Two things regarding this ongoing (civil) flame war:

1. I was wrong about most versions of Linux having the same inheritance behavior as Windows. Dead wrong. And several people have written to correct me. Thank you. The search for truth is more important than my ego. <grin> Before I wrote that statement, I dropped into a VM of Knoppix that I had on my desktop to test. Its default umask is 000, and thus the normal inheritance rules applied. After many people wrote, I realized I had used Foundstone's FSLive distro, which is a variation of Knoppix, intentionally weakened for the classes we teach. It goes to show that one sample finding does not a population make.

2. My bone of contention with the original poster is not that he's an idiot. He isn't. I'm objecting to the obscure insecurity scenario that he uses to start the discussion (i.e., a private folder created under a public folder). How many of you have intentionally created a private folder underneath a public folder, where the public folder gave Modify/Change permissions to the larger group? It's got to be a small minority, and I'd question why even those people did it. I've been a sysadmin for 20 years and never done it. If someone were to come to me and tell me they were going to do it, I'd caution them against it. Not because of the poster's original concern, but because at the outset it looks like bad security policy looking for trouble. I'd recommend that a separate private folder be created every time. Where I have seen public folders used with private folders underneath, the larger group did not have Change/Modify permissions to the parent public folder. They had Read and List, and couldn't modify other people's child folders. That's very common.

The rest of his posting is an NTFS permissions 101 class. We've all been taught that if you delete and re-create an object in Windows, even with the same name, it isn't the same object.
This applies to files, folders, groups, users...every Windows object without exception. No surprise there. We also know whoever creates the object is the Creator Owner and gets Full Control. It's why Microsoft added the Creator Owner SID, so that we could change the default behavior if we didn't like it. So, I don't see the big "lesson" in his posting.

Now, before I get more people defending the original poster, I think his exact same argument could be applied to a much more common scenario that I see all the time, perhaps in 50% of all companies that I have audited. It is where the Everyone group has Full Control to a public share. Unless you intend that anyone in your company can change permissions, it's a bad thing to do. And don't start with "Windows makes that the automatic default"...that changed in XP. The default share permission is now Read, and the underlying NTFS permission (which wins in a conflict) has never been Everyone Full Control by default in any version of Windows since NT 4.0.

I'd rather the poster take the more popular problem I've mentioned in the paragraph above and make the exact same argument, which is: if you make a security configuration mistake (because all of these scenarios are mistakes, pure and simple), other users can use a timing attack and deception to give themselves elevated access to your personal files. It's still a valid lesson, but I'm not mentally tripping over a strange starting assumption.

And in the end, the solution is an easy one:

1. Don't intentionally configure security weaknesses.
2. If you absolutely need to give users the ability to create private folders under a public folder where users have Modify/Change or Full Control permissions, you have four easy defenses:
   a. Change default inheritance.
   b. Enable the Deny-Delete files and subfolders permission.
   c. Change the Creator Owner SID's default permissions for that folder.
   d. Make them separate folders.
Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx *Author of Professional Windows Desktop and Server Hardening (Wrox) * *****************************************************************
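The following PowerShell script is an added example and is not part of Roger's post or any vendor's code. It builds the "private folder under a public folder" layout twice: first with the weak ACL the post objects to (the larger group holding Modify on the public folder and, by inheritance, on every private subfolder beneath it), then with a hardened ACL that applies defenses (a), (b) and (c) from the list above: the group's grant is scoped to the public folder only, deletion of subfolders from the parent is explicitly denied, and CREATOR OWNER is reduced from Full Control to Modify on subfolders and files only. It assumes PowerShell 5.1 or later running elevated on a local NTFS volume; `C:\Temp\Public`, the subfolder name `alice` and the choice of `BUILTIN\Users` as the larger group are hypothetical values picked for the demo.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example (not from the original post). Demonstrates the weak and the
# hardened DACL for a public folder that must host users' private subfolders.
# Assumptions: elevated session, local NTFS path; names below are hypothetical.
param(
    [string]$PublicRoot  = 'C:\Temp\Public',
    [string]$LargerGroup = 'BUILTIN\Users'     # the "larger group" from the post
)

$CreatorOwner = [SecurityIdentifier]::new('S-1-3-0')        # CREATOR OWNER
$LocalSystem  = [SecurityIdentifier]::new('S-1-5-18')       # NT AUTHORITY\SYSTEM
$Admins       = [SecurityIdentifier]::new('S-1-5-32-544')   # BUILTIN\Administrators
$Group        = [NTAccount]::new($LargerGroup)

$Both       = [InheritanceFlags]'ContainerInherit, ObjectInherit'   # (OI)(CI)
$ThisFolder = [InheritanceFlags]::None                              # this folder only

function New-Ace {
    param([IdentityReference]$Id, [FileSystemRights]$Rights, [InheritanceFlags]$Inherit,
          [PropagationFlags]$Propagate, [AccessControlType]$Type)
    [FileSystemAccessRule]::new($Id, $Rights, $Inherit, $Propagate, $Type)
}

# Replace the whole DACL of $Path with $Rules and stop inheriting from above.
function Set-ExplicitAcl {
    param([string]$Path, [FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# The mistake the post describes: Modify for the group is inherited (OI)(CI)
# into every private subfolder, so any member can delete a colleague's folder
# and recreate it, becoming its Creator Owner with Full Control.
function Set-WeakPublicFolderAcl {
    param([string]$Path)
    Set-ExplicitAcl -Path $Path -Rules @(
        (New-Ace $LocalSystem  FullControl $Both None        Allow),
        (New-Ace $Admins       FullControl $Both None        Allow),
        (New-Ace $Group        Modify      $Both None        Allow),
        (New-Ace $CreatorOwner FullControl $Both InheritOnly Allow)
    )
}

function Set-HardenedPublicFolderAcl {
    param([string]$Path)
    Set-ExplicitAcl -Path $Path -Rules @(
        (New-Ace $LocalSystem FullControl $Both None Allow),
        (New-Ace $Admins      FullControl $Both None Allow),
        # (a) Change inheritance: the group may list/traverse the public folder and
        #     create its own subfolders, but only on THIS folder, never inherited.
        (New-Ace $Group 'ReadAndExecute, CreateDirectories' $ThisFolder None Allow),
        # (b) Deny-delete of subfolders/files on the public folder itself. Without
        #     it, DELETE_CHILD on the parent would let a member remove another
        #     user's subfolder regardless of that subfolder's own ACL.
        (New-Ace $Group DeleteSubdirectoriesAndFiles $ThisFolder None Deny),
        # (c) Scope CREATOR OWNER: whoever creates a subfolder gets Modify on it
        #     (inherit-only, so nothing on the public folder), not Full Control,
        #     so they cannot later re-open their folder to the whole group.
        (New-Ace $CreatorOwner Modify $Both InheritOnly Allow)
    )
}

# List the ACEs one identity holds on $Path and whether each was inherited.
function Get-IdentityAces {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{n='Path'; e={ $Path }}, AccessControlType, FileSystemRights, IsInherited
}

$Private = Join-Path $PublicRoot 'alice'     # stands in for one user's private subfolder

New-Item -ItemType Directory -Force -Path $PublicRoot | Out-Null
Set-WeakPublicFolderAcl -Path $PublicRoot
New-Item -ItemType Directory -Force -Path $Private | Out-Null
'--- weak layout: the group''s Modify right is inherited into the private subfolder ---'
Get-IdentityAces -Path $Private -Identity $LargerGroup | Format-Table -AutoSize

Remove-Item -Path $Private -Recurse -Force
Set-HardenedPublicFolderAcl -Path $PublicRoot
New-Item -ItemType Directory -Force -Path $Private | Out-Null
'--- hardened layout: the group holds no ACE at all on the private subfolder ---'
Get-IdentityAces -Path $Private -Identity $LargerGroup | Format-Table -AutoSize
'--- hardened layout: ACEs for the group on the public folder (note the Deny) ---'
Get-IdentityAces -Path $PublicRoot -Identity $LargerGroup | Format-Table -AutoSize
```

In the weak run the private subfolder shows an inherited Allow/Modify ACE for the group, which is exactly the delete-and-recreate exposure the thread is about; in the hardened run the subfolder carries no ACE for the group, and the public folder shows the group's this-folder-only Allow beside the Deny on DeleteSubdirectoriesAndFiles. Because the demo runs elevated, the CREATOR OWNER entry materialises on the new subfolder as an explicit ACE for the creating administrator rather than for an ordinary user; the ACL shape is the same when a group member creates the folder. Defense (d), separate folders, needs no script: it is simply not nesting the private folders under the public one.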