Files without inherited permissions always deletable despite object specific permissions?

Thread starter: WakA

Hello,

I would like to know if the following behavior has been documented and/or is
known, and if it is normal or on a fix list.

The behavior is as follows:
When applying permissions to a file that remove inheritance of other ACEs
and add permissions that allow full access for, say, "user1" and deny all
access for "user2", it is not possible to move/copy/rename this file;
however, _deleting_ always works, despite user2 not being in an administrator
group, not being the owner, and not having any rights to the file.

I've seen this behavior on the latest SP for Windows XP and back to Windows
2000; I don't know about NT 4.0.

Bug?

Regards,

Chris
 
> The behavior is as follows:
> When applying permissions to a file that remove inheritance of other ACEs
> and add permissions that allow full access for, say, "user1" and deny all
> access for "user2", it is not possible to move/copy/rename this file;
> however, _deleting_ always works, despite user2 not being in an administrator
> group, not being the owner, and not having any rights to the file.
>
> I've seen this behavior on the latest SP for Windows XP and back to Windows
> 2000; I don't know about NT 4.0.

If it's XP and you have "Simple File Sharing" turned off (or are using Safe
Mode), you can view the effective permissions on a file after taking
inherited permissions and groups into account. Look for the "effective
permissions" tab on the Advanced Security windows, and have it check a user
or group to determine what their permissions are on the file or folder.
 
> If it's XP and you have "Simple File Sharing" turned off (or are using Safe
> Mode), you can view the effective permissions on a file after taking
> inherited permissions and groups into account. Look for the "effective
> permissions" tab on the Advanced Security windows, and have it check a user
> or group to determine what their permissions are on the file or folder.

That's the point: checking effective permissions for "user2" shows us that
the delete permission is turned _off_ and the user shouldn't be able to do
anything with the file, let alone _delete_ it. Yet it can. Please try this
for yourself. You won't even have to make a second user; just deny all
permissions to your own account and you will still be able to delete it.

Chris
 
microsoft.public.win2000.security news group, WakA:

> That's the point: checking effective permissions for "user2" shows us that
> the delete permission is turned _off_ and the user shouldn't be able to do
> anything with the file, let alone _delete_ it. Yet it can. Please try this
> for yourself. You won't even have to make a second user; just deny all
> permissions to your own account and you will still be able to delete it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
I just tried this on my XP SP2 computer and it did not work.

I copied a picture file to another folder with my account, removed inherited
permissions, selected the copy option, added two users who are only regular
users - user A and user B. I have user A with full control allow and user B
with full control deny. I logged on as user B and tried to access and delete
the file and was not allowed to - access denied for delete. Maybe you did it
a bit differently and I would be happy to try again. --- Steve
 
I used remove myself, so there are absolutely no remnants from the inherited
permissions.
But it might be a Windows-install-specific setting; I'm not sure yet.
I'm at the moment checking out the link from Paul Adare in the post above.
So if you did copy, it might have copied that 'secret' permission flag with
it.

Chris
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q152763

<quote> Users who have full control permission on a volume or directory
also have the FDC permission. This permission allows a user to delete files
at the root level of the directory where they have full control, even if
they do not have any permissions on the specific file itself. </quote>

<quote> For example, suppose you add the file MyFile.txt to the root of
drive C </quote>

So my understanding at the moment is that this only works at the root of a
drive for reasons of booting and such? It appears this flag is not
inheritable by subdirectories, and even if it was, wouldn't the not-inheriting
flag on the file fix this?

Chris
 
microsoft.public.win2000.security news group, WakA:

> <quote> Users who have full control permission on a volume or directory
> also have the FDC permission. This permission allows a user to delete files
> at the root level of the directory where they have full control, even if
> they do not have any permissions on the specific file itself. </quote>
>
> <quote> For example, suppose you add the file MyFile.txt to the root of
> drive C </quote>
>
> So my understanding at the moment is that this only works at the root of a
> drive for reasons of booting and such?

No, it applies to files in the root of any directory, whether that
directory is the root of a drive or not.

> It appears this flag is not
> inheritable by subdirectories, and even if it was, wouldn't the not-inheriting
> flag on the file fix this?

No, this has nothing at all to do with inheritance.


--
Paul Adare
 
> No, it applies to files in the root of any directory, whether that
> directory is the root of a drive or not.
>
> No, this has nothing at all to do with inheritance.

Alright, this all makes perfect sense now :)
Turning off inheritance to Everyone and not adding full control to the
directory wherein the file resides fixes things (insofar as it was
'broken').

Thanks! My faith in newsgroups has been restored :P

Chris
 
I saw the article that Paul posted and was not aware of it, but it is certainly
good to know. I never experienced what you did because I never allow the
Everyone group to have full control permissions to any folder. I never give
any group other than SYSTEM or Administrators full control outside of a
user's home folder, profile folder, or redirected folder. --- Steve
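As an added illustration (not code from the thread), here is a PowerShell audit of which principals hold the FILE_DELETE_CHILD right described in the KB article on the directories under a share, together with the change Steve's practice implies: granting Modify instead of Full Control. The share path 'D:\Shared' and the trusted-principal list are assumptions.

```powershell
# Audit: report non-admin principals granted FILE_DELETE_CHILD on directories under $Path.
# The .NET name for FILE_DELETE_CHILD is DeleteSubdirectoriesAndFiles (0x40).
# FullControl includes it; Modify does not, so Modify is the safer grant for shared folders.
function Get-FileDeleteChildGrants {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals for which an FDC grant is expected; everything else is reported.
        [string[]] $Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    $fdc        = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $genericAll = 0x10000000   # GENERIC_ALL, seen on some inherit-only ACEs; maps to FullControl
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            $rights    = [int]$ace.FileSystemRights
            $grantsFdc = (($rights -band $fdc) -eq $fdc) -or (($rights -band $genericAll) -ne 0)
            # Only Allow ACEs confer the right; a Deny for the same principal on the directory wins.
            if ($grantsFdc -and $ace.AccessControlType -eq 'Allow' -and
                $Trusted -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Remediation: replace explicit Allow ACEs for $Identity on $Path with Modify, which keeps
# read/write and deleting one's own files but drops FILE_DELETE_CHILD.
# Run elevated; Set-Acl requires the caller to own the object or hold SeRestorePrivilege.
function Replace-FullControlWithModify {
    param([Parameter(Mandatory)] [string] $Path, [string] $Identity = 'Everyone')
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and
                       $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (assumed share root): Get-FileDeleteChildGrants -Path 'D:\Shared' | Format-Table
```

Any directory the audit lists lets the named principal delete every file directly inside it regardless of the files' own DACLs, which is exactly the behaviour Chris observed.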
 
FYI: this is not a foolish MS invention, but a behavior once forced on
the design of Windows to meet POSIX standards compliance.
 