Are file level delete permissions enforced in Windows? - windows

Someone recently raised a bug against a filter driver I've been working on. They said that I'd made it possible for a limited user to delete Windows files even if they remove the permissions on the file for the user to be able to do that.
I've been looking at it and it's nothing to do with my driver, even a fresh install of Windows allows this. If you:
Logon as a user called "limiteduser" who's a non admin.
Create a text file
Edit the security for the file
Remove inherited permissions and remove "limiteduser" from having any rights to the file.
Once you've done this you find that:
You can't changed the contents of the file.
You can't rename/move the file or send it to the recycle bin
However you can:
Delete the file in explorer with shift-delete
Delete the file with cmd.exe (del myfile.txt)
Why is this? Is deleting files always a property of the parent folder? And if so why isn't renaming files?

I know this answer isn't complete at all, but I hope it will be helpful nonetheless.
You didn't mention which version of Windows you are using, but as the ones that use any version of the NTFS file system should behave the same I believe it doesn't matter.
The documentation on "File and Folder Permissions" in Windows 2008 Server states that:
Groups or users that are granted Full Control on a folder can delete any files in that folder, regardless of the permissions protecting the file.
So it would appear that part of the answer to your question:
Why is this? Is deleting files always a property of the parent folder? And if so why isn't renaming files?
would be that deleting is indeed a property of the parent folder - it looks to me that it's the Delete Subfolders and Filesspecial permission that allows you to override the permissions on the file.
Why the "Full Control" permission on the folder won't give rename permission is unclear to me, but my guess is that it's actually only Delete Subfolders and Filesthat has the power to override; to rename a file you would have to have permissions to write too.
I'm guessing that the reason that "Shift-Del" in Explorer and "del" in cmd works and not "Recycle" would be that recycling is a move/change operation.
See this Technet article for reference: How Permissions Work

Related

Icacls permissions not applying as I expect

I am running a batch file as part of a larger application.
If certain conditions are met, a folder is created and permissions applied to the folder using icacls.
I have permission inheritance disabled on the parent folder, and I want to add to the ACL full permissions for the user "testuser".
I tried the following command...
icacls "V:\debugging\test" /grant testuser:F
The command completes successfully, however when logging in to the folder via CIFS, I do not have full permissions.
I can create files and folders but not modify them.
I cannot even rename a text file during creation, so I end up with a new file called 'New text document' and i have no permission to edit this.
What I need to happen is for the permissions to be applied to "V:\debugging\test" that allow me to read, modify and and write without exception and If possible I need those permissions to be inherited by any child folders that may be created.
Can anyone point me in the right direction?

Why does .MSI file open read-only?

I am attempting to open a .MSI installer package file to modify it. Whenever I try to open it, it opens in read-only mode. I see this with Orca, with InstEd, or when opening the file directly via code:
`MsiOpenDatabase()` (ERROR_OPEN_FAILED with MSIDBOPEN_DIRECT or
MSIDBOPEN_TRANSACT persistence modes).
The file itself does not have the read-only attribute set (in fact, has no attributes set)
I am using an account with Administrators group access
As far as I can tell, no other process has the file open
No installs are in progress or suspended
I can copy the file to another location, and open it read/write there. But the original, I cannot touch
Thanks in advance for your help.
My guess is that this is caused by one of the following factors:
Custom NTFS access rights - defined for the file in its security descriptor
The file might be "blocked" - marked with a special flag after being downloaded via Internet Explorer.
The resolution for the latter is to right click the file and select properties and click the unblock button at the bottom of the property page and pressing OK.
The resolution for custom NTFS rights are done in a similar way by going into the security
tab of the property page for the file, but it is easier just to copy and paste the file and use the fresh copy with the default security.
Found it.
#Glytzhkof, you almost had it but there's a detail I did not know about, and left out. This is a package that lies in a folder under "access protection" by my system's anti-virus program: a filesystem hook that blocks modification of critical system and AV files. Turn off access protection temporarily, and the file is wide open.
Fortunately, one of my teammates had some experience with this, and suggested I try it. Bingo.
Thanks, all.
What I have done to get it working was to create first a backup of the MSI file, and then open that backup. It worked for me
Try to close/kill processes that might interfere, for example:
Other running Install shield instances
Installshield updater
Installshield licensing service
Antivirus

