Solved

Preventing file permission changes

Posted on 2008-06-20
223 Views
Last Modified: 2013-12-04
Is there a way to prevent the owner/creator of a file to modify the file permissions?   I'd like to maintain the inherited permissions from the folder in which it is created.
Question by:gamagldba
22 Comments
 
LVL 25

Expert Comment

by:slam69
ID: 21831351
If you deny Creator Owner Full Control under your inherited permissions, does that work?
 
LVL 70

Expert Comment

by:KCTS
ID: 21831389
You can remove the Security tab to stop the owner/creator modifying permissions - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_234741
 

Author Comment

by:gamagldba
ID: 21831429
I've removed Creator Owner and added the specific account with limited permissions. I tried not allowing Change Permissions and also tried denying Change Permissions, and neither has worked. When the account (SQL 2005 service account writing trace files) creates the file, it removes all permissions (except admin) and has Full Control.
 
LVL 70

Expert Comment

by:KCTS
ID: 21831454
If you remove the Security tab, they can't modify permissions!
 
LVL 25

Expert Comment

by:slam69
ID: 21831473
Apologies, this is a little different: you cannot alter the permissions of the SQL Server service account's trace files; by definition the account needs full access to them. However, the SQL Server service account should never be logged into by a user, so it should never see any problems arise.
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 21831491
These suggestions are all workarounds, which can be easily bypassed. The owner always has the Change Permissions permission, even if you set an explicit Full Control Deny on the file/folder.
 
LVL 25

Expert Comment

by:slam69
ID: 21831506
Please be advised this scenario being described is not standard in the slightest; it relates to the SQL Server service account and should not be confused with anything to do with normal permissioning!
 
LVL 70

Expert Comment

by:KCTS
ID: 21831514
... NOT if you remove the Security tab with a group policy...
 

Author Comment

by:gamagldba
ID: 21831515
The service account is writing to a centralized location where I'm collecting trace files from many servers.  I then need to read those files using another account - this is where I have the permissioning issue.  I'm trying to avoid making this "reading" account an administrator.
 
LVL 25

Expert Comment

by:slam69
ID: 21831538
The creator owner of these files is a service account that isn't logged into, so the modification of permissions on these files is irrelevant, other than the fact that the user wants to read them from a non-admin account. To do that you need to add regular user Read/Write.
 

Author Comment

by:gamagldba
ID: 21831612
I've added the "reading" account to the folder where the file is being written and given permissions to this account. When the file is created by the SQL service account, it removes any folder permissions and substitutes its own permissions.
Will the suggestion to remove the Security tab prevent programmatic permission changes?

 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 21831622
If you remove the Security tab with a GPO, you can't change permissions from the command prompt? ;)

Comment ID 21831538 from slam69 should work if permissions are set to apply to "This folder, subfolders and files" for the specific non-admin account.
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 50 total points
ID: 21831631
No - I originally thought you meant a user was changing the permissions, in which case it would
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 50 total points
ID: 21831650
So you're saying that SQL ignores permission inheritance or overwrites existing permissions? If they are overwritten, you could overwrite them again with a scheduled script.
 
LVL 25

Expert Comment

by:slam69
ID: 21831654
Yup, yup, I do agree most of the things suggested here would work if this related to a standard user account, but as it's a service account generated file this is not the case and will not follow the normal rules and fixes.
 
LVL 25

Expert Comment

by:slam69
ID: 21831690
You could do that, but the service account will always have Full Control of these files as the creator owner. And yes, you could have a scheduled script overwrite them, but I would have thought the only people who will be reading the trace logs will be SQL DBAs, who usually are local admins on their own machines by a matter of necessity and usually local admins on the machines hosting the SQL Server, hence why I have never seen this be an issue. If it is, then move the trace files back to the local location where the DBAs can read them as local admins, and take copies of the files to put them in a central repository, keeping the originals in situ... still don't know why you would want to do this, but that's the way I would do it.
 

Author Comment

by:gamagldba
ID: 21831750
Yes, it's turning off inheritance and overwriting permissions. By the way, this happens for trace files. If I create a job output file it keeps inheritance. And only SQL 2005; SQL 2000 doesn't do this. There must be a way to protect the trace files from interrogation.

I've thought of changing the permissions back before I read them, but then the reader would need more permissions than necessary. Making him an admin works around this....
 
LVL 25

Expert Comment

by:slam69
ID: 21831783
Who is reading the files? I really would think the people who are using the trace files would usually be local admins on their machines anyway; haven't seen this be an issue before, to be frank!!
 

Author Comment

by:gamagldba
ID: 21831786
The reading account is actually a service account for another SQL instance where the trace files will be loaded into tables. The plan is to have a scheduled job load trace files.
 
LVL 25

Expert Comment

by:slam69
ID: 21831837
Then there is your issue: you have not kept a standardised SQL service account, otherwise this wouldn't have become an issue!! Not too sure of a way of getting round this.

I would dump the idea and load the trace files as and when you wish to use them; it's not that intensive a task anyway. Not sure why you would want to carry it out?
 

Author Comment

by:gamagldba
ID: 21832023
One service account would make for easier administration, but it's not our policy. If that one account somehow gets disabled, it would cause problems across our whole environment.

The reason for the centralized scheduled loading is so that we could more easily administer and generate audit/usage reports that reflect all our many servers. This would also allow for ad hoc reporting by management. I didn't expect this snag.

So it appears that it's not possible to prevent permission changes by the file owner. I guess the solutions would be to overwrite permissions or make the reader an admin on the collection box.

Thanks for all the comments.
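As an added example, written for this page and not code posted by anyone in the thread, here is the "overwrite them again with a scheduled script" approach that Toni Uranjek suggested (ID 21831650) and that the author settled on in the closing summary, in PowerShell. The collection folder D:\TraceCollect, the reading account DOMAIN\svc_traceload and the *.trc filter are assumptions. The script is meant to run from a scheduled task as a local Administrator on the collection box: as the author observed, the rewritten ACL on each trace file still grants Administrators Full Control, and Full Control includes Change Permissions, so that is the one account that does not need to be the file's owner to fix it. Rather than granting the reader an explicit ACE per file, it switches inheritance back on so the folder's own ACL (with the reader's Read applied to "this folder, subfolders and files") governs the file again, then re-reads the ACL and reports any file where the reader still has no Read instead of assuming Set-Acl did what was asked.

```powershell
# Added example, not code from the thread. Re-applies the collection
# folder's inherited ACL to trace files that arrived with inheritance
# turned off, so the non-admin reading account keeps Read on them.
# Assumptions (hypothetical names): the collection folder
# D:\TraceCollect, the reading account DOMAIN\svc_traceload and the
# *.trc filter. Run from a scheduled task as a local Administrator.
param(
    [string]$Folder = 'D:\TraceCollect',
    [string]$Reader = 'DOMAIN\svc_traceload',
    [string]$Filter = '*.trc'
)

function Test-ReaderAccess {
    # Returns $true when an Allow ACE for $Reader grants at least ReadData
    # (an inherited ACE counts, which is what we expect after the repair).
    param([System.Security.AccessControl.FileSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Reader -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

$repaired     = 0
$stillBlocked = @()

Get-ChildItem -Path $Folder -Filter $Filter -Recurse | ForEach-Object {
    $file = $_.FullName
    $acl  = Get-Acl -Path $file

    # A trace file written with inheritance turned off shows up as
    # "protected": only the explicit ACEs the writer added (its service
    # account plus Administrators) remain, and the folder's ACL is ignored.
    if ($acl.AreAccessRulesProtected) {
        # Turn inheritance back on and drop the explicit ACEs, so the
        # folder's ACL is once again what applies to the file.
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($rule)
        }
        Set-Acl -Path $file -AclObject $acl
        $repaired++
    }

    # Verify rather than trust: re-read the ACL from disk after the write
    # and confirm the reading account can actually read the file.
    if (-not (Test-ReaderAccess -Acl (Get-Acl -Path $file))) {
        $stillBlocked += $file
    }
}

Write-Output "Trace files re-inherited: $repaired"
if ($stillBlocked.Count -gt 0) {
    Write-Warning ("Reader still lacks Read on: " + ($stillBlocked -join ', '))
}
```

Two caveats a practitioner would want noted. First, this does not stop the owner from changing the ACL again; as Toni Uranjek points out, the owner always keeps Change Permissions, so the script only narrows the window between a file being written and the reader being able to open it. Second, a file that appears in the warning list usually means the folder's own ACL does not grant the reader Read with the "this folder, subfolders and files" scope, which is worth fixing at the folder rather than per file.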
 
LVL 25

Accepted Solution

by:slam69
slam69 earned 150 total points
ID: 21833148
That's exactly it: what you want to do is not possible in the steps you are trying. You either need one service account, as is standard, or to alter the permissions of the files once produced.

Hopefully the comments are enough for you to close the question. Sometimes we are unable to tell you what you want to hear, but at least you know what you need to do from here.

Please remember to close the question.
