RE: permission

["David Gillett" <gillettdavid () fhda edu>]

> The program suppose to check to make sure that the drive has 
> enough space before it starts writing or copying things and 
> for that it needs read access to the C drive.

  It's going to need more than read access to do the "writing
or copying".  i.e., Something here is not kosher.

David Gillett


> -----Original Message-----
> From: Kenzo [mailto:kenzo_chin () hotmail com]
> Sent: February 7, 2003 11:47
> To: security-basics () securityfocus com
> Subject: permission
>
>
> OK, I need some input from you guys on this.
> Our webmaster seems to think that giving the guest internet 
> user read access
> to the C drive is OK as long as you don't set IIS to list 
> content and other
> stuff that I don't understand, since I don't know anything 
> about running a
> website.
> I told him that by doing so, most subfolders will also take 
> that permission,
> so if someone that knows what they're doing could compromise 
> that account,
> they would have read access to almost the whole C drive.
> the box is a win2k server with IIS5.  I believe he wants to 
> do this for some
> error checking for a C or java program.
> The program suppose to check to make sure that the drive has 
> enought space
> before it starts writing or copying things and for that it 
> needs read access
> to the C drive.
> To me, even thought I don't know anything about programing 
> and webhosting,
> it doesn't look right from the security point of view.
>
> Please give me some input on this if it's OK or not and why, 
> so that I can
> tell him yes it's OK or NO it's not OK because of this and that.
>
> Thanks.