Ask MetaFilter questions tagged with permissions

Reinstall Windows dealing with NTFS permissions

chrisch — Wed, 21 Oct 2009 14:58:21 -0800

I'm a few weeks away from rebuilding my PC with Windows 7 and need help understanding how to deal with NTFS permissions. I'm a few weeks away from rebuilding my PC with Windows 7. I'm currently using the release candidate of Windows 7 with the following drive configuration:

C:\ - Windows and applications (some data)
D:\ - data drive (including "D:\My Documents\")
Q:\ - external backup drive (Drobo)

All drives are formatted with NTFS and backups of selected directories to Q:\ are done with rsync. I've noticed that some directories on Q:\ are not accessible by the Guest account, meaning that permissions are not consistent on that drive. The machine isn't on a domain.

My plan is to wipe C:\ and reinstall Windows, and leave D:\ and Q:\ alone. My questions are:

- How do I reinstall and prevent ugly situations with NTFS file permissions (i.e., permission denied)?
- Is there a best practices guide for syncing to my backup drive to ease future accessibility from another computer?

Many thanks!

How to Delete Myself ...

keasby — Thu, 15 Oct 2009 11:59:19 -0800

How to transfer administrative control of a SharePoint subsite? I.e. I created the site, assigned new owners, but now need to remove my own access. This seems like it should be pretty straight forward. Unlike homemade chili, it is not.

We have a basic SharePoint team site. Admin asked me to create a private subsite where just the back office staff could store sensitive personnel files. Creating was no problem, and I assigned permission such that only those individuals can view. I even "removed" myself from all of the groups.

Or so I thought. I am not getting access denied when I log into the site.

Help! I don't want to coach a coworker, over the phone, how to do each of the trivial steps it took to make this subsite. Is this something my network admin should be able to do? It may help to know that we are a "virtual firm" so I don't have any tech folks on site to help me, nor can I just "hijack" one of the new owner's accounts.

Thank you!

Why did tar and nc not play nice?

flabdablet — Sat, 26 Sep 2009 17:54:13 -0800

Can anybody immediately see why nc and tar didn't work together the way I expected they would? I wanted to copy an Ubuntu installation from a laptop with one filesystem to a desktop box with two. So I booted an Ubuntu live CD on each and opened terminals; then on the laptop did



sudo su -

mount /dev/sda2 /mnt

cd /mnt

tar c . | nc -l -p 10000

and on the desktop box did



sudo su -

mkfs -t ext3 -L root /dev/sda3

mkfs -t ext3 -L home /dev/sda4

mount /dev/sda3 /mnt

mkdir /mnt/home

mount /dev/sda4 /mnt/home

cd /mnt

nc 192.168.1.3 10000 -q5 | tar xv --numeric-owner

As expected, a huge list of filenames scrolled by on the desktop box as tar extracted the files. When that all stopped, I hit ctrl-D on the desktop end to close nc's standard input; five seconds later the shell prompt returned on the laptop as well. So everything seemed to be working as expected.

After making the necessary corrections to /mnt/boot/grub/menu.lst, /mnt/etc/fstab, /mnt/etc/hosts and /mnt/etc/hostname on the desktop box, I umounted everything and rebooted it, but assorted things were badly amiss. Turns out that a random assortment of vital files had been created with zero length and zero permissions instead of being properly copied.

I have since got the machine-to-machine copy done by mounting the laptop's hard drive in a USB enclosure, plugging it into the desktop box and using cp -av so I'm not looking for ways to get the primary job done any more.

What I would like to know: before I spend more time trying to work out why the tar | nc <--> nc | tar method failed, can anybody see some documented reason why it was doomed to do so?

My god, it's full of permissions.

