Guest JeffG, Posted October 1, 2008

I have had two similar problems on my system.

1. An application running in one of my user folders has several folders below the folder it runs in. One of these folders is named 'data'. It needed to create a file in data\global. This failed until I created the global folder manually.

2. I have Apache+MySQL+PHP running on my system. PHP was unable to create the folder 'session' in my AppData\Local\Temp\php folder. Again, if I created the session folder manually, PHP was then able to create session files in that folder.

What is happening here? Please help.
Guest Paul Montgumdrop, Posted October 1, 2008

JeffG wrote:
> I have had two similar problems on my system.
>
> 1. An application running in one of my user folders has several folders
> below the folder it runs in. One of these folders is named 'data'. It needed
> to create a file in data\global. This failed until I created the global
> folder manually.

I would assume when you did it manually as user/administrator it saw you as the owner of the folder.

As opposed to you being a user assessing the folder and the folder was created by other means, like the folder was created without you doing it manually, it viewed you as not being owner of the folder, and you would have had to have taken ownership of the folder as user to fix the problem of permissions.

> 2. I have Apache+MySQL+PHP running on my system. PHP was unable to create
> the folder 'session' in my AppData\Local\Temp\php folder. Again, if I created
> the session folder manually, PHP was then able to create session files in
> that folder.

See above.

> What is happening here? Please help.

I also think you should do the test that's being explained in the thread "cannot change Program Files to full control" to see other permission conflict for the user/admin on Vista.
Guest JeffG, Posted October 3, 2008

"Paul Montgumdrop" wrote:
> I would assume when you did it manually as user/administrator it saw you
> as the owner of the folder.
>
> As opposed to you being a user assessing the folder and the folder was
> created by other means, like the folder was created without you doing it
> manually, it viewed you as not being owner of the folder, and you would
> have had to have taken ownership of the folder as user to fix the
> problem of permissions.

Did you mean accessing? In any case, I would have thought I would be the owner of the folder however it was created.

This doesn't answer my question: why can't a program run by me in my own area create another folder beneath the one it's running in? It just doesn't make sense.
Guest Paul Montgumdrop, Posted October 3, 2008

JeffG wrote:
> "Paul Montgumdrop" wrote:
>
>> I would assume when you did it manually as user/administrator it saw you
>> as the owner of the folder.
>>
>> As opposed to you being a user assessing the folder and the folder was
>> created by other means, like the folder was created without you doing it
>> manually, it viewed you as not being owner of the folder, and you would
>> have had to have taken ownership of the folder as user to fix the
>> problem of permissions.
>
> Did you mean accessing? In any case, I would have thought I would be the
> owner of the folder however it was created.

No, you are not owner of the folder however it was created. TrustedInstaller could be the owner on some folders in some cases. It's not Administrators group or even your individual user account that is owner of the folder. Or it could be some other User group that is owner that your individual user account is not a part of the group.

> This doesn't answer my question: why can't a program run by me in my own
> area create another folder beneath the one it's running in? It just doesn't
> make sense.

I suggest that you go to the Security tab for the folders in question, to the Advanced button, and to the Owner tab and see who is the owner of the folder, because apparently, it's not you as a user as a user logging into system with that user-id as user/admin or even Administrators Group.

If the Advanced button is not active when you go to the Security tab, then use the built-in Administrator account that is an account that has full admin rights that will enable the Advanced button.

<http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/>

You should set the ownership to a user group that has full rights access.
Guest JeffG, Posted October 3, 2008

Well, here's the permissions tab for the folder in question:
http:/www.enborne.f2s.com/_misc/permissions.jpg

And here is the owner tab for the same folder:
http:/www.enborne.f2s.com/_misc/owner.jpg

Looks like I am the owner and have full permission.

In the Effective permissions tab, user Jeff has all boxes checked.

Still confused...
Guest FromTheRafters, Posted October 3, 2008

Is your program using RunAsInvoker?

"JeffG" <JeffG@discussions.microsoft.com> wrote in message news:2DC4E52E-A877-4FFB-9C1F-E127C1CDA711@microsoft.com...
> Well, here's the permissions tab for the folder in question:
> http:/www.enborne.f2s.com/_misc/permissions.jpg
>
> And here is the owner tab for the same folder:
> http:/www.enborne.f2s.com/_misc/owner.jpg
>
> Looks like I am the owner and have full permission
>
> In the Effective permissions tab, user Jeff has all boxes checked.
>
> Still confused...
Guest Paul Montgumdrop, Posted October 3, 2008

JeffG wrote:
> Well, here's the permissions tab for the folder in question:
> http:/www.enborne.f2s.com/_misc/permissions.jpg
>
> And here is the owner tab for the same folder:
> http:/www.enborne.f2s.com/_misc/owner.jpg
>
> Looks like I am the owner and have full permission
>
> In the Effective permissions tab, user Jeff has all boxes checked.
>
> Still confused...

