NTFS inherited permissions bug on W2K
From: Sam Greenfield (Sam_Greenfield@SIMAIL.COM)
Date: 10/09/01
Message-ID: <OFE4FB6912.74BB8B23-ON85256AE0.005A7FDD@timeinc.com>
Date: Tue, 9 Oct 2001 12:28:29 -0400
From: Sam Greenfield <Sam_Greenfield@SIMAIL.COM>
Subject: NTFS inherited permissions bug on W2K
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello,
The previous message, "Folders created by Mac clients
override inherited NTFS [...]" reminded me that we had run into a
different NTFS bug. Unfortunately, I have not had time to report
this problem to Microsoft and follow up the problem.
The problem we are having is that a directory that
inherits permissions from one directory will keep those
permissions even if it is moved to a different directory. Let me
describe an example scenario.
Create two test directories with different permissions
called "A" and "B". For example, in directory "A" only give the
group "Administrator" full rights. In directory "B" only give
the group "Everyone" full rights.
Inside directory "A" create a new directory called
"test." Look at the security properties for "Test" using the GUI
or cacls. Notice how the security settings inherit the settings
for the parent folder. In the GUI, the checkbox for "Allow
inheritable permissions from parent to propagate to this object"
should be checked.
Now, move the directory "test" from directory "A" to
directory "B" using either the GUI or the command line. Using
either cacls or the GUI, examine the security settings. They
will be unchanged. In the GUI, the checkbox for inheritable
permissions will still be checked. However, the set permissions
will not match the parent directory's permissions.
To see the full effects of the bug, in the GUI, uncheck
the inheritable permissions checkbox, either copying or removing
the existing permissions. Apply the change. Then, recheck the
inheritable permissions checkbox. Notice how the permissions
list changes.
There are certainly security implications of this bug. A
user can move a directory from a public to a private area of
shared server space. However, the directory could still
potentially be accessible. This is also an annoying bug. We
have had users move folders from private to public areas of
shared server space only to find their data still inaccessible.
I have tested this problem on Windows 2000 Professional
and Windows 2000 Advanced Server with Service Pack 2 and all
applicable security patches and updates. As far as I can tell,
this is not an issue in NT4 as NT4 didn't implement inheritable
permissions.
Has anyone else seen this problem? Can anyone reproduce
this problem? I was unable to find any reference to it in
Microsoft's public support database.
Of course, if I get more time I will start an incident
with Microsoft. However, right now our workaround is to instruct
users to copy files and directories rather than move them when
they need to have the correct access rights.
Sam Greenfield
Senior System Engineer
Sports Illustrated
sam_greenfield@simail.com
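
An audit for the condition described in the message above, as an added example that is not part of the original post: it walks a tree and reports directories that still have inheritance enabled but whose inherited ACEs do not match what their current parent hands down. It is written in PowerShell, which postdates the systems in the post; `$Root` and the function names are hypothetical, and the comparison is a heuristic (exact rights are checked only for missing ACEs, and ACEs for the folder's owner are skipped because CREATOR OWNER is substituted on inheritance).

```powershell
# Added example, not from the original post. $Root is a hypothetical share path.
param([string]$Root = 'D:\Shares')

$sid     = [System.Security.Principal.SecurityIdentifier]
$noProp  = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
$creator = 'S-1-3-0', 'S-1-3-1'   # CREATOR OWNER / CREATOR GROUP are substituted on inherit

function Get-InheritableAce([string]$Path) {
    # ACEs on $Path that a child directory should receive by inheritance.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sid) | Where-Object {
        $_.InheritanceFlags -ne 'None' -and
        $creator -notcontains $_.IdentityReference.Value -and
        -not ($_.InheritanceFlags -eq 'ObjectInherit' -and $_.PropagationFlags.HasFlag($noProp))
    }
}

function Test-InheritedAcl([System.IO.DirectoryInfo]$Dir) {
    $acl = Get-Acl -LiteralPath $Dir.FullName
    if ($acl.AreAccessRulesProtected) { return }            # inheritance deliberately blocked
    $owner    = $acl.GetOwner($sid).Value
    $expected = @(Get-InheritableAce $Dir.Parent.FullName)
    $actual   = @($acl.GetAccessRules($false, $true, $sid)) # inherited ACEs only

    # Parent ACEs (trustee, type, rights) with no inherited counterpart on the child.
    $missing = $expected | Where-Object {
        $p = $_
        -not ($actual | Where-Object {
            $_.IdentityReference.Value -eq $p.IdentityReference.Value -and
            $_.AccessControlType -eq $p.AccessControlType -and
            $_.FileSystemRights -eq $p.FileSystemRights })
    }
    # Inherited child ACEs whose trustee the current parent does not hand down.
    $stale = $actual | Where-Object {
        $_.IdentityReference.Value -ne $owner -and
        $expected.IdentityReference.Value -notcontains $_.IdentityReference.Value
    }
    if ($missing -or $stale) {
        [pscustomobject]@{
            Path    = $Dir.FullName
            Missing = ($missing | ForEach-Object { $_.IdentityReference.Value }) -join ','
            Stale   = ($stale   | ForEach-Object { $_.IdentityReference.Value }) -join ','
        }
    }
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object { Test-InheritedAcl $_ }
```

Each reported path is a folder whose ACL should be re-derived from its current parent, for example by toggling the inheritance checkbox as the post describes or, on systems that ship it, with `icacls <path> /reset`.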