From: Alla Bezroutchko
Date: Wed, 16 Jun 1999 14:18:58 +0400
To: Barrett Richardson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: reading files.
Message-ID: <37677A12.D26816C3@sovlink.ru>

Barrett Richardson wrote:

> On Tue, 15 Jun 1999, Juergen Nickelsen wrote:
> > David Shaw wrote on freebsd-security:
> > > It's true that the NT Administrator can't read files that he doesn't
> > > have permission for, but since Administrator controls the ACLs, if he
> > > can't read something, he can trivially just change the permissions and
> > > give himself access!
> > He can't without taking over the ownership of the file, i.e. he can,
> > but the original owner can tell afterwards.
> Out of curiosity, can the owner's files be backed up via tape or some
> other means? If so, couldn't an admin achieve the same access via an
> API or some other mechanism?

Yes they can. There is a system-wide user right called "Back up files and
directories". That means that a user account that has been granted this
right can circumvent permissions using some API call. Supposedly ntbackup
uses this feature, but it looks like it is broken (I was unable to use it
properly).

-- 
Alla Bezroutchko
Sovlink LLC
Systems Administrator
Moscow, Russia
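
Added example, not part of the original message: because the "Back up files and directories" right (constant name SeBackupPrivilege) lets its holder read files regardless of their ACLs, it is worth auditing who holds it. The sketch below parses the `[Privilege Rights]` section of a policy export as produced by `secedit /export /cfg policy.inf /areas USER_RIGHTS`; the baseline of expected holders and the sample export are assumptions constructed for illustration.

```python
# Added example: audit who holds "Back up files and directories".
# Input: decoded text of a secedit USER_RIGHTS export (the file is usually UTF-16).

BACKUP_RIGHT = "SeBackupPrivilege"  # constant name of the user right

# Assumption: the holders this site expects (well-known built-in group SIDs).
EXPECTED = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

def privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; account names appear bare.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights

def unexpected_holders(inf_text, right=BACKUP_RIGHT, expected=EXPECTED):
    """Principals holding `right` that are not in the expected baseline."""
    expected_upper = {sid.upper() for sid in expected}
    return [h for h in privilege_rights(inf_text).get(right, [])
            if h.upper() not in expected_upper]

# Constructed sample export (not from a real host; the account SID and
# the name svc_reports are made up).
SAMPLE = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105,svc_reports
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE):
        print(f"{BACKUP_RIGHT} granted outside baseline: {holder}")
```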