Re: Windows 2000's Everyone permission

From: Erik Osterholm (Erik_Osterholm@ieee.org)
Date: 08/23/01


Date: Thu, 23 Aug 2001 13:19:38 -0500
From: Erik Osterholm <Erik_Osterholm@ieee.org>
To: FOCUS-MS@securityfocus.com
Subject: Re: Windows 2000's Everyone permission
Message-ID: <20010823131938.A13424@neuromancer.cepheid.org>

Not to pick nits, but granting "Everyone" no access will actually also
lock out the payroll group. ACLs are granted the most liberal access
a person has (if a member of a R group and a RWX group, they will get
RWX) but if any of their groups is No Access, they will not have
access.

As to your comment on share permissions being necessary... well, it was
said once in this thread but it bears repeating. Share permissions
are largely left over from FAT filesystems, which had no ACLs. In
those situations, the shares are the only way to prevent unauthorized
access with the bare system. There are 3rd party tools to do this, of
course.

Erik

On Thu, Aug 23, 2001 at 11:19:46AM -0400, Chris Davis mentioned:
> Given: A typical salary spreadsheet created by a typical payroll employee
> which has been placed on a shared folder so that other payroll employees can
> access it as needed.
>
> Share permissions: Everyone full access: Everyone in the company knows
> where to find the salary spreadsheet, even if they can't open it when logged
> on using their own account.
> Share permissions: Payroll full access. Everyone no access: Payroll knows
> where to find the salary spreadsheet. Other people generally do not.
>
> Share permissions serve to obfuscate. That's all they do. That's what
> they're for.
>
> If you Really didn't need share permissions for anything at all, they would
> not exist. Folders would just be "shared" or "not shared".
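
An added example, not part of the original message or the quoted post: a small Python model of the evaluation rule the reply describes (grants accumulate to the most liberal access, one matching No Access entry overrides them all). The user names, group memberships and the PAYROLL_ONLY alternative are constructed for illustration, and the code models the rule as stated here, not the Windows access-check implementation.

```python
# Model of the rule stated in the message: allowed rights are the union of
# every matching grant, and a matching "No Access" entry overrides them all.
# Users, groups and ACLs below are constructed for illustration.

NO_ACCESS = "NO_ACCESS"


def effective_rights(user, groups, acl):
    """Return the set of rights `user` gets from `acl`.

    acl is a list of (trustee, rights) pairs; rights is a string such as
    "RWX" or the NO_ACCESS marker. Every user is implicitly in Everyone.
    """
    trustees = {user, "Everyone"} | set(groups)
    granted = set()
    for trustee, rights in acl:
        if trustee not in trustees:
            continue
        if rights == NO_ACCESS:
            return set()        # one matching No Access entry wins outright
        granted |= set(rights)  # otherwise grants accumulate (most liberal)
    return granted


MEMBERSHIP = {"alice": ["Payroll"], "bob": ["Sales"]}

# The configuration from the quoted message.
DENY_EVERYONE = [("Payroll", "RWX"), ("Everyone", NO_ACCESS)]
# Same intent without the deny entry: no matching entry means no rights.
PAYROLL_ONLY = [("Payroll", "RWX")]
# The "member of a R group and a RWX group" case from the reply.
MIXED = [("Everyone", "R"), ("Payroll", "RWX")]


def report(acl):
    """Map each constructed user to a rights string, or "none"."""
    return {user: "".join(sorted(effective_rights(user, groups, acl))) or "none"
            for user, groups in MEMBERSHIP.items()}


if __name__ == "__main__":
    for name, acl in [("deny everyone", DENY_EVERYONE),
                      ("payroll only", PAYROLL_ONLY),
                      ("mixed", MIXED)]:
        print(f"{name:14} {report(acl)}")
```
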


