I was working on setting up a network share (see the story below) and I ran into some odd behavior with NTFS permissions. The "CREATOR OWNER" object seems to only be able to list "Special" permissions in the "Security" tab. No matter what I do, the system reverts back to this setting. Is there a way to get the "CREATOR OWNER" entry to list anything other than Special in the Security tab? It would make checking for permission mistakes so much easier, since I wouldn't have to dive into the Advanced tab to see what permissions I set for this group. This is on a Windows 7 client connecting to a Windows Server 2008 share.
Bonus Question:
I also would like to know why the "CREATOR OWNER" group can't apply permissions to "This folder". This seems like a weird quirk of this group that must have a story behind why it was set up this way.
I did some searching and found the "How Permissions Work" technet article. I browsed through looking for information on the "OWNER" permission and only found some information on how that permission works.
[Background Story]
So I have a network share where users will create a folder to store their work on a particular project. Files in each user's folder are private due to the parameters given to me by the project managers. On top of that parameter, the users of this folder will change constantly through the year, some for only a few days. So to make the administrative overhead as low as possible, I set up the permissions as follows:
- Users Group - Allow - List folder contents
- Users Group - Allow - Write
- CREATOR OWNER - Allow - Modify
I set the permissions, hit OK, and everything works. Later, when I come back to add the content manager group to the Security tab, I notice something odd. The "CREATOR OWNER" entry has switched from Modify to Special. I go into Advanced permissions and I notice that the "CREATOR OWNER" only applies to "Subfolders and files only". I then try to reset the "Apply to" drop-down to "This folder, subfolders and files", but it switches back as soon as I hit "Apply".
Thanks
CREATOR OWNER access control entries should always be inherit-only, because it doesn't make sense for them to apply to any actual object. When using recent versions of Windows with the modern API, all CREATOR OWNER entries are automatically marked inherit-only.
In the advanced GUI, the inherit-only flag translates as "Subfolders and files only". Changing it to "This folder, subfolders and files" would have the effect of clearing the inherit-only flag, which can't be done for CREATOR OWNER. The basic GUI should probably not be showing this as Special, but I guess MS didn't think of this special case.
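As an added example (not code from the thread, and not Microsoft's own documentation), here is the setup from the question done in PowerShell, with the CREATOR OWNER entry written inherit-only as the answer above describes, plus a small audit function that reads the inheritance and propagation flags the basic Security tab hides behind "Special". The share path C:\Shares\Projects is a placeholder; everything else uses the .NET FileSystemAccessRule API and well-known SIDs so it does not depend on the display language.

```powershell
# Added example, not from the original thread. Assumes an existing test folder
# C:\Shares\Projects (placeholder path) and an elevated PowerShell session.
$Path = 'C:\Shares\Projects'

# Well-known SIDs: S-1-3-0 = CREATOR OWNER, S-1-5-32-545 = BUILTIN\Users
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-3-0'
$Users        = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'

$FolderOnly      = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$FoldersAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$None            = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly     = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Ace {
    # Build an Allow ACE; the inheritance/propagation flags are what the Advanced tab
    # shows as the "Apply to" column.
    param($Identity, $Rights, $Inheritance, $Propagation)
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, $Rights, $Inheritance, $Propagation, 'Allow')
}

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent, drop inherited ACEs
# Users: "List folder contents" = ReadAndExecute applied to folders only, and "Write"
$acl.AddAccessRule((New-Ace $Users 'ReadAndExecute' $FolderOnly $None))
$acl.AddAccessRule((New-Ace $Users 'Write' $FoldersAndFiles $None))
# CREATOR OWNER: Modify, inherit-only. It grants nothing on the folder itself; it is a
# template that is copied onto new subfolders and files as an ACE for the creating user.
$acl.AddAccessRule((New-Ace $CreatorOwner 'Modify' $FoldersAndFiles $InheritOnly))
# Add your administrators / content manager group ACEs here in the same way.
Set-Acl -Path $Path -AclObject $acl

function Get-CreatorOwnerAce {
    # List the CREATOR OWNER ACEs on a path together with the flags the basic tab hides.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-3-0'
    } | Select-Object FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags, IsInherited
}

function Test-CreatorOwnerInheritOnly {
    # True when the path has CREATOR OWNER ACEs and every one of them is inherit-only,
    # which is the state Windows enforces for this identity.
    param([string]$Path)
    $aces = @(Get-CreatorOwnerAce -Path $Path)
    $notInheritOnly = @($aces | Where-Object { -not $_.PropagationFlags.HasFlag($InheritOnly) })
    ($aces.Count -gt 0) -and ($notInheritOnly.Count -eq 0)
}

Get-CreatorOwnerAce -Path $Path | Format-Table -AutoSize
Test-CreatorOwnerInheritOnly -Path $Path
```

For a quick check from a plain command prompt, `icacls C:\Shares\Projects` prints the same entry as `CREATOR OWNER:(OI)(CI)(IO)(M)`: OI and CI are the object/container inheritance flags and IO is the inherit-only flag that the basic Security tab can only summarise as "Special".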
CREATOR OWNER is primarily for dynamic permissioning as people create stuff in a folder that they have conventional rights to rather than lazy permissioning. If you think of it in this way the concept might make more sense.
This is simply a limitation of mapping between the POSIX ACLs available in Linux and Windows ACLs.
Talking about a folder, in POSIX ACLs you can assign default permissions for the items created inside. You can do it explicitly for named users and groups, but there are two defaults that apply to the future owners (user and group) of the file/folder to be created.
Those are mapped to CREATOR OWNER and CREATOR GROUP respectively. They don't apply to the current directory, so when you look in the Windows UI, you'll see that those apply to "Subfolders and files only". Windows would treat it as a special permission and show it as such.
For each directory you'd also have permissions assigned to owner and group.
Those however get immediately translated to the actual owner and group when queried by Windows. Even if you grant the CREATOR OWNER the rights to this folder too, this change will be lost - because Windows will see it as a change to the permissions to the actual owner.
So in the UI you'd probably see:
Unfortunately I don't know anything to merge it into anything more readable.
And it gets just slightly less tricky when dealing with NFSv4 ACLs...
The permission "CREATOR OWNER" - "This folder, subfolders and files" is restricted by the system to "Subfolders and files only".
Users who are creators cannot create their folders.