I have a file on a Windows 2003 NTFS file system. It is called C:\MyFolder\MyFile.txt. First grant a user read access to the file. Then I remove the user's read access to the parent folder.
Now the user cannot use Windows Explorer to browse the folder and double click to open in Notepad. The user can go to Start (menu) Run and enter "C:\MyFolder\MyFile.txt" and the file will load in Notepad.
Can someone point me to some MSDN documentation that explains why this is? I've tried all the google and bing queries I can think of.
thanks much
See the 'Traverse Folder' permission in the table on this page:
http://technet.microsoft.com/en-us/library/cc787794(WS.10).aspx
It sounds more like a TechNet article than an MSDN one to me.
If you think about a directory/folder as not a file cabinet folder but rather a index card stuck to the front of the cabinet to say what is in the cabinet. This is effectively what a folder is on the file system (a index to where the files are.)
Because you have denied the user rights to what is in the folder you have denied them access to the index card. However, if they know the precise file they want then they can still access to the file which they have permissions for as this doesn't require a check on the index card.
Behind the scenes it is obviously a little more complicated but that is the basic view. I saw this technique used quite a bit on the *nix environments when I was at Uni to hide previous years assignments from the current batch of students. However, because they hadn't removed permissions from some files the tutors could still direct them to specific examples from previous years.
Related
I have a somewhat unique situation, and while I understand what the problem is, I'm not quite sure what the best workaround may be so I thought I would consult the hive mind. :)
Scenario:
I am working on an application (OS X) that is document based and uses Quicktime. When a new document is created, the user selects a movie to view within the document window. The user can then save this document. When the user later attempts to open the document, nothing happens. It just doesn't open.
What I know so far:
The problem is with the way Sandbox operates, and my limited experience working with it (my first attempt.) I have enabled Sandbox and have the app permissions set to allow any user initiated file operations, and also added permissions for the app to access the Movies folder.
When the user loads a document and the Movie is in the Movies folder, it opens and works correctly. However, if the Movie is anywhere else on the users drive, it does NOT work and performs as described above.
I realized this is because while the user can open the document (user initiated), sandbox is blocking the application when it attempts to then open the linked movie automatically (NOT user initiated) unless the movie is located within the Movies folder.
Since the application is designed to work with large files, it seems like a big limitation to force users to copy the files into their movie folder and leave them there.
(I have not yet tried working with a movie located on an external drive, but suspect that it would work as it's not a system drive.)
Question:
Is there a way to work around this, since the user initiated the task of opening the movie originally?
If not, is there perhaps a way to have the application ask the user to confirm that the movie should be loaded... perhaps like presenting an OPEN dialog box with the movie already selected so they can just click OK? This might be the best solution.
Another option might be to automatically copy the movie into the Movies folder when the user initially selects it, but again it's not really idea for my situation...
Any thoughts would be appreciated!
As you describe it, your App has privileges to access files within its own container and in the Movies folder. To access arbitrary movie files you have to:
Let the user initiate the access to a file, i.e. when a new document is created the user has to use a file chooser to access a movie file. The privileges of your sandbox are then extended to allow access to the selected file.
Those access rights are temporarily. To persist them over App restarts you have to save and restore the access right via security scoped bookmarks.
Refer to Apples documentation on PowerBox and on Security Scoped Bookmarks
Also Session 710 from WWDC 2013 might be helpful.
I am attempting to open a .MSI installer package file to modify it. Whenever I try to open it, it opens in read-only mode. I see this with Orca, with InstEd, or when opening the file directly via code:
`MsiOpenDatabase()` (ERROR_OPEN_FAILED with MSIDBOPEN_DIRECT or
MSIDBOPEN_TRANSACT persistence modes).
The file itself does not have the read-only attribute set (in fact, has no attributes set)
I am using an account with Administrators group access
As far as I can tell, no other process has the file open
No installs are in progress or suspended
I can copy the file to another location, and open it read/write there. But the original, I cannot touch
Thanks in advance for your help.
My guess is that this is caused by one of the following factors:
Custom NTFS access rights - defined for the file in its security descriptor
The file might be "blocked" - marked with a special flag after being downloaded via Internet Explorer.
