September 24th, 2013

Wait, so does moving a file recalculate inherited permissions or doesn't it?

A customer had a question about whether moving a file recalculated inherited permissions. They found that on their Windows Server 2008 R2 machine, if they moved a file between directories with different inheritable ACEs, then the security descriptor is recalculated to match the destination folder, if they perform the move from the machine itself. The same thing happens if they go to a machine running Windows 7, However, if they repeat the experiment from a machine running Windows XP or Windows Server 2003, then the security descriptor is preserved across the move. The customer is confused. Why does the behavior change based on the version of Windows running on the client, even though the files themselves are kept on the same server? The explanation is given in a few places:

Even with these explanations, the customer remained confused. “Why does the permission depend on the operating system running on the client? The files are on the server, so regardless of the client operating system, it should be following the rules which apply to the server, right?” There are two different operations here. Suppose I told you, “When you buy clothes from the store, it will have the store sticker on it. You must remove the sticker yourself, and you should also wash the clothes before wearing it the first time, because the store puts powder in the bag to keep the clothes from getting moldy.” You then say, “That is not true. When I go to my closet to get clothes I recently bought from the store, the store stickers are already gone, and there is no powder.” That’s because you live with your parents, and your mother takes your clothes, removes the stickers, washes the clothes, and then hangs them up in your closet. The underlying file system “move” operation preserves the ACLs from the source. On the other hand, if you use Explorer to move the files, then you are not using the underlying file system “move” operation directly. Your mother is moving the files. And when mother Explorer moves the files, she also edits the ACLs based on the nature of the source and destination folders, as described in the aforementioned Knowledge Base articles. Furthermore, different versions of mother Explorer edit the ACLs in different ways. That is why the behavior is dependent upon the client operating system. When you move the file from a client machine connected to the server, the client machine asks the server to move the files (which preserve the ACLs since that’s what the low-level “move” operation does), and then the client machine goes back in and edits the ACLs in a client-specific way.

It is therefore the client operating system which controls how the ACL editing is performed, because it is the client operating system which is editing the ACLs.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.