
Write Attributes and Write Extended Attributes

Posted by Will on October 31, 2005, 1:30 am
Can someone explain to me why many Windows 2000 applications appear to
require that anyone with read and execute permission has "write attributes"
and "write extended attributes" permissions enabled? When I turn on
auditing, I see hundreds of messages in the Event Viewer security log for
nearly everyone in the Users group for failing to acquire needed permissions
on cmd.exe, shell32.dll, etc. In examining the permission list that the
users need, the only permissions we have failed to enable for users are
"write attributes" and "write extended attributes". Those permissions
don't seem like something you would want to give users for every file on the
system, and I'm perplexed why Windows would need such permissions on many of
its applications.

--
Will




Posted by Roger Abell [MVP] on November 1, 2005, 6:11 am
I do not believe that Windows does need such permissions, as you have
stated. When I enable logging similarly I do not get what you indicate
in the event log. Thus, I am thinking it is some other aspect of the total
system load, MS plus other software, that is operative here. It used to
be pretty common to see software developers being lazy and not using
a minimal list of requested accesses when getting handles to things, and
that is MS and third-party developers, so perhaps there is some such
residual older software installed?





Posted by Will on November 6, 2005, 8:48 pm
So what is the workaround to a badly behaved application? I assume it is
setting some environment setting that is inherited whenever it starts some
process? It really does pollute the event log to see constant security
messages of this kind.

--
Will






Posted by Roger Abell [MVP] on November 7, 2005, 2:28 pm
At the API level an application can state what permissions
it wants, and it gets back a list of what was available.
Lazy authors just ask for everything, hence failures.

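Added example, not part of the thread and not code from either poster: a portable C model of the comparison between the access rights an application requests when it opens a file and the rights the ACL grants, applied to the Read & Execute case discussed above. The constant values are those of winnt.h; `map_generic` and `denied_rights` are hypothetical helper names, and the grant in `main` is a constructed case.

```c
#include <stdint.h>
#include <stdio.h>

/* File access-right bits, values as defined in winnt.h. */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_EA          0x00000008u
#define FILE_WRITE_EA         0x00000010u
#define FILE_EXECUTE          0x00000020u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define READ_CONTROL          0x00020000u
#define SYNCHRONIZE           0x00100000u
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_EXECUTE       0x20000000u
#define FILE_GENERIC_READ    (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | \
                              FILE_READ_ATTRIBUTES | FILE_READ_EA)
#define FILE_GENERIC_WRITE   (READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA | \
                              FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)
#define FILE_GENERIC_EXECUTE (READ_CONTROL | SYNCHRONIZE | FILE_EXECUTE | \
                              FILE_READ_ATTRIBUTES)

/* Expand GENERIC_* bits into file-specific rights (the file generic mapping). */
uint32_t map_generic(uint32_t desired) {
    uint32_t m = desired & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
    if (desired & GENERIC_READ)    m |= FILE_GENERIC_READ;
    if (desired & GENERIC_WRITE)   m |= FILE_GENERIC_WRITE;
    if (desired & GENERIC_EXECUTE) m |= FILE_GENERIC_EXECUTE;
    return m;
}

/* Rights requested but not granted. Non-zero means the open is refused and,
 * with failure auditing enabled for the file, a security log entry results. */
uint32_t denied_rights(uint32_t desired, uint32_t granted) {
    return map_generic(desired) & ~granted;
}

int main(void) {
    /* Constructed case: Users hold Read & Execute on a system binary. */
    uint32_t users   = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE;
    uint32_t minimal = GENERIC_READ | GENERIC_EXECUTE;
    uint32_t broad   = minimal | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA;
    printf("minimal request, denied bits: 0x%08x\n", (unsigned)denied_rights(minimal, users));
    printf("broad request, denied bits:   0x%08x\n", (unsigned)denied_rights(broad, users));
    return 0;
}
```

A non-zero result names exactly the bits to look for in the audit entry, which helps separate software that requests more than it uses from software that genuinely needs to change attributes.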




Posted by Will on November 7, 2005, 4:18 pm
I'm looking for possible workarounds for lazy software. One possible
workaround: Microsoft has a Compatibility tab on the startup properties
dialog for each EXE, and maybe we could set this to Windows 95, etc.?

--
Will




