ACL To Create and Modify Only New Files?

Subject Author Date
ACL To Create and Modify Only New Files? Will 02-03-2008
Posted by Roger Abell [MVP] on February 5, 2008, 11:18 pm

>>> What you suggest makes sense in general, but I don't find an attribute
>>> for just creating new files. The closest attribute is "Create Files /
>>> Write Data". And that sounds suspiciously like a permission to both
>>> create new files but also to modify existing ones. If it is not, then
>>> which attribute would give the ability to modify existing files? It's
>>> really a shame that Microsoft didn't make each part of that a separate
>>> attribute.
>>>
>>
>> When you look in the advanced view the descriptions for the
>> individual ACEs have two parts separated by / char. On the
>> left is what the ACE means applied to a directory, on the right
>> what it means applied to a file. So, selection of that ACE and
>> in the dropbox set to This folder only allows only creating new
>> files in that directory (similarly applied to This folder and subs).
>
> Aha.... I think I just evolved. Thank you. :)
>
>
>> I think this could be seen as artifact of the era when designed
>> and all bits added up to significant cost, so something like a
>> double word is all that was allocated for all ACE flags, and
>> a couple of them for indication of applicability to objects and/or
>> container objects.
>
> Regardless of how badly they overloaded the implementation, the user
> interface of the Advanced Security Settings dialog for ACLs is fairly
> awful. It's way too compressed to easily pull out the explanation you gave
> just from usage. And in general the fact that the implementation is
> overloaded is not a great reason to overload the user interface in a
> parallel fashion.
>

I was only trying to build insight by sharing context for future
understanding. You probably know me sufficiently well by now
to know I am not interested in making excuses for their design or
implementation shortfalls :) And yes, I do hear your comment as
I think it took me nearly a year after coming over from Unix to
realize what I explained about the ACEs (but of course, back then
the documentation was very poor and all hidden in the API docs).

Roger



Posted by Roger Abell [MVP] on February 5, 2008, 11:19 pm
PS
You might be wondering, if Users only has a grant to create files
at the folder level, then how do they actually write the file. That
is where the grant to Creator Owner comes in.





Posted by Will on February 5, 2008, 11:33 pm
> You might be wondering, if Users only has a grant to create files
> at the folder level, then how do they actually write the file. That
> is where the grant to Creator Owner comes in.

Yes, it all came together for me once I understood to apply "create files"
to the folder only.

--
Will





Posted by Roger Abell [MVP] on February 6, 2008, 7:10 am
>> You might be wondering, if Users only has a grant to create files
>> at the folder level, then how do they actually write the file. That
>> is where the grant to Creator Owner comes in.
>
> Yes, it all came together for me once I understood to apply "create files"
> to the folder only.
>
> --
> Will
>

OK, good luck, and please spam the vendor of that app with
a bit of your thoughts about their disregard for the guidance
MS has available for software houses about how to write apps
that can be certified as made for Windows :) By this time
most of the larger app vendors have come around, but the
message still is needed by some.

Roger
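
The arrangement the thread arrives at, written out as an added example (not code from any poster): Users get "Create Files / Write Data" on this folder only, and an inherit-only CREATOR OWNER grant gives each user Modify on the files they create. The path `C:\Drop`, the read access for Users on existing files, and the Administrators and SYSTEM entries are assumptions made for the example.

```powershell
# Added example; C:\Drop is a hypothetical folder that must already exist. Run elevated.
$path = 'C:\Drop'
$all  = 'ContainerInherit, ObjectInherit'   # "This folder, subfolders and files"

function New-AllowRule($who, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $who, $rights, $inherit, $propagate, 'Allow'
}

$acl = Get-Acl -LiteralPath $path

# Protect the DACL: stop inheriting from the parent and discard inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Discard the explicit ACEs as well, so only the rules added below remain.
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Assumption: administrators and the system keep full control of the tree.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $all 'None'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None'))

# Assumption: Users may read existing files; this grants no write access to them.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Users' 'ReadAndExecute' $all 'None'))

# "Create Files / Write Data" with no inheritance flags = "This folder only".
# CreateFiles and WriteData are the same access-mask bit (0x2); on a directory
# it means "add a file", and because it is never inherited by files it never
# becomes "write data" on an existing file.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Users' 'CreateFiles' 'None' 'None'))

# CREATOR OWNER, inherit-only = "Subfolders and files only". On each new file
# this ACE is replaced by one naming the user who created it.
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'Modify' $all 'InheritOnly'))

Set-Acl -LiteralPath $path -AclObject $acl

# Review the result: check the Users CreateFiles entry shows InheritanceFlags None.
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Because the creator is also the owner of each new file, they can change that file's ACL as well as its contents.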



