
Consider the following share rights:

Security \\dev\profiles\
rw – Administrators

Security \\dev\profiles\bambus02
inherited AND
rw – bambus02

Sharing \\dev\profiles
rw – Everyone

As "bambus02", my access to \\dev\profiles is denied, but access to \\dev\profiles\bambus02 is allowed with full rights. This is really the desired behaviour, but the question is:

Why am I allowed to access a subfolder of a share when a higher folder on the path (profiles) has access denied?

Isn't that the way the ACL checks work: checking all path segments from top to bottom and stopping as soon as any of them is not allowed?

peterson

1 Answer


You will want to look at the Advanced Security Settings (detailed NTFS permissions) on the shared folder. Most likely, you'll find that your user account has the "Traverse folder / execute file" permission.

Even if you don't have this permission, the default settings are to bypass this restriction entirely.

For folders: The Traverse Folder permission applies only to folders. This permission allows or denies the user from moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.

Source: KB Article 308419

Nic
  • [advanced share](http://oi41.tinypic.com/2zf29gx.jpg) and [advanced security](http://oi42.tinypic.com/12164ug.jpg) - there are no other (Traverse) rights, are there? – peterson Nov 10 '11 at 10:43
  • OK, I understand your point; that should be the answer, thanks! – peterson Nov 10 '11 at 10:47
  • Yes, from your screenshot it looks like your user bambus02 does not have explicit traverse rights. So `Bypass Traverse Checking` must be enabled then. – Nic Nov 10 '11 at 10:49
  • This dramatically changed the perspective from which I had been looking at sharing permissions for ages, and it will make my future concepts much simpler and cleaner, thanks! – peterson Nov 10 '11 at 10:54
  • Bypass Traverse Checking is always enabled by default for the Everyone group (and several other entities as a user rights assignment) and the Traverse Folder NTFS permission is only in effect when the user hasn't been granted the Bypass Traverse Checking user right. Both allow a user to traverse, but not list the contents of, folders that they don't have permissions to in order to get to folders they do have permissions to. – joeqwerty Nov 10 '11 at 11:30
  • It should also be noted that removing the Bypass Traverse Checking privilege, although possible, is not supported. Windows assumes everyone will have it, and stuff may break if this isn't true. – Harry Johnston Nov 15 '11 at 02:54
  • @HarryJohnston That's not surprising, but can you mention any specific examples? – Nic Nov 15 '11 at 20:51
  • @Nic, sorry, no, but see http://support.microsoft.com/kb/823659. I also found http://support.microsoft.com/kb/272142 but that's a bit out of date now. – Harry Johnston Nov 15 '11 at 21:04
  • @HarryJohnston Thanks for the citation! That's great to know. – Nic Nov 19 '11 at 04:22
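The following PowerShell script is an added example for this thread; it is not code from the question, the answer, or Microsoft. It rebuilds the question's NTFS layout on local folders (the SMB share itself is left out), performs the two checks the answer and joeqwerty's comment describe (an explicit Traverse Folder ACE on the parent, and who holds the Bypass Traverse Checking user right, SeChangeNotifyPrivilege, in local policy), and then runs a directory listing of both folders as the restricted user so the "denied on the parent, allowed on the child" behaviour from the question can be observed. Everything outside the thread is an assumption: the path C:\ProfilesTest, a pre-existing local user named bambus02, and an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016 or later.

```powershell
# Added example for this thread, not code from the question, the answer or Microsoft.
# Assumptions (hypothetical): elevated Windows PowerShell 5.1 on Windows 10 / Server
# 2016 or later, a local user 'bambus02' that already exists, and C:\ProfilesTest unused.

$ErrorActionPreference = 'Stop'
$base = 'C:\ProfilesTest'
$root = Join-Path $base 'profiles'          # stands in for \\dev\profiles
$sub  = Join-Path $root 'bambus02'          # stands in for \\dev\profiles\bambus02
$user = "$env:COMPUTERNAME\bambus02"
New-Item -ItemType Directory -Force -Path $sub | Out-Null

function New-Ace([string]$Identity, [string]$Rights) {
    # Allow ACE that propagates to subfolders and files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# 1. profiles: inheritance off, Administrators only (the "rw - Administrators" line).
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # protect the DACL and drop inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
Set-Acl -Path $root -AclObject $acl

# 2. profiles\bambus02: inherited ACEs plus full control for the user.
$acl = Get-Acl -Path $sub
$acl.AddAccessRule((New-Ace $user 'FullControl'))
Set-Acl -Path $sub -AclObject $acl

# 3. The first thing the answer says to check: an explicit Traverse Folder /
#    Execute File ACE for the user on the parent. FileSystemRights.Traverse is that bit.
$traverse = [System.Security.AccessControl.FileSystemRights]::Traverse
$hasTraverseAce = [bool] ((Get-Acl -Path $root).Access |
    Where-Object { $_.IdentityReference.Value -eq $user -and ($_.FileSystemRights -band $traverse) })
"Explicit Traverse ACE for $user on ${root}: $hasTraverseAce"

# 4. The fallback the answer describes: who holds SeChangeNotifyPrivilege
#    (Bypass Traverse Checking) in local security policy. *S-1-1-0 is Everyone.
$inf = Join-Path $base 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
(Select-String -Path $inf -Pattern '^SeChangeNotifyPrivilege').Line

# 5. Run the two listings as bambus02 (prompts for the test user's password).
#    whoami /priv shows whether the privilege is present in that user's token,
#    and the two dir commands exercise the parent and the child folder in turn.
$cred    = Get-Credential -UserName $user -Message 'Password for the test user'
$outFile = Join-Path $base 'bambus02-stdout.txt'
$errFile = Join-Path $base 'bambus02-stderr.txt'
$cmdLine = "/c whoami /priv | findstr SeChangeNotifyPrivilege & dir `"$root`" & dir `"$sub`""
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList $cmdLine `
    -Credential $cred -WorkingDirectory $env:SystemRoot -Wait `
    -RedirectStandardOutput $outFile -RedirectStandardError $errFile
Get-Content -Path $outFile, $errFile

# Cleanup when done: Remove-Item -Path $base -Recurse -Force
```

Two caveats when reading the output. First, the script only models the NTFS side; on the real server the share permission (Everyone rw in the question) is a separate gate, and the effective rights through \\dev\profiles are the more restrictive combination of share and NTFS permissions, so the share ACL admits the user and the NTFS ACLs decide the rest. Second, as Harry Johnston's comment warns, the right way to experiment is to add or remove NTFS ACEs on test folders like the ones above, not to strip SeChangeNotifyPrivilege from Everyone in policy.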