Re: Win2003 SERVER file security BUG! by Roger
Roger
Wed Feb 08 23:28:18 CST 2006
Let's separate things out here.

You mentioned that the parent and child each are separately
shared. That is not part of the picture here. You are accessing
using the parent share, and you have said the share permissions
are effectively a no-op (Everyone Full).

So, that brings us to the NTFS permissions as the only thing that
might have bearing on what you experience. Access is gated by
the ACL of the object at the time of access and this is done on
the sharing system. So we need to look at the ACL.

Can you show us the actual ACL on the child "company" folder?
Just Start / Run cmd and in the cmd window cd to "company"
and then enter

    cacls . > c:\caclsout.txt

(with c:\caclsout.txt as needed if you have no writeable C:
and notice there is a . before the > )

Then just post the contents of that file for us.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Verus" <Verus@discussions.microsoft.com> wrote in message
news:D8CC1ADD-6E7A-40FC-B5EB-0FC07026C502@microsoft.com...
> Hello,
>
> the permissioning of "company" is purely inherited from the parent named
> "data", that's right.
> In the advanced tab I can see that the permissions are right but it is just
> not doing what it has to do....
> it's really very strange.
>
> "Roger Abell [MVP]" wrote:
>
>> Note that if the subfolder named "company" has an explicit grant on it
>> then this will take priority over any inherited deny.
>> Is this the case, or is the NTFS permissioning of "company" purely
>> inherited from the parent named "data" ?
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>> MCDBA, MCSE W2k3+W2k+Nt4
>> "Verus" <Verus@discussions.microsoft.com> wrote in message
>> news:CA9272C3-67D9-4139-801B-7922A77315C6@microsoft.com...
>> > Hi,
>> >
>> > I have win2003 server installed and I am sharing some folders.
>> > let me explain my problem with an example.
>> >
>> > I have a toplevel map named data, under data I have a map company and this
>> > is on a server named server-test.
>> > my toplevel map data is shared and my subfolder company is also shared so I
>> > can see them both when I am searching the directory structure of that
>> > server.
>> > both maps are shared for everyone with full control, change and read
>> > (shared, not the security settings!) so that everyone can see the maps.
>> >
>> > now, for the folder company, I have inheritable permissions ON.
>> > so, this means that if I set security permissions on DATA, the security
>> > permissions for COMPANY are also changed and yes, they are!
>> > When I look at the security settings of data and company, I see in company
>> > my username with the security settings grayed-out, so this means that the
>> > thing did its job and inheritable permissions were passed through to the
>> > underlying map.
>> > The security permission is DENY on EVERYTHING, applied to this folder,
>> > underlying folders and files.
>> >
>> > now, when I go to server-test, I see 2 folders named data and company.
>> > when I click on data, I don't come in but when I click on company, I get in
>> > and I can see all files!
>> >
>> > The only workaround seems that I FIRST deny everything on the underlying map
>> > and then deny again on the top level map.
>> > The only problem then is that in the underlying map that is using the
>> > inheritable permissions I have both security settings in it.
>> > both on 1 name but if you check another box, you can see that the denied box
>> > is turning grayed-out.
>> >
>> > This seems very illogical and unsafe!
>> >
>> > does anyone have a solution or am I doing something wrong ?
>> >
>> > regards,
>> > Verus
>>
>>
>>
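
The precedence rule mentioned in the quoted reply above (an explicit grant on the subfolder taking priority over an inherited deny), as an added example that is not part of the original thread: a simplified Python model of DACL evaluation in canonical ACE order. The rights bits, trustee names and sample ACLs are constructed for illustration, and only one level of inheritance is modeled.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # simplified rights bits (constructed, not real NTFS masks)
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group name standing in for a SID
    allow: bool       # True = allow ACE, False = deny ACE
    mask: int         # rights this ACE covers
    inherited: bool   # True if the ACE came from the parent folder

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, sids, desired):
    """Walk the ACEs in order; the first ACE to decide a requested bit wins."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False              # a still-ungranted bit hits a deny
        if ace.allow:
            remaining &= ~ace.mask    # these bits are now granted
        if remaining == 0:
            return True
    return False                      # bits never granted: implicit deny

def explicit_allows_before_inherited_deny(dacl):
    """Explicit allow ACEs whose rights overlap an inherited deny (review these)."""
    denies = [a for a in dacl if a.inherited and not a.allow]
    return [a for a in dacl if not a.inherited and a.allow
            and any(d.mask & a.mask for d in denies)]

# Constructed sample ACLs for a child folder; the caller is in "Everyone".
TOKEN = {"verus", "Everyone"}
PURELY_INHERITED = [
    Ace("Everyone", True, FULL, inherited=True),
    Ace("verus", False, FULL, inherited=True),
]
WITH_EXPLICIT_GRANT = PURELY_INHERITED + [
    Ace("Everyone", True, READ, inherited=False),
]

if __name__ == "__main__":
    print("purely inherited, read:", access_check(PURELY_INHERITED, TOKEN, READ))
    print("explicit grant, read:  ", access_check(WITH_EXPLICIT_GRANT, TOKEN, READ))
    print("explicit grant, write: ", access_check(WITH_EXPLICIT_GRANT, TOKEN, WRITE))
```
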