lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 9 Mar 2007 19:00:05 +0100
From: "Michele Cicciotti" <mc@...msa.net>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Microsoft Windows Vista/2003/XP/2000
	file	management security issues

>  Scenario  1.1:
> 
>  Bob  wishes  to  create "Bob private data" folder in "Public" folder to
>  place  few private files. "Public" has at least "Write" permissions for
>  "User" group. Bob:

This is, of course, wrong. You muddy the issue with the "Write permissions for User group" red herring and we are all supposed to oooh and aaah at your sleigh-of-hand trickery. Of course, a proper public repository for private folders should have saner settings than that, to begin with.

On my pet Windows Server 2003 machine, for example, I have created a "Protected" folder under "Shared Documents" (and why the hell don't server editions show "Shared Documents" under "My Computer" anyway?) before even thinking about sharing it, having recognized this risk scenario a long time ago ("what if a virus infected all those world-writable setup executables on public network shares?"); it's not really about "private" folders as much as "secure" folders with files that everyone can read but only the owner can write or delete

I have tried to create a "secure public" folder like the one you describe. Its ACL is a pretty complicated affair (not pictured: full access to Administrators and SYSTEM everywhere):
 * CREATOR OWNER: full access, subfolders and files, non-inheritable
 * Everyone: read-write, files only, non-inheritable
 * Everyone: read + create files + create folders, folder only
    = everyone can create files and folders

A file created under said folder gets the following default ACL: 
 * Everyone: read-write access
 * owner: full access
    = new files are public

A subfolder (or a subfolder of any subfolder) will get, instead:
 * CREATOR OWNER: full access, subfolders and files, inheritable
 * owner: full access, folder only, non inheritable
    = new folders are private

A file created inside a subfolder will get:
 * owner: full access
    = new files under private folders are private

Is this what you might be looking for?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