The resolution for the latter is to right click the file and select properties and click the unblock button at the bottom of the property page and pressing OK.
The resolution for custom NTFS rights are done in a similar way by going into the security
tab of the property page for the file, but it is easier just to copy and paste the file and use the fresh copy with the default security.
Found it.
#Glytzhkof, you almost had it but there's a detail I did not know about, and left out. This is a package that lies in a folder under "access protection" by my system's anti-virus program: a filesystem hook that blocks modification of critical system and AV files. Turn off access protection temporarily, and the file is wide open.
Fortunately, one of my teammates had some experience with this, and suggested I try it. Bingo.
Thanks, all.
What I have done to get it working was to create first a backup of the MSI file, and then open that backup. It worked for me
Try to close/kill processes that might interfere, for example:
Other running Install shield instances
Installshield updater
Installshield licensing service
Antivirus
I am trying to open a .chm file.
I downloaded the source, extracted it, and double clicked on Waffle.chm and clicked "Open" but no matter what element in the chm file I click, I get the message:
Navigation to the webpage was canceled.
What you can try:
Retype the address.
What's going on here?
Summary
Microsoft Security Updates 896358 & 840315 block display of CHM file contents when opened from a network drive (or a UNC path). This is Windows' attempt to stop attack vectors for viruses/malware from infecting your computer and has blocked out the .chm file that draw data over the "InfoTech" protocol, which this chm file uses.
Microsoft's summary of the problem: http://support.microsoft.com/kb/896054
Solutions
If you are using Windows Server 2008, Windows 7, windows has created a quick fix. Right click the chm file, and you will get the "yourfile.chm Properties" dialog box, at the bottom, a button called "Unblock" appears. Click Unblock and press OK, and try to open the chm file again, it works correctly. This option is not available for earlier versions of Windows before WindowsXP (SP3).
Solve the problem by moving your chm file OFF the network drive. You may be unaware you are using a network drive, double check now: Right click your .chm file, click properties and look at the "location" field. If it starts with two backslashes like this: \\epicserver\blah\, then you are using a networked drive. So to fix it, Copy the chm file, and paste it into a local drive, like C:\ or E:. Then try to reopen the chm file, windows does not freak out.
Last resort, if you can't copy/move the file off the networked drive. If you must open it where it sits, and you are using a lesser version of windows like XP, Vista, ME or other, you will have to manually tell Windows not to freak out over this .chm file. HHReg (HTML Help Registration Utility) Utility Automates this Task. Basically you download the HHReg utility, load your .chm file, press OK, and it will create the necessary registry keys to tell Windows not to block it. For more info: http://www.winhelponline.com/blog/fix-cannot-view-chm-files-network-xp-2003-vista/
Windows 8 or 10? --> Upgrade to Windows XP.
"unblocking" the file fixes the problem. Screenshot:
Win 8 x64:
just move it to another folder or rename your folder (in my case: my folder was "c#").
avoid to use symbol on folder name. name it with letter.
done.
In addition to Eric Leschinski's answer, and because this is stackoverflow, a programmatical solution:
Windows uses hidden file forks to mark content as "downloaded". Truncating these unblocks the file. The name of the stream used for CHM's is "Zone.Identifier". One can access streams by appending :streamname when opening the file. (keep backups the first time, in case your RTL messes that up!)
In Delphi it would look like this:
var f : file;
begin
writeln('unblocking ',s);
assignfile(f,'some.chm:Zone.Identifier');
rewrite(f,1);
truncate(f);
closefile(f);
end;
I'm told that on non forked filesystems (like FAT32) there are hidden files, but I haven't gotten to the bottom of that yet.
P.s. Delphi's DeleteFile() should also recognize forks.
The definitive solution is to allow the InfoTech protocol to work in the intranet zone.
Add the following value to the registry and the problem should be solved:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001
More info here: http://support.microsoft.com/kb/896054
Go to Start
Type regsvr32 hhctrl.ocx
You should get a success message like:
" DllRegisterServer in hhctrl.ocx succeeded "
Now try to open your CHM file again.
other way is to use different third party software. This link shows more third party software to view chm files...
I tried with SumatraPDF and it work fine.
