EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Prevent deletion of special folder

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#6603
Posted: 06/12/2008 07:53:38
by Franck Bonin (Standard support level)
Joined: 09/21/2007
Posts: 27

Hello,

We originally wanted to prevent deletion of a special folder. But special folder content must be removable when deleted individually (think of the protection for System32 special folder to see what we wanted to do). For instance, one of our subfolder in CBFS is equivalent to a public drive shared by multiple users and no one should be able to delete the whole folder by a single "delete" command on that folder, but should be able to add and remove contents in this folder.

IsDirectoryEmpty() callback can't help us, since deletion process delete nodes from leaves to the root (which it's normal).

To achieve this, we plan to use window file security attributes.

We were happy with the following 'simple' solution successfully tested on our real hard drive:

1/ we created a folder named 'C:\root' and modify its security by removing all inherited rights + granted all rights to current user, excepted 'deleting subfolders and files' which where denied. ( security string = O:%USER_SID%D:PAI(D;OICI;DT;;;%USER_SID%)(A;OICI;FA;;;%USER_SID%) )

2/ we create a folder 'C:\root\undeletable' and modify its security by removing all inherited rights + granted all rights to current user excepted 'deleting permission' which where denied. (not exactly the same as parent folder). (security string = O:%USER_SID%D:PAI(D;OICI;SD;;;%USER_SID%)(A;OICI;FA;;;%USER_SID%) )

3/ We put many folders and files under 'C:\root\undeletable'. (they carry a 'all access granted to current user' right protection)

4/ Then we could check that when we attempted to delete folder 'C:\root\undeletable', system deny this access, while all files and folders contained under 'undeletable' folder where preserved.

5/ We could also check that we were allowed to manipulate and delete all child elements individually.

Back to our storage project, we used to implement OnGetFileSecurity() callback to force needed file security for our special folder using the same scheme.
We could check that this callback where properly called when we wanted to see files security with explorer file property window (of course, we checked that we answer nicely).

But when we attempt to delete our 'undeletable' folder, cbfs ignored completely security attributes: OnGetFileSecurity Callback were not called, and the system ordered to delete the whole 'undeletable' file hierarchy, starting from leaves.

Q? :

Is there another way to create an 'undeletable' folder that protects its content that way, using cbfs ?

Or have we found the right way of doing things but we also found a bug in cbfs ?

Problem found on both 32bit cbfs driver v 1.2.24.57 and v 2.0.32.86

We use 32bit c++ api under windows XP pro sp2

Franck Bonin

#6605
Posted: 06/12/2008 08:14:06
by Eugene Mayevski (EldoS Corp.)

I am not sure that I understand your idea. Do you want to protect the folder object from deletion while allowing deletion of the files and subfolders? In this case what prevents you from returning error when the OS wants to delete the protected folder object?


Sincerely yours
Eugene Mayevski
#6606
Posted: 06/12/2008 09:10:48
by Franck Bonin (Standard support level)
Joined: 09/21/2007
Posts: 27

Quote
Eugene Mayevski wrote:
I am not sure that I understand your idea. Do you want to protect the folder object from deletion while allowing deletion of the files and subfolders?


Exactly ! (and allowing read/writing files and subfolders)

Quote

In this case what prevents you from returning error when the OS wants to delete the protected folder object?


because deletion of root folder occurs at the very and of tree deletion. And all of its content has been lost, exacly what we wanted to avoid.

in fact, we just want to prevent user from deleting a special folder, and all of its content, by mistake. (a sort of c:\winnt folder protection scheme)

Franck
#6607
Posted: 06/12/2008 09:29:25
by Eugene Mayevski (EldoS Corp.)

I see, but this is just impossible.

I can easily delete the system folder using Total Commander or FAR Manager.

From File System point of view there's no difference between the operations of deleting a single file and deleting the files one by one.



Sincerely yours
Eugene Mayevski
#6609
Posted: 06/12/2008 13:31:10
by Volodymyr Zinin (EldoS Corp.)

Hello,

Perhaps the OnCanFileBeDeleted callback can help.

