Author Topic: managing file permissions under windows (madness?)  (Read 7654 times)
urlwolf
« on: April 25, 2009, 06:34:29 AM »

I have to admit I ran XP with admin privs all the time. So I never had to worry about permissions.
However, I want to now separate admin and non-admin user.

It's proven to be a real pain, more so compared to how unix-like OSs do it.
Pain points:
  • Explorer (or TC) do not list file permissions (!), at least that I could find. What's wrong with listing say -rwx------ like in unix? I really need a fast and visual way of looking at permissions. Question: do you know any software that displays permissions graphically?
  • Changing permissions recursively sucks. You have to use cacls.exe, which is very limited. There's setACL.exe, but it is also really ugly compared to chmod and chown. Question: how do you do this? Any tools? Having to right-click > properties > security is very long, and it's not recursive (!)
  • Changing permissions is extremely slow. In unix, it rarely takes seconds, even for a huge tree. In windows, it's been minutes already for a not-so-big tree! Any reason for this madness?
  • You are allowed to do crazy things like eradicate the administrators group. You read that right: you can make it so some user has full permissions on a file, but the admins don't. I have no idea how I managed to do this feat... and I fixed it now. But I'm really curious about what purpose this may fulfill

Not to mention that every action that requires admin privs will prompt for a passwd. So, in a normal day, you can easily type the admin passwd about seven billion orders of magnitude more than on unix.

All in all... (quoting the penguins in "Madagascar" after arriving in Antarctica with a stolen transatlantic ship).
"Well... this sucks".

It makes me think I'm missing the proper tools.

It also makes me think that when mom and pop have to deal with this, they will go crazy.
Is this the end of civilization as we know it?

lanux128
« Reply #1 on: April 25, 2009, 06:44:14 AM »

i had some success with this tool, when i was stuck with WinXP Home, might be useful in your case too..

FaJo XP FSE

Grorgy
« Reply #2 on: April 25, 2009, 06:58:17 AM »

In TC (I'm using the ultima prime version) when the full details list is displayed the attributes show up.  To change the attributes, under the file menu the first option is change attributes.

urlwolf
« Reply #3 on: April 25, 2009, 10:59:55 AM »

I see only very minimal info in TC (like -a--).
What does it mean?

Also, I changed the admin password, only to realize that now it doesn't let me use it.
Maybe typo? Maybe the new one is too short?
I'm disgusted at having to reinstall the entire thing, or have to use a pwd recov. tool on this computer.
It may take ages.

I have no idea how it happened. How could I mistype the pwd twice?
I'm disappointed enough to try Ubuntu 9.04 :)

Shades
« Reply #4 on: April 25, 2009, 12:21:38 PM »

a - archive
r - read only
h - hidden

These will be the ones you see mostly anyway (when using Windows).

When you have physical access to a Windows PC, you can boot from a CD, USB stick or floppy disk with the following tool:
Offline NT Password & Registry Editor
It comes with instructions on how to use it, which is quite easy and should not take too much time...15 minutes in total or so ( including downloading, reading the instructions, burning the iso to a CD, booting from the CD, changing the password and rebooting normally).

fenixproductions
« Reply #5 on: April 25, 2009, 12:38:12 PM »

2urlwolf
a - archive
r - read only
h - hidden
One more: s - system

You can also try few plugins like:
- Security Info - http://www.totalcmd.net/plugring/SecInfo.html
- Attributes: http://www.lefteous.de/tc...attributes/attributes.zip

I think it shouldn't be hard for someone skilled to write a better plugin which could display the same info as Properties dialog :)

You should have studied instead of throwing stones at the school...
--
When I am bored I write for displaynone :)
--
f0dder is my personal hero :)

urlwolf
« Reply #6 on: April 25, 2009, 01:59:57 PM »

fenix: thanks, that helps
Shades: I'll try this when I get home, laptop has no CD burner. Thanks!

MilesAhead
« Reply #7 on: April 25, 2009, 02:31:30 PM »

For future ref. you can create a password reset on a USB key or floppy (if you have a floppy drive)
http://support.microsoft.com/kb/306214

Also, not that it helps much, but MS almost got it right with NT 4 Server.  In the user account templates there is a group called Operators.  If your account was a member of Operators, you could install software, register ActiveX Controls etc.. but you couldn't delete core system files etc..

Trouble with non Server Windows is there's no happy medium.  Guess they tried to move in that direction with Vista but it would have been better if they did the Operator's Group approach I think. Thing is it's really a single-user multi-tasking system trying to act like multi-user.  You need to be Owner with all the crap turned off or you lose your mind!!

In Linux I just kept a console window open where I did an su command if I was going to be installing or messing with stuff.  No clicking on "do you want to do that?"  when if I didn't want to do it, I wouldn't have done it!!  Jeez!!

"Genius is not knowing you can't do it that way."
- MilesAhead

f0dder
« Reply #8 on: April 26, 2009, 07:10:46 AM »

Quote
Explorer (or TC) do not list file permissions. (!), at least that I could find. What's wrong with listing say -rwx------ like in unix?
Explorer is geared towards normal users, who don't need to see this kind of stuff. And given how permissions work on NT, I wonder how you'd represent the permissions. Perhaps calculate the effective permissions for the current user?

Quote
Changing permissions recursively sucks. You have to use cacls.exe, which is very limited.
Limited how? And ugly compared to chmod+chown how? Longer commandlines, sure, but beyond that?

Quote
Changing permissions is extremely slow. In unix, it rarely takes seconds, even for a huge tree. In windows, it's been minutes already for a not-so-big tree! Any reason for this madness?
Hm, using cacls is pretty fast for me - going through the GUI might be slower (like mass-deletes through explorer is slow because it wants to report progress etc), but I've never used the GUI for large trees so wouldn't know :)

Quote
You are allowed to do crazy things like eradicate the administrators group. You read that right: you can make it so some user has full permissions on a file, but the admins don't. I have no idea how I managed to do this feat... and I fixed it now. But I'm really curious about what purpose this may fulfill
It's called flexibility. Traditional unix user/group permissions are extremely limited compared to NT-style ACLs. Granting users and denying administrators might not be a useful thing to do, but stuff like being able to grant multiple groups access to a set of files can be useful - with *u*x permissions, you'd have to create a separate group allowing access to those files, then adding users to that group; messy.

Quote
Not to mention that every action that requires admin privs will prompt for a passwd. So, in a normal day, you can easily type the admin passwd about seven billion orders of magnitude more than on unix.
When running non-root linux, don't you need to sudo when doing administrative tasks? How is this different from Windows?

- carpe noctem

urlwolf
« Reply #9 on: April 26, 2009, 09:15:00 AM »

Quote
2urlwolf
a - archive
r - read only
h - hidden
One more: s - system

You can also try few plugins like:
- Security Info - http://www.totalcmd.net/plugring/SecInfo.html
- Attributes: http://www.lefteous.de/tc...attributes/attributes.zip

I think it shouldn't be hard for someone skilled to write a better plugin which could display the same info as Properties dialog :)

Hi Shades,

Looks like that program doesn't support windows server 2008; I get Missing operating system, and nothing else. I have an XP partition and a windows server 2008 partition.
Do you know of any alternative that works on windows server 2008? If not, I'll keep searching.

Thanks!
@f0dder: in ubuntu, one sudo leaves you with admin rights for a few mins. So you can install a bunch of stuff with one authentication. In windows server 2008, every new thing you want to install will ask you for a passwd. It adds up.

re: speed, my tree was about 24GB, and it took maybe 3-4 hours. No idea how fast that'd be under linux.

urlwolf
« Reply #10 on: April 26, 2009, 12:40:53 PM »

I've tried Hiren's boot cd and I still get "Missing operating system" :/
Could it be because I have two bootable partitions?
windows server 2008 is smart enough to offer the two options; but maybe the boot CDs are not so sophisticated.
Should I eradicate my XP partition?

Shades
« Reply #11 on: April 26, 2009, 01:39:20 PM »

Yes, server editions of Windows have that effect on a lot of software....and as I am not familiar with Win2008 it seems that my advice will not be that useful to you.

When using older versions of windows it was an option to select which (amount of) columns to be shown in Explorer by right-clicking on any of its column headers. You could try if TC changes its folder view according to the default set of Explorer columns.

Likely you are familiar with the 'ls' command under Linux, seems there is also a 'ls' command for Windows (GNU, 385Kbyte). The website shows it is working with Windows 2008. According to the helpfile it is able to show ACL's, SACL's etc. in several formats. Together with CHOWN for Windows (brothersoft link) you should be able to do quite some work regarding permissions (by script at least).

This seems to be an interesting forum thread on techguy.org.
A link to SWXCACLS, which seems to be an interesting tool as well.
There are also the Unix tools for Windows (Sourceforge).

After all, the suggested tools are similar to the nature of Windows 2008, a version that goes 'back to basic' (hardly any GUI). Happy scripting :)

Shades
« Reply #12 on: April 26, 2009, 02:25:41 PM »

Ah, I did not understand your problem correctly.

A boot cd should not care about the partitions on a hard drive. Make sure that your BIOS is set to use a CD/DVD player as the primary boot device. Some bootCD's wait for a while for user interaction to start and without this interaction let the system boot normally from hard drive after this grace period. That could be an explanation for your problem with the Hirens BootCD.

The content of the Hirens BootCD is unknown to me, but I'll guess it contains a lot of software to repair broken systems as well. Going from that assumption, it is very likely that there is a software package on the CD that can show and/or edit partitions on any hard drive recognized by the BIOS.

Start that piece of software and check which partition is set to 'Active', as far as I know only primary partitions can be set to 'Active'. It is also not possible to set more than one 'Active' partition per hard drive and (by default) you cannot put more than four primary partitions on a hard drive. The 'Active' partition is used by the BIOS to start the Operating system. However, the Operating system will not be able to start if the 'Active' partition does not contain any of the following files:
  • ntldr
  • ntdetect.com
  • boot.ini

From these files only the 'boot.ini' file is easily fixed.
For example, this is the content of my boot.ini file (XP)
[boot loader]
timeout=15
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS means: use this entry as the default Operating system
multi(0) means: single hard drive
rdisk(0) means: first available drive
partition(1) means: first available partition
\WINDOWS="Microsoft Windows XP Professional" means: default WINDOWS folder and name
/fastdetect means: important setting for NTDETECT.COM.

For example, this is how the content of your dual boot system would look like
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows 2008 Server edition" /fastdetect


Above boot.ini file makes sure that Win2008 is started by default. More info (Microsoft) about the boot.ini file

Stoic Joker
« Reply #13 on: May 01, 2009, 03:51:10 PM »

Quote
I've tried Hiren's boot cd and I still get "Missing operating system" :/
Could it be because I have two bootable partitions?
windows server 2008 is smart enough to offer the two options; but maybe the boot CDs are not so sophisticated.
Should I eradicate my XP partition?

Dual boot config shouldn't trip the CD that badly. I could see it skipping the 2nd OS and jumping into the 1st. ...But missing OS error? That sounds like a missing RAID driver type of issue to me.

Edvard
« Reply #14 on: May 01, 2009, 07:09:39 PM »

Quote
@f0dder: in ubuntu, one sudo leaves you with admin rights for a few mins. So you can install a bunch of stuff with one authentication. In windows server 2008, every new thing you want to install will ask you for a passwd. It adds up.
And 'sudo bash' gives you an entire session to root around in (pun intended)...

All children left unattended will be given a mocha and a puppy.

f0dder
« Reply #15 on: May 01, 2009, 09:08:47 PM »

Quote
@f0dder: in ubuntu, one sudo leaves you with admin rights for a few mins. So you can install a bunch of stuff with one authentication. In windows server 2008, every new thing you want to install will ask you for a passwd. It adds up.
And 'sudo bash' gives you an entire session to root around in (pun intended)...
You can start a shell with administrative privileges on Windows as well :) - I guess the biggest deficiency is that you can't (through the use of existing tools, anyway) say "give my user full admin+UAC rights for X minutes", which could be useful when dealing with control panel stuff (Win7's "control panel doesn't need UAC" UAC-level turned out to be insecure).

If you need to install a whole bunch of stuff (how often do you need that besides system install time?), couldn't you just either
1) log in with an administrative account
2) start a cmd.exe shell with admin privs and launch the installers from there

?

- carpe noctem

MilesAhead
« Reply #16 on: May 02, 2009, 01:00:49 PM »

When I was messing with NT 4 Server there was a guy who ported su to Windows.  You could have your user account in Operators group, so that you could install software, register ActiveX Controls, do backups etc.. but for higher privilege work you could su with the admin password.  The neat thing is he had a utility for creating shortcuts for common tasks.   He had some encryption method so that your Admin password wasn't stored in the shortcut.  I think you had to set it up by running a utility for the particular shortcut. The encrypted password input only worked for that shortcut. I don't remember all the details but it was pretty secure while still easy to use.


"Genius is not knowing you can't do it that way."
- MilesAhead

pencoe
« Reply #17 on: May 06, 2009, 02:14:21 AM »

On XP there is "runas". And since SP2(?) there is a commandline switch called /savecred. Now create a batch file to start one of the myriads of Explorer alternatives (TC, Altap Salamander, WinCommander,...: hey, they are all better than Explorer 8) ) with "runas /user:administrator /savecred MyExplorerAlternative". On the first run you will be asked for the admin password, but for the following time you will have a convenient way to use admin rights without any questions (like sudo on unix)...

I use this on my home PC every time I need admin rights.

Bye, Peter

f0dder
« Reply #18 on: May 06, 2009, 05:44:22 AM »

What's the security implications of /savecred ?

- carpe noctem

songless
« Reply #19 on: May 29, 2009, 01:39:31 PM »

Nice thread. Windows filesystem security is VERY powerful, you can have an actually secure system if you create several users and run programs under the adequate user, and the shell under a limited account.

But yes... it's difficult to maintain, slow and not intuitive. Having for example 10 users for security profiles, you'll have 10 logins at welcome screen unless you hide the users using the registry trick or a program that does it.
And running programs as another user is a bit irritating because you can't drag and drop between them and so on...

I'll love to have an option to restrict a program to only have access to its folder ( ideal for portable software ), for example for uTorrent or eMule. Doing this in Windows is a pain in the ass.
Then we have the security model of Vista/7 that solves the administrator problem ( well done, it's the most important problem ) but there is no new solution to run software with different users ( = different filesystem rules, registry, ... ).

I am tired too, I would be glad to pay for shareware that builds a security layer above Windows one and it's EASY to administer.

mwb1100
« Reply #20 on: May 29, 2009, 02:08:17 PM »

Quote
You are allowed to do crazy things like eradicate the administrators group. You read that right: you can make it so some user has full permissions on a file, but the admins don't. I have no idea how I managed to do this feat... and I fixed it now. But I'm really curious about what purpose this may fulfill

Remember that this security architecture is designed to support large organizations (even military - to a certain level).  For example, you may have an enterprise where the admins who maintain the systems are not permitted to access sensitive files such as payroll or health records (this is actually probably quite common).  In these cases the admin group would not have permission for these files.  However, since admins are all-powerful, there is a 'loophole' - an admin is always allowed to take ownership of a file system object.  Once the admin is the owner, he has access to the file (or at least the ability to modify permissions to give access - the Windows security model is flexible enough to even deny owners access to file objects, but an owner can always modify permissions).

The one part of the loophole that admins can't close in this scenario is that changing ownership of the object gets logged, so if this occurs there's at least an audit trail (and if the admin deletes the logs, there's an audit trail of that).
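
Added example, not written by any poster in this thread: a simplified Python model of how an NT-style DACL is evaluated, covering the points raised in Reply #8 (ordered allow/deny entries, effective permissions for one user) and Reply #20 (administrators with no access who can still take ownership, which leaves an audit record). The bit values, class names, the `sysadmin` and `alice` accounts and the `audit_log` list are constructed for illustration and are not the Windows API.

```python
from dataclasses import dataclass, field

# Constructed bit values for illustration (not the real Windows access masks).
READ, WRITE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16, 32
ALL_BITS = (READ, WRITE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER)
FULL = sum(ALL_BITS)

@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the entry applies to
    mask: int

@dataclass
class Token:
    user: str
    groups: frozenset
    take_ownership: bool = False   # models the admins' take-ownership privilege

    def matches(self, trustee):
        return trustee == self.user or trustee in self.groups

@dataclass
class FileObject:
    owner: str
    dacl: list
    audit_log: list = field(default_factory=list)  # stand-in for the security log

def access_check(tok, obj, desired):
    """True only if every bit in `desired` ends up granted."""
    granted = 0
    if tok.matches(obj.owner):
        granted |= READ_CONTROL | WRITE_DAC   # an owner can always edit the DACL
    if tok.take_ownership:
        granted |= WRITE_OWNER
    for ace in obj.dacl:                      # entries are evaluated in stored order
        if not tok.matches(ace.trustee):
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False                      # a still-needed bit is explicitly denied
        if ace.kind == "allow":
            granted |= ace.mask
        if desired & ~granted == 0:
            return True
    return desired & ~granted == 0            # no matching entry means no access

def effective_rights(tok, obj):
    """Per-user effective permissions: the bits that would pass access_check."""
    return sum(bit for bit in ALL_BITS if access_check(tok, obj, bit))

def take_ownership(tok, obj):
    if not access_check(tok, obj, WRITE_OWNER):
        raise PermissionError("WRITE_OWNER not granted")
    obj.audit_log.append(f"owner changed: {obj.owner} -> {tok.user}")
    obj.owner = tok.user

def set_dacl(tok, obj, dacl):
    if not access_check(tok, obj, WRITE_DAC):
        raise PermissionError("WRITE_DAC not granted")
    obj.dacl = dacl

def demo():
    # Constructed scenario: payroll file accessible to the Payroll group only.
    admin = Token("sysadmin", frozenset({"Administrators"}), take_ownership=True)
    payroll = FileObject("alice", [Ace("allow", "Payroll", FULL)])
    before = effective_rights(admin, payroll)      # only WRITE_OWNER
    take_ownership(admin, payroll)                 # leaves an audit record
    set_dacl(admin, payroll, payroll.dacl + [Ace("allow", "Administrators", READ)])
    return before, effective_rights(admin, payroll), payroll.audit_log
```

Because entries are checked in stored order, a deny entry placed after a matching allow entry never takes effect in this model, which is why the order of entries matters when reviewing a listing.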
