0

Windows Server 2003 on i386.

FTP server is running as the SYSTEM user/group.

Some files we want served (read and write) are owned by the group 'ftp'.
ftp has full read/write/whatever permissions on those files and directories.

SYSTEM can't read/write those directories. So, I added SYSTEM to the 'ftp' group. Windows happily complied, but even after restarting Filezilla, it still could not read/write those files.

Is there any way to do what we want without "re-permissioning" all those files? Running the ftp server as 'ftp' isn't really an option because it also serves files that are owned by SYSTEM (And not ftp).
Sigh... :)

Any insights?

splattne
  • Upon further investigation, it seems Windows treats the SYSTEM group differently.  Another user in the ftp group has all the same permissions as 'ftp' (as determined by the effective permissions tool), but the SYSTEM group does not seem to inherit those permissions. Wha? –  Feb 17 '10 at 22:30

3 Answers

0

System (Local system) is not a group, it's a local account with a fixed well known security identifier that is used to allow services to act with the highest level of privilege on the local system. When services running under this context need to act in a network context they present the system's Computer Account and not .\Localsystem or computername\localsystem.

If your service needs permissions to access something in a network context then you should add the Computer account into the group that provides those permissions.

Helvick
  • Well, this is a local account. Based on your answer, I'm wondering if the FTP server (Filezilla, which I forgot to mention, sorry!) is dropping privs. –  Feb 18 '10 at 00:51
0

Incidentally, SYSTEM should by default have Full Control access to everything (clicky) (assuming you're using Security and not Sharing here - you are, aren't you?) so I would certainly recommend repermissioning. I know it's a pain in the face, but getting it right now will always save you from trouble later.

Maximus Minimus
0

From the article linked by MH (emphasis mine):

The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.

This means you can't put the SYSTEM account in a group like any other user account; if you want it to be able to access some files (which you most definitely want, everywhere), then it should explicitly have NTFS full control rights assigned to it.

Massimo
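The repermissioning that the last two answers recommend, as an added worked example (this is not code from any of the answerers): a PowerShell script that walks a directory tree, checks every file and folder for an Allow ACE granting Full Control to a principal (NT AUTHORITY\SYSTEM by default, matched by its well-known SID S-1-5-18 rather than by display name), and with -Fix adds an inheritable Full Control ACE wherever one is missing without touching any existing entries. The root D:\ftproot is a hypothetical FTP home; run it from an elevated session. Because the check is repeated on every item, fixing a parent directory whose ACE propagates down means its children are skipped on the same pass; only items with inheritance blocked, or files with their own broken ACLs, get their own entry. For Helvick's network-context case you would pass the computer account instead, e.g. -Principal 'DOMAIN\SERVER$'.

```powershell
# Added example, not from the original answers. Audits (and optionally repairs)
# NTFS ACLs so that $Principal holds an Allow Full Control ACE, explicit or
# inherited, on every file and directory under $Root.
# Assumptions: D:\ftproot is a hypothetical FTP root; the caller can read the
# ACLs of everything under it (run elevated).
param(
    [string]$Root = 'D:\ftproot',
    [string]$Principal = 'NT AUTHORITY\SYSTEM',
    [switch]$Fix   # without -Fix the script only reports
)

$account = New-Object System.Security.Principal.NTAccount($Principal)
# Compare by SID (S-1-5-18 for SYSTEM) so a localized or renamed display name
# still matches and orphaned SIDs from deleted accounts never match.
$wantedSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-HasFullControl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable identity: cannot be the principal we want
        }
        if ($sid -ne $wantedSid) { continue }
        # An ACE may carry extra bits; require every bit of FullControl to be present.
        if (($ace.FileSystemRights -band $fullControl) -eq $fullControl) { return $true }
    }
    return $false
}

function Grant-FullControl {
    param([string]$Path)
    # Files cannot carry inheritance flags; directories propagate to their children.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $fullControl, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)   # merges with existing entries, removes nothing
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Root first, then everything beneath it (parents are listed before their contents).
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$missing = 0
foreach ($item in $items) {
    # Re-read on every item: an inheritable ACE added to a parent earlier in this
    # pass may already cover this item, in which case nothing needs doing.
    if (Test-HasFullControl $item.FullName) { continue }
    $missing++
    if ($Fix) {
        Grant-FullControl $item.FullName
        Write-Output "FIXED   $($item.FullName)"
    } else {
        Write-Output "MISSING $($item.FullName)"
    }
}
Write-Output "$missing item(s) lacked Full Control for $Principal"
```

Run it once without -Fix to get the list of offending paths, check that the list matches what you expect (a long list under a single directory usually means inheritance was disabled at that directory), then run it with -Fix. It only ever adds an Allow ACE, so the 'ftp' group's existing permissions are left exactly as they were.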