Iosephus — Mon, 24 Aug 2009 06:34:39 -0800

Registy editing permissions, group policies and Windows Defender, I think... Windows Defender, I guess I never cared much for you. It sat there disabled for a long time, but anyways I idly tried to turning it back on. Security Center said unable to. Googling lead me to a certain registry key that had to be edited manually (this being Vista Home Basic, wtf Microsoft?), called DisableAntiSpyware that was disabled by group polices or some such. So to regedit we go. Trying to delete the key tells me I don't have the permissions for it. I see the "edit" submenu of regedit should allow me to gain permissions. Nope, after I change to Administrators having full, I can't save it for unknown reasons (says unable to save). And that's as far as my googling led me.

This is certainly not critical (I have no stuff for WD to take care of re: malware or so), but I figured it would be a good time to learn how to do this kind of damned thing regarding registry fiddling. Help?

How do I make a folder in the root of a shared network drive inaccessible over the network but accessible to that computer?

token-ring — Sun, 23 Aug 2009 15:08:18 -0800

I have a 1TB secondary drive in my desktop computer that I have the root of shared over my local network. Inside are 5 folders, all but one of I want to be accessible over the network (one is a backup folder I don't want accessible to other network computers). Before I reinstalled my OS I had figured some way of changing the permissions so that if I was on the desktop itself I could get into the backup folder, but if I was on any other computer on the network I could see the shared drive and modify any folder but the backup one. I just recently reinstalled Windows Vista (Went from 32 bit to 64 bit) and now I can’t remember how I had set the permissions. I have a 1TB secondary drive in my desktop computer that I have the root of shared over my local network. Inside are 5 folders, all but one of I want to be accessible over the network (one is a backup folder I don't want accessible to other network computers). Before I reinstalled my OS I had figured some way of changing the permissions so that if I was on the desktop itself I could get into the backup folder, but if I was on any other computer on the network I could see the shared drive and modify any folder but the backup one. I just recently reinstalled Windows Vista (Went from 32 bit to 64 bit) and now I can’t remember how I had set the permissions.

Does anyone know how I can make that drive shared, and all the folders but the backup one accessible over my local network? I don’t want to set up a different share for each folder and I don’t want to create a separate folder for the shared stuff, I would like to leave the root of the drive shared but with one folder a network user can’t get into.

I am running Windows Vista Business 64 bit edition

tar -pz in Windows?

oblio_one — Fri, 07 Aug 2009 15:49:57 -0800

I'm trying to find a procedure to create a zip file in Windows and preserve Unix file permissions from the original files... I have a set of bash scripts to be archived, originally created on a linux machine with file permissions 755. Some people in our group are using Windows and if they archive the files then pass them back to a Linux user, the file permissions are lost, unzip extracts files with 644 permission, so an additional step is needed to execute them. No problem if the archival was preformed on linux, but not all members of our group are comfortable with it.

Situation is the same whether using the default XP "Send to compressed", or something like winRar or 7-zip, I can't find any option that will respect / preserve the UNIX permissions from Windows, anyone know of a way?

How do I get rid of a Mac user acct w/o losing files?

Piscean — Tue, 21 Jul 2009 16:35:54 -0800

I have a MacBook Pro running Leopard. It has two admin accounts. Some time ago I stopped using account "A" in favor of new account "B" (the reason behind the creation of account B isn't relevant to this question, however). If I delete user account "A," what precautions must I take to ensure the preservation of the files created under "user A," and what automatically happens to the ownership of those files?

insufficient permissions error with OS X

spyke23 — Mon, 20 Apr 2009 10:52:49 -0800

Insufficient permissions error preventing copying files to NAS USB dongle based server from OS X machine I have a clone of an Addonics NAS USB Dongle, and having set it up, I am trying to copy across 1gb or less files from a Mac Mini running OS X 10.5.6 to it, it is 500gb, and the server formats it FAT32 as a matter of course, as this is how it works. However some files will copy, but most will copy then stop, generating an error, stating I have insufficient privileges to copy the file. Can anyone help me sort this issue?

