Icacls: Granting WO access to folder

EddieJennings

Before I can respond to the rest, do you mean %PROGRAMFILES(X86)% or %PROGRAMDATA%?

gjacobse

EddieJennings

I don't know the default permissions for this folder off the top of my head, but I'm pretty sure applications either write to this folder or read config files and such from it, so I'm a little surprised you have an application that requires any tinkering with these permissions.

As far as the title of your post is concerned, yes, icacls is a tool you can use. But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network, and users running said application on their workstation can write to this shared folder from within the application?

gjacobse

@eddiejennings
Just need to add the user to the folder with write permissions.

gjacobse

@eddiejennings said in Icacls: Granting WO access to folder:

But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network

No - the folder doesn't need to be shared. The DB on the server - needs the path mapped.

IRJ

@gjacobse said in Icacls: Granting WO access to folder:

@eddiejennings said in Icacls: Granting WO access to folder:

But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network

No - the folder doesn't need to be shared. The DB on the server - needs the path mapped.

Please tell me this is a joke.

IRJ

If I'm understanding correctly, this is a huge security risk.

Are you considering giving everyone full write access to %PROGRAMDATA%?

IRJ

I guess if you just give it to the liberty data folder it's not as bad. It's amazing how shitty software can be though. It sucks that %PROGRAMDATA% folder has been around since Windows 7 and this vendor still can't figure out how to leverage it properly.

gjacobse

@irj said in Icacls: Granting WO access to folder:

@gjacobse said in Icacls: Granting WO access to folder:

@eddiejennings said in Icacls: Granting WO access to folder:

But there's more to the story it seems. Are you needing to share the %PROGRAMDATA% folder over the network

No - the folder doesn't need to be shared. The DB on the server - needs the path mapped.

Please tell me this is a joke.

Uh - Me thinks that my explanation is missing its mark still -

User needs write access to %programdata%\liberty software.

User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

Does this clarify things?

Dashrender

@gjacobse ug - so it uses Access style DB's... it's not making API calls, it's SMBing to the DB file itself.

EddieJennings

I would make a group for the users that need to access this folder (even if it's a group with only one user).

User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

User logs into the server (via RDP?), needs two drives mapped to some other locations that's not %PROGRAMDATA%\liberty software, and needs write access to %PROGRAMDATA%\liberty software on the server, correct?

Dashrender

@eddiejennings said in Icacls: Granting WO access to folder:

I would make a group for the users that need to access this folder (even if it's a group with only one user).

User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

User logs into the server (via RDP?), needs two drives mapped to some other locations that's not %PROGRAMDATA%\liberty software, and needs write access to %PROGRAMDATA%\liberty software on the server, correct?

Where did RDP come into this?

gjacobse

@eddiejennings said in Icacls: Granting WO access to folder:

I would make a group for the users that need to access this folder (even if it's a group with only one user).

User also needs to map two drives (unc\path1 and unc\path2) that are on a server. The folder %programdata%\liberty software is not and does not need to be shared or mapped.

User logs into the server (via RDP?), needs two drives mapped to some other locations that's not %PROGRAMDATA%\liberty software, and needs write access to %PROGRAMDATA%\liberty software on the server, correct?

No RDP in this case. Locally installed application.
Yes - agree that a GPO using a security group would be better -