| Author |
Message |
Will
Guest
|
 Posted:
Mon Oct 31, 2005 9:51 am Post subject:
Write Attributes and Write Extended Attributes |
|
|
Can someone explain to me why many Windows 2000 applications appear to
require that anyone with read and execute permission has "write attributes"
and "write extended attributes" permissions enabled? When I turn on
auditing, I see hundreds of messages in the eventviewer security log for
nearly everyone in the Users group for failing to acquire needed permissions
on cmd.exe, shell32.dll, etc. In examining the permission list that the
users need, the only permissions we have failed to enable for users are
"write attributes" and "write extended attributes". Those permissions
don't seem like something you would want to give users for every file on the
system, and I'm perplexed why Windows would need such permissions on many of
its applications.
--
Will |
|
| Back to top |
|
 |
Roger Abell [MVP]
Guest
|
| Posted:
Tue Nov 01, 2005 1:50 pm Post subject:
Re: Write Attributes and Write Extended Attributes |
|
|
I do not believe that Windows does need such permissions, as you have
stated. When I enable logging similarly I do not get what you indicate
in the event log. Thus, I am thinking it is some other aspect of the total
system load, MS plus other software, that is operative here. It used to
be pretty common to see software developers being lazy and not using
a minimal list of requested accesses when getting handles to things, and
that is MS and third-party developers, so perhaps there is some such
residual older software installed ??
"Will" <westes-usc@noemail.nospam> wrote in message
news:e4%23082f3FHA.4076@TK2MSFTNGP15.phx.gbl...
| Quote: | Can someone explain to me why many Windows 2000 applications appear to
require that anyone with read and execute permission has "write
attributes"
and "write extended attributes" permissions enabled? When I turn on
auditing, I see hundreds of messages in the eventviewer security log for
nearly everyone in the Users group for failing to acquire needed
permissions
on cmd.exe, shell32.dll, etc. In examining the permission list that the
users need, the only permissions we have failed to enable for users are
"write attributes" and "write extended attributes". Those permissions
don't seem like something you would want to give users for every file on
the
system, and I'm perplexed why Windows would need such permissions on many
of
its applications.
--
Will
|
|
|
| Back to top |
|
|
Will
Guest
|
| Posted:
Mon Nov 07, 2005 9:51 am Post subject:
Re: Write Attributes and Write Extended Attributes |
|
|
So what is the workaround to a badly behaved application? I assume it is
setting some environment setting that is inherited whenever it starts some
process? It really does pollute the event log to see constand security
messages of this kind.
--
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OgW86Wu3FHA.636@TK2MSFTNGP10.phx.gbl...
| Quote: | I do not believe that Windows does need such permissions, as you have
stated. When I enable logging similarly I do not get what you indicate
in the event log. Thus, I am thinking it is some other aspect of the
total
system load, MS plus other software, that is operative here. It used to
be pretty common to see software developers being lazy and not using
a minimal list of requested accesses when getting handles to things, and
that is MS and third-party developers, so perhaps there is some such
residual older software installed ??
"Will" <westes-usc@noemail.nospam> wrote in message
news:e4%23082f3FHA.4076@TK2MSFTNGP15.phx.gbl...
Can someone explain to me why many Windows 2000 applications appear to
require that anyone with read and execute permission has "write
attributes"
and "write extended attributes" permissions enabled? When I turn on
auditing, I see hundreds of messages in the eventviewer security log for
nearly everyone in the Users group for failing to acquire needed
permissions
on cmd.exe, shell32.dll, etc. In examining the permission list that
the
users need, the only permissions we have failed to enable for users are
"write attributes" and "write extended attributes". Those permissions
don't seem like something you would want to give users for every file on
the
system, and I'm perplexed why Windows would need such permissions on
many
of
its applications.
--
Will
|
|
|
| Back to top |
|
|
Roger Abell [MVP]
Guest
|
| Posted:
Mon Nov 07, 2005 9:51 pm Post subject:
Re: Write Attributes and Write Extended Attributes |
|
|
At the API level an application can state what permissions
it wants, and it gets back a list of what was avaiable.
Lazy authors just ask for everything, hence failures.
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:sMmdnbU3_eQfQfPeRVn-qg@giganews.com...
| Quote: | So what is the workaround to a badly behaved application? I assume it is
setting some environment setting that is inherited whenever it starts some
process? It really does pollute the event log to see constand security
messages of this kind.
--
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OgW86Wu3FHA.636@TK2MSFTNGP10.phx.gbl...
I do not believe that Windows does need such permissions, as you have
stated. When I enable logging similarly I do not get what you indicate
in the event log. Thus, I am thinking it is some other aspect of the
total
system load, MS plus other software, that is operative here. It used to
be pretty common to see software developers being lazy and not using
a minimal list of requested accesses when getting handles to things, and
that is MS and third-party developers, so perhaps there is some such
residual older software installed ??
"Will" <westes-usc@noemail.nospam> wrote in message
news:e4%23082f3FHA.4076@TK2MSFTNGP15.phx.gbl...
