Write Attributes and Write Extended Attributes

Discussion in 'Server Security' started by Will, Oct 31, 2005.

  1. Will

    Will Guest

    Can someone explain to me why many Windows 2000 applications appear to
    require that anyone with read and execute permission has "write attributes"
    and "write extended attributes" permissions enabled? When I turn on
    auditing, I see hundreds of messages in the Event Viewer security log for
    nearly everyone in the Users group for failing to acquire needed permissions
    on cmd.exe, shell32.dll, etc. In examining the permission list that the
    users need, the only permissions we have failed to enable for users are
    "write attributes" and "write extended attributes". Those permissions
    don't seem like something you would want to give users for every file on the
    system, and I'm perplexed why Windows would need such permissions on many of
    its applications.
     
    Will, Oct 31, 2005
    #1

  2. I do not believe that Windows does need such permissions, as you have
    stated. When I enable logging similarly I do not get what you indicate
    in the event log. Thus, I am thinking it is some other aspect of the total
    system load, MS plus other software, that is operative here. It used to
    be pretty common to see software developers being lazy and not using
    a minimal list of requested accesses when getting handles to things, and
    that is MS and third-party developers, so perhaps there is some such
    residual older software installed?
     
    Roger Abell [MVP], Nov 1, 2005
    #2

  3. At the API level an application can state what permissions
    it wants, and it gets back a list of what was available.
    Lazy authors just ask for everything, hence failures.

     
    Roger Abell [MVP], Nov 7, 2005
    #3
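
An added example, not part of the original thread: a small model of the file access check under discussion, used to find which processes ask for more than a "Read & Execute" grant covers. It assumes a request naming specific rights fails as a whole when any requested bit is not granted; the process names and event records are constructed.

```python
# Added example: file access-right bits as defined in the Windows SDK (winnt.h).
FILE_RIGHTS = {
    "FILE_READ_DATA": 0x0001,
    "FILE_WRITE_DATA": 0x0002,
    "FILE_APPEND_DATA": 0x0004,
    "FILE_READ_EA": 0x0008,
    "FILE_WRITE_EA": 0x0010,          # "write extended attributes"
    "FILE_EXECUTE": 0x0020,
    "FILE_READ_ATTRIBUTES": 0x0080,
    "FILE_WRITE_ATTRIBUTES": 0x0100,  # "write attributes"
    "READ_CONTROL": 0x00020000,
    "SYNCHRONIZE": 0x00100000,
}

# FILE_GENERIC_READ | FILE_GENERIC_EXECUTE: what a "Read & Execute" grant maps to.
READ_EXECUTE = 0x1200A9


def open_check(requested, granted):
    """Return (allowed, denied_right_names) for one open request.

    Assumption of this model: the request is all-or-nothing, so a single
    ungranted bit fails the whole open. Deny ACEs, privileges and
    MAXIMUM_ALLOWED are not modelled.
    """
    denied = requested & ~granted
    return denied == 0, [name for name, bit in FILE_RIGHTS.items() if denied & bit]


def over_requesters(events, granted):
    """Map each process with failed opens to the rights that caused them."""
    report = {}
    for process, _obj, requested in events:
        allowed, denied = open_check(requested, granted)
        if not allowed:
            report.setdefault(process, set()).update(denied)
    return {proc: sorted(rights) for proc, rights in report.items()}


# Constructed records (process, object, requested mask); process names are
# hypothetical and this is not the real security-log format.
SAMPLE_EVENTS = [
    ("legacyapp.exe", "cmd.exe", READ_EXECUTE | 0x0100 | 0x0010),
    ("legacyapp.exe", "shell32.dll", READ_EXECUTE | 0x0100),
    ("minimalapp.exe", "cmd.exe", READ_EXECUTE),
]

if __name__ == "__main__":
    for proc, rights in over_requesters(SAMPLE_EVENTS, READ_EXECUTE).items():
        print(proc, "requested but was not granted:", ", ".join(rights))
```

Grouping audit failures this way points at the application to fix or replace, rather than at the ACL on cmd.exe or shell32.dll.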
  4. I do not believe you will find any joy for this issue down that road.
    Mostly the app comp tab says, expect this to issue API calls that
    are no longer right, which same you will need to remap to the
    current APIs. It is not likely to adjust parameters to valid API
    calls for acquiring file handles.
     
    Roger Abell [MVP], Nov 12, 2005
    #4