No, it should be Jeff(machine-name\jeff) who is the user of the computer, just like Users(machine-name\users) or Administrators(machine-name\administrators) are users of the machine.

If you add your user account the one you use to login to the computer as a new user account to the folder (do the checkname) on the ADD or go to <C> and added it there giving that account full rights, then that is the account you should be using and NOT this Jeff/desktop thing. What is this jeff/desktop thing about, because I sure don't know what that is about? :-P How in the heck did that get there? :-P

Or you change the ownership to the Administrators Group account, because your login user account if that is user/admin account is part of the Administrators group.

One can lead a horse to the water, but one cannot make the horse drink.

Here is a test I want you to do. You'll find it at "cannot change Program Files to full control" thread in this NG, do the test. Maybe you won't be so confused. <smile>
Guest Paul Montgumdrop, Posted October 3, 2008

FromTheRafters wrote:
> Is your program using RunAsInvoker?
>
> "JeffG" <JeffG@discussions.microsoft.com> wrote in message
> news:2DC4E52E-A877-4FFB-9C1F-E127C1CDA711@microsoft.com...
>> Well, here's the permissions tab for the folder in question:
>> http:/www.enborne.f2s.com/_misc/permissions.jpg
>>
>> And here is the owner tab for the same folder:
>> http:/www.enborne.f2s.com/_misc/owner.jpg
>>
>> Looks like I am the owner and have full permission
>>
>> In the Effective permissions tab, user Jeff has all boxes checked.
>>
>> Still confused...

I believe when a program is running on a machine under the context of a logged in user account, it is using the machine-name\user or one of the machine-name\user group accounts. He is trying to use Jeff\desktop or something has set the owner to be Jeff/desktop, when it should be Jeff(machine-name\Jeff) as the owner with Jeff(machine-name\Jeff) having its permissions set to full rights. Or if his Jeff account is user/admin on the machine, the Administrators group should be the owner of the folder.
Guest JeffG, Posted October 3, 2008

"Paul Montgumdrop" wrote:
> No, it should be Jeff(machine-name\jeff) who is the user of the
> computer, just like Users(machine-name\users) or
> Administrators(machine-name\administrators) are users of the machine.
>
> If you add your user account the one you use to login to the computer as
> a new user account to the folder (do the checkname) on the ADD or goto
> <C> and added it there giving that account full rights, then that is the
> account you should be using and NOT this Jeff/desktop thing. What is
> this jeff/desktop thing about, because I sure don't know what that is
> about? :-P How in the heck did that get there? :-P

Hah! I know where the confusion comes from! I have two systems - my Desktop and my Laptop. So I gave them the machine names... Desktop and Laptop.

So Desktop is the machine name.

> One can lead a horse to the water, but one cannot make the horse drink.
>
> Here is a test I want you to do. You'll find it at "cannot change
> Program Files to full control" thread in this NG, do the test . Maybe
> you won't be so confused. <smile>

Well I did it, finally. And like the other guy, it went exactly as you predicted.

A little more about the problem I had (have) where the app wouldn't create the folder 'global' under 'data'. In fact it is a LUA function which calls io.open() which in turn calls fopen. The call is effectively

fopen("data/global/filename.dsl", "wb"),

where the sub-folder global does not yet exist. So if fopen itself cannot create non-existent folders on the fly in a file specification, that is the real problem. As I said, if I create the global folder manually, the file can be created in that folder ok.
Guest JeffG, Posted October 3, 2008

(Sorry if this is a duplicate, but it seemed like my last posting attempt failed)

"Paul Montgumdrop" wrote:
> No, it should be Jeff(machine-name\jeff) who is the user of the
> computer, just like Users(machine-name\users) or
> Administrators(machine-name\administrators) are users of the machine.
>
> If you add your user account the one you use to login to the computer as
> a new user account to the folder (do the checkname) on the ADD or goto
> <C> and added it there giving that account full rights, then that is the
> account you should be using and NOT this Jeff/desktop thing. What is
> this jeff/desktop thing about, because I sure don't know what that is
> about? :-P How in the heck did that get there? :-P

Hah! I know where the confusion comes from! I have two systems - my Desktop and my Laptop. So I gave them the machine names... Desktop and Laptop.

So Desktop is the machine name.

> One can lead a horse to the water, but one cannot make the horse drink.
>
> Here