A file created from the UNIX side gets an extra permission entry

Recently we came across a scenario in which a file or folder created from a UNIX client shows the Everyone group in its NTFS permissions, even though nothing in the NTFS permissions on the share grants Everyone access (neither through inherited permissions nor by any other means).

This happens because the following registry value is in play. Server for NFS uses the group named here when it converts the UNIX "other" permission bits into an NTFS access control entry, so every file or folder created over NFS gets an entry for that group:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerForNFS\CurrentVersion\Mapping\EveryoneGroup  "Everyone"

If this turns out to be a security concern in your environment, replace "Everyone" with the name of any valid local group, then restart Server for NFS (nfsadmin server stop, followed by nfsadmin server start) so that the new value is picked up.
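The following PowerShell script is an added example, not part of the original post, showing the change end to end: it validates that the replacement group actually exists on the machine before touching the registry, rewrites the EveryoneGroup value, restarts Server for NFS, and then scans the exported folder for files that still carry an Everyone entry. The group name NfsUsers and the share path C:\NfsShare are placeholders; substitute your own. Run it from an elevated prompt on the server that hosts the NFS share.

```powershell
# Added example (not from the original post): swap the Server for NFS
# "Everyone" mapping for a named local group and verify the result.
# Placeholders: NfsUsers (a local group you have already created) and
# C:\NfsShare (the folder exported over NFS).

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\ServerForNFS\CurrentVersion\Mapping'
$ValueName = 'EveryoneGroup'
$NewGroup  = 'NfsUsers'      # placeholder local group
$SharePath = 'C:\NfsShare'   # placeholder NFS-exported folder

# Returns $true only if a local group with this name exists. A typo here
# would leave the mapping pointing at a group that does not exist, so we
# refuse to write the value until the name resolves.
function Test-LocalGroup([string]$Name) {
    $adsPath = "WinNT://$env:COMPUTERNAME/$Name,group"
    return [System.DirectoryServices.DirectoryEntry]::Exists($adsPath)
}

# Reads the current EveryoneGroup value (returns $null if the value is absent).
function Get-NfsEveryoneGroup {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

# Writes the new group name into the registry value.
function Set-NfsEveryoneGroup([string]$Group) {
    if (-not (Test-LocalGroup $Group)) {
        throw "Local group '$Group' does not exist on $env:COMPUTERNAME; create it first."
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Group -Type String
}

# Lists every file and folder under $Path whose DACL contains an ACE for
# Everyone. Run this after creating a test file from the UNIX client: with
# the mapping changed and the service restarted, the new file should not
# appear in the output.
function Get-FilesGrantingEveryone([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -Force | Where-Object {
        $aces = (Get-Acl -Path $_.FullName).Access
        ($aces | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }).Count -gt 0
    } | Select-Object -ExpandProperty FullName
}

Write-Host "Current EveryoneGroup mapping: $(Get-NfsEveryoneGroup)"
Set-NfsEveryoneGroup -Group $NewGroup
Write-Host "New EveryoneGroup mapping:     $(Get-NfsEveryoneGroup)"

# Server for NFS reads the mapping when it starts, so restart it.
nfsadmin server stop
nfsadmin server start

Write-Host "Files under $SharePath that still grant Everyone:"
Get-FilesGrantingEveryone -Path $SharePath
```

Files that existed before the change keep whatever ACL they were created with; the new mapping only affects files and folders created over NFS after the restart, so expect the pre-existing ones to still show up in the final listing until you fix their permissions by hand. On a member server that takes its maps from a User Name Mapping server on a domain controller, the listing will also keep growing for files created by domain accounts, which is exactly the behaviour described in the test results below.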

Based on our testing with the following setup:

  • Windows Server 2003 R2 as a domain controller
  • Windows Server 2003 R2 as a member server
  • Windows Server 2008 as a member server

Server for NFS is configured on all three servers.

We created an NFS share on all three servers and configured User Name Mapping on the domain controller.

We then replaced "Everyone" in the registry value above with a domain group on all three servers. The change took effect only on the domain controller, not on the member servers.

Conclusion:

On a member server that fetches its maps from the User Name Mapping server on the domain controller, the registry change has no effect for domain accounts. If User Name Mapping is configured locally on the member server instead, the registry change works.

On a member server that fetches its maps from the domain controller, the registry change does work for local accounts.