Vista security message



  • I know we've all seen our share of Windows Vista WTFs, but I thought this one was exceptional.

     From theregister.co.uk:
     

     

     

    Perfect example of a truly broken and poorly thought out security model. 



  • Well, you...er... just change the permission settings to give yourself the permission to view the permission settings, and then you can... find out what it is you just changed. Or something.

     



  • I may be wrong, but I think what it is, is that you can take ownership of the object, then change permissions to give yourself permission.

    But, you can't see who is the current owner, or give the ownership back to them.

    So, you CAN get access - eg because you're the administrator of the system, but you have to decide whether you should - because whoever is the current object owner will be able to tell what you've done.

    Eg, 'fred' used to be a user on your network, and had restricted access to all his files to himself. Windows allows this, rightly IMHO. Even administrators can't see the files. (If 'fred' was a lawyer or HR or whatever this might be appropriate).

    But, then, 'fred' leaves the company - you have to be able to delete the files somehow - so this gives you that facility. But,  you can't hide the fact that you've done something to the permissions as you'll now be the owner, and people can only 'take' ownership, not 'give' it back.




  • @kimos said:

    I know we've all seen our share of Windows Vista WTFs, but I thought this one was exceptional.

     From theregister.co.uk:
     

     

     

    Perfect example of a truly broken and poorly thought out security model. 

    It's not THAT weird: log in as administrator, create a new Temp folder, and in Security remove all users. You don't have permission to the folder anymore, but you can still change them :P (Same thing with the ownership.)
     

    It would be like chmodding to 000. 



  • @pscs said:

    I may be wrong, but I think what it is, is that you can take ownership of the object, then change permissions to give yourself permission.

    Indeed. This also applies if you reinstall Windows, you need to reclaim ownership of your files.

    The text on the dialog box does look rather strange when taken out of context, though. I leave you with another amusing Windows error that still crops up in Vista:



    (Caused by trying to read a damaged CD).



  • Actually you can give ownership back, which makes that "ownership" feature completely useless. Search for "subinacl"



  • This reminds me of giving a Linux file 0722 permission -- all users can write to it, but they can't read it.
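
The two Unix comparisons in this thread (chmod 000 and mode 0722) both follow from how POSIX picks exactly one permission class per caller and lets the owner chmod regardless of the mode. The Python model below is an added example, not part of the original posts; the uids, gids and function names are made up for illustration, and ACLs and capabilities are ignored.

```python
import stat

# Constructed sample identities (assumptions for illustration only).
ALICE = {"uid": 1000, "gids": {1000}}   # file owner
BOB = {"uid": 1001, "gids": {1001}}     # unrelated user
ROOT = {"uid": 0, "gids": {0}}
FILE_OWNER_UID, FILE_OWNER_GID = 1000, 1000
BIT = {"r": 4, "w": 2, "x": 1}


def class_bits(mode, who):
    """Return the one rwx triplet that applies: owner, else group, else other."""
    if who["uid"] == FILE_OWNER_UID:
        return (mode >> 6) & 7      # first match wins, even if it grants less
    if FILE_OWNER_GID in who["gids"]:
        return (mode >> 3) & 7
    return mode & 7


def may_access(mode, who, want):
    """Simplified POSIX check for a regular file; want is a subset of 'rwx'."""
    if who["uid"] == 0:
        # root bypasses r/w checks; execute needs at least one x bit set.
        return "x" not in want or bool(mode & 0o111)
    need = sum(BIT[c] for c in want)
    return (class_bits(mode, who) & need) == need


def may_chmod(who):
    """Only the owner (or root) may change the mode, whatever the mode says."""
    return who["uid"] in (0, FILE_OWNER_UID)


def report(mode):
    """Summarise who can read, write and chmod a file with this mode."""
    return {
        "ls": stat.filemode(stat.S_IFREG | mode),
        "owner_read": may_access(mode, ALICE, "r"),
        "other_read": may_access(mode, BOB, "r"),
        "other_write": may_access(mode, BOB, "w"),
        "owner_chmod": may_chmod(ALICE),
        "other_chmod": may_chmod(BOB),
    }


if __name__ == "__main__":
    for m in (0o722, 0o000, 0o077):
        print(oct(m), report(m))
```

Mode 0o077 is included to show the first-match rule: the owner is denied even though every other user is granted access.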



  • This was an error'd once, I think. Or maybe it was part of some other site. I can't be bothered to look it up, I'm tired and lazy.......................



  • @pscs said:

    I may be wrong, but I think what it is, is that you can take ownership of the object, then change permissions to give yourself permission.

    But, you can't see who is the current owner, or give the ownership back to them.

    So, you CAN get access - eg because you're the administrator of the system, but you have to decide whether you should - because whoever is the current object owner will be able to tell what you've done.

    Eg, 'fred' used to be a user on your network, and had restricted access to all his files to himself. Windows allows this, rightly IMHO. Even administrators can't see the files. (If 'fred' was a lawyer or HR or whatever this might be appropriate).

    But, then, 'fred' leaves the company - you have to be able to delete the files somehow - so this gives you that facility. But,  you can't hide the fact that you've done something to the permissions as you'll now be the owner, and people can only 'take' ownership, not 'give' it back.


     

    The real WTF is that the message in the dialog is confusing. It should say "You don't have permissions to view Properties on the file" and have a Change Permissions button.



  • What the hell does "all current items" mean? Was the checkbox text supposed to read "Do this for all items in this copy operation"?

    It's disgusting to see so little QA at Microsoft.



  • @benryves said:

    @pscs said:
    I may be wrong, but I think what it is, is that you can take ownership of the object, then change permissions to give yourself permission.

    Indeed. This also applies if you reinstall Windows, you need to reclaim ownership of your files.

    The text on the dialog box does look rather strange when taken out of context, though. I leave you with another amusing Windows error that still crops up in Vista:



    (Caused by trying to read a damaged CD).

    What does that even mean? What's an "Invalid MS-DOS function"?

    I once got this error in Windows XP:

    And still have no clue what it's meant to mean.



  • It's strange but I don't think it's really broken.  The last assignment in my Server 2003 class involved locking down a specific directory as much as possible.  I think I did it right, but it's kind of hard to tell since only the teacher has permission to do anything with it.



  • This might just occasionally be useful. For example, creating logfiles, or a mail/print spool. Yes, there are much better ways of doing it.

    Anyway, at least under Linux, you have to be deliberately trying to shoot yourself in the foot to get it that way.
     



  • This reminds me of Write-Only Memory. Though, it would make a little sense in a UNIX system, IMHO, if you had something like a logfile where all users would dump info, but only root would read it.



  • @Renan_S2 said:

    Though, it would make a little sense in a UNIX system, IMHO, if you had something like a logfile where all users would dump info, but only root would read it.

    It's an old idea, but it doesn't actually work, because there's no good way to synchronise on the message boundaries - a few very old systems tried it for logs, and thSyslog is an example of how to do it right.ey tended to get one message stuffed into the middle of another.



  • @asuffield said:

    ... and thSyslog ... right.ey tended ...

    Oh, oh, if only this is true! Could it be, that I'm not the only person for which Firefox processes input events out of sequence, putting key events in front of mouse events? Click then type can end up as type then click, with the text miles from where it should be.

    Of course, there's a million other explanations but it's always good to know that I'm not alone in experiencing a certain bug, that it's not just my shitty PC doing it.

    It's nice to see, though, that Vista has Try Again for random Explorer errors like "Invalid MS-DOS function" and "Error performing inpage operation" (!)



  • @Daniel Beardsmore said:

    @asuffield said:
    ... and thSyslog ... right.ey tended ...

    Oh, oh, if only this is true! Could it be, that I'm not the only person for which Firefox processes input events out of sequence, putting key events in front of mouse events? Click then type can end up as type then click, with the text miles from where it should be.

    Of course, there's a million other explanations but it's always good to know that I'm not alone in experiencing a certain bug, that it's not just my shitty PC doing it.

    I don't think that is in any way related.

