Re: ACL To Create and Modify Only New Files?



"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:49edneivW94VWjranZ2dnUVZ_o-mnZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23IqL7XvZIHA.208@xxxxxxxxxxxxxxxxxxxxxxx
Long time no see.

I am guessing that the application runs in the context of the
user running it. In that case, try using a grant to CreatorOwner
of Modify on the base folder and below plus a grant to Users
to create the new (that the grant from the CreatorOwner will
then set with modify for the one user). Just follow the model
used at the root of the system partition to allow Users to
create and use new folders.

If the application uses persistent temp files and it is on a
multi-user machine, this of course will not work.
Otherwise there is the laborious approach you mention or
the equally effort intensive approach of setting a deny of
write on the existing files.
To my awareness there is no straightforward way to do this.

Hi Roger. It's not that I didn't have questions in all this time. I
guess I'm just taming my ambitions. :)


Then now you are ready for a welcome to Windows land. <g>
I seem to recall a similar wake-up after my being assigned
(from Unix land) to learn how NT would fit in our shop.

What you suggest makes sense in general, but I don't find an attribute for
just creating new files. The closest attribute is "Create Files / Write
Data". And that sounds suspiciously like a permission to both create new
files but also to modify existing ones. If it is not, then which
attribute would give the ability to modify existing files? It's really a
shame that Microsoft didn't make each part of that a separate attribute.


When you look in the advanced view the descriptions for the
individual ACEs have two parts separated by / char. On the
left is what the ACE means applied to a directory, on the right
what it means applied to a file. So, selection of that ACE and
in the dropbox set to This folder only allows only creating new
files in that directory (similarly applied to This folder and subs).

I think this could be seen as artifact of the era when designed
and all bits added up to significant cost, so something like a
double word is all that was allocated for all ACE flags, and
a couple of them for indication of applicability to objects and/or
container objects.

Roger


"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:jKOdneQMa87B9DvanZ2dnUVZ_oesnZ2d@xxxxxxxxxxxxxxx
What ACL on NTFS will give a group Read-Only access to files currently
in the folder, but the ability to create and modify and delete new files
in the folder?

I have a badly behaved program that wants to write its TEMP files into
its program installation folder. I would like to avoid the more
permission Modify permission to the users of the application on all
files in the folder including the application's binaries.

One solution appears to be to give files currently in the folder the
desired ACL and then break inheritance. Then give Modify access to the
folder and all children. That isn't my first choice since later
updates to the application will probably install new binaries, and this
approach leaves those installed with Modify access inherited from the
folder.

--
Will




.



Relevant Pages

  • Re: ACL To Create and Modify Only New Files?
    ... try using a grant to CreatorOwner ... of Modify on the base folder and below plus a grant to Users ... program installation folder. ...
    (microsoft.public.security)
  • Re: ACL To Create and Modify Only New Files?
    ... try using a grant to CreatorOwner ... of Modify on the base folder and below plus a grant to Users ...
    (microsoft.public.security)
  • Applying NTFS Folder Permissions
    ... "Giorgio belongs to the Human Resources global group & the 4th Floor Users ... has been granted the Modify permission & the 4th Floor Users group has been ... be able to read the contents of the folder & add files to the folder. ...
    (microsoft.public.cert.exam.mcsa)
  • RE: Applying NTFS Folder Permissions
    ... Giorgio is attempting to access a folder for which the HR group ... > has been granted the Modify permission & the 4th Floor Users group has been ... > granted the Write permission. ... > be able to read the contents of the folder & add files to the folder. ...
    (microsoft.public.cert.exam.mcsa)
  • Re: read and write permission does not delete word ~ files
    ... Ah yes on a file the only diff is delete, on a folder it is delete and deleted ... Based on how Windows apps tend to modify files if you can write and you can ... Joe Richards Microsoft MVP Windows Server Directory Services ... >>In the advanced tab you can specify delete permission instead of giving ...
    (microsoft.public.windows.server.security)