I fixed this programmatically in my software, using C++ Builder.
Before I assign the CHM help file, Application->HelpFile = HelpFileName, I check to see if it contains the "Zone.Identifier" stream, and when it does, I simply remove it.
String ZIStream(HelpFileName + ":Zone.Identifier") ;
if (FileExists(ZIStream))
{ DeleteFile(ZIStream) ; }
There are apparently different levels of authentication. Most articles I read tell you to set the MaxAllowedZone to '1' which means that local machine zone and intranet zone are allowed but '4' allows access for 'all' zones.
For more info, read this article:
https://support.microsoft.com/en-us/kb/892675
This is how my registry looks (I wasn't sure it would work with the wild cards but it seems to work for me):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="\\\\<network_path_root>;\\\\<network_path_root>\*;\\ies-inc.local;http://www.*;http://*;https://www.*;https://*;"
As an additional note, weirdly the "UrlAllowList" key was required to make this work on another PC but not my test one. It's probably not required at all but when I added it, it fixed the problem. The user may have not closed the original file or something like that. So just a consideration. I suggest try the least and test it, then add if needed. Once you confirm, you can deploy if needed. Good Luck!
Edit: P.S. Another method that worked was mapping the path to the network locally by using mklink /d (symbolic linking in Windows 7 or newer) but mapping a network drive letter (Z: for testing) did not work. Just food for thought and I did not have to 'Unblock' any files. Also the accepted 'Solution' did not resolve the issue for me.
Moving to local folder is the quickest solution, nothing else worked for me esp because I was not admin on my system (can't edit registery etc), which is a typical case in a work environment.
Create a folder in C:\help drive, lets call it help and copy the files there and open.
Do not copy to mydocuments or anywhere else, those locations are usually on network drive in office setup and will not work.
I have a joomla website, which I recently moved and I'm having problems with file permissions. The easy fix would be to change all the folders and files permission to 0777, do whatever I need to do, and then change them back. I don't think that's possible anyway - to change them all at once then make everything as it was.
The other solution would be to switch permissions to user Apache from cpanel. Can I do that? How? What other options do I have?
Thanks!
Well it turns out that you can't change the owner from the cpanel. My solution was to contact my hosting and have me transferred to another server of theirs that used FastCGI, which made all my files' owner Apache (instead of null, or nobody, what it was before).
I couldn't find my answer on the internet, I had to ask them and they gave me that solution.
You can change the file/folder permission using the cpanel.
Just login to your cpanel,
there you can find a option called "File Manager".
Just click on that, it will list all your files and folders in a table at the window.
In the table, at the last column which will be named as "Perms". Just click on the column corresponding to the file/folder for which you want to change the permission.
I know this is old thread, but may useful for next user come here.
There is good tool for doing this by Jacob, here you can visit his page http://boomshadow.net/tech/fixes/fixperms-script/, but may you need root access to do it.
I have an addin program that works with MS Word (version 2007). It is located in the C:\Program Files location. I installed Windows 7 and then went to make a routine change to my files in this location and it would only bring up a read only file. How can I grant myself permission to write to my own program? I cannot change this location or use any other workaround. I have this product out to 25 different companies and I can't change the programming to work from any other location. Thanks
You could also embed a manifest in your EXE that makes your program require adminrights on Windows 7 / Vista.
On Windows Vista, UAC means that users run without admin rights and don't have write access to the program files directories.
The correct solution is to write to a folder for which standard users do have write permissions.
The solution you are looking for is to make your app's folder within program files writeable to all users. You can do this by adding a DACL when installing. It is extremely bad practice to allow standard users to write inside the program files directory and I urge you instead to re-code your app so that it does not need to write there.
Assuming you're doing this as part of modifying the config (and not when your application is running for regular users)...
Your user account probably doesn't have the correct permissions to write/modify the file. Assuming your account is an administrator account, right-click the file, select "Properties". Click the "Security" tab. Click edit and give your user account Full Control.
If you can't do this, it's probably because the ownership of the file doesn't allow you. If this is the case, click on "Advanced", go to the "Owner" tab, and click "Edit".
However, if it needs these permissions when it's running, you should instead be using the %AppData% folder.