Geekwench -

On 9/4/07, Geekwench <[EMAIL PROTECTED]> wrote:
> I think we both understand the original question perfectly well, but I'm not sure you noticed that the discussion is about a volume, not a folder.
>
> As for the 'why', that has been answered several times now. Default permissions do not assume that you want a read-only volume. Default permissions assume that you want a volume that people can use for using, accessing and *storing* data. That is why the default permissions include the special permissions that are necessary for that to occur.

I disagree with MS's decision to grant users the ability to write by default, especially in such a way where it isn't obvious that the users have write. Granted, it only takes a couple of clicks for someone to see the special permissions, but knowing how simple it is to see/manage permissions in Unix/Linux, I find the Windows implementation cumbersome. But this is a different conversation altogether.

> Note, again, that the original post referenced a VOLUME. As in a partition. A drive. An entire chunk of space allocated on a disk. NOT A FOLDER. It is fairly rare for somebody to want an entire volume to be read-only (in fact, creating a volume and then disallowing any writes to the volume would be pretty, well, dumb), which is why the default permissions allow users to create and store data on the volume. Don't confuse your choosing to manually designate a folder as "read only" with the operating system setting the default permissions on an entire volume to allow data to be created and stored on that volume. That is what a volume is *for* - to store data of some kind.

You continue to refer to the volume as a "data" volume, but the default permissions apply to ALL volumes, including system volumes. Users do not need any write permission to system volumes. Furthermore, there is no need to define what a volume is, as I am completely aware. We simply have had a misunderstanding, and your condescending tone is not appreciated.

> So, again, the default permissions on a volume are configured to allow that volume to actually be usable for data storage. Should an administrator wish to reconfigure that, the administrator can, and should, do so. The default permission set, however, sets what are essentially the minimum permissions required for users to store data on that volume.
>
> It might help you to understand if you pull up the permissions on an NTFS volume and look not only at the permissions as they're described in the original post - which, btw, is not a complete description and which it seems you're misinterpreting a bit - you seem to be assuming that those special permissions "came with" some other permissions that the OP set, and that is not the case. They were not magically set because of the OP setting read & execute, etc., permissions. They are the DEFAULT PERMISSIONS for the NEWLY CREATED volume. The OP didn't say he'd set a single permission, and those special permissions don't magically appear because somebody sets read & execute permissions on, say, a folder.
>
> You should also look at what each of the permissions applies *onto* within that volume. Then consider the typical user activities on a volume and what permissions would be needed for users to do what they need to do to get their work done, such as create folders to store documents in and then store documents in those folders.
>
> Finally, create a folder in the volume and add somebody to the ACL for that folder. Note the default permissions for the newly-added user, which are "Read and Execute", "List Folder Contents" and "Read". Then actually look at the special permissions for that user. [no yelling, just capping for emphasis:] THERE ARE NO SPECIAL PERMISSIONS ALLOWING USERS TO CREATE FOLDERS/APPEND DATA AND CREATE FILES/WRITE DATA CREATED. To put this another way, GRANTING "READ AND EXECUTE", "LIST FOLDER CONTENTS" AND "READ" DOES NOT CREATE THE SPECIAL PERMISSIONS YOU THINK IT CREATES. You are confused about the difference between the canned base permissions for the volume and the default permissions on folders, as well as the difference between viewing a default ACL and actually modifying an ACL, as well as what are the default folder permissions for somebody added to the ACL on the folder.

Thank you for the all caps clarification.

>
> Laura Robinson
>
> > -----Original Message-----
> > From: Megan Kielman [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, September 05, 2007 12:38 AM
> > To: Geekwench
> > Cc: Ansgar -59cobalt- Wiechers; [email protected]
> > Subject: Re: NTFS default special permissions
> >
> > Ansgar/Geekwench -
> >
> > I believe that both of you have misunderstood the original question.
> >
> > The OP specifically asked what would happen if the Create Folders/Append Data & Create Files/Write Data permission were removed, because he ONLY wants to provide Read and Execute permission to that directory. I followed his question with another question about why, when Read and Execute, List Folder Contents, and Read are granted, there is a "special permission" allowing users to Create Folders/Append Data and Create Files/Write Data. In my opinion that is confusing and misleading.
> >
> > You both keep mentioning that Create Folders/Append Data & Create Files/Write Data is needed so users can do their work, but in my experience there are many cases where users only need to read for certain directories. Is there some functional reason why read only on directories is not sufficient? Is it temp files, as the OP asked earlier?
> >
> > Megan
> >
> > On 9/4/07, Geekwench <[EMAIL PROTECTED]> wrote:
> > > I think the original question is being misunderstood. The OP wrote:
> > >
> > > "The default permissions for Users are Read & Execute, List Folder Contents, and Read. This is what we want. But the Users account also gets the special permissions Create Folders\Append Data and Create Files\Write Data."
> > >
> > > What I think you may be missing is that the default permissions are not just read permissions. They are read and *execute* permissions, plus permissions necessary for users to store content on the volume. Therefore, your statement "It seems silly to me that when you grant someone read access they by default can also write" isn't a logical conclusion.
> > >
> > > There was nothing in the original query indicating that the default permissions are JUST read permissions. They are not. They are read, execute and "store content" permissions, so any conclusion drawn on the assumption that the inclusion of "read" in a permissions set implies "read only" is fallacious.
> > >
> > > The reasons for the create/append permissions have been addressed already. In order to provide a functional default permissions set on volumes, the permissions are created the way they are. I'm not sure where you got the impression that there was anything in the default permissions that provides read-only functionality, but that would be a very poor default permission set given that most volumes are not intended to be read-only.
> > >
> > > BTW, how come my legit e-mail got bumped off this list when we got a new moderator, but my spambox address is still getting the secfocus posts? Grr.
> > >
> > > Laura Robinson
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Megan Kielman
> > > > Sent: Tuesday, September 04, 2007 9:11 AM
> > > > To: Ansgar -59cobalt- Wiechers
> > > > Cc: [email protected]
> > > > Subject: Re: NTFS default special permissions
> > > >
> > > > No, I am asking for clarification on the original question. Why, when a user is granted Read & Execute, are they also granted the special permission Create Folders\Append Data and Create Files\Write Data? Is it only so that a user can create temporary files? It seems silly to me that when you grant someone read access they by default can also write.
> > > >
> > > > On 9/4/07, Ansgar -59cobalt- Wiechers <[EMAIL PROTECTED]> wrote:
> > > > > On 2007-09-03 Megan Kielman wrote:
> > > > > > On 8/24/07, Ansgar -59cobalt- Wiechers <[EMAIL PROTECTED]> wrote:
> > > > > >> On 2007-08-22 Robert McIntyre wrote:
> > > > > >>> On my Windows 2003 servers we create a data partition and format it with NTFS. The default permissions for Users are Read & Execute, List Folder Contents, and Read. This is what we want. But the Users account also gets the special permissions Create Folders\Append Data and Create Files\Write Data.
> > > > > >>>
> > > > > >>> From the articles that I have seen on TechNet, the special permissions are not needed if we only want read access. So why are they there by default? What purpose do they serve? If we remove the special permissions will it cause problems?
> > > > > >>>
> > > > > >>> The only thing that I could think of is that maybe it is needed to create a temporary file when you open a document for reading.
> > > > > >>
> > > > > >> If you remove those ACEs your users will be unable to create files and folders on that partition. That may cause problems, e.g. in cases when they need to open files with programs like MS Word, because Word creates temp files in the same directory as the document.
> > > > > >
> > > > > > How is the Create Folders/Append Data and Create Files/Write Data permission different than Write?
> > > > >
> > > > > The former two are subsets of the latter. "Write" permissions consist of these four basic permissions:
> > > > >
> > > > > - Create Files/Write Data
> > > > > - Create Folders/Append Data
> > > > > - Write Attributes
> > > > > - Write Extended Attributes
> > > > >
> > > > > > How does it differentiate an action where the user intends to create/write data versus creating a temp file as a byproduct of opening a Word doc?
> > > > >
> > > > > You aren't asking what the difference between writing to an already existing file and creating a new file is, are you?
> > > > >
> > > > > Regards
> > > > > Ansgar Wiechers
> > > > > --
> > > > > "All vulnerabilities deserve a public fear period prior to patches becoming available."
> > > > > --Jason Coombs on Bugtraq
> > > >
> > > > No virus found in this incoming message.
> > > > Checked by AVG Free Edition.
> > > > Version: 7.5.485 / Virus Database: 269.13.5/988 - Release Date: 9/4/2007 9:14 AM
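The permissions the thread argues over, as an added PowerShell example that is not part of any message above. It expands each ACE on a volume root into the individual "special permissions" the ACL editor shows (which is how Ansgar's breakdown of "Write" into four special permissions can be checked), prints what each ACE applies onto, and then does what the OP asked about: removes the BUILTIN\Users ACEs that carry only Create Files/Write Data and Create Folders/Append Data. The volume path D:\ and the assumption that the root still carries the Server 2003 default ACL the OP describes are mine.

```powershell
# Added example, not from this thread. Reads the ACL on an NTFS volume root,
# expands each ACE's FileSystemRights bitmask into the "special permissions"
# the Windows ACL editor lists, shows what each ACE applies onto, and then
# removes the BUILTIN\Users ACEs that carry only create/write rights (the OP's
# proposal). Assumptions: $Path is the data volume in question and its ACL
# still has the defaults the OP describes. Run from an elevated prompt.
$Path = 'D:\'

# Single-bit FileSystemRights values, named as the ACL editor names them.
# Several enum members share a bit (ReadData/ListDirectory, WriteData/CreateFiles,
# AppendData/CreateDirectories, ExecuteFile/Traverse), hence raw bit values here.
$SpecialPermissions = @(
    @{ Bit = 0x000001; Name = 'List Folder / Read Data' }
    @{ Bit = 0x000002; Name = 'Create Files / Write Data' }
    @{ Bit = 0x000004; Name = 'Create Folders / Append Data' }
    @{ Bit = 0x000008; Name = 'Read Extended Attributes' }
    @{ Bit = 0x000010; Name = 'Write Extended Attributes' }
    @{ Bit = 0x000020; Name = 'Traverse Folder / Execute File' }
    @{ Bit = 0x000040; Name = 'Delete Subfolders and Files' }
    @{ Bit = 0x000080; Name = 'Read Attributes' }
    @{ Bit = 0x000100; Name = 'Write Attributes' }
    @{ Bit = 0x010000; Name = 'Delete' }
    @{ Bit = 0x020000; Name = 'Read Permissions' }
    @{ Bit = 0x040000; Name = 'Change Permissions' }
    @{ Bit = 0x080000; Name = 'Take Ownership' }
    @{ Bit = 0x100000; Name = 'Synchronize' }
)

function Expand-FileSystemRights {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $mask = [int]$Rights
    foreach ($p in $SpecialPermissions) {
        if (($mask -band $p.Bit) -ne 0) { $p.Name }
    }
}

# "Applies to" text, derived from the ACE's inheritance and propagation flags.
function Get-AppliesTo {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $ci = ([int]$Ace.InheritanceFlags -band 1) -ne 0   # ContainerInherit -> subfolders
    $oi = ([int]$Ace.InheritanceFlags -band 2) -ne 0   # ObjectInherit    -> files
    $io = ([int]$Ace.PropagationFlags  -band 2) -ne 0   # InheritOnly      -> not this folder
    $parts = @()
    if (-not $io) { $parts += 'this folder' }
    if ($ci)      { $parts += 'subfolders' }
    if ($oi)      { $parts += 'files' }
    if ($parts.Count -eq 0) { return '(nothing)' }
    $text = ($parts -join ', ') + $(if ($io) { ' only' } else { '' })
    $text.Substring(0, 1).ToUpper() + $text.Substring(1)
}

# 1. Ansgar's point: the basic "Write" permission is a bundle of four special ones.
Expand-FileSystemRights ([System.Security.AccessControl.FileSystemRights]::Write)

# 2. The volume's ACEs, one row each, with the special permissions spelled out.
$acl = Get-Acl -LiteralPath $Path
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Special   = (Expand-FileSystemRights $_.FileSystemRights) -join ', '
        AppliesTo = Get-AppliesTo $_
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# 3. The OP's proposal: drop the explicit Allow ACEs for BUILTIN\Users (S-1-5-32-545)
#    whose rights are nothing but Create Files/Write Data and/or Create Folders/
#    Append Data. Synchronize is masked out because Windows adds it to most Allow
#    ACEs. The Read & Execute ACE is untouched. Per Ansgar, Word and similar
#    programs will then fail to create temp files beside documents on this volume.
$createWrite = 0x000002 -bor 0x000004 -bor 0x100000
$toRemove = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' -and
    ([int]$_.FileSystemRights -band -bnot $createWrite) -eq 0
})
foreach ($ace in $toRemove) { $acl.RemoveAccessRuleSpecific($ace) }
Set-Acl -LiteralPath $Path -AclObject $acl -WhatIf   # remove -WhatIf to apply
```

Step 1 prints Create Files / Write Data, Create Folders / Append Data, Write Extended Attributes and Write Attributes, the same four items Ansgar lists. In step 2, on a volume with the default ACL the OP describes, the two Users ACEs show up as Create Folders / Append Data applying to "This folder, subfolders" and Create Files / Write Data applying to "Subfolders only", which is the detail the GUI's basic-permissions tab hides. Step 3 runs with -WhatIf so nothing changes until you have looked at the table; because those two ACEs live on the root and everything below inherits from them, removing them there removes the inherited copies as well, so test on a non-production volume first.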
