Announcement

Collapse
No announcement yet.

NTFS perssion issue, want to allow Append and Write, but not Overwrite!

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • NTFS perssion issue, want to allow Append and Write, but not Overwrite!

    Ok, here is a question for you:

    We are using a home-made software to create files on our fileserver, log files of measurements to be exact.

    The permissions are (A=allow, D=deny):
    A Traverse folder / Execute file
    A List folder / Read data
    A Read Attributes
    A Read Extended Attributes
    A Create files / Write Data
    A Create Folders / Append Data
    A Read Permissions
    D Delete Subfolders and Files
    D Delete

    The problem we are having is that the "Create files / Write Data" permission also permits users overwriting the whole file, the catch being that we need that permission to create new files.

    I can't see how to make this happen, at least not as far as I can google.
    Last edited by Anders; 6th February 2008, 10:48. Reason: Corrected spelling in title.
    A wise man once said: "Assumption is the mother of all fu*k ups".

    Any advice I give is to the best of my knowledge, there is no guarantee what so ever that it will actually work in your particular scenario. I will not accept any responsibility for unexpected consequences, after all - you are taking advice from a complete stranger over the internet. =)

  • #2
    Re: NTFS perssion issue, want to allow Append and Write, but not Overwrite!

    Append and Write are the same as "Overwrite", because each time a file is written to disk it is written in its entirety. So - Write on an existing file first deletes the old version and then writes the new version; however it does not check the "Delete" permission first because it is done as part of the "Write" or "Append". There is no way to prevent a user overwriting a file without also preventing him writing new files in the folder.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    Comment


    • #3
      Re: NTFS perssion issue, want to allow Append and Write, but not Overwrite!

      Argh! Just as suspected.

      But then, how does append work? Append does not delete the original file just to re-write all the data?

      A plausable work around is to change the folder permission to deny Write. Then instruct the software that creates the log files to first change folder permission to accept Write while creating the file only to switch it back to deny after creation is done. That way we could append updates to the logs without overwriting them. (?)
      A wise man once said: "Assumption is the mother of all fu*k ups".

      Any advice I give is to the best of my knowledge, there is no guarantee what so ever that it will actually work in your particular scenario. I will not accept any responsibility for unexpected consequences, after all - you are taking advice from a complete stranger over the internet. =)

      Comment


      • #4
        Re: NTFS perssion issue, want to allow Append and Write, but not Overwrite!

        Originally posted by Anders View Post
        Argh! Just as suspected.

        But then, how does append work? Append does not delete the original file just to re-write all the data?
        Yes, it does.

        A plausable work around is to change the folder permission to deny Write. Then instruct the software that creates the log files to first change folder permission to accept Write while creating the file only to switch it back to deny after creation is done. That way we could append updates to the logs without overwriting them. (?)
        Yes this could work although it would need scripting.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you

        Comment


        • #5
          Re: NTFS perssion issue, want to allow Append and Write, but not Overwrite!

          There IS a way to set the permissions as you want its just a bit difficult to do. What you do is set the permissions "normally" to give your users access to create files and do all their normal functions, use the advanced permissions tab and make sure that you are applying the permissions on this folder, sub folders and files. At this level you GIVE them access to read, write, list and execute; nothing up to this point is going to be different than what you already do.

          Next you want to create another entry using the advanced security tab, you want to change the apply onto set to be Files Only. In the permission grid, deny the priviliges (write, delete).

          Use the check boxes and replace the ACLs on all folder, files and all child objects.

          The above described set of options gives users the ability to create files and folders (through the ACL set on the actual folders) and creates another ACL entry for each file created which has an explicit deny which exists only on the files (and not on the folders). Since 99.9% of the time, except in a very special set of circumstances, DENY trumps ALLOW and the ACL on the file is looked at before the ACL on the folder users won't be able to overwrite the files.

          The below is the output of CACLS showing the permissions, I do this on a few different directory trees on my network where we store scanned images, photos, things that should go in the system but should not be replaced easily.

          Code:
          D:\...\....>cacls AIMAGE
          D:\...\....\AMAGE LMFJ\Inventory:(OI)(IO)(DENY)(special access:)
                                                           FILE_WRITE_DATA
                                                           FILE_APPEND_DATA
                                                           FILE_WRITE_EA
                                                           FILE_WRITE_ATTRIBUTES
          
                                  BUILTIN\Administrators:(OI)(CI)F
                                  LMFJPDC\Domain Admins:(OI)(CI)F
                                  Everyone:(OI)(CI)R
                                  LMFJPDC\Inventory:(CI)(special access:)
                                                       SYNCHRONIZE
                                                       FILE_READ_DATA
                                                       FILE_WRITE_DATA
                                                       FILE_APPEND_DATA
                                                       FILE_WRITE_EA
                                                       FILE_EXECUTE
                                                       FILE_WRITE_ATTRIBUTES
          
                                  NT AUTHORITY\SYSTEM:(OI)(CI)F
          This should be a little simpler to do and better from a security perspective than a scripting solution. If you don't want users changing the files, you don't want to give them access to change permissions on the files (which your app would do based upon earlier parts of the thread).

          Hopefully this post does not find you to late

          Mark L. @ LMFJ
          Microsoft Certified Systems Engineer: Security

          Comment

          Working...
          X