DATE: COMMAND SOURCE: AUTHOR: delete SYSTEMS AFFECTED WinNT PROBLEM There is a bug in NTFS permissions. If you set a file to R (read-only) access for Everyone, users can still delete the file although Everyone lacks D (delete) access. It doesn't matter _who_ it is set to read-only. The file can be read-only administrators, and you can still delete it. Plus, even if you go into "special" permissions", and remove the execute flag, it can _still_ be deleted. [c:\]cacls foo C:\foo BUILTIN\Administrators:R [c:\]del foo Deleting C:\foo 1 file deleted 1,536 bytes freed [c:\]dir foo Volume in drive C is unlabeled Serial number is 8494:9621 4DOS/NT: The system cannot find the file specified. "C:\foo" bytes in 0 files and 0 dirs 265,867,776 bytes free This has extremely serious implications cos this would allow any user who has read access to a file to delete it, and replace it with a trojan. It's a characteristic of directories that allow anyone with "Full Control" permission on that directory to delete files in that directory, regardless of the protections set on the file itself. The idea is that if you have full control over a directoty, that includes removing files from that directory (i.e., deleting them). In this regards, deleting the file is considered a directory operation, not a file operation. EXPLOIT SOLUTION "Apparently, MS has no plans to fill this hole." -From Ctrl-Alt-Del column, pg 184., so you are on your own! Note that this *doesn't* happen if you have RWXDPO permissions on the directory. If you have Full Control, then you have an additional (hidden) permission called File Delete Child (FDC). There is no explicit mechanixm to disable FDC - you have to change permissions from Full Control to RWXDPO.