Can someone explain to me why many Windows 2000 applications appear to
require that anyone with read and execute permission has "write
attributes"
and "write extended attributes" permissions enabled? When I turn on
auditing, I see hundreds of messages in the eventviewer security log
for
nearly everyone in the Users group for failing to acquire needed
permissions
on cmd.exe, shell32.dll, etc. In examining the permission list that
the
users need, the only permissions we have failed to enable for users are
"write attributes" and "write extended attributes". Those permissions
don't seem like something you would want to give users for every file
on
the
system, and I'm perplexed why Windows would need such permissions on
many
of
its applications.
--
Will
|
|
|
| Back to top |
|
|
Will
Guest
|
| Posted:
Tue Nov 08, 2005 1:50 am Post subject:
Re: Write Attributes and Write Extended Attributes |
|
|
I'm looking for possible workarounds for lazy software. One possible
workaround: Microsoft has a Compatibility tab on the startup properties
dialog for each EXE, and maybe we could set this to Windows 95, etc.?
--
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:eVQXkI#4FHA.1956@TK2MSFTNGP09.phx.gbl...
| Quote: | At the API level an application can state what permissions
it wants, and it gets back a list of what was avaiable.
Lazy authors just ask for everything, hence failures.
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:sMmdnbU3_eQfQfPeRVn-qg@giganews.com...
So what is the workaround to a badly behaved application? I assume it
is
setting some environment setting that is inherited whenever it starts
some
process? It really does pollute the event log to see constand security
messages of this kind.
--
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OgW86Wu3FHA.636@TK2MSFTNGP10.phx.gbl...
I do not believe that Windows does need such permissions, as you have
stated. When I enable logging similarly I do not get what you indicate
in the event log. Thus, I am thinking it is some other aspect of the
total
system load, MS plus other software, that is operative here. It used
to
be pretty common to see software developers being lazy and not using
a minimal list of requested accesses when getting handles to things,
and
that is MS and third-party developers, so perhaps there is some such
residual older software installed ??
"Will" <westes-usc@noemail.nospam> wrote in message
news:e4%23082f3FHA.4076@TK2MSFTNGP15.phx.gbl...
Can someone explain to me why many Windows 2000 applications appear
to
require that anyone with read and execute permission has "write
attributes"
and "write extended attributes" permissions enabled? When I turn on
auditing, I see hundreds of messages in the eventviewer security log
for
nearly everyone in the Users group for failing to acquire needed
permissions
on cmd.exe, shell32.dll, etc. In examining the permission list that
the
users need, the only permissions we have failed to enable for users
are
"write attributes" and "write extended attributes". Those
permissions
don't seem like something you would want to give users for every file
on
the
system, and I'm perplexed why Windows would need such permissions on
many
of
its applications.
--
Will
|
|
|
| Back to top |
|
|
Roger Abell [MVP]
Guest
|
| Posted:
Sat Nov 12, 2005 9:50 am Post subject:
Re: Write Attributes and Write Extended Attributes |
|
|
I do not believe you will find any joy for this issue down that road.
Mostly the app comp tab says, expect this to issue API calls that
are no longer right, which same you will need to remap to the
current APIs. It is not likely to adjust parameters to valid API
calls for acquiring file handles.
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:GLqdnWHjMMg_c_LeRVn-iw@giganews.com...
| Quote: | I'm looking for possible workarounds for lazy software. One possible
workaround: Microsoft has a Compatibility tab on the startup properties
dialog for each EXE, and maybe we could set this to Windows 95, etc.?
--
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:eVQXkI#4FHA.1956@TK2MSFTNGP09.phx.gbl...
At the API level an application can state what permissions
it wants, and it gets back a list of what was avaiable.
Lazy authors just ask for everything, hence failures.
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:sMmdnbU3_eQfQfPeRVn-qg@giganews.com...
So what is the workaround to a badly behaved application? I assume it
is
setting some environment setting that is inherited whenever it starts
some
process? It really does pollute the event log to see constand security
messages of this kind.
--
Will
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OgW86Wu3FHA.636@TK2MSFTNGP10.phx.gbl...
I do not believe that Windows does need such permissions, as you have
stated. When I enable logging similarly I do not get what you
indicate
in the event log. Thus, I am thinking it is some other aspect of the
total
system load, MS plus other software, that is operative here. It used
to
be pretty common to see software developers being lazy and not using
a minimal list of requested accesses when getting handles to things,
and
that is MS and third-party developers, so perhaps there is some such
residual older software installed ??
"Will" <westes-usc@noemail.nospam> wrote in message
news:e4%23082f3FHA.4076@TK2MSFTNGP15.phx.gbl...
Can someone explain to me why many Windows 2000 applications appear
to
require that anyone with read and execute permission has "write
attributes"
and "write extended attributes" permissions enabled? When I turn
on
auditing, I see hundreds of messages in the eventviewer security log
for
nearly everyone in the Users group for failing to acquire needed
permissions
on cmd.exe, shell32.dll, etc. In examining the permission list
that
the
users need, the only permissions we have failed to enable for users
are
"write attributes" and "write extended attributes". Those
permissions
don't seem like something you would want to give users for every
file
on
the
system, and I'm perplexed why Windows would need such permissions on
many
of
its applications.
--
Will
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in