NTFS Permissions for parent folder to make subfolders accessible
Solution 1
NTFS does not provide a method to discover such remote sub-folders within itself, assuming that the intermediary folder is truly no-access. To get such intelligence you have to look beyond just the file-system, perhaps by interrogating other files for paths contained in the documents, or any shortcuts lying about that reference such sub-directories.
Things get more interesting if JohnDoe has elevated access to the machine. At that point examining open file-handles can reveal the presence of hidden directories. If the directory is shared out, the list of open files for the share would also reveal their presence. These methods wouldn't work for 'normal' users though.
Solution 2
Create a junction for subfolder in the root directory.
E:\
E:\folder
E:\folder\subfolder
E:\junction-to-subfolder
Use the command:
MkLink /j "E:\junction-to-subfolder" "E:\folder\subfolder"
Now JohnDoe can see and access that subfolder easily.
EDIT: To remove the junction without affecting the target, use:
RD "E:\junction-to-subfolder"
maoizm
Updated on September 18, 2022
Comments
-
maoizm over 1 year
Quick scenario on a local Windows system.
Drive E: is formatted with NTFS and has the following layout and permissions:
E:\ (JohnDoe)
E:\folder (Administrator)
E:\folder\subfolder (JohnDoe)
JohnDoe has read/write access to the root directory.
JohnDoe has read/write access to subfolder.
JohnDoe does NOT have access to folder.
JohnDoe does NOT have the ability to alter permissions.
Since JohnDoe cannot access folder and thus cannot list the contents, he must type in the path E:\folder\subfolder manually. There is no "clickable" way to get from E:\ to subfolder.
Here's the question: Is there any way for JohnDoe to discover the existence and path of the accessible subfolder, without being able to list the contents of its parent folder? Assume that he was not told the subfolder's name and that the permissions do not change from what is stated above.
For the sake of this problem, ignore the possibility of a brute-force attack to guess subfolder's name. Only non-brute-force methods are permitted.
-
Hand-E-Food over 12 years
Sorry, I read "how can" rather than "if".
-
Scott McClenning over 12 years
If the computer the user is using doesn't know of or use the share, the user doesn't know of the share, and no one will tell the user. Then I don't see how the user could discover it exists on their own.
-
Scott McClenning over 12 years
You're right, I misspoke, not share, but they wouldn't know that the "subfolder" in the share exists. That said, I still stand by that they shouldn't be able to discover it exists short of being told or brute-force (which you excluded). As far as being ambiguous, you didn't reveal much on why such a folder would need to exist. If the user shouldn't find it, why give them access to it?
-
Scott McClenning over 12 years
In the testing I've done with a similar setup, no. The external users didn't like not clicking through until we told them just make a shortcut on their desktop so they didn't have to remember the path. Then when done, remove the shortcut. If they didn't, no problem because when their part was done we removed their group from the folder, just in case they returned. Testing is easy, just add an account to the group, login and double check. I had to do that to prove to my bosses this would work. All the group needs is "Traverse folder" permission for the screening/guard folder.
-
user1686 over 12 years
This is the correct answer for Windows – if you do not have the "Read" permission on folder, you cannot list its contents. But note that, even though one would expect folder\subfolder to be entirely inaccessible due to lack of the "Traverse" permission on folder (corresponding to the x bit on Unix), by default Windows gives everyone the "Bypass traverse checking" privilege and subfolder remains reachable if its full path is known.
-
Scott McClenning over 12 years
"Everyone" by default is allowed the user right of "Bypass traverse checking" by default. Some places don't allow that setting. As far as your question, it seems unlikely they would find such a folder. However, if they did, there wouldn't be much to stop them. Security through obscurity isn't much, but I guess sometimes it may be enough.
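
The situation discussed in the answers and comments above (a folder that can be opened by its full path while a parent cannot be listed, which depends on "Bypass traverse checking") can be verified with a short PowerShell check. This is an added example, not part of the original thread; the function names are hypothetical, the default path is the layout from the question, and the script is meant to be run as the restricted account.

```powershell
# Added example: run as the restricted account (JohnDoe in the question).
# E:\folder\subfolder is the question's layout; pass a real path with -Path.
param([string]$Path = 'E:\folder\subfolder')

function Test-BypassTraverseChecking {
    # "Bypass traverse checking" is SeChangeNotifyPrivilege. Privilege names
    # in whoami output are not localized, so a string match is sufficient.
    [bool]((whoami.exe /priv) -match 'SeChangeNotifyPrivilege')
}

function Get-PathListability {
    # Hypothetical helper: for the target and every ancestor up to the drive
    # root, report whether the current user can enumerate the directory.
    param([Parameter(Mandatory)][string]$Path)
    $dir = [System.IO.DirectoryInfo]$Path
    while ($null -ne $dir) {
        $result = 'Listable'
        try {
            $null = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction Stop
        } catch {
            $result = if ($_.Exception -is [System.UnauthorizedAccessException]) {
                'AccessDenied'
            } else {
                'Error: ' + $_.Exception.GetType().Name
            }
        }
        [pscustomobject]@{ Path = $dir.FullName; List = $result }
        $dir = $dir.Parent   # $null once the drive root has been reported
    }
}

$rows = @(Get-PathListability -Path $Path)
$rows | Format-Table -AutoSize | Out-String

# First row is the target itself; the rest are its ancestors.
$blocked = @($rows | Select-Object -Skip 1 | Where-Object { $_.List -eq 'AccessDenied' })
if ($rows[0].List -eq 'Listable' -and $blocked.Count -gt 0) {
    'Target is usable but cannot be browsed to; ancestors that cannot be listed:'
    $blocked.Path
    "Bypass traverse checking held by this account: $(Test-BypassTraverseChecking)"
} else {
    'Target is either browsable from the root or not accessible to this account.'
}
```

If the target row shows AccessDenied while the account has rights on it, the "Traverse folder" permission on the guard folder or the user right itself is what is missing, as the comments describe.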