Re: NTFS inherited permissions bug on W2K

From: Ondřej Tučný (tucny@ALSOFT.CZ)
Date: 10/12/01


Message-ID:  <3BC6D0D1.A9F4B70F@alsoft.cz>
Date:         Fri, 12 Oct 2001 13:15:29 +0200
From: Ondřej Tučný <tucny@ALSOFT.CZ>
Subject:      Re: NTFS inherited permissions bug on W2K
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello,

there is another point to consider - junctions, NTFS's rather
undocumented feature enabling hardlinks between directories. Let's
have the following directory structure:

  \x ... permission set 1
  \x\z ... junction target, inherited permission set 1
  \x\z\zz ... subdirectory with inherited permission set 1

  \y ... permission set 2
  \y\z ... junction linking to \x\z, inherited permission set 2
  \y\z\zz ... links to \x\z\zz, permission set **1**

When \x and \y subtrees are created and \y\z is linked to \x\z, the
subdirectory \y\z\zz has the permission set one! The logic of
inheritance assumes that it should have inherited the permission
set two.

Furthermore, when a change occurs in permission set two, it is
propagated to \y\z\zz and so to its primary location in \x\z\zz.

Note that junctions are an application of (documented) reparse
points. Other applications of reparse points also need to handle
access control, so there should be a precisely defined behavior
of permission inheritance.

-- 
Yours sincerely Ondřej Tučný, A && L soft s.r.o.

Phone: +420 2 6973320 Support: +420 2 6973335 Fax: +420 2 6973329 www: http://www.alsoft.cz
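An added audit example, not part of the original post: it lists the junctions under a root and flags every junction whose target does not carry the ACEs that inheritance from the junction's parent (the \y in the post's example) would have delivered, which is the divergence the post describes. It assumes Windows PowerShell 5.1 or later (for the LinkType and Target properties) and a constructed scan root of C:\data; the ACE comparison is a heuristic that ignores inheritance flags.

```powershell
# Added example, not from the original post. Locates NTFS junctions under $Root
# and compares the ACL actually present on each junction target with the ACL of
# the directory containing the junction. A target that lacks the parent's ACEs
# still carries the permissions inherited at its real location (\x\z\zz above).
# Assumes Windows PowerShell 5.1+; C:\data is a constructed placeholder.
param(
    [string]$Root = 'C:\data'   # assumption: adjust to the tree you want to audit
)

function Get-AceSet {
    # Normalise an ACL into comparable "identity|rights|type" strings, ignoring
    # whether an ACE is explicit or inherited (heuristic, flags are not compared).
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $Acl.Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
    } | Sort-Object -Unique
}

function Test-JunctionInheritance {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Directory -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            $junction = $_
            $target   = @($junction.Target)[0]       # string[] on PS 5.1, string on PS 7
            $parent   = $junction.Parent.FullName    # the "\y" of the post's example
            if (-not (Test-Path -LiteralPath $target)) { return }

            $parentAces = Get-AceSet (Get-Acl -LiteralPath $parent)
            $targetAces = Get-AceSet (Get-Acl -LiteralPath $target)
            # ACEs on the junction's parent that the target does not carry: the
            # entries inheritance through \y\z would have been expected to deliver.
            $missing = Compare-Object $parentAces $targetAces |
                Where-Object SideIndicator -eq '<=' |
                Select-Object -ExpandProperty InputObject

            [pscustomobject]@{
                Junction          = $junction.FullName
                Target            = $target
                ExpectedParent    = $parent
                MissingFromTarget = $missing -join '; '
                Diverges          = [bool]$missing
            }
        }
}

Test-JunctionInheritance -Path $Root | Where-Object Diverges | Format-List
```

Run it from an account that can read the ACLs of both trees; junctions whose target already matches the parent produce no output.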

