NTFS Permissions for parent folder to make subfolders accessible

Solution 1

NTFS does not provide a method to discover such remote sub-folders within itself, assuming that the intermediary folder is truly no-access. To get such intelligence you have to look beyond just the file-system, perhaps by interrogating other files for paths contained in the documents, or any shortcuts lying about that reference such sub-directories.

Things get more interesting if JohnDoe has elevated access to the machine. At that point examining open file-handles can reveal the presence of hidden directories. If the directory is shared out, the list of open files for the share would also reveal their presence. These methods wouldn't work for 'normal' users though.

Solution 2

Create a junction for subfolder in the root directory.

E:\
E:\folder
E:\folder\subfolder
E:\junction-to-subfolder

Use the command:

MkLink /j "E:\junction-to-subfolder" "E:\folder\subfolder"

Now JohnDoe can see and access that subfolder easily.

EDIT: To remove the junction without affecting the target, use:

RD "E:\junction-to-subfolder"
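
The junction steps above, replayed in a scratch directory as an added example (not part of the original answer). It assumes PowerShell 5 or later; the function name `Test-JunctionLifecycle` and the scratch path under `%TEMP%` are constructed for illustration. It also lists the reparse points under the root, which is how an administrator can inventory junctions like this one.

```powershell
# Added example: create, inspect, use and remove a junction without touching its target.
function Test-JunctionLifecycle {
    # Constructed scratch layout mirroring E:\folder\subfolder from the answer.
    $root   = Join-Path $env:TEMP ('junction-demo-' + [guid]::NewGuid().ToString('N'))
    $target = Join-Path $root 'folder\subfolder'
    $link   = Join-Path $root 'junction-to-subfolder'
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Same effect as: MkLink /j "<link>" "<target>"
    New-Item -ItemType Junction -Path $link -Target $target | Out-Null

    # A file written through the junction is stored in the real subfolder.
    Set-Content -LiteralPath (Join-Path $link 'note.txt') -Value 'written via junction'
    $landedInTarget = Test-Path -LiteralPath (Join-Path $target 'note.txt')

    # Inventory: every reparse point directly under the root, with where it points.
    $links = Get-ChildItem -LiteralPath $root -Attributes ReparsePoint |
        Select-Object FullName, LinkType, @{ n = 'Target'; e = { $_.Target -join ';' } }

    # Remove only the junction, as with the answer's RD command (no /S switch).
    cmd /c rd "$link"

    $result = [pscustomobject]@{
        LandedInTarget = $landedInTarget
        Links          = $links
        JunctionGone   = -not (Test-Path -LiteralPath $link)
        TargetSurvived = Test-Path -LiteralPath (Join-Path $target 'note.txt')
    }

    Remove-Item -LiteralPath $root -Recurse -Force   # clean up the scratch directory
    $result
}

Test-JunctionLifecycle | Format-List
```
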

maoizm
Author by

maoizm

all bugs can be derived by a highly constrained form of problem solving acting on incomplete data

Updated on September 18, 2022

Comments

  • maoizm
    maoizm over 1 year

    Quick scenario on a local Windows system.

    Drive E: is formatted with NTFS and has the following layout and permissions:

    E:\                  (JohnDoe)
    E:\folder            (Administrator)
    E:\folder\subfolder  (JohnDoe)
    
    • JohnDoe has read/write access to the root directory.
    • JohnDoe has read/write access to subfolder.
    • JohnDoe does NOT have access to folder
    • JohnDoe does NOT have the ability to alter permissions.

    Since JohnDoe cannot access folder and thus cannot list the contents, he must type in the path E:\folder\subfolder manually. There is no "clickable" way to get from E:\ to subfolder.

    Here's the question: Is there any way for JohnDoe to discover the existence and path of the accessible subfolder, without being able to list the contents of its parent folder? Assume that he was not told the subfolder's name and that the permissions do not change from what is stated above.

    For the sake of this problem, ignore the possibility of a brute-force attack to guess subfolder's name. Only non-brute-force methods are permitted.

  • Hand-E-Food
    Hand-E-Food over 12 years
    Sorry, I read "how can" rather than "if".
  • Scott McClenning
    Scott McClenning over 12 years
    If the computer the user is using doesn't know of or use the share, the user doesn't know of the share, and no one will tell the user. Then I don't see how the user could discover it exists on their own.
  • Scott McClenning
    Scott McClenning over 12 years
    You're right, I misspoke, not share, but they wouldn't know the "subfolder" in the share exists. That said, I still stand by that they shouldn't be able to discover it exists short of being told or brute-force (which you excluded). As far as being ambiguous, you didn't reveal much on why such a folder would need to exist. If the user shouldn't find it, why give them access to it?
  • Scott McClenning
    Scott McClenning over 12 years
    In the testing I've done with a similar setup, no. The external users didn't like not clicking through until we told them just make a shortcut on their desktop so they didn't have to remember the path. Then when done, remove the shortcut. If they didn't, no problem because when their part was done we removed their group from the folder, just in case they returned. Testing is easy, just add an account to the group, login and double check. I had to do that to prove to my bosses this would work. All the group needs is "Traverse folder" permission for the screening/guard folder.
  • user1686
    user1686 over 12 years
    This is the correct answer for Windows – if you do not have the "Read" permission on folder, you cannot list its contents. But note that, even though one would expect folder\subfolder to be entirely inaccessible due to lack of the "Traverse" permission on folder (corresponding to the x bit on Unix), by default Windows gives everyone the "Bypass traverse checking" privilege and subfolder remains reachable if its full path is known.
  • Scott McClenning
    Scott McClenning over 12 years
    "Everyone" by default is allowed the user right of "Bypass traverse checking". Some places don't allow that setting. As far as your question, it seems unlikely they would find such a folder. However, if they did, there wouldn't be much to stop them. Security through obscurity isn't much, but I guess sometimes it may be enough.