Re: NTFS folder permissions - Creator Owner issue (I think)
- From: "Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 09:17:29 -0500
Owner of a New Object:
http://msdn.microsoft.com/library/en-us/secauthz/security/owner_of_a_new_object.asp
This would suggest that the only way to control the owner of a new object is
to write software that has a (primary or impersonation) token for that user.
Possible, but not a good solution.
It also confirms that the owner implicitly has WRITE_DAC access.
Paul
"Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eC7ttkbIGHA.740@xxxxxxxxxxxxxxxxxxxxxxx
> Roger,
>
> I think I see what you mean.
>
> I created a file in a folder that had no CREATOR OWNER access control, no
> access controls were added for me or my group. I then removed all access
> controls and added a Deny access control that denied everything to
> everyone :) I, as the owner, still had Read Permissions and Change
> Permissions effective permissions (though not Take Ownership).
>
> That seems like a bit of a problem. So, the owner has implicit permissions
> regardless of the DACL.
>
> Is there anything in the SACL that influences this? Is there any way to
> influence who is the initial owner when an object is created?
>
> Paul
>
> "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
> news:%23nQYjsWIGHA.1088@xxxxxxxxxxxxxxxxxxxxxxx
>> His issue is that he can set the permissions exactly as he
>> wants them (it really doesn't matter what they are) and the
>> account that has added something (hence becoming its
>> owner) can alter the permissions from the intended and
>> there is no way the admin can prevent this (except by taking
>> away ownership).
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>> MCDBA, MCSE W2k3+W2k+Nt4
>> "Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:uEMUANRIGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
>>> Forgive me, but I am going to have to ask you to take a step back here.
>>>
>>> Which access controls do you have on the folder in which people are
>>> creating these files and folders and give an example of a situation in
>>> which someone is given permissions that you do not intend them to have.
>>>
>>> Paul
>>>
>>> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:C7ED4834-1C38-4056-A2F4-DB5722435131@xxxxxxxxxxxxxxxx
>>>> Yes, I figured out that if I took the creator owner placeholder out of
>>>> the list then I wouldn't have this problem, from reading other people's posts.
>>>> However, I am using the creator owner placeholder to ensure that staff
>>>> can only delete their own files and folders and not other people's.
>>>>
>>>> Users get Read & Execute, List Folder Contents, Read and Write, and the
>>>> Creator-Owner gets Modify.
>>>>
>>>> Maybe there's another way of getting the same result?
>>>>
>>>> Regards,
>>>>
>>>> Fiona
>>>>
>>>> "Paul Baker" wrote:
>>>>
>>>>> Are you aware that you can prevent permissions being given to the
>>>>> Creator Owner when they create a folder simply by removing the CREATOR OWNER
>>>>> access control? It's default, not hardcoded, behaviour.
>>>>>
>>>>> Paul
>>>>>
>>>>> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> news:66363F0F-1388-4A12-89DB-97761A246275@xxxxxxxxxxxxxxxx
>>>>> > Roger,
>>>>> >
>>>>> > Sorry, I was confusing the issue by calling it a group - I do
>>>>> > realise it's a placeholder. From what you're telling me an owner has rights that
>>>>> > cannot be overridden. As we are allowing staff to create subfolders (they then
>>>>> > become the owner), we will not be able to prevent them having the rights of
>>>>> > an owner, which seems to include the right to change permissions
>>>>> > whether we want them to have that right or not.
>>>>> >
>>>>> > Anyway, thanks for all your patience and help.
>>>>> >
>>>>> > Regards,
>>>>> >
>>>>> > Fiona
>>>>> >
>>>>> >
>>>>> > "Roger Abell [MVP]" wrote:
>>>>> >
>>>>> >>
>>>>> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> >> news:266F5017-7818-439A-A60A-7D9B3498BBE3@xxxxxxxxxxxxxxxx
>>>>> >> > Roger,
>>>>> >> >
>>>>> >> > Thank you very much for your help.
>>>>> >> >
>>>>> >> > You're saying that this group can change permissions even when
>>>>> >> > not expressly granted the permission to change permissions or denied it,
>>>>> >> > but I have never
>>>>> >>
>>>>> >> No, that is not what I said.
>>>>> >> I said that the owner of an object can change the object's
>>>>> >> permissions whether or not the owner is (directly or indirectly) granted
>>>>> >> that permission, or even when explicitly denied that permission.
>>>>> >> I did not state this about the Creator Owner "group" but about the
>>>>> >> Owner.
>>>>> >>
>>>>> >> > read this anywhere, and can't seem to find any documentation on
>>>>> >> > it on the net. (I do believe you as I have seen the results!) I'd like to
>>>>> >> > read up on the rights that this group has that I am not aware of.
>>>>> >> >
>>>>> >>
>>>>> >> It is not really a group, although it appears like one.
>>>>> >> Creator Owner is a placeholder. You will find its use is normally
>>>>> >> set to inherit onto contained/child objects. When a new object is
>>>>> >> created, the grant to Creator Owner becomes a real grant to the creator of
>>>>> >> the permissions stated with the Creator Owner grant on the container.
>>>>> >> The account that creates the object does become owner, and does
>>>>> >> have the rights of an owner, no matter what is or is not granted
>>>>> >> with the use of Creator Owner.
>>>>> >>
>>>>> >> > We would really like to prevent users changing the permissions on
>>>>> >> > folders because they tend to lock themselves and IT support out of them.
>>>>> >> > Do you know of any method of doing this?
>>>>> >> >
>>>>> >>
>>>>> >> You must take away ownership and then the NTFS security permissions
>>>>> >> will control their actions. While they own (as they do of anything
>>>>> >> they create) you can only hinder, not prevent.
>>>>> >>
>>>>> >>
>>>>> >> > "Roger Abell [MVP]" wrote:
>>>>> >> >
>>>>> >> >>
>>>>> >> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> >> >> news:77E028E8-8366-4069-A32A-F71710489B04@xxxxxxxxxxxxxxxx
>>>>> >> >> > Hi all,
>>>>> >> >> >
>>>>> >> >> > I need to set up the permissions on a folder so that:
>>>>> >> >> >
>>>>> >> >> > For users in Group 1:
>>>>> >> >> > Anyone can create a file or subfolder.
>>>>> >> >> > Anyone can edit any file.
>>>>> >> >> > Anyone can copy and paste any file or subfolder.
>>>>> >> >> > Only the owner can delete, rename or move a file or folder
>>>>> >> >> > Anyone can view permissions
>>>>> >> >> > No one can change permissions or take ownership
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >> I doubt that that combination can be attained.
>>>>> >> >> The issue is in that some files are changed by use of a temp
>>>>> >> >> file that is renamed with the original deleted.
>>>>> >> >>
>>>>> >> >> > For users in Group 2:
>>>>> >> >> > They can create, edit, copy and paste, delete, rename or move
>>>>> >> >> > any file or folder, and view permissions.
>>>>> >> >> > They can not change permissions or take ownership
>>>>> >> >> >
>>>>> >> >> > For Group 1, I ticked R&E, List, R and W in basic settings,
>>>>> >> >> > and then added a Creator Owner group to which I gave modify rights.
>>>>> >> >> > This got me pretty close to what I need, except:
>>>>> >> >> >
>>>>> >> >> > (1) when trying to move a file or folder, an error message
>>>>> >> >> > appears as expected for the file, but the folder error message says
>>>>> >> >> > '...cannot copy...' and then copies just the folder. I suppose it
>>>>> >> >> > doesn't actually move it, but this will be confusing for the users
>>>>> >> >> >
>>>>> >> >> > (2) test user can change the permissions on own folders,
>>>>> >> >> > definitely what I don't want. (On checking the advanced permissions
>>>>> >> >> > it explicitly shows that change permissions is NOT ticked)
>>>>> >> >>
>>>>> >> >> The owner can always change permissions even when they are not
>>>>> >> >> granted the permission to change permissions or denied it.
>>>>> >> >> Think of
>>>>> >> >> the permission to change permissions as something only important
>>>>> >> >> for non-owners.
>>>>> >> >>
>>>>> >> >> >
>>>>> >> >> > For permission set 2 I was thinking of giving Modify
>>>>> >> >> > permissions but, again, this allows users to change permissions
>>>>> >> >> > on their own folders.
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >> It is not the Modify grant that allows this but being owner that
>>>>> >> >> does.
>>>>> >> >>
>>>>> >> >> > I wonder if there is a simple explanation?
>>>>> >> >> >
>>>>> >> >> > Regards
>>>>> >> >> >
>>>>> >> >> > Fiona Laufs
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >>
>>>>> >> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>
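The thread's conclusion is that the creating user, as owner, always holds implicit READ_CONTROL and WRITE_DAC, so the only remedy is for an administrator to take ownership away after the fact (and, optionally, to drop the CREATOR OWNER placeholder from the parent). The following PowerShell is an added example and is not code from any poster; it assumes Windows PowerShell 5.1 or later run elevated, and `$Path` plus the owner account name are placeholders.

```powershell
# Added example, not from the thread. Run elevated: members of Administrators can always
# assign ownership to BUILTIN\Administrators; assigning any other account needs SeRestorePrivilege.

function Get-UserOwnedItem {
    # Audit: list files and folders under $Path whose owner is not the intended admin owner.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$IntendedOwner = 'BUILTIN\Administrators'
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        if ($acl.Owner -ne $IntendedOwner) {
            [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner }
        }
    }
}

function Reset-ItemOwner {
    # Remediation: move ownership to the admin group so the DACL, not the creator's implicit
    # owner rights, decides who may change permissions (what Roger calls "taking away ownership").
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$NewOwner = 'BUILTIN\Administrators',
        [switch]$DryRun
    )
    $account = [System.Security.Principal.NTAccount]$NewOwner
    foreach ($item in Get-UserOwnedItem -Path $Path -IntendedOwner $NewOwner) {
        if ($DryRun) { "Would set owner of $($item.Path) to $NewOwner"; continue }
        $acl = Get-Acl -LiteralPath $item.Path
        $acl.SetOwner($account)
        Set-Acl -LiteralPath $item.Path -AclObject $acl
        "Owner of $($item.Path) set to $NewOwner"
    }
}

function Remove-CreatorOwnerAce {
    # Optional: remove the explicit CREATOR OWNER placeholder ACE from the parent so new items no
    # longer receive an explicit grant. Note this does NOT remove the owner's implicit WRITE_DAC.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (placeholder path): audit first, then reassign ownership.
# Get-UserOwnedItem -Path 'D:\Shares\Team'
# Reset-ItemOwner -Path 'D:\Shares\Team' -DryRun
```

If a user has already locked an item down so tightly that `Set-Acl` fails with access denied, the built-in `takeown /F <path> /A` (ownership to the Administrators group) is the fallback, after which `Reset-ItemOwner` can be re-run to report the result.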