Re: Windows 2000's Everyone permission

From: Erik Osterholm (Erik_Osterholm@ieee.org)
Date: 08/23/01


Date: Thu, 23 Aug 2001 13:19:38 -0500
From: Erik Osterholm <Erik_Osterholm@ieee.org>
To: FOCUS-MS@securityfocus.com
Subject: Re: Windows 2000's Everyone permission
Message-ID: <20010823131938.A13424@neuromancer.cepheid.org>

Not to pick nits, but granting "Everyone" no access will actually also
lock out the payroll group. ACLs are granted the most liberal access
a person has (if a member of an R group and an RWX group, they will get
RWX) but if any of their groups is No Access, they will not have
access.

As to your comment on share permissions being necessary... well, it was
said once in this thread but it bears repeating. Share permissions
are largely left over from FAT filesystems, which had no ACLs. In
those situations, the shares are the only way to prevent unauthorized
access with the bare system. There are third-party tools to do this, of
course.

Erik

On Thu, Aug 23, 2001 at 11:19:46AM -0400, Chris Davis mentioned:
> Given: A typical salary spreadsheet created by a typical payroll employee
> which has been placed on a shared folder so that other payroll employees can
> access it as needed.
>
> Share permissions: Everyone full access: Everyone in the company knows
> where to find the salary spreadsheet, even if they can't open it when logged
> on using their own account.
> Share permissions: Payroll full access. Everyone no access: Payroll knows
> where to find the salary spreadsheet. Other people generally do not.
>
> Share permissions serve to obfuscate. That's all they do. That's what
> they're for.
>
> If you Really didn't need share permissions for anything at all, they would
> not exist. Folders would just be "shared" or "not shared".
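
The evaluation rule described in Erik's reply, as an added example that is not part of the original thread: a simplified Python model (not Windows' actual access-check code) in which grants accumulate across a user's groups and any No Access entry overrides them. The group names, ACL contents and the function name `effective_access` are constructed for illustration.

```python
# Simplified model of the rule described in the message above.
# Group names and ACL entries are constructed sample data.

NO_ACCESS = "NO_ACCESS"  # marker for an explicit No Access (deny) entry


def effective_access(user_groups, acl):
    """Return the set of rights a user ends up with.

    user_groups: groups the user belongs to ("Everyone" is added
                 implicitly; this model assumes every account is in it).
    acl:         dict mapping group name -> set of rights such as
                 {"R", "W", "X"}, or NO_ACCESS.
    """
    groups = set(user_groups) | {"Everyone"}
    granted = set()
    for group in groups:
        entry = acl.get(group)
        if entry is None:
            continue  # no entry for this group: contributes nothing
        if entry == NO_ACCESS:
            return set()  # any No Access entry overrides every grant
        granted |= entry  # otherwise grants accumulate (most liberal wins)
    return granted


# Constructed accounts
payroll_user = ["Payroll"]
other_user = ["Sales"]
mixed_user = ["Readers", "Payroll"]

# The configuration from the quoted post: it locks out Payroll as well.
deny_everyone = {"Payroll": {"R", "W", "X"}, "Everyone": NO_ACCESS}

# Same intent without the deny: Everyone simply has no entry.
payroll_only = {"Payroll": {"R", "W", "X"}, "Readers": {"R"}}

if __name__ == "__main__":
    for name, acl in (("deny_everyone", deny_everyone),
                      ("payroll_only", payroll_only)):
        for label, groups in (("payroll", payroll_user),
                              ("other", other_user),
                              ("mixed", mixed_user)):
            print(name, label, sorted(effective_access(groups, acl)))
```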