Windows 7 - Can't update my program's files in C:\Program Files

I have an addin program that works with MS Word (version 2007). It is located in the C:\Program Files location. I installed Windows 7 and then went to make a routine change to my files in this location and it would only bring up a read only file. How can I grant myself permission to write to my own program? I cannot change this location or use any other workaround. I have this product out to 25 different companies and I can't change the programming to work from any other location. Thanks
You could also embed a manifest in your EXE that makes your program require adminrights on Windows 7 / Vista.
On Windows Vista, UAC means that users run without admin rights and don't have write access to the program files directories.
The correct solution is to write to a folder for which standard users do have write permissions.
The solution you are looking for is to make your app's folder within program files writeable to all users. You can do this by adding a DACL when installing. It is extremely bad practice to allow standard users to write inside the program files directory and I urge you instead to re-code your app so that it does not need to write there.
Assuming you're doing this as part of modifying the config (and not when your application is running for regular users)...
Your user account probably doesn't have the correct permissions to write/modify the file. Assuming your account is an administrator account, right-click the file, select "Properties". Click the "Security" tab. Click edit and give your user account Full Control.
If you can't do this, it's probably because the ownership of the file doesn't allow you. If this is the case, click on "Advanced", go to the "Owner" tab, and click "Edit".
However, if it needs these permissions when it's running, you should instead be using the %AppData% folder.

Eclipse workspace as htdocs in XAMPP not working in Mac?

I've bought a MacBook Air(I've been converted from a PC guy to a Mac) today and I have recently installed XAMPP and Eclipse for Mac and I try to set the workspace for Eclipse as the htdocs folder in XAMPP. I always get the warning:
Workspace in use or cannot be created, choose a different one!
The directory i try to set is /Applications/XAMPP/htdocs
I've been trying to set an another directory it works fine as long as it is not the one above. What have I done wrong? I want the directory above. Pls. help
The solution is this:
Go into the htdocs folder and hit CMD+I to bring up the "Get Info" window
In this window, go to the bottom right and click on the padlock icon, enter your password to unlock the permissions settings in the window
You'll see a list of users and their respective permissions. Change the "admin"'s permission to "Read & Write"
Click the padlock once more to save your changes and lock the permissions for the htdocs folder
Start up Eclipse and then select htdocs as your workspace, and
Voila! You're done.
Hope that helps.
It's likely a permissions issue. The application may not be requesting admin rights to write to (or in some way control) that directory, it may just be silently failing. Generally, you need to supply admin rights to modify anything under /Applications/.
I wouldn't recommend using /Applications/XAMPP/htdocs/ as your workspace anyway. Your workspace should either be in your home directory (Documents or perhaps even Library though the former would be more intuitive), or in some other shared location if multiple users need to access it. Bundling it with the application itself would risk losing the data during an application upgrade, or in some other way confusing the issue.
Why do you want your data in the /Applications/ directory?
The problem here is that this workspace is locked. The quick solution is to delete /Applications/XAMPP/htdocs/.metadata/.lock
The slightly longer solution is to try the following command whenever such a situation occurs:
find /Applications/XAMPP/htdocs -name "lock" -exec echo {} \;
This will show you any file in that directory that has lock in the name. Remember that hidden files start with a . (such as .lock or .metadata).
The even longer answer is that /Applications is outside of the userspace and should not be used for user documents (like code files). These should ideally be moved to somewhere in /Users or into a directory specifically created for this purpose (such as /home or /shared). I'm particularly fond of having a /Users/Shared directory for sharing files between accounts.

How to get the actual path of a file in Vista with UAC?

I am calling CreateFile() to create a file in the Program Data directory. I'm using SHGetSpecialFolderPath() to get the dir name.
I have a user with Vista for whom CreateFile() is returning error 5 (Access Denied). It would help if I knew where CreateFile() was actually attempting to create the file so we can check his folder permissions. The problem with Vista (UAC) is, it's not attempting to create the file in the directory I passed in. It could also be in a VirtualStore directory. An added source of confusion is this user is German and although SHGetSpecialFolderPath() is returning "C:\Program Data\blah blah" as the path, I don't think that's actually where the path is. I think German Vista uses the German word for "Program Data". I would like to be able to tell the user "This is the exact path where we are trying to create the file. Check your permissions on this folder."
I know you can get the a path from an open file handle, but in this case the CreateFile() is failing so I don't have an open handle. How can I get Vista to tell me the actual path where it's attempting to create the file?
Fire up Process Monitor and watch what it does:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
If with UAC the paths used are not the ones you want, then the redirection is in effect.
To make sure that redirection does not occur, add a manifest to your application which indicates to Vista that your application is properly coded and aware of access restrictions (i.e., you don't write to e.g., HKLM or the programs folder if your app doesn't need admin privileges to run).
But your application should be able to write to the APPDATA folder (if that's what you really use).
Make sure you're using CSIDL_APPDATA and not CSIDL_COMMON_APPDATA (the latter one being accessible only with admin privileges).
To find the real path (the one you would expect) tell the user to type %APPDATA% into the explorer bar (or hit Windows+R, then type %APPDATA%, enter). This will open the explorer on that folder.
My understanding is that ProgramData is used by Vista to write files that were attempting to be written inside C:\Program Files, but failed, since unless you are running the app as Admin you can't write inside program files. Maybe you should try saving your files to the AppData folder under the current user.

Resources