Understanding XP file permissions ? (Application Programs not following standards ?)

From: dvk (dvk@fuxorina.net)
Date: 12/23/02


From: dvk <dvk@fuxorina.net>
Date: Mon, 23 Dec 2002 04:02:11 GMT

I've been trying to understand how file permissions in Windows NT/XP
work. I want to give certain users on my computer access to certain
files and programs. The problem is there really is no accepted
standard in how programs store their data files. So I have to mess
with permissions for almost every program I have installed, after I
have installed it. Seems they change this location in every version of
Windows also. In XP, each user has an "Application Data" folder in
their user profile folder under "Documents and Settings".

Almost no program uses this folder though. I'll use Forte Agent as an
example. It wants to store all its data in its own folder under
"Program Files". There is no problem with this as long as I am always
Administrator. But what if I want to be a limited user and use the
Administrator account only for administrative purposes as it is
intended to be? I have to change permissions for the "Agent" folder
under "Program Files" so limited users can actually use the program.

This is pretty simple, just add the "Users" group to this folder, give
it full permissions, and tell everything under it to inherit these
permissions. But this allows anyone to do anything with this program.
They can delete the entire program if they wish. Now things get more
complicated. I want users to be able to use the program to read and
save newsgroups, but I don't want to let them do anything with the
program, such as delete needed files. So now I have to find out which
files get modified with this program under normal use, and set
specific permissions on specific files. Multiply this by 20 other
programs I might install that don't follow the standard, and it can
get to be a hassle.

If program-specific data files were stored in "Application Data" for
each user, this problem would be eliminated, and each user would have
their own copy of their data/settings etc.

Yes, even Microsoft doesn't follow their own standards! Log in under a
non-administrator user. Open up the calculator program. Change it from
Standard to Scientific or vice versa. Now close the calc program and
open it again. Your setting was not saved. This is because
Calculator's settings are stored under HKEY_LOCAL_MACHINE in the
registry, which normal users cannot modify. It should be under
HKEY_CURRENT_USER. Shame on you, Microsoft!

I also have a question about changing ownership of folders/files. It
took me about an hour to figure out how to give ownership to somebody
else. I am used to the Unix way of file permissions, and understand
them almost fully, so maybe my mind has been corrupted by its ways.
File permissions in Unix are much simpler and much better in my
opinion. Just use the chown program and use the proper arguments.

My first instinct in Windows was to click on the Security Tab, click
Advanced, then click the Owner tab, and it would give me a list of
users to change ownership to. But this was not the case. I had to add
this user to the long list of user/groups associated with this file.
Then I had to edit this user's "Special Permissions" to allow it to take
ownership. Then I had to login under this user and "take ownership".
This is too much of a hassle IMHO.

Maybe I just don't fully understand permissions under XP. So I am
asking if there is any resource / book out there that explains this
completely? Microsoft's help docs and website help a little bit, but
they explain too many specifics and not enough of the general stuff for
me. Maybe a good book or website out there has a chapter that
explains everything? Personally I think permissions are much too
complex in Windows.
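
Added example, not part of the original post: a PowerShell audit that lists the folders directly under "Program Files" where Users, Authenticated Users or Everyone hold write-class rights, which is the broad grant described above. It assumes PowerShell 3.0 or later (newer than the Windows XP tooling the post discusses) and an elevated prompt; the `$Root` parameter and output column names are choices made for this example.

```powershell
# Added example: list folders under Program Files where a broad group can write.
param([string]$Root = $env:ProgramFiles)

# Well-known SIDs, used instead of names so the check works on any UI language.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let the holder alter or remove program files, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
# appear as raw values in inheritable ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$rights -bor 0x40000000 -bor 0x10000000
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $folder = $_.FullName
    # Skip folders whose ACL cannot be read instead of aborting the scan.
    try { $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop } catch { return }

    # Ask for explicit and inherited ACEs, with principals returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $broad.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        [pscustomobject]@{
            Folder    = $folder
            Principal = $broad[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
} | Format-Table -AutoSize
```

Rows with Inherited = False are grants made on that folder itself, such as one added by hand to get a program working for limited users.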