XP: How do I set permissions for a user account to switch power schemes and create new ones?

mail — Wed, 01 Apr 2009 11:17:02 -0800

XP: How do I set permissions for a user account to switch power schemes and create new ones? By power schemes I mean what you find on the Control Panel -> Power Options -> Power Schemes tab.

This is about a thinkpad specifically in case it makes a difference, but in general I have no idea how to set permissions for things like this. I tried messing around in Gpedit.msc, but I didn't see a relevant template (?).

Remembering permissions

pineappleclock — Fri, 27 Mar 2009 11:06:45 -0800

Is there any FTP client or trickery to remember the UNIX permissions when transferring files from a UNIX machine to a Windows machine? There would need to be a way to chmod the file on the way back as well.

Bonus points if I can recall the owner and group settings. I don't have any type of shell, just FTP access.

Display permissions for a wiki--how specific can you get?

elfgirl — Wed, 11 Feb 2009 06:12:16 -0800

An organizationally obsessed GM wants to create a wiki-like site to house information on his created world. Challenge: he also wants a way to limit what information users can see on a given page, on a user by user basis. My husband, after watching his gamers furiously trying to take notes and constantly ask "what do I know about [blah]", decided that it would be much easier if he could just put all the information about his game world up online somewhere. The most logical format would seem to be a wiki.

His big requirement is that the wiki or CMS app he uses have the ability to decide who can see certain things. Not just certain pages, but even sections of text on certain pages.

For example, if user A goes to the page on ents he sees,

"Ents are large trees that happen to move around and talk. Freaky, no?"

But if user B goes to the page on ents he sees,

"Ents are large trees that happen to move around and talk. Freaky, no? Oh, and by the way, the party met one on day 135 and you had tea together."

Are there any wiki or CMS apps out there that have this type of granularity to their permissions?

Add leaves and fruit, but don't cut the branches

bartleby — Mon, 13 Oct 2008 09:27:56 -0800

On a Windows share with a complex file tree, is there any way to lock down the tree so that folders can be added by all, but the directory structure itself can't be changed? People keep dragging folders or whole sections of a directory tree on a network file server and leaving them inside another location on the tree; so the HR folder and its subfolders suddenly end up inside the Accounting section. (No one admits to moving them, of course.)

Users need to be able to create their own subfolders, and add documents and move them around throughout the tree; but I'm trying to find a way to allow this while also blocking the ability to move folders from one location in the tree to another, or otherwise make change the directory structure.

I'm not coming up with anything; is there something obvious I've missed?

How to merge (not replace) NTFS permissions using Robocopy

MrHappyGoLucky — Wed, 24 Sep 2008 13:27:20 -0800

I am currently attempting to migrate files from an NT 4.0 file server to a NetApp filer appliance. Our current copy process (using Robocopy) will replace the target permissions with the source permissions. We would prefer to merge source permissions with target permissions, leaving any differing target permissions intact. Currently, Robocopy will replace the target permissions with the permissions present on the source, erasing any additions to the file ACLs on the target. We would prefer to merge the source permission ACEs onto the target file ACLs, preserving the additions made on the target files.

I can't seem to find if Robocopy supports this behavior, does anyone have any suggestions on how to accomplish this?

Button won't obey finger

dance — Sat, 16 Aug 2008 04:34:05 -0800

I am working with a laptop with one of those buttons that can enable or disable the wireless functionality. It seems that this button needs to be pressed each time that the computer is turned on, and doesn't just automatically remain on through reboots. The problem is this button will only work if it's pressed by a user with admin rights on XP and the owner is an old gentleman who needs to run Windows from within the confines of a limited user's rights. If he has admin rights the computer is filled with malware within a day. So my question is how can I temporarily elevate a limited user for 30seconds or so to allow him to press this button and for the button to have an effect, or how can I make this button obey his finger regardless of his XP user rights?

Thanks so much!

