Permissions

What is the point of a file/folder having an "Owner" if anybody with administrative rights can change the owner, thus allowing them to set permissions for other users/groups? Am I missing something?

I've been playing around with permissions to understand them fully, but that's one thing that I don't get.

I set a folder to only be accessible by my user account (Which is part of the administrators group). Then I went into that folder, and could still change the owner of the files, even though I denied "modify" control over that folder. Even when those "modify" permissions are denied to the whole folder, I can still change the permissions of each file inside of it, so that I can delete it (or change ownership of the files). What's the point?

ALSO, when I review the "Effective Access Permissions" for my user, for that file, it says "Change Ownership" and has an "X" next to it. But, I'm still able to change the ownership of that file. I don't get it. Can anybody shed some light on this? I consider myself pretty knowledgeable about OS's and IT in general (I have Net+, and A+), and some things concerning user permissions just straight out baffle me.

Thanks...

Me denied taking ownership of that file: http://snag.gy/8LYjd.jpg

Me still being able to **change ownership** of the file: http://snag.gy/ghrx0.jpg

Owner has special rights. Depending on the ACL, it might not give you rights to the file or folder, but it should always allow you to manage permissions.

Consider the following:
You have sensitive HR data on a network share. This data should not be viewed by System Administrators, only the HR users. The folder was originally created by a user in the HR Users Group, so the Owner of the folder is UserA.

Administrator1 changes the permissions on the folder to only allow the HR Users Group to have access to the folder.

UserA decides to manage permissions. They mistakenly remove the HR Users Group from the Access Control List. This effectively removes all permissions to the data.

At this point, without being able to take ownership of the folder and grant access correctly, you are locked out of your data.


Taking Ownership is very important to a File Server Administrator. In my career, I've seen many administrators fired for abusing this sort of permission. It's a back door into the file system as a last resort and it should not be abused.

If the data truly should not be viewed by an administrator, it should be encrypted. However, even some encryption methods can be unencrypted by an administrator...

This page: http://technet.microsoft.com/en-us/library/cc732880.aspx

It says that in order for someone to even be ABLE to change permissions, that "Full Control" permissions need to be set. However, in my case, the directory that I'm playing around with doesn't have Full Control. It only has read, write, and RW/Execute. How am I able to even change permissions for these files at all?

I must be missing something, but i have no idea what it is.

Picture of the folder attributes (Showing lack of "Full Control"), but effective access permissions still saying that I'm able to change file permissions: http://snag.gy/kHiGo.jpg

So ANY administrator can change the ownership of any file/folder? Yeah, I can see what you're saying. I just didn't think it would be like that. I also understand that only the owner can change permissions on the file/folder.... ALWAYS. That's what I wasn't getting. Even if the user IS the owner, and that user is denied access, they still ultimately have full control over the file, since they're the owner. Permissions don't really apply to the owner. I get it. I think? Is that correct?

Correction: Permissions DO apply to the owner, except the owner can circumvent this, by changing permissions to allow them to delete the file, etc. Alright, I think I got it.

Correct me if I am wrong, though.

One more thing though: Why are the effective access permissions saying I cannot take ownership of the file, even when I'm already the owner, as shown here: http://snag.gy/jzfzG.jpg ? (This also happens on files where I am not currently the owner, but have administrative rights and *can* take ownership... but it's saying I can't... which is weird. Why does it say that?

Update: Yeah...I think I understand *everything* now... except the fact that effective access permissions say I can't "take ownership"... even when I can.

This is part of why in general you shouldn't have users running as Administrators and should have them running as standard users instead.