share permissions

  • Thread starter Thread starter barolo
  • Start date Start date
B

barolo

i am just learning so bear with me.

if i have a directory with 10 files & users can acces it
on ntfs and via a share, if i change permissions on 1
file (eg changed to read only) is this immediately
propogated to everyone?
or do i need to kisk them off the network & relogon, or
just disconnect from the directory and their next access
will have to proper permissions?

i'm still not so clear on ace's and acl's so thats wy
i'ma bit confused.

also can i specicy permissions on a single object in a
share? i think i read once share perms are set at the
folder those perms is final for all objects?? is this
true?

any help would be good
thanks
 
i am just learning so bear with me.

We were all beginners at one time. Expect technical
corrections, but do not expect anyone to give you a
hard time personally. This is a pretty cool group.
if i have a directory with 10 files & users can acces it
on ntfs and via a share, if i change permissions on 1
file (eg changed to read only) is this immediately
propogated to everyone?

Sort of. It takes EFFECT immediately but permissions
are checked when the file is OPENED so anyone with
the file opened (presumably they had read previously)
will still have it open under the permissions AND the
open request (their program made) then.
or do i need to kisk them off the network & relogon, or
just disconnect from the directory and their next access
will have to proper permissions?

No. Unless you have the weird case (it was on an MCSE
exam once) where you want to REDUCE the permsissions
because you notice that a file was to exposed and people
were editing it.

In this weird case, disconnecting them from the server causes
them to need to RE-OPEN. (Note: you can't really "kick
people off the network" in the way most people mean.)

You can DISCONNECT them from a server, or possibly
log them off a workstation.
i'm still not so clear on ace's and acl's so thats wy
i'ma bit confused.

This is really simple -- just that it's usually explained so
badly.

To make it simple we need to be picky about the wording.

Permissions are really Access Control Entries (ACE)
(Rights are something else.)
An ACE references a Security Principle and grants or denies
a specific access (i.e., permission.) to that Group, User,
or Computer ACCOUNT.
Security Principle is just a general name for any of these:
User, Group, Computer -- Groups is the best method
(We won't say "or Computer Account everytime because
that isn't a common use but it is technically true as of Win2000
and occasionally useful, e.g., Group Policy access.)
An Access Control List is a LIST, or ACEs.
That's it, just a list of permissions.
We add them all up to find a particular user or groups permissons.
-- then take aways any "deny" that refences that user or user's
groups.
There is NO prececence for User, or any specific Group (e.g.
Primary group has little or no meaning for Windows machines.)

Share permissions are completely separate from NTFS -- but
analogous, i.e., similar.

If a user will access a file over the net THROUGH a share, then
that user much have enough access AT the share, and on the
Files' specific NTFS permissions.
(This is the infamous "most restrictive" rule stated in a way we
emphasize UNDERSTANDING it, rather than memorizing it.)
also can i specicy permissions on a single object in a share?

Absolutely -- but it has nothing to do with the share. You can do this
because NTFS permissions and share permissions are two different
things (objects) and have unrelated ACL permission lists.
i think i read once share perms are set at the
folder those perms is final for all objects?? is this
true?

No, it's not true -- it's based on two things, a common practice, followed
by a common misunderstanding.

First, admins who don't set tight permissions (one might say sloppy)
frequently set the Directory (folder) permission and just let ALL the
files inherit. (This isn't a bad thing if one does it BY CHOICE, but if
an admin does it through ignorance or laziness that's different.)

Second, people see that practice and write books and such claiming
that's the way it works -- it doesn't.

Ok: Big KEY (and we'll probably get some arguments from those
who only THINK they know): Once created a file's permissions
have nothing necessarily to do with the parent directory.

Ok, you can leave that inheritance at the default but that is a choice
and nothing prevents you from changing the file to other settings --
or the directory ONLY. Or one file to one setting and another file
to another setting.

Test:
Parent directory is effectively set to No Access for Sally
On a file in Parent directory, Sally has full control
What can Sally do to the file?

Answer: Full control.
Are you sure?
Well, yes, if she can find a program that will cooperate (most will)
However, she cannot BROWSE for that file because browsing
requires READING the parent directory -- but she can type
and explicit (enough) path and get access with most programs.

Overgeneralization: Ok, she can access it but not with Explorer.
Sort of but not quite.
Explorer is the program that runs the file browser but it also
is the Task Bar and Start Menu
If she, types enough of the path and appends File.txt then
likely Notepad will open it -- had it been an execuatable
Explorer would have run it directly.

So the real rule is she can (almost always) access it EXPLICITLY
but she cannot use a file BROWSER to find and open it.
 
One thing to clarify.

If you grant a user permissions directly on a file, that change is granted
immediately.

However, if you create a group, place a user in that group and then give
that group access to a file, the user will need to log off and log back in
to get access to the file.

The reason is that when users log in, they are given tokens which represent
the groups they are members of. If a user has been made a member of a group
since they last logged in, they will not have the token for that group.

Hope this helps

Oli
 
However, if you create a group, place a user in that group and then give
that group access to a file, the user will need to log off and log back in
to get access to the file.

Yes -- but notice that this would be true even if the file
already granted access to the file -- it has nothing to do
with the ACL, or permissions on the file.

The behavior is due to the way Security Access Tokens
which identify a user's groups are only re-created at logon.
 
How does a file grant access to a file?

Actually - in some sense -- that is what always happens.

The file object contains the permissions (ACLs) that allow
access to itself.

This is the reason that changing permissions is immediate --
on next file open, for those referenced by the added or
changed ACEs in the ACL.
 
Back
Top