Quickbooks 2008 removes write permissions on the Samba share

chengjih — Tue, 05 Aug 2008 08:13:05 -0800

XP client removes write permissions on Samba share This is a Samba 3.0.25 running on a CentOS 4 box. The XP client is removing the write permissions for some files in one of the Samba shares upon exiting an application (Quickbooks 2008) accessing those files.

Any ideas on how to fix this? Yes, I'm aware that Intuit doesn't support this configuration.

The configuration for that share is:

path = /home/quickbooks
writable = Yes
browseable = Yes
force create mask = 0660
force directory mask = 0770
oplocks = no
force group = qb_grp
valid users = @qb_grp

Thank you for your help!

.htaccess files and groups

chillmost — Fri, 11 Jul 2008 06:37:30 -0800

I'm configuring some htaccess files for multiple directories and I'm having some problems incorporating groups of authorized users. Say there's 4 directories with protected content in each: 2005, 2006, 2007, 2008

The people that have access are subscribers. Some users have access to all directories, and some users have access only for some. Access is granted based on password or IP address/range.

For this situation I have an .htaccess file similar this in each directory:

AuthType Basic
AuthName "2008 Subscriptions"
AuthUserFile /path/to/password/file/2008.pw
require valid-user
Satisfy any
order deny,allow
allow from 123.123.123.123
allow from 223.223.223.223
allow from 123.156.0.0/16
and so on
and so on
and so on
deny from all

This works perfectly for the situation described above.

The IP addresses in the .htaccess files and users in the password files are pretty static. Once they are in there, they usually stay. However, there is a small group of people, we'll call them editors, that is very dynamic. People are constantly being added to and removed from this list. These editors should have access to all 4 directories. Currently they are given access permission via the password file shown above. This means that if an editor is added or removed, I have to make the change in 4 different files. Sometimes they are accidentally not added or removed to all the lists and then they complain and somebody has to fix it with a lot of back and forth and yada yada.

I want to set up a group just for the editors. I want to have just one list that I have to edit instead of 4 whenever a change is made.

However, from what I find in my searching, the way to add groups is to add the line:

AuthGroupFile /path/to/editors/file/.htgroup

and inside this file add something like:

editors: john sally joe

My questions:
How do I assign passwords to these users?

Does this mean that in addition to maintaining this htgroup file, I need to assign and maintain another password file as well?
-If so, that isn't what I want because I only want to have to edit ONE file for the editors, NOT TWO.

Is this possible?
Am I going about this the wrong way?

How to fix windows premissions for torrented files

Four Flavors — Tue, 17 Jun 2008 16:10:39 -0800

Torrented files can't be read by a remote machine until they are cut/pasted. Why, and how to fix it? I have 2 computers, one of which downloads torrents. The completed directories can be seen by the other computer, but clicking on them gets an 'access denied' error. Moving the directory somewhere else, then moving it back where it was causes the error to go away. This happens long after the file is done & the torrent stopped.

What could be causing this? I use uTorrent, in case it matters. The torrents are downloads of movies I already own on VHS from various trackers. Both machines are windows XP boxes, in the same workgroup. Both users have admin rights on their respective machines, and the share allows all users full access. No users are set to 'deny'.

How can I learn the proper way to deal with permissions on a Windows server when I am clearly a n00b?

bcwinters — Wed, 21 May 2008 12:19:57 -0800

File and folder permissions on Windows Small Business Server 2003: what's the right way to set up a shared folder so it can only be accessed by a particular group? So I'm having a devil of a time setting up permissions on our server at work. I'll try to boil it down to one question.

We have a server running Small Business Server 2003. It's nice and new and shiny.

On the server, we have a D: drive with a folder called "office" that is used for all of our shared files. I have apparently been hit with the Totally Incompetent Stick because I can't for the life of me figure out how to set up a couple of private folders within the share.

