Here was my test:
1. Create a standard user account ("gimpy"); Login as "gimpy".
2. Create a file, logout.
3. Log in as an administrator and adjust the DACL with an explicit
deny on permission mods for the user, and remove the allow ACE for
good measure. Confirm "gimpy" is still the file's owner, and that no
other ACEs grant that access.
4. Log back in as "gimpy" and meddle with the file's DACL.
Perhaps I have overlooked something, but this is pretty consistent
with the UNIX concept of a file owner, where you can always chmod
yourself back into access.
--Steve
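Brian's "Owner Rights at the top level" suggestion, written out as a PowerShell script. This is an added example, not code from anyone in the thread; it assumes a 2008+ file server and uses D:\Homes, the domain CONTOSO and the user "gimpy" as placeholders. It relies on the OWNER RIGHTS SID (S-1-3-4): once an ACE for that SID is present in a DACL, the owner's implicit READ_CONTROL and WRITE_DAC are replaced by whatever that ACE grants, which is what stops the creator of a file from re-opening its DACL.

```powershell
# Added example, not from the thread. Placeholders: share root D:\Homes, domain CONTOSO.
$shareRoot = 'D:\Homes'
$domain    = 'CONTOSO'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp    = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function Set-HomeRootOwnerRights {
    param([string]$Root)
    $acl = Get-Acl -Path $Root
    # OWNER RIGHTS (S-1-3-4): once this ACE exists, the file owner's implicit
    # READ_CONTROL + WRITE_DAC are replaced by what it grants. ReadPermissions
    # lets the creator see the DACL but not rewrite it, on everything below $Root
    # that inherits the ACE - which is why inheritance must stay unbroken.
    $ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $ownerRights, [System.Security.AccessControl.FileSystemRights]::ReadPermissions,
        $inherit, $noProp, $allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Root -AclObject $acl
}

function New-StudentHome {
    param([string]$Root, [string]$User)
    $path = Join-Path $Root $User
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -Path $path
    # Modify instead of Full Control: read, write, execute, delete, but neither
    # WRITE_DAC nor WRITE_OWNER. Inheritance is left on so the root ACE applies.
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$domain\$User", [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit, $noProp, $allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-HomeOverSharing {
    # Audit: list explicit (non-inherited) ACEs under a student's home that name
    # anyone other than that student, i.e. the grants the thread calls "oversharing".
    param([string]$Root, [string]$User)
    $path = Join-Path $Root $User
    Get-ChildItem -Path $path -Recurse -Force | ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ne "$domain\$User" } |
            ForEach-Object { '{0}: {1} {2} {3}' -f $item.FullName, $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights }
    }
}
Set-HomeRootOwnerRights -Root $shareRoot
New-StudentHome -Root $shareRoot -User 'gimpy'
Get-HomeOverSharing -Root $shareRoot -User 'gimpy'
```

The OWNER RIGHTS ACE only limits what ownership itself implies; members of Administrators still hold SeTakeOwnershipPrivilege and can take ownership or reset the DACL as before.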
On Tue, Mar 13, 2012 at 1:56 PM, Brian Desmond <[email protected]> wrote:
> I would want to confirm that because I'm not sure that's accurate.
>
> Thanks,
> Brian Desmond
> [email protected]
>
> w - 312.625.1438 | c - 312.731.3132
>
>
> -----Original Message-----
> From: Steve Kradel [mailto:[email protected]]
> Sent: Tuesday, March 13, 2012 8:52 AM
> To: NT System Admin Issues
> Subject: Re: (homedrive)
>
> Brian, I understand what you mean, but if you own a file, you can do to it
> what you like, DACL-wise -- I don't believe the deny-write-DACL ACE is even
> checked for the owner. Enclosing each home folder in one where the user is
> not the ACL O:wner seems like the way to go for preventing owner-facilitated
> traversal...
>
> --Steve
>
> On Tue, Mar 13, 2012 at 2:33 AM, Brian Desmond <[email protected]> wrote:
>> With Owner Rights, you fork the Owner from Creator, so you could put a Deny
>> Write DAC to the Owner.
>>
>> Thanks,
>> Brian Desmond
>> [email protected]
>>
>> w - 312.625.1438 | c - 312.731.3132
>>
>> -----Original Message-----
>> From: Steve Kradel [mailto:[email protected]]
>> Sent: Monday, March 12, 2012 10:11 PM
>> To: NT System Admin Issues
>> Subject: Re: (homedrive)
>>
>> I'm not sure if it's feasible to prevent a directory owner from fiddling
>> with the DACL (although I'll try a few things tomorrow)...
>> one possible solution to the "oversharing students" could be a containing
>> folder for each user, which the user does *not* own and which other students
>> cannot traverse, and within that, the actual home directory owned by the
>> user. Definitely agree that breaking inheritance is a big management
>> headache, though not sure what dependence on 2008+ you have in mind? AFAIK
>> the creator-owner SID goes back a long ways.
>>
>> --Steve
>>
>> On Mon, Mar 12, 2012 at 11:30 PM, Brian Desmond <[email protected]>
>> wrote:
>>> Why are you breaking inherited permissions? That is a management nightmare.
>>>
>>> I don't recall what ADUC sets, but, if you're on 2008+ file servers, you
>>> might be able to solve your problem with Owner rights at the top level.
>>> That will depend on not breaking inherited permissions though.
>>>
>>> Thanks,
>>> Brian Desmond
>>> [email protected]
>>>
>>> w - 312.625.1438 | c - 312.731.3132
>>>
>>> -----Original Message-----
>>> From: Matthew W. Ross [mailto:[email protected]]
>>> Sent: Friday, March 09, 2012 1:39 PM
>>> To: NT System Admin Issues
>>> Subject: RE: (homedrive)
>>>
>>> We find that the default permissions created by Windows when you populate
>>> the Profile Tab to be... less than optimal in our case.
>>>
>>> We have students who get "Full Control" of their folders. Thus, they will
>>> grant permissions to other students read and/or write access, so they can
>>> copy their work. It's a 21st-century version of "looking at somebody else's
>>> answers on the test".
>>>
>>> To fix this, I have created a script that sets the permissions for the
>>> folders. It breaks inherited permissions, and applies the permissions I
>>> want. The users end up with Read, Write, Execute.
>>>
>>> I will on occasion repeat something when issues with permissions arise:
>>> "Permissions are Evil. But they are a necessary Evil." This is especially
>>> true in [Linux|unix].
>>>
>>>
>>> --Matt Ross
>>> Ephrata School District
>>>
>>>
>>> ----- Original Message -----
>>> From: David Lum [mailto:[email protected]]
>>> To: NT System Admin Issues [mailto:[email protected]]
>>> Sent: Fri, 09 Mar 2012 11:24:45 -0800
>>> Subject: RE: (homedrive)
>>>
>>>
>>>> That explains things, I never knew it would auto-create the folder
>>>> and perms! So glad I asked...one more thing I just got more efficient at.
>>>>
>>>> Dave
>>>>
>>>> From: Heaton, Joseph@DFG [mailto:[email protected]]
>>>> Sent: Friday, March 09, 2012 10:07 AM
>>>> To: NT System Admin Issues
>>>> Subject: RE: (homedrive)
>>>>
>>>> We simply populate the Profile Tab, and allow Windows to create the
>>>> actual folder w/ appropriate rights.
>>>>
>>>> Joe Heaton
>>>> ITB - Windows Server Support
>>>>
>>>> From: David Lum [mailto:[email protected]]
>>>> Sent: Friday, March 09, 2012 9:18 AM
>>>> To: Heaton, Joseph@DFG; NT System Admin Issues
>>>> Subject: H: (homedrive)
>>>>
>>>> Do you guys create individual shares for each user, or do something
>>>> different?
>>>> David Lum
>>>> Systems Engineer // NWEATM
>>>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin