detail folder, but not the data
or info folder (and
> therefore not the detail folder since he'd get a
"Folder is not empty"
> message). If user2 tried to delete the detail
folder, he would be able
> to delete all of the files in the detail and data,
but not the info
> folder. If user3 tried to delete the detail folder,
he would be
> successful.
>
> User1 cannot access the data folder and could not
delete it. If user2
> tried to delete the data folder, he would be able to
delete all the
> files in the folder, but not the info folder (and
therefore not the data
> folder since he'd get a "Folder is not empty"
message). If user3 tried
> to delete the data folder, he'd be successful.
>
> The assumption that inheritance is turned off for
each of the folders
> here is very important. Otherwise all of this flies
out the window and
> user1,2,3 have full control to all three folders. I
also emphasize
> giving everyone Full control for share level
permissions otherwise the
> permissions get _very_ hairy.
>
> Good luck
> David
>
>
> -----Original Message-----
> From: Prasanna M [mailto:PrasannaM () catsglobal co in]
> Sent: Friday, September 10, 2004 3:46 AM
> To: 'yfs us '; 'security-basics () securityfocus com '
> Subject: RE: Win NT Permission question ?
>
> user1 & user2 are they admins? or normal users?
>
> your file would be safe only if users 1&2 dont know
how to tinker with
> win
> nt much.
> if they do kno their way around win nt, then ur data
isnt safe.
> basically if someone has ownership access to the
parent folder, then
> they
> can definitely access the subfolders, no matter wat
permissions you set.
> hth,
> Prasanna
> -----Original Message-----
> From: yfs us
> To: security-basics () securityfocus com
> Sent: 9/9/2004 6:16 AM
> Subject: Win NT Permission question ?
>
> Hi All,
>
>    Just want to check with u guys here how does
these
> Win NT
> Permission works.My admin had setup a directory with
> the following
> permission :-
>
> C:\detail\  was own by user1 and had Full Control
> (All) (All)
>                   user2 had Full Control (All) (All)
>                   user3 had Full Control (All) (All)
>
> C:\detail\data\  was own by user2  and had Full
> Control (All) (All)
>                         user1 had no access
>                         user3 had add & read (rwx)
> (rwx)
>
> C:\detail\data\info\ was own by user3 and had Full
> Control (All) (All)
>                                 user1 had no access
>                                  user2 had no access
>
> I'm user3 and I just want to know can user1 & user2
> delete my file ?
> Can user2 delete the info folder ? If I create a
> folder in info
> directory eg. C:\detail\data\info\secret , so can
> user1 & user2
> delete it and also the file inside the secret folder
?
> I'm not a
> admin and my admin sucks ? If I want to secure my
info
> folder
> what permission should be given to user2 & user1 ?
>
> All help r welcome.
>
> Cheers
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> New and Improved Yahoo! Mail - 100MB free storage!
> http://promotions.yahoo.com/new_mail
------------------------------------------------------------------------
> ---
> Computer Forensics Training at the InfoSec
Institute. All of our class
> sizes
> are guaranteed to be 12 students or less to
facilitate one-on-one
> interaction with one of our expert instructors. Gain
the in-demand
> skills of
> a certified computer examiner, learn to recover
trace data left behind
> by
> fraud, theft, and cybercrime perpetrators. Discover
the source of
> computer
> crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
>
------------------------------------------------------------------------
> ----
------------------------------------------------------------------------
> ---
> Computer Forensics Training at the InfoSec
Institute. All of our class
> sizes
> are guaranteed to be 12 students or less to
facilitate one-on-one
> interaction with one of our expert instructors. Gain
the in-demand
> skills of
> a certified computer examiner, learn to recover
trace data left behind
> by
> fraud, theft, and cybercrime perpetrators. Discover
the source of
> computer
> crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
>
------------------------------------------------------------------------
> ----




__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------