I've set up a security group called Personnel. I have added the people who should have access to personnel records to that security group. Now what's the RIGHT way to set a folder so only people in the Personnel group can access it? The way I did it the first time meant that people in that group could open the folder, but then they couldn't access any files or folders within it—and when I went back to the server to try and correct the mistake, my administrator account has been locked out of making changes to any of those files/folders as they no longer seem to have an owner.

Various attempts at reclaiming ownership and resetting permissions have left everything in a confusing state. So I guess what I'm looking for is how to reset a tree of files/folders to a pristine "just the ordinary inherited permissions from above please, kthx" state; how to then properly set their permissions to allow only access from one security group; and how to keep myself from getting into this mess by reading The Most Awesome Book or Website on "How to Grok Windows Permissiony Things" Ever. Thank you.

(I have had a look through this previous post but something about the explanation is just not getting through my thick skull; I may have the admin password but that doesn't make me a real admin.)

OS X file permissions issue

caution live frogs — Tue, 20 May 2008 15:41:37 -0800

OS X Sites folder permissions and a question about flags on the files in bash. What gives? I use my MacBook Pro as a test server, running Apache. I sync my files (two-way sync, using Chronosync) between my Mac and my home Windows system. Sometimes after a sync my test site breaks - I don't have permission to access my own files. Sure, a chmod -R 755 * on my Sites folder fixes it, but why is it happening? I don't need to have files at 755 for them to work on my Linux server, so why does the Mac refuse to deliver any CSS or javascript files unless execute permissions are set?

Finally, this one is driving me nuts: What's the extra flag at the end of the file for in Terminal? When I check file permissions with ls -al some files show as -rwxr-xr-x+, others show as -rwxr-xr-x@, and some are -rwxr-xr-x with no + or @ appended. Nothing I've been able to find online explains what the @ or + flags mean, or why they may be appended to some files but not others. I've never seen similar flags on any Linux system I've used. Should I even care?

I want what's mine

Oktober — Sat, 15 Mar 2008 13:56:45 -0800

Is there any way to bulk-reset the permissions and ownership settings on a volume in Vista? I've attached a data drive (F:) to my system running Vista ultimate, it's been used before on a previous XP and Vista home basic setup, so the security settings are a mess. Files are owned by users that don't exist anymore, inherited permissions are all screwed up, etc. The top of F: is set so that both my Administrator and User accounts have full control, but it's not applying to all of the subdirectories properly. Other than fixing it file by file, is there any way (control panel, command line, utility) to just say that everything under F:/Files/ (for example) is owned by Administrator and User has full control?

Help me keep data out of the wrong hands

Nothing — Thu, 17 Jan 2008 04:35:26 -0800

What are some good resources for designing an access control and permissions system? It has fallen to me to build an access control system from the ground up for my company, now that we have outgrown our previous system. I have a lot of experience with access control systems, but I have never designed one, and I want to make sure I am not missing something important as I go forward.

How to set up group permissions in Windows XP?

Khalad — Wed, 02 Jan 2008 09:23:21 -0800

In Windows, how can I set up a group that has permission to create/edit/delete user accounts? I'm trying to lock down a Windows XP Pro machine as tightly as possible. What I want to do is have a user called 'admin' who users can log in as. This is not a real administrator account; the only thing it should be able to do is create, edit, and delete other user accounts. 'admin' should not have any other extra abilities. The permissions need to be as fine-grained as possible.

This is to meet DoD Navy requirements. My approach until now had been to simply make 'admin' a member of 'Power Users'. But that is not a viable approach since power users can do a whole lot more than just create and delete accounts. The DoD's automated security tool produces gobs of findings about this abuse of 'Power Users'.

So, what I'd like to do is have a group called 'User Administrators', add 'admin' to that group, and set it up so that group has the ability to manage user accounts. This Windows machine is not on a domain and does not have network access, so I only need to (can only) do this using local security policies.

How can I remove items from Wordpress's "Write" SubPanel?

