Solved

Preventing file permission changes

Posted on 2008-06-20
Last Modified: 2013-12-04
Is there a way to prevent the owner/creator of a file to modify the file permissions?   I'd like to maintain the inherited permissions from the folder in which it is created.
Question by:gamagldba
22 Comments
 
LVL 25

Expert Comment

by:slam69
ID: 21831351
If you deny Creator Owner Full Control under your inherited permissions, does that work?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21831389
You can remove the security tab to stop the owner/creator modifying permissions - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_234741
0
 

Author Comment

by:gamagldba
ID: 21831429
I've removed Creator Owner and added the specific account with limited permissions.  I tried not allowing Change Permissions and also tried denying Change Permissions, and neither has worked.  When the account (SQL 2005 service account writing trace files) creates the file, it removes all permissions (except admin) and has Full Control.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21831454
If you remove the Security tab then they can't modify permissions!
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831473
Apologies, this is a little different: you cannot alter the permissions of the SQL Server service account trace files, by definition the account needs full access to them? However, the SQL Server service account should never be logged into by a user, so you should never see any problems arise?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 21831491
These suggestions are all workarounds, which can be easily bypassed. The owner always has the Change Permissions permission, even if you set an explicit Full Control Deny on the file/folder.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831506
Please be advised this scenario being described is not standard in the slightest; it relates to the SQL Server service account and should not be confused with anything to do with normal permissioning!!
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21831514
... NOT if you remove the Security tab with a group policy...
0
 

Author Comment

by:gamagldba
ID: 21831515
The service account is writing to a centralized location where I'm collecting trace files from many servers.  I then need to read those files using another account; this is where I have the permissioning issue.  I'm trying to avoid making this "reading" account an administrator.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831538
The creator owner of these files is a service account that isn't logged into, so the modification of permissions by these files is irrelevant other than the fact that the user wants to read them in a non-admin account; to do that you need to add regular user read/write.
0
 

Author Comment

by:gamagldba
ID: 21831612
I've added the "reading" account to the folder where the file is being written and given permissions to this account. When the file is created by the SQL service account, it removes any folder permissions and substitutes its own permissions.
Will the suggestion to remove the Security tab prevent programmatic permission changes?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 21831622
If you remove the Security tab with a GPO, you can't change permissions from the command prompt? ;)

Comment ID 21831538 from slam69 should work if permissions are set to apply to "This folder, subfolders and files" for the specific non-admin account.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 150 total points
ID: 21831631
No - I originally thought you meant a user was changing the permissions, in which case it would
0
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 150 total points
ID: 21831650
So you're saying that SQL ignores permissions inheritance or overwrites existing permissions? If they are overwritten, you could overwrite them again with a scheduled script.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831654
Yup yup, I do agree most of the things suggested here would work if this related to a standard user account, but as it's a service account generated file this is not the case and will not follow the normal rules and fixes.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831690
You could do that, but the service account will always have Full Control to these files as the creator owner. And yes, you could have a scheduled script overwrite them, but I would have thought the only people who will be reading the trace logs will be SQL DBAs, who usually are local admins on their own machines by a matter of necessity and usually local admins on the machines hosting the SQL server, hence why I have never seen this be an issue. If it is, then move the trace files back to the local location where the DBAs can read them as local admins and take copies of the files to put them in a central repository, keeping the originals in situ.... Still don't know why you would want to do this, but that's the way I would do it.
0
 

Author Comment

by:gamagldba
ID: 21831750
Yes, it's turning off inheritance and overwriting permissions.  BTW, this happens for trace files. If I create a job output file it keeps inheritance.  And only SQL 2005; SQL 2000 doesn't do this.  Must be a way to protect the trace files from interrogation.

I've thought of changing the permissions back before I read them, but then the reader would need more permissions than necessary.   Making him an admin works around this....
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831783
Who is reading the files? I really would think the people who are using the trace files would usually be local admin on their machines anyway; haven't seen this be an issue before, to be frank!!
0
 

Author Comment

by:gamagldba
ID: 21831786
The reading account is actually a service account for another sql instance where the trace files will be loaded into tables.   The plan is to have a scheduled job load trace files.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21831837
Then there is your issue: you have not kept a standardised SQL service account, otherwise this wouldn't have become an issue!! Not too sure of a way of getting round this.

I would dump the idea and load the trace files as and when you wish to use them; it's not that intensive a task anyway, not sure why you would want to carry it out?
0
 

Author Comment

by:gamagldba
ID: 21832023
One service account would make for easier administration, but it's not our policy.   If that one account somehow gets disabled, it would cause problems across our whole environment.

The reason for the centralized scheduled loading is so that we could more easily administer and generate audit/usage reports that reflect all our many servers.  This would also allow for ad hoc reporting by management.   I didn't expect this snag.

So it appears that it's not possible to prevent permission changes by the file owner.  I guess the solutions would be to overwrite permissions or make the reader an admin on the collection box.

Thanks for all the comments.
0
 
LVL 25

Accepted Solution

by:slam69
slam69 earned 450 total points
ID: 21833148
That's exactly it: what you want to do is not possible in the steps you are trying. You either need one service account, as is standard, or to alter the permissions of the files once produced.

Hopefully the comments are enough for you to close the question. Sometimes we are unable to tell you what you want to hear, but at least you know what you need to do from here.

Please remember to close the question.
0
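The "overwrite the permissions again with a scheduled script" route that the thread settles on, worked through as an added example (not code from any participant): a PowerShell script that puts an inheritable Read ACE for the reader on the collection folder and re-enables inheritance on every trace file whose ACL SQL Server wrote as protected. The folder path, the reader account name and the `.trc` extension are assumptions; it must run under an account that can read and change the files' ACLs (for example as a scheduled task on the collection server), and it repairs the ACLs after the fact rather than stopping the owner from changing them.

```powershell
# Added example, not code from the thread. Re-applies the collection folder's
# inherited permissions to SQL Server trace files (*.trc) that were written
# with inheritance turned off. Run it as a scheduled task after each trace
# drop; it cannot stop the file owner changing the ACL again, it only repairs it.
param(
    [string]$TraceRoot = 'D:\TraceCollection',      # assumed collection folder
    [string]$Reader    = 'DOMAIN\svc_traceloader',  # assumed non-admin reader account
    [switch]$WhatIf                                 # report only, change nothing
)
$IF = [System.Security.AccessControl.InheritanceFlags]

# 1. The folder must carry an inheritable Allow ACE for the reader that applies to
#    "this folder, subfolders and files" (ContainerInherit + ObjectInherit).
$folderAcl = Get-Acl -Path $TraceRoot
$readerAce = $folderAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Reader -and $_.AccessControlType -eq 'Allow' -and
    ($_.InheritanceFlags -band $IF::ObjectInherit) -and
    ($_.InheritanceFlags -band $IF::ContainerInherit)
}
if (-not $readerAce) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Reader, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $folderAcl.AddAccessRule($rule)
    if (-not $WhatIf) { Set-Acl -Path $TraceRoot -AclObject $folderAcl }
    Write-Output "Added inheritable Read for $Reader on $TraceRoot"
}

# 2. Any trace file whose DACL is protected (inheritance off) gets inheritance
#    re-enabled and its explicit ACEs removed, so only the folder's ACEs apply.
$fixed = 0
Get-ChildItem -Path $TraceRoot -Filter '*.trc' -Recurse -File | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting, skip
    # $false re-enables inheritance; the second argument is ignored in that case.
    $acl.SetAccessRuleProtection($false, $false)
    # Drop the explicit ACEs the writer left behind; the inherited ones are
    # populated from the folder when the ACL is saved.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    if (-not $WhatIf) { Set-Acl -Path $_.FullName -AclObject $acl }
    Write-Output "Reset inheritance: $($_.FullName)"
    $fixed++
}
Write-Output "Trace files reset: $fixed"
```

Run it once with `-WhatIf` to see which files would be touched before scheduling it.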