KpyM Telnet/SSH Server - Forum
Can't cd to folders with Deny Delete NTFS permissions
flabdablet
 
While playing with KpyM to evaluate it as a possible remote access solution to a school file server by teaching staff, I've found that it won't let me cd to any NTFS folder affected by Deny Delete NTFS permissions.

For example, the folder tree on curricserver contains

/e$/home/classes/4n/Documents/My Pictures

Deny Delete NTFS permissions applied (explicitly and non-recursively) to the 4n and Documents folders to stop accidents from happening. When I ssh or sftp to 4n@curricserver, I can successfully cd to any of

/e$
/e$/home
/e$/home/classes
/e$/home/classes/4n/Documents/My Pictures

but attempts to cd to either of

/e$/home/classes/4n
/e$/home/classes/4n/Documents

cause "can't canonicalize" errors in an sftp client, or "access denied" errors in cmd via ssh.

Both problematic folders are accessible using Windows native tools; there's no problem with access via GUI or cmd for local logons or Windows file shares.

Does the KpyM engine simply assume that the existence of *any* Deny permission is enough to refuse access, or is it in fact attempting to create a file in any folder it cd's into, or is something else going on?


flabdablet
 
Please ignore this error report. Turns out that my file server is currently littered with weirdly broken ACLs, probably due to bugs in Microsoft's icacls utility. Adding and then immediately removing a dummy permission entry to the affected folders using the GUI Security tab makes KpyM work just fine.


flabdablet
 
Also, it turns out I was misled about the ability to access the affected folders via cmd. If I'm logged on to the file server as the administrator, and bring up a cmd window using

runas /user:blarg cmd

where blarg is the same username I was using to log on via KTS, I see exactly the same broken behavior I got before without any KTS involvement at all.

What seems to be causing the trouble is that asking icacls.exe to create a Deny ACE always silently adds Deny Synchronize to whatever Deny controls were specified on the command line. With Deny Synchronize included in the DACL for a given folder, I see the trouble originally reported; without it (which is what happens after using the GUI to create the required Deny Delete permission) everything works.

So now I'm busily fartarsing about with WMI and jscript to write a Deny Delete tool that actually does what I want, and swearing at Microsoft *again*, and thinking fond thoughts about KTS which in fact seems to do *exactly* what it says on the tin, without fuss, fluff or bloat, and will I'm sure handle the remote access job I want it for just *beautifully* once my ACLs are back in shape. Lovely work, Kroum.
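As an added example (PowerShell rather than the poster's WMI/jscript tool, and not part of the original thread), the script below audits a folder tree for Deny ACEs that also carry Synchronize, the pattern the post attributes to icacls, and with -Fix replaces the explicit Deny ACE for one identity on the given folder with a Deny Delete ACE only. The folder path and identity are assumed placeholders; the fix relies on the documented .NET behaviour that FileSystemAccessRule adds Synchronize automatically for Allow rules but not for Deny rules.

```powershell
# Added example, not the poster's tool. Audit a tree for Deny ACEs that include
# Synchronize (the icacls /deny side effect described above) and optionally rewrite one.
param(
    [Parameter(Mandatory)] [string] $Path,   # assumed, e.g. 'E:\home\classes\4n'
    [string] $Identity,                      # assumed, e.g. 'CURRICSERVER\4n'
    [switch] $Fix
)

$SYNCHRONIZE = 0x100000   # FileSystemRights.Synchronize bit

function Get-SuspectDenyAces {
    # Report every Deny ACE in the tree whose rights mask carries Synchronize.
    param([string] $Root)
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and (([int]$ace.FileSystemRights -band $SYNCHRONIZE) -ne 0)) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-SuspectDenyAces -Root $Path | Format-Table -AutoSize

if ($Fix -and $Identity) {
    # Drop the explicit Deny ACEs for $Identity on $Path and add a Deny that names Delete only.
    # .NET adds Synchronize automatically for Allow rules, not for Deny rules, so the new ACE
    # denies exactly Delete, which is what the GUI Security tab produces.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited -and
            $ace.IdentityReference.Value -eq $Identity) {
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }
    }
    # InheritanceFlags/PropagationFlags None: explicit and non-recursive, as in the post.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Delete', 'None', 'None', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

Run the audit first without -Fix; any folder listed with Delete, Synchronize in its Rights column is one the post describes as unreachable over KTS for that identity.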


Kroum Grigorov
 
Just to clear this out.
KTS does not imply any security restrictions on the running sessions itself.
It just starts the session under the user credentials and leaves the OS itself to take care of user security restrictions, the same as the OS does for any other process running under the given account.

Kroum


© 2007 - 2008 Kroum Grigorov