TheDonF — Wed, 14 Nov 2007 07:40:38 -0800

I need to customise Wordpress's "Write" SubPanel to remove all of the advanced options. I'm adapting Wordpress (2.3.1) into a multi-user app and need to hide all of the advanced writing options (discussion, password, slug and so on). I've tried a couple of extensions:

1: custom write panel which doesn't want to play with 2.3.x; and
2: clutter free which does exactly what I want but only on a user-by-user basis rather than hiding things from either everyone or an entire role

I've tried searching the source to see if there's anything obvious in the PHP that I can just comment out, but nothing. The Wordpress manual states there's an option in the admin screens, but that isn't there on my install, which is the latest version of Wordpress.

Hope me.

Help me help users identify themselves properly to mysql

Tuwa — Sat, 29 Sep 2007 16:41:10 -0800

How do I pass this password in the correct form to MySQL? O'Reilly's PHP & MySQL proposes an authentication system with a login form which collects data, sends it to logincheck.php, hashes the password with md5(trim()), and checks it and the username against a function in authenticate.php.

authenticate.php uses the user 'lucy' to check authentication.users for a single correct user/password combination, allows access if there is one and only one match, and redirects the user to login.php if not.

Additional user data is stored in the database 'mysql'. The password there is not hashed with md5 but with the password() function.

I can pass the authentication challenge, getting the message that I am logged in as the user I want to be logged in as, but I can't actually interact with the database. What I get instead is the message "Access denied for user 'Oscar'@'localhost' (using password: YES)."

After far too long thinking about it I've realized that I can't interact with the database because I've got the session password stored as an md5 hash and am passing it back to the other pages, hashed, for all database interactions after login. (I think that's right--it seems intuitively right, since I definitely don't want everyone logged in as root and since the whole point of having additional users is to be able to grant and revoke permissions).

The trouble (I think) is that the mysql table doesn't expect an md5 hash; it expects whatever encryption MySQL's password() function uses.

The password() function works in MySQL but not in PHP.

I can't help feeling that this is an elemental question since the book didn't even go to the trouble of explaining how it's done, but it's been deviling me for the last few days and every site I've consulted seems to take it for granted that people know how to do this. And, well, I don't. So: how do I get the password in the form that MySQL wants it so that the password will match?

Also, is this three-table really the best structure for all this data, and if so, why? With a main database, an authentication database to check against, and an mysql database governing permissions it seems like it would be a chore to add and remove users as necessary. Is this structure necessary because of a security concern? Would it be okay to move the authentication details into the main database and grant 'lucy' SELECT on only that one table?

Read-Only USB drive, WTF?

misha — Sun, 02 Sep 2007 10:10:16 -0800

Can I do anything with this read-only USB flash drive, or should I just write it off as a lost cause? I received a USB flash drive from a sponsor of an event I attended, which I thought was fantastic because I could use the storage space. However, the drive is "read-only". I have a Windows desktop running XP and a MacBook Pro. This is the info my disk utility gave me on the device (with the serial number removed):
Name : USB Flash Disk Media
Type : Disk
Disk Identifier : disk1
Media Name : USB Flash Disk Media
Media Type : Generic
Connection Bus : USB
Connection Type : External
USB Serial Number : xxxxxxxxxxxxxxxxxxx
Partition Type : FDisk_partition_scheme
Locked : Yes
Writable : No
Ejectable : Yes
Mac OS 9 Drivers Installed : No
Location : External
Total Capacity : 126.9 MB (133,038,080 Bytes)
S.M.A.R.T. Status : Not Supported
Disk Number : 1
Partition Number : 0

I don't have any use for the promo stuff on the USB flash drive. So, should I just chuck it, or is there a way to edit the permission from "read-only"? I can't erase it as is. Would it be illegal for me to alter this, anyway? Consider my level of tech savvy to be that of "novice." Thanks!