
Why is "View Permissions" required for RO Access


gmail2

Programmer
Jun 15, 2005
987
IE
This is something I encountered a few years ago but never investigated. I ran into this issue again today, and it's bugging me. If I have some sensitive files that I want users to be able to read - why on earth do I have to allow them "View Permissions" also? I'm guessing this is something to do with enumerating the permissions, but the user doesn't decide if he/she is allowed to access a file, so why does it matter if he/she has been allowed to view permissions? I've tried googling this but come up with nothing so far, and a search on this forum turned up nothing either (that I could find).

Anybody any ideas at all?

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
I guess it depends on how MS considers what constitutes a Read right. They figure the 'read' right would allow the user to read all attributes of a particular file and not only the data. With that said, I guess they expect you to modify the ability to 'read' permissions through the Effective permissions tab.
It's not the technical answer you are probably looking at, but that's how I figured it is applied.
 
I'm not sure where you are getting this "view" permission.

The difference between "List Folder Contents" and "Read" is to which objects the right grants access. In this case Folders or Files, respectively.

List Folder Contents allows a user to read the contents and attributes of a folder object, such as a list of child objects (files and other folders). It also grants rights to read the attributes of child folders (not files).

Read grants the access listed above and adds the ability to read the contents and attributes of file objects.

I hope this is the answer you are looking for.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
I understand the difference between read permissions & list folder permissions. There's also a permission called "view permissions" which (afaik) permits the user/group to view the security on that object (e.g. using cacls or by viewing the security tab). My question is if I want to give a user read access to a file, why does the user require the "view permissions" permission?

 
Sorry... I was looking at too high a level. I see what you are talking about.

This right is used by an integrated function in Windows called "GetSecurityInfo" (See Here), which I imagine is called every time a process attempts to access an object.

Basically, if you can't read your permissions to an object, you aren't granted access to it, because Windows can't determine what permission you have.

I guess the true questions are: Why is the permission even an option? When would you deny it?

Also, look HERE at "READ_CONTROL".

PSC

 
No problem, and thanks for the speedy reply. So essentially the permissions are "calculated by the user account" then.

Yea, I think you're right - the question really is why is the permission an option. I can't see any practical implementation when you would want to grant a user/group ONLY that one permission. Giving somebody permission to view the security on an object without allowing them to read it would be pointless.

But like I said, so long as I'm not the only one that finds it doesn't quite make sense, I'm happy enough for now :)

 
I suppose you could use the right for an auditing application that walked the directory tree.

Now that's "least privilege" security in its most nitty-gritty form!

PSC

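Added example, not part of any post in this thread: a small Python parser that expands the rights in an SDDL DACL and labels each ACE by whether it carries READ_CONTROL (the "Read permissions" right mentioned above), including the permissions-only grant suggested for an auditing tool. The mask values are Windows SDK constants; the sample SDDL string, its SID and the function names are constructed for illustration.

```python
import re

# Access-mask constants from the Windows SDK (winnt.h).
READ_CONTROL = 0x020000    # "Read permissions" in the ACL editor
FILE_READ_DATA = 0x000001  # "List folder / read data"
SDDL_RIGHTS = {  # SDDL rights codes seen on files -> access mask
    "FA": 0x1F01FF,  # FILE_ALL_ACCESS
    "FR": 0x120089,  # FILE_GENERIC_READ, includes READ_CONTROL
    "FW": 0x120116,  # FILE_GENERIC_WRITE, includes READ_CONTROL
    "FX": 0x1200A0,  # FILE_GENERIC_EXECUTE, includes READ_CONTROL
    "RC": 0x020000, "SD": 0x010000,  # READ_CONTROL, DELETE
    "WD": 0x040000, "WO": 0x080000,  # WRITE_DAC, WRITE_OWNER
}
# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def rights_to_mask(rights):
    """Expand an SDDL rights field ('FR', 'RCWD', '0x100089') to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError: code not in table
    return mask

def classify(mask):
    """Label a mask by how it combines data access and READ_CONTROL."""
    data, acl = bool(mask & FILE_READ_DATA), bool(mask & READ_CONTROL)
    if data and acl:
        return "data+permissions"
    if acl:
        return "permissions-only"
    return "data-without-permissions" if data else "other"

def audit_dacl(sddl):
    """Return (ace_type, trustee, mask, label) for each ACE in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if dacl is None:
        return []  # no DACL section, or one with no ACEs
    return [(t, who, rights_to_mask(r), classify(rights_to_mask(r)))
            for t, r, who in ACE_RE.findall(dacl.group(1))]

# Constructed sample: this SDDL string and its SID are made up.
SAMPLE = ("O:BAG:BAD:PAI(A;;FA;;;BA)(A;;FR;;;BU)"
          "(A;;RC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
          "(A;;0x100089;;;AU)")

if __name__ == "__main__":
    for ace_type, who, mask, label in audit_dacl(SAMPLE):
        print(f"{ace_type} {who:<48} {mask:#010x} {label}")
```

The `FR` entry shows that the generic read mask already contains the READ_CONTROL bit, while the last sample ACE is a hand-built mask with that bit cleared.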
 