DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  delete 


SYSTEMS AFFECTED

  WinNT

  

PROBLEM


    There is a bug in NTFS permissions. If you set a file to R
    (read-only) access for Everyone, users can still delete the file
    although Everyone lacks D (delete) access. It doesn't matter
    _who_ it is set to read-only for. The file can be read-only for
    administrators, and you can still delete it. Plus, even if you
    go into "special permissions" and remove the execute flag, it
    can _still_ be deleted.

        [c:\]cacls foo
        C:\foo BUILTIN\Administrators:R

        [c:\]del foo
        Deleting C:\foo
             1 file deleted          1,536 bytes freed

        [c:\]dir foo

         Volume in drive C is unlabeled      Serial number is 8494:9621
        4DOS/NT: The system cannot find the file specified.
         "C:\foo"
                        bytes in 0 files and 0 dirs
            265,867,776 bytes free

    This has extremely serious implications because it would allow any
    user who has read access to a file to delete it and replace it
    with a trojan.

    It's a characteristic of directories that anyone with "Full
    Control" permission on a directory can delete files in that
    directory, regardless of the protections set on the file itself.
    The idea is that if you have full control over a directory, that
    includes removing files from that directory (i.e., deleting
    them). In this regard, deleting the file is considered a
    directory operation, not a file operation.

EXPLOIT

  

SOLUTION

    "Apparently, MS has no plans to fill this hole."
    -From Ctrl-Alt-Del column, pg 184., so you are on your own!

    Note that this *doesn't* happen if you have RWXDPO permissions on
    the directory. If you have Full Control, then you have an
    additional (hidden) permission called File Delete Child (FDC).
    There is no explicit mechanism to disable FDC - you have to
    change permissions from Full Control to RWXDPO.
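
    The arithmetic behind the note above, as an added example that is
    not part of the original advisory: it uses the documented winnt.h
    access-mask values to show that Full Control and RWXDPO differ only
    in FILE_DELETE_CHILD, and models the delete check (DELETE on the
    file, or FILE_DELETE_CHILD on the parent directory). The mapping of
    the R/W/X/D/P/O letters to masks, the directory names and the
    sample ACLs are assumptions; deny entries and privileges are not
    modelled.

```python
# Added illustration, not from the advisory. Mask values are the documented
# winnt.h constants; the letter-to-mask mapping and sample ACLs are assumptions.
FILE_DELETE_CHILD = 0x000040  # directory right: remove any entry in it
DELETE = 0x010000
FILE_ALL_ACCESS = 0x1F01FF    # "Full Control"
LETTERS = {
    "R": 0x120089,  # FILE_GENERIC_READ
    "W": 0x120116,  # FILE_GENERIC_WRITE
    "X": 0x1200A0,  # FILE_GENERIC_EXECUTE
    "D": DELETE,
    "P": 0x040000,  # WRITE_DAC (change permissions)
    "O": 0x080000,  # WRITE_OWNER (take ownership)
}

def mask_from_letters(letters):
    """Combine permission letters such as 'RWXDPO' into one access mask."""
    mask = 0
    for letter in letters:
        mask |= LETTERS[letter]
    return mask

def granted(acl, sids):
    """OR the allow masks of every ACL entry whose principal the caller holds.
    Deny entries and privileges are deliberately not modelled."""
    mask = 0
    for principal, allowed in acl.items():
        if principal in sids:
            mask |= allowed
    return mask

def can_delete(file_acl, dir_acl, sids):
    """Deletion needs DELETE on the file or FILE_DELETE_CHILD on its parent."""
    if granted(file_acl, sids) & DELETE:
        return True, "DELETE on file"
    if granted(dir_acl, sids) & FILE_DELETE_CHILD:
        return True, "FILE_DELETE_CHILD on parent directory"
    return False, "denied"

def audit(dir_acls):
    """Return (directory, principal) pairs whose entry carries FILE_DELETE_CHILD."""
    return sorted((d, p) for d, acl in dir_acls.items()
                  for p, m in acl.items() if m & FILE_DELETE_CHILD)

# Constructed sample: the file from the advisory, under two directory ACLs.
FOO_ACL = {"BUILTIN\\Administrators": mask_from_letters("R")}
CALLER = {"Everyone", "BUILTIN\\Administrators"}
DIRS = {"C:\\loose": {"Everyone": FILE_ALL_ACCESS},
        "C:\\tight": {"Everyone": mask_from_letters("RWXDPO")}}
```

    audit(DIRS) lists only the directory whose entry still carries
    FILE_DELETE_CHILD, which is the one to change from Full Control to
    RWXDPO.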