NTFS Permissions - Create Files and Folder but prevent Deletion and Modification

Solution 1:

Through a process of trial and error, I have found that NOT granting 'Write Attributes' has the effect of preventing a user from modifying/deleting existing files (which is what I want). However, I would really like an explanation as to precisely why this works.

This is a function of precisely how a file modification occurs. When you modify a file, the operating system doesn't actually modify the file you're editing. It replaces the file you're editing with the copy you changed. So, essentially, a file modification takes a copy of the original file, loads it into memory (where you modify it), deletes the original file, and creates a new file with the same name in the same place. This is why NTFS Delete permissions are required to modify files - in fact, if you check the Advanced permissions on an NTFS object, there is no Modify permission - a modification is really just a delete and a write.

So, in order to create that new copy of a file, it has to write the file attributes of this new file... and, of course, writing attributes requires the Write attributes NTFS permission. So that is why you can't modify a file without having the Write attributes NTFS permission.

Specifically, thanks to a chat with Fitzroy: the NTFS file attribute that needs to be written under the user's security context when modifying a file (but not when creating a completely new one), and which can't be written without the Write Attributes permission, would be the file's LastModificationTime. This is part of the Standard Information attribute, according to one of the Microsoft Core Team developers.

Solution 2:

It's true: not having the 'Write Attributes' permission results in the user being unable to modify their files. And according to Microsoft documentation it doesn't make sense. But modifying a file doesn't imply deletion and recreation of it. When an application opens a file for modification, the operating system doesn't delete the file. What the OS does is lock the file to prevent concurrent modification. My guess is that locking the file falls under the 'changing file attributes' concept. Thus, not being able to change attributes results in not being able to modify the file.

For the second part of your question, I can't reproduce that. There are two different permissions which apply to a folder: 'Create Files/...' and 'Create Folders/...' and they worked according to documentation during my tests.
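The permission set both answers discuss, as an added PowerShell example (not code from either answer): it grants a group the rights to create files and folders while withholding Write Attributes and Delete, then reads the resulting ACE back and flags any of the withheld rights that are still present. The folder path and group name are placeholders.

```powershell
# Added example, not from the answers above. $Path and $Account are placeholders.
$Path    = 'D:\DropFolder'          # placeholder: folder users may add to but not change
$Account = 'DOMAIN\Contributors'    # placeholder: group receiving the rights
$FSR     = [System.Security.AccessControl.FileSystemRights]

# Rights to grant. Note that CreateFiles is the same bit as WriteData and
# CreateDirectories is the same bit as AppendData, so "create but not modify"
# cannot be expressed with those bits alone; that is why the answers rely on
# withholding Write Attributes (and Delete) instead.
$Granted = $FSR::CreateFiles -bor $FSR::CreateDirectories -bor $FSR::ListDirectory -bor
           $FSR::ReadAttributes -bor $FSR::ReadPermissions -bor $FSR::Synchronize
# Deliberately absent: WriteAttributes, WriteExtendedAttributes, Delete,
# DeleteSubdirectoriesAndFiles.

$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Account, $Granted,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$Acl = Get-Acl -Path $Path
$Acl.SetAccessRule($Rule)     # replaces any existing Allow ACE for $Account
Set-Acl -Path $Path -AclObject $Acl

# Review step: list the Allow ACEs for the account and name any right that
# must stay absent for the "create only" intent to hold.
function Test-NoModifyRights {
    param([string]$Path, [string]$Account)
    $Forbidden = 'WriteAttributes', 'Delete', 'DeleteSubdirectoriesAndFiles'
    $Aces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    foreach ($ace in $Aces) {
        $present = foreach ($f in $Forbidden) {
            if (($ace.FileSystemRights -band $FSR::$f) -ne 0) { $f }
        }
        [pscustomobject]@{
            Rights     = $ace.FileSystemRights
            Violations = ($present -join ', ')
        }
    }
}
Test-NoModifyRights -Path $Path -Account $Account
```

Run it in an elevated session against a test folder first; an empty Violations column means the ACE matches the intent described in the answers.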