KpyM Telnet/SSH Server - Forum
Can't cd to folders with Deny Delete NTFS permissions
flabdablet Can't cd to folders with Deny Delete NTFS permissions
 
While playing with KpyM to evaluate it as a possible remote access solution to a school file server by teaching staff, I've found that it won't let me cd to any NTFS folder affected by Deny Delete NTFS permissions.

For example, the folder tree on curricserver contains

/e$/home/classes/4n/Documents/My Pictures

Deny Delete NTFS permissions applied (explicitly and non-recursively) to the 4n and Documents folders to stop accidents from happening. When I ssh or sftp to 4n@curricserver, I can successfully cd to any of

/e$
/e$/home
/e$/home/classes
/e$/home/classes/4n/Documents/My Pictures

but attempts to cd to either of

/e$/home/classes/4n
/e$/home/classes/4n/Documents

cause "can't canonicalize" errors in an sftp client, or "access denied" errors in cmd via ssh.

Both problematic folders are accessible using Windows native tools; there's no problem with access via GUI or cmd for local logons or Windows file shares.

Does the KpyM engine simply assume that the existence of *any* Deny permission is enough to refuse access, or is it in fact attempting to create a file in any folder it cd's into, or is something else going on?


flabdablet
 
Please ignore this error report. Turns out that my file server is currently littered with weirdly broken ACLs, probably due to bugs in Microsoft's icacls utility. Adding and then immediately removing a dummy permission entry to the affected folders using the GUI Security tab makes KpyM work just fine.


flabdablet
 
Also, it turns out I was misled about the ability to access the affected folders via cmd. If I'm logged on to the file server as the administrator, and bring up a cmd window using

runas /user:blarg cmd

where blarg is the same username I was using to log on via KTS, I see exactly the same broken behavior I got before without any KTS involvement at all.

What seems to be causing the trouble is that asking icacls.exe to create a Deny ACE always silently adds Deny Synchronize to whatever Deny controls were specified on the command line. With Deny Synchronize included in the DACL for a given folder, I see the trouble originally reported; without it (which is what happens after using the GUI to create the required Deny Delete permission) everything works.

So now I'm busily fartarsing about with WMI and jscript to write a Deny Delete tool that actually does what I want, and swearing at Microsoft *again*, and thinking fond thoughts about KTS which in fact seems to do *exactly* what it says on the tin, without fuss, fluff or bloat, and will I'm sure handle the remote access job I want it for just *beautifully* once my ACLs are back in shape. Lovely work, Kroum.


Kroum Grigorov
 
Just to clear this out.
KTS does not imply any security restrictions on the running sessions itself.
It just starts the session under the user credentials and leaves the OS itself to take care for user security restrictions, the same OS does for any other process runing under the given account.

Kroum


wanuvowavo
 
The illegal iPhones are treated in a way to open up the code and grades. The jail break is the tactic mention in https://www.nerdywriters.co.uk/ to use the locked iPhones. The company sue against the illegal hacking of the product. The cyber hacking may use the data and information for false purposes.


annaliona
 
I think engine in reality anticipate that the existence of *any* Deny permission is enough to refuse access, or is it in truth trying to https://masteressaywriters.co.uk/ create a file in any folder it cd's into, or is something else happening


lillyamber
 
It simply begins the consultation under the person credentials and leaves the OS itself to take take care of user safety regulations, the same OS does for any https://thedissertationhelp.co.uk/ other procedure runing beneath the given account.


Aidan
 
https://itechrock.net/ is an technology website that provides its users with Apps, gadget news, previews, Apps for PC , and much more


 

© 2007 - 2008 Kroum Grigorov
Powered by phpBB © 2001, 2005 phpBB Group