DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  delete 

SYSTEMS AFFECTED

  WinNT
  

PROBLEM


    There is a bug in NTFS permissions.  If you set a file to R
    (read-only) access for Everyone, users can still delete the file
    although Everyone lacks D (delete) access.  It doesn't matter
    _whose_ access is set to read-only: the file can be read-only even
    for Administrators, and you can still delete it.  Plus, even if you
    go into "special" permissions and remove the execute flag, it
    can _still_ be deleted.

        [c:\]cacls foo
        C:\foo BUILTIN\Administrators:R

        [c:\]del foo
        Deleting C:\foo
             1 file deleted          1,536 bytes freed

        [c:\]dir foo

     Volume in drive C is unlabeled      Serial number is 8494:9621
    4DOS/NT: The system cannot find the file specified.
     "C:\foo"
                    bytes in 0 files and 0 dirs
        265,867,776 bytes free

    This has extremely serious implications because it would allow any
    user who has read access to a file to delete it, and replace it
    with a trojan.

    This is a characteristic of directories: anyone with "Full Control"
    permission on a directory can delete files in that directory,
    regardless of the protections set on the file itself.  The idea is
    that if you have full control over a directory, that includes
    removing files from that directory (i.e., deleting them).  In this
    regard, deleting the file is considered a directory operation, not
    a file operation.



EXPLOIT

  

SOLUTION


    "Apparently, MS has no plans to fill this hole."
    -From Ctrl-Alt-Del column, pg 184., so you are on your own!

    Note that this *doesn't* happen if you have RWXDPO permissions on
    the directory.  If you have Full Control, then you have an
    additional (hidden) permission called File Delete Child (FDC).
    There is no explicit mechanism to disable FDC - you have to
    change permissions from Full Control to RWXDPO.
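
    As an added example (not part of the original advisory), the
    PowerShell script below does on a modern Windows host what the
    advisory tells you to do by hand on NT: it walks a directory tree,
    reports every explicit Allow ACE that carries the hidden File Delete
    Child right (FileSystemRights::DeleteSubdirectoriesAndFiles), and
    with -Fix replaces each such entry with the RWXDPO set, which is the
    same rights minus FDC.  The default $Root path and the -Fix switch
    are assumptions of this example, not anything the advisory names.

```powershell
# Added example: audit a directory tree for ACEs granting File Delete Child (FDC)
# and optionally replace Full Control with RWXDPO (which lacks FDC).
# Assumptions: run as an administrator on an NTFS volume; $Root is a placeholder.
param(
    [string]$Root = 'C:\Data',   # placeholder root directory to audit (assumption)
    [switch]$Fix                 # without -Fix the script only reports
)

$Rights = [System.Security.AccessControl.FileSystemRights]
$FDC    = $Rights::DeleteSubdirectoriesAndFiles   # the hidden "File Delete Child" bit

# RWXDPO: Read, Write, eXecute, Delete, change Permissions, take Ownership.
# ReadAndExecute already covers R and X; FDC is deliberately absent.
$Rwxdpo = $Rights::ReadAndExecute -bor $Rights::Write -bor $Rights::Delete -bor
          $Rights::ChangePermissions -bor $Rights::TakeOwnership

function Test-FdcAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Only an Allow ACE grants the right; a Deny ACE listing it is harmless.
    return ($Ace.AccessControlType -eq 'Allow') -and
           (($Ace.FileSystemRights -band $FDC) -eq $FDC)
}

# Audit the root itself plus every subdirectory (hidden ones included).
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)

foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Explicit ACEs only: an inherited ACE has to be fixed on the directory
    # that defines it, which this loop reaches on its own.
    $fdcAces = @($acl.Access | Where-Object { -not $_.IsInherited -and (Test-FdcAce $_) })

    foreach ($ace in $fdcAces) {
        "{0}: {1} holds File Delete Child via '{2}'" -f
            $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights

        if ($Fix) {
            # Same identity, inheritance and propagation flags; only the rights change.
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, $Rwxdpo, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            [void]$acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($newAce)
        }
    }

    if ($Fix -and $fdcAces.Count -gt 0) {
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```

    Run it once without -Fix to see which principals can delete files
    they have no D access to; only then rerun with -Fix.  The rights
    value is kept in a single variable so that the one thing the
    advisory is about, the absent FDC bit, is visible in a single line.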