Reading the access attributes of directories in Windows

Nobody nobody at nowhere.com
Sun Aug 22 06:27:32 CEST 2010


On Fri, 20 Aug 2010 19:41:44 +0200, Thomas Jollans wrote:

>> "Create Folders" and "Delete Subfolders and Files" correspond to having
>> write permission on a directory.
> 
> How does append differ from write? If you have appending permissions, but not 
> writing ones, is it impossible to seek? Or is there a more complex "block" 
> that bites you when you seek to before the old end of file and try writing 
> there?

If you have append permission, you can open a file in append mode. AFAICT,
this behaves the same as O_APPEND on Unix, i.e. all writes are
automatically appended to the file, regardless of the current offset.

Having this as a separate permission allows normal users to add entries to
log files but not to erase existing entries.

> Makes me wonder whether SELinux makes changes in this area, and if so,
> how far-reaching they are. 

SELinux adds finer-grained permissions (e.g. append is distinct from
write), but also adds role-based checks, i.e. permissions are attached to
individual programs, which limits the extent to which a bug or misfeature
can be exploited.

>> 3. The owner can be either a user or a group.
> 
> What about both?

A file/directory only has one owner. 

>> 4. On Windows, a file cannot be "given away" either by its owner or an
>> administrator. You can grant the "Take Ownership" permission, but
>> the recipient still has to explicitly change the ownership.
> 
> Really? So the operating system actually places restrictions on what the 
> administrator can do? 

Yes, although doubtless such constraints can be circumvented (if you can
install software, you can use the account of anyone who uses the software).

> Or is there a fine distinction here between administrator-accounts in general 
> and the NT "Administrator" account that at least some versions of Windows (xp 
> home edition springs to mind) appear to try to hide as best they can ?

I don't think that the "Administrator" account is special. AFAICT, any
member of the Administrators group has the same privileges.
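The append-versus-write distinction discussed earlier in this message (append mode behaving like O_APPEND, so an append-only writer can add log entries but not erase earlier ones) can be seen directly from Python. The following is an added example, not code from the original thread or from any poster; it assumes only the standard library and a temporary file holding a constructed sample log, and it contrasts a seek-then-write in append mode (`ab`) with the same operation in read/write mode (`r+b`).

```python
"""Added example (not from the original thread): show that a file opened in
append mode ignores the current offset, so a writer limited to appending
cannot overwrite earlier log entries, whereas an 'r+' writer can.
Everything runs against a temporary file constructed inline."""
import os
import tempfile

# Constructed sample log content; not taken from any real system.
SAMPLE_LOG = b"line1: login ok\nline2: sudo used\n"


def _fresh_log():
    """Create a temp file holding SAMPLE_LOG and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_LOG)
    return path


def write_at_start(path, data, mode):
    """Open `path` in `mode` ('ab' or 'r+b'), seek to offset 0, write `data`,
    and return the resulting file contents as bytes."""
    with open(path, mode) as f:
        f.seek(0)          # try to position at the beginning of the file
        f.write(data)      # in 'ab' mode the OS forces this to the end anyway
    with open(path, "rb") as f:
        return f.read()


def demo_append_vs_write():
    """Run the same seek-then-write in both modes.

    Returns (append_result, overwrite_result): the file contents after
    writing in 'ab' mode and in 'r+b' mode respectively."""
    data = b"XXXXX"
    p1 = _fresh_log()
    p2 = _fresh_log()
    try:
        appended = write_at_start(p1, data, "ab")      # lands at end of file
        overwritten = write_at_start(p2, data, "r+b")  # clobbers the first bytes
    finally:
        os.unlink(p1)
        os.unlink(p2)
    return appended, overwritten


if __name__ == "__main__":
    a, w = demo_append_vs_write()
    print("append mode :", a)   # original log followed by XXXXX
    print("r+ mode     :", w)   # first five bytes of the log replaced by XXXXX
```

The append-mode result keeps every original entry intact, which is the property an append-only permission on a log file is meant to guarantee; the read/write result shows what a user with full write access could do to the same file.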
