Re: NTFS inherited permissions bug on W2K

From: Fernando Trias (fernando@PEDESTALSOFTWARE.COM)
Date: 10/12/01 

Message-ID:  <KNEGIDANFDPNMBEIOJMAMEFHEBAA.fernando@pedestalsoftware.com>
Date:         Fri, 12 Oct 2001 14:08:47 -0400
From: Fernando Trias <fernando@PEDESTALSOFTWARE.COM>
Subject:      Re: NTFS inherited permissions bug on W2K
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

============================================================================
Delivery co-sponsored by GFI Software
============================================================================
LANguard Security Event Log Monitor offer!

Catch hackers red-handed with LANguard S.E.L.M.! Provides intrusion
detection through centralized NT/2000 security event log monitoring.
Extensive reporting identifies all machines being targeted & local users
trying to hack. Download your FREE starter pack today:
http://www.gfisoftware.com/stats/adentry.asp?adv=107&LOC;=1

When we faced this issue in our design of our SecurityExpressions product
which, among its many features, copies/moves files securely, we would up
with a scenario of two categories with various options each. You pick one
option (a, b, or c) in each of #1 and #2 below.

1. Existing entities:
    (a) Remove inherited permissions or
    (b) Keep inherited permissions
2. Inheritence
    (a) Inherit from new parent (remove protection if it's there) or
    (b) Protect from inheritance or
    (c) If protected, keep it protected; otherwise inherit from new parent.

This scenario allows for all typical requirements. For files that are
secured individually, you choose 1(a) and 2(b). If you are moving files from
a public area into a private area, you choose 1(a) and 2(a). If moving from
a private directory to a public one, but you want to maintain security,
choose 1(b) and 2(b). And so on.

The principal problem is that there is no single behavior that suits all
needs. Windows must ask the user what behavior he/she prefers.
Alternatively, the desired behavior could be encoded in the ACL itself via a
new set of flags. I prefer asking because then the behavior is explicit and
clearly communicated to the user at the time of the copy/move.

Relevant Pages

  • Re: protected vs. public members
    ... For simple class design, you must remember that there are two ... the class's public functionality, ... or you intend that others inherit ... The decision as to what protection each class member receives has to do ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Form inheritence
    ... I created a Class Library and a base form in it, then want to add a new form ... inherit from the base form then it cannot let me thro the process, ... I just what would happen if I have up to hundred controls in my ancestor ... You need to change the Protection setting of the controls on the base ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Reseting Inherited Security on User Objects?
    ... there are a number of users that lost the inherited permissions from the ... the "Inherit from parent" checkbox is no longer checked. ... We have close to 2000 user account. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Deplyement Help Please
    ... but you can create a dll that has classes ... Afterwards your pages can just inherit these classes. ... with whom I guess you have an IP protection ... But I would like to compile and give rather than giving ASP pages so that my ...
    (microsoft.public.dotnet.framework.aspnet)