Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues



> Scenario 1.1:
>
> Bob wishes to create "Bob private data" folder in "Public" folder to
> place a few private files. "Public" has at least "Write" permissions for
> "User" group. Bob:

This is, of course, wrong. You muddy the issue with the "Write permissions for User group" red herring and we are all supposed to oooh and aaah at your sleight-of-hand trickery. Of course, a proper public repository for private folders should have saner settings than that, to begin with.

On my pet Windows Server 2003 machine, for example, I have created a "Protected" folder under "Shared Documents" (and why the hell don't server editions show "Shared Documents" under "My Computer" anyway?) before even thinking about sharing it, having recognized this risk scenario a long time ago ("what if a virus infected all those world-writable setup executables on public network shares?"); it's not really about "private" folders as much as "secure" folders with files that everyone can read but only the owner can write or delete.

I have tried to create a "secure public" folder like the one you describe. Its ACL is a pretty complicated affair (not pictured: full access to Administrators and SYSTEM everywhere):
* CREATOR OWNER: full access, subfolders and files, non-inheritable
* Everyone: read-write, files only, non-inheritable
* Everyone: read + create files + create folders, folder only
= everyone can create files and folders

A file created under said folder gets the following default ACL:
* Everyone: read-write access
* owner: full access
= new files are public

A subfolder (or a subfolder of any subfolder) will get, instead:
* CREATOR OWNER: full access, subfolders and files, inheritable
* owner: full access, folder only, non-inheritable
= new folders are private

A file created inside a subfolder will get:
* owner: full access
= new files under private folders are private

Is this what you might be looking for?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
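The three explicit entries the post lists (CREATOR OWNER inherit-only, Everyone files-only without further propagation, Everyone on the folder itself) can be reproduced and checked with the script below. This is an added example, not code from the post or from Microsoft; the folder path is a placeholder, and the Administrators/SYSTEM full-control entries the post leaves out are added explicitly because inheritance from the parent folder is switched off.

```powershell
# Added example (not from the original post). Builds the "secure public" folder
# ACL described above. Assumes PowerShell with the .NET FileSystemAccessRule API.
$Path = 'C:\Shared Documents\Protected'   # placeholder path, adjust as needed
New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and drop any inherited entries so that only
# the entries listed below remain on the folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($old)
}

$A  = [System.Security.AccessControl.AccessControlType]::Allow
$OI = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$CI = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$NI = [System.Security.AccessControl.InheritanceFlags]::None
$IO = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$NP = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
$PN = [System.Security.AccessControl.PropagationFlags]::None
$R  = [System.Security.AccessControl.FileSystemRights]

$rules = @(
    # Administrators and SYSTEM: full control everywhere ("not pictured" in the post)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', $R::FullControl, ($OI -bor $CI), $PN, $A),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', $R::FullControl, ($OI -bor $CI), $PN, $A),
    # CREATOR OWNER: full access, subfolders and files only (inherit-only, so the
    # creator of each child becomes its owner with full access)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', $R::FullControl, ($OI -bor $CI), $IO, $A),
    # Everyone: read-write, files only; NoPropagateInherit keeps it from reaching
    # subfolders, so files under private subfolders stay owner-only
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', ($R::Read -bor $R::Write), $OI, ($IO -bor $NP), $A),
    # Everyone: read + create files + create folders, this folder only
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', ($R::ReadAndExecute -bor $R::CreateFiles -bor $R::CreateDirectories),
        $NI, $PN, $A)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Check the result: icacls prints (OI)(CI)(IO) for CREATOR OWNER and (OI)(NP)(IO)
# for the files-only Everyone entry, matching the post's description.
icacls $Path
```

After creating a test file and a test subfolder as a non-admin user, `icacls` on each shows the inherited owner and Everyone entries the post lists for files, and only the owner entries for subfolders.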