Quote
Franck Bonin wrote:
in fact, we just want to prevent user from deleting a special folder, and all of its content, by mistake. (a sort of c:\winnt folder protection scheme)

The system folder can't be deleted because when the system is running there are some files are opened in this folder.
#6636
Posted: 06/16/2008 10:39:01
by Franck Bonin (Standard support level)
Joined: 09/21/2007
Posts: 27

Hello,


Quote

From File System point of view there's no difference between the operations of deleting a single file and deleting the files one by one.


I totaly agree with that. Thats why I tryed to find a higher level mechanism:

Quote
I can easily delete the system folder using Total Commander or FAR Manager.

Any way we are satisfied if the solution only works under explorer.

Security attributes could have met our requirements as I wrote before :

Quote
Franck Bonin wrote:
.... Back to our storage project, we used to implement OnGetFileSecurity() callback to force needed file security for our special folder using the same scheme. We could check that this callback where properly called when we wanted to see files security with explorer file property window (of course, we checked that we answer nicely).

But when we attempt to delete our 'undeletable' folder, cbfs ignored completely security attributes: OnGetFileSecurity Callback were not called, and the system ordered to delete the whole 'undeletable' file hierarchy, starting from leaves.


But I still not understand why callback 'OnGetFileSecurity' is not checked prior to allow any delete operation, since security ACL may invalidate such operation.

Franck Bonin
#6638
Posted: 06/16/2008 11:19:39
by Volodymyr Zinin (EldoS Corp.)

Hello,

Quote
Franck Bonin wrote:
But I still not understand why callback 'OnGetFileSecurity' is not checked prior to allow any delete operation, since security ACL may invalidate such operation.

We'll check it now.

Quote
Vladimir Zinin wrote:
Perhaps the OnCanFileBeDeleted callback can help.

Try this variant too.
#6644
Posted: 06/17/2008 03:09:11
by Franck Bonin (Standard support level)
Joined: 09/21/2007
Posts: 27

Hello

Quote
Vladimir Zinin wrote:
Perhaps the OnCanFileBeDeleted callback can help.
Try this variant too.


Remember: we wanted to protect a folder and all of its content from a mistaken 'whole deletion'. And we must allow any deletion of single element inside of it when this is done separately.

I used to try OnCanFileBeDeleted approach but I quickly find its main problem: when we delete an entire folder tree with Explorer (or whatever), OnCanFileBeDeleted Callbacks are fired in the reverse order we wanted to (from the leaves file to the root folder).

Since we can't induce from single leaf deletion attempt, that we are deleting the whole file tree, we can't disallow first (and subsequent) deletion.

Following this process, we finally know that we were deleting the whole file tree at the very end of it, when OnCanFileBeDeleted event is fired on the root folder. But it's too late, because the root folder is now empty.

Franck Bonin
#6650
Posted: 06/17/2008 08:21:25
by Volodymyr Zinin (EldoS Corp.)

I've checked the problem and found the following:
1. Neither the operating system nor CallbackFS don't check security access rights for files and directories. You should do this yourself. For example by the use of the system api function AccessCheck from the OnCreate/OnOpen callbacks (it's enough to check security rights there because if any error returns from these callbacks then a requester won't receive a handle to the file that it's being opened and therefore won't be able to do any operations on the file).
2. Your idea from the first message doesn't work at all. I've reproduced the described directory tree using a NTFS formatted storage and in the case when I tried to delete the "Undeletable" folder with a lot of big size files, the first shown message box wasn't an "access is denied" notification, but there was a message "The folder Undeletable is too big for the Recycle Bin. Do you want to permanently delete it?". I clicked "Yes" and all files and subfolders under the "Undeletable" folder were deleted. And only after that I saw the message box "Cannot remove the folder Undeletable, access is denied".
#20758
Posted: 07/11/2012 08:10:39
by ohad (Standard support level)
Joined: 02/02/2011
Posts: 24

We have the same problem as described above.
Did you change the driver behavior or did you come up with a solution for it?
Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.

Reply

Statistics

Topic viewed 5293 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!