Re: NTFS inherited permissions bug on W2K
From: Tony Thai (tonythai@HOTMAIL.COM)
Date: 10/12/01
- Previous message: Peter Larsen: "Re: NTFS inherited permissions bug on W2K"
- Maybe in reply to: Sam Greenfield: "NTFS inherited permissions bug on W2K"
- Next in thread: Jeremy Epstein: "Re: NTFS inherited permissions bug on W2K"
- Next in thread: Ondřej Tučný: "Re: NTFS inherited permissions bug on W2K"
- Reply: Jeremy Epstein: "Re: NTFS inherited permissions bug on W2K"
Message-ID: <F141SVvR0WssM5sGmhZ000040f0@hotmail.com>
Date: Fri, 12 Oct 2001 12:02:50 -0400
From: Tony Thai <tonythai@HOTMAIL.COM>
Subject: Re: NTFS inherited permissions bug on W2K
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Greg Corey...

>Again, rights a folder inherits from its former parent folder become
>explicit rights when the folder moves. The rights of files underneath
>it still reflect inheritance and will inherit (as they should) the
>permissions of the parent if the parent's permissions change.

This is not the observed behaviour. Inherited permissions are not marked as
explicit when the folder moves. See the message from Ronald Beekelaar.

As it has not been raised yet, it should be pointed out that SACLs or
auditing on NTFS volumes is also affected by this behaviour. After moving a
folder, all inherited ACEs are still marked as inherited. When the audit
settings are changed on the new parent, the previous auditing entries from
the old parent are replaced. Are there any security implications here?

I agree with Ronald that this is a bug as the permissions and audit entries
can "unexpectedly change" when they are changed on the new parent. This
change could affect a moved folder or file any time after it is moved. Thus
the current behaviour dictates that the previously inherited permissions
from the old parent should be considered temporary only for an unspecified
period of time.

The preferred behaviour would be to change it to the first option suggested
by Nathan Yelton, i.e. "uncheck" the "Allow inheritable permissions from
parent" and change the ACEs on the top level object from inherited to
explicit for both DACLs and SACLs. This will allow the behaviour to be
consistent with NT 4.0.

If the current behaviour is not changed, its effects and implications should
be clearly documented in a new KB article.

Regards,
Tony
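
The behaviour discussed in this message, as a small Python model added here (not code from the post, the list, or Windows). The names `Ace`, `Folder`, `propagate`, `set_acl`, `add_child`, `move` and `stale_inherited` are hypothetical, and inheritance is simplified to "every parent ACE is inheritable"; the same entries can stand for DACL or SACL ACEs.

```python
# Simplified model of ACL inheritance (an assumption for illustration, not Windows code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:                      # one DACL or SACL entry
    trustee: str
    rights: str
    inherited: bool = False

@dataclass(eq=False)
class Folder:
    name: str
    parent: "Folder | None" = None
    aces: list = field(default_factory=list)
    protected: bool = False     # True = "Allow inheritable permissions from parent" unchecked
    children: list = field(default_factory=list)

def propagate(folder):
    """Re-derive inherited ACEs below folder, as happens when its ACL is edited."""
    for child in folder.children:
        if not child.protected:
            explicit = [a for a in child.aces if not a.inherited]
            child.aces = explicit + [Ace(a.trustee, a.rights, True) for a in folder.aces]
            propagate(child)

def set_acl(folder, explicit_aces):
    folder.aces = list(explicit_aces) + [a for a in folder.aces if a.inherited]
    propagate(folder)

def add_child(parent, name):
    child = Folder(name, parent)
    parent.children.append(child)
    propagate(parent)
    return child

def move(folder, new_parent, convert_to_explicit=False):
    """Same-volume move: the ACL travels unchanged. convert_to_explicit=True models
    the change preferred in the post (inherited ACEs become explicit, inheritance off)."""
    folder.parent.children.remove(folder)
    new_parent.children.append(folder)
    folder.parent = new_parent
    if convert_to_explicit:
        folder.aces = [Ace(a.trustee, a.rights) for a in folder.aces]
        folder.protected = True

def stale_inherited(folder):
    """Inherited ACEs that the current parent's ACL cannot have supplied."""
    offered = {(a.trustee, a.rights) for a in folder.parent.aces}
    return [a for a in folder.aces if a.inherited and (a.trustee, a.rights) not in offered]
```

Running `stale_inherited` on a folder right after `move` lists the entries that will disappear the next time `set_acl` is called on the new parent; with `convert_to_explicit=True` the list is empty and the entries survive.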