[WinMac] Security settings weirdness with SFM

From: Bruce Johnson (johnson[at]pharmacy.arizona.edu)
Date: Fri May 09 2003 - 14:31:36 EDT


    While looking into a problem yesterday (that turned out to be unrelated)
    I noticed something strange with the security settings of files on our
    server.

    Setup:

    Server: Win2K with SFM enabled. Both SP2 and SP3 patch levels; it happens
    on servers at both levels.

    Clients: Mac OS X 10.2.6 down to 8.1.

    The file permissions on the folders are set to:

    The user: full control.
    Domain Admins: full control.

    with all child files and directories inheriting these settings.

    (The share permissions are set the same way.)

    When *folders* are copied to the server, they and the files they contain
    pick up all sorts of additional permissions:

    (This file was in a folder copied over)

    P:\>cacls "Facagenda 92000.doc"

    P:\Facagenda 92000.doc NT AUTHORITY\SYSTEM:(special access:)
                           STANDARD_RIGHTS_ALL
                           DELETE
                           READ_CONTROL
                           WRITE_DAC
                           WRITE_OWNER
                           SYNCHRONIZE
                           STANDARD_RIGHTS_REQUIRED
                           FILE_GENERIC_READ
                           FILE_GENERIC_WRITE
                           FILE_GENERIC_EXECUTE
                           FILE_READ_DATA
                           FILE_WRITE_DATA
                           FILE_APPEND_DATA
                           FILE_READ_EA
                           FILE_WRITE_EA
                           FILE_EXECUTE
                           FILE_READ_ATTRIBUTES
                           FILE_WRITE_ATTRIBUTES

       Everyone:(special access:)
                READ_CONTROL
                SYNCHRONIZE
                FILE_READ_ATTRIBUTES

       PHARMACY\Domain Users:(special access:)
                             READ_CONTROL
                             SYNCHRONIZE
                             FILE_READ_ATTRIBUTES

       PHARMACY\jacobse:(special access:)
                        READ_CONTROL
                        WRITE_DAC
                        WRITE_OWNER
                        SYNCHRONIZE
                        FILE_READ_ATTRIBUTES

      PHARMACY\Domain Admins:F

      PHARMACY\JacobsonAdm:F

    All files are supposed to be inheriting permissions from the parent
    folder, which does show the proper permissions.

    Here's what they're *supposed* to look like:

    (This file was moved by itself)

    P:\>cacls e.doc
    P:\E.doc PHARMACY\Domain Admins:F
              PHARMACY\JacobsonAdm:F

    This file was saved on the server (to my own share, from a Mac running
    OS 8.1 and AppleShare 3.8):

    L:\>cacls "test of perms weirdness"
    L:\test of perms weirdness PHARMACY\johnson:F
                                PHARMACY\Domain Admins:F

    But if I create a folder on the server, it appears that all these
    additional permissions get attached, so if I create a new folder then
    save the file in the new folder in the save dialog it looks like:

    L:\newcreted folder>cacls "test of perms wierdness"
    L:\newcreted folder\test of perms wierdness

    NT AUTHORITY\SYSTEM:(special access:)
                        STANDARD_RIGHTS_ALL
                        DELETE
                        READ_CONTROL
                        WRITE_DAC
                        WRITE_OWNER
                        SYNCHRONIZE
                        STANDARD_RIGHTS_REQUIRED
                        FILE_GENERIC_READ
                        FILE_GENERIC_WRITE
                        FILE_GENERIC_EXECUTE
                        FILE_READ_DATA
                        FILE_WRITE_DATA
                        FILE_APPEND_DATA
                        FILE_READ_EA
                        FILE_WRITE_EA
                        FILE_EXECUTE
                        FILE_READ_ATTRIBUTES
                        FILE_WRITE_ATTRIBUTES

    Everyone:(special access:)
             READ_CONTROL
             SYNCHRONIZE
             FILE_READ_ATTRIBUTES

    PHARMACY\Domain Users:(special access:)
                          READ_CONTROL
                          SYNCHRONIZE
                          FILE_READ_ATTRIBUTES

    BUILTIN\Administrators:F
    PHARMACY\johnson:F
    PHARMACY\Domain Admins:F

    So it appears that this is occurring when a new directory is created by a
    Mac...

    Is this a bug or feature or what?

    -- 
    Bruce Johnson
    University of Arizona
    College of Pharmacy
    Information Technology Group
    

    Institutions do not have opinions, merely customs

    *** Windows-MacintoshOS Cooperation List *** FAQ: http://www.darryl.com/winmacfaq/ Archive: http://www.darryl.com/winmac/
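
One way to audit a share for the ACL drift shown in the listings above, as an added example that is not part of the original post: it parses `cacls` output in the layout quoted in the message and reports every trustee outside the intended baseline, marking those that can rewrite the ACL. The names `parse_cacls`, `audit`, `SAMPLE` and `BASELINE` are hypothetical, and the parser assumes file listings as shown (no directory inheritance flags).

```python
import re

# ACE header: "TRUSTEE:F" (or R/W/C/N) or "TRUSTEE:(special access:)"; any other
# non-blank line is a right name belonging to the preceding special-access ACE.
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<perm>[FRWCN]|\(special access:\))$")
ACL_CONTROL = {"WRITE_DAC", "WRITE_OWNER"}  # rights that let a trustee rewrite the ACL

def parse_cacls(path, output):
    """Return {trustee: 'F'/'R'/... or a set of right names} for one file."""
    text = output.strip()
    if text[:len(path)].lower() == path.lower():  # first ACE shares the path's line
        text = text[len(path):]
    acl, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = ACE_RE.match(line)
        if m:
            current = m["trustee"]
            acl[current] = set() if m["perm"].startswith("(") else m["perm"]
        elif line and current and isinstance(acl[current], set):
            acl[current].add(line)
    return acl

def audit(path, output, expected):
    """Map each trustee outside the baseline to (rights, can_rewrite_acl)."""
    allowed = {t.lower() for t in expected}
    findings = {}
    for trustee, rights in parse_cacls(path, output).items():
        if trustee.lower() not in allowed:
            control = rights == "F" or bool(ACL_CONTROL & set(rights))
            findings[trustee] = (rights, control)
    return findings

# Constructed sample: the post's first listing with the right lists shortened.
SAMPLE = r"""P:\Facagenda 92000.doc NT AUTHORITY\SYSTEM:(special access:)
                       WRITE_DAC
   Everyone:(special access:)
            READ_CONTROL
            FILE_READ_ATTRIBUTES
   PHARMACY\jacobse:(special access:)
                    READ_CONTROL
                    WRITE_DAC
                    WRITE_OWNER
  PHARMACY\Domain Admins:F
  PHARMACY\JacobsonAdm:F
"""
BASELINE = [r"PHARMACY\Domain Admins", r"PHARMACY\JacobsonAdm"]  # intended ACL per the post

if __name__ == "__main__":
    for who, (rights, control) in audit(r"P:\Facagenda 92000.doc", SAMPLE, BASELINE).items():
        print(who, rights, "CAN REWRITE ACL" if control else "")
```

Run against saved `cacls` output for each file under a share, an empty result means the file carries only the baseline entries, as in the `E.doc` listing.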
