5

I was working on setting up a network share (see the story below) and I ran into some odd behavior with NTFS permissions. The "CREATOR OWNER" object seems to only be able to list "Special" permissions in the "Security tab". No matter what I do, the system reverts back to this setting. Is there a way to get the "CREATOR OWNER" entry to list anything other than Special in the security tab? It would make checking for permission mistakes so much easier since I wouldn't have to dive into the Advanced Tab to see what permissions I set for this group. This is on a Windows 7 client connecting to a Windows Server 2008 share.

Bonus Question:

I also would like to know why the "CREATOR OWNER" group can't apply permissions to "This folder". This seems like a weird quirk of this group that must have a story behind why it was set up this way.

I did some searching and found the "How Permissions Work" TechNet article. I browsed through looking for information on the "OWNER" permission and only found some information on how that permission works.


[Background Story]

So I have a network share where users will create a folder to store their work on a particular project. Files in each user's folder are private due to the parameters given to me by the project managers. On top of that parameter, the users of this folder will change constantly through the year, some for only a few days. So to make the administrative overhead as low as possible, I set up the permissions as follows:

  • Users Group - Allow - List folder contents
  • Users Group - Allow - Write
  • CREATOR OWNER - Allow - Modify

I set the permissions, hit OK, and everything works. Later, when I come back to add the content manager group to the Security tab I notice something odd. The "CREATOR OWNER" entry has switched from Modify to Special. I go into Advanced permissions and I notice that the "CREATOR OWNER" only applies to "Subfolders and files only". I then try to reset the "Apply To" drop down to "This folder, subfolders, and files" but it switches back as soon as I hit "Apply".


Thanks

Doltknuckle

4 Answers

6

CREATOR OWNER access control entries should always be inherit-only, because it doesn't make sense for them to apply to any actual object. When using recent versions of Windows with the modern API, all CREATOR OWNER entries are automatically marked inherit-only.

In the advanced GUI, the inherit-only flag translates as "Subfolders and files only". Changing it to "This folder, subfolders and files" would have the effect of clearing the inherit-only flag, which can't be done for CREATOR OWNER. The basic GUI should probably not be showing this as Special, but I guess MS didn't think of this special case.

Harry Johnston
  • 2
    With both you and @JamesRyan explaining this, I now understand what is going on: The basic GUI will only show permissions that apply to "this folder, subfolder, and files". Since CREATOR OWNER can't apply to an actual object, it will always be a special permission since it can't apply to "this folder". – Doltknuckle Jan 30 '12 at 23:37
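
A way to do the check the question asks for without opening the Advanced tab, as an added example that is not part of the original answers. The function name `Get-FolderAceReport` is hypothetical; it uses only `Get-Acl` and the .NET `FileSystemAccessRule` properties, and maps the inherit-only flag described above to the "Apply to" wording of the Advanced dialog.

```powershell
# Added example: list every ACE on a folder with its named rights and the
# "Apply to" scope, so inherit-only entries such as CREATOR OWNER are readable.
function Get-FolderAceReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Keys are "ContainerInherit,ObjectInherit,InheritOnly" as True/False.
    $applyTo = @{
        'False,False,False' = 'This folder only'
        'True,True,False'   = 'This folder, subfolders and files'
        'True,False,False'  = 'This folder and subfolders'
        'False,True,False'  = 'This folder and files'
        'True,True,True'    = 'Subfolders and files only'
        'True,False,True'   = 'Subfolders only'
        'False,True,True'   = 'Files only'
        'False,False,True'  = 'Nothing (inherit-only without inheritance flags)'
    }

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # InheritanceFlags: ContainerInherit = 1, ObjectInherit = 2
        # PropagationFlags: NoPropagateInherit = 1, InheritOnly = 2
        $ci = ([int]$ace.InheritanceFlags -band 1) -ne 0
        $oi = ([int]$ace.InheritanceFlags -band 2) -ne 0
        $np = ([int]$ace.PropagationFlags -band 1) -ne 0
        $io = ([int]$ace.PropagationFlags -band 2) -ne 0

        $scope = $applyTo["$ci,$oi,$io"]
        if ($np) { $scope += ' (direct children only)' }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            AppliesTo = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# Runs against any existing folder; $env:TEMP is used here only as a sample target.
Get-FolderAceReport -Path $env:TEMP | Format-Table -AutoSize
```

Entries that were written with generic access rights show a number in the Rights column (268435456 is GENERIC_ALL) instead of a name such as Modify.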
2

CREATOR OWNER is primarily for dynamic permissioning as people create stuff in a folder that they have conventional rights to rather than lazy permissioning. If you think of it in this way the concept might make more sense.

JamesRyan
  • I'm sorry if I was unclear in my question, but I am not asking "how Creator Owner works", but more "why the permission control behaves in a certain way". I understand that "Creator Owner" is a dynamic permission that allows me to limit what a user can do to files they create. I don't feel it is lazy to use this in this situation because of the dynamic usage of this folder. We already have a per user private folder structure. This location is more for a specific project where users come and go at random. – Doltknuckle Sep 15 '11 at 20:18
  • Edited post to make my questions more clear. – Doltknuckle Sep 15 '11 at 20:31
  • 1
    Sorry but you have misunderstood how creator owner works or you wouldn't be asking those questions. If you create a folder and give it creator owner permissions, then create a file inside that folder, the file never has 'creator owner' permissions but instead the actual user who created the file has those permissions. It is not a user group that happens to apply to the current owner but a special permission that always gets applied as an actual user when files are created. So when you set creator owner permission on the current folder it applies to the contents rather than itself. – JamesRyan Sep 16 '11 at 09:05
-2

This is simply a limitation of mapping between POSIX ACLs available in Linux and Windows ACL.

Talking about a folder, in POSIX ACLs you can assign default permissions for the items created inside. You can do it explicitly for a named users and groups, but there are two defaults that apply for the future owners (user and group) of the file/folder to be created.

default:user::rwx
default:group::r-x

Those are mapped to the CREATOR OWNER and CREATOR GROUP respectively. They don't apply to the current directory, so when you look in the Windows UI, you'll see that those apply to Subfolders and files only. Windows would treat it as special permission and show as such.

For each directory you'd also have permissions assigned to owner and group

user::rwx
group::rwx

Those however get immediately translated to the actual owner and group when queried by Windows. Even if you grant the CREATOR OWNER the rights to this folder too, this change will be lost - because Windows will see it as a change to the permissions to the actual owner.

So in the UI you'd probably see:

Unix User - Root   - Full Control, This folder only
Unix Group - Root  - Full Control, This folder only
CREATOR OWNER      - Full Control, Subfolders and files only
CREATOR GROUP      - Read and execute, Subfolders and files only

Unfortunately I don't know anything to merge it into anything more readable.

And it gets just slightly less tricky when dealing with NFSv4 ACLs...

Grogi
-2

The "CREATOR OWNER" permission set to "This folder, subfolders and files" is restricted by the system to "Subfolders and files only".

Users who are creators cannot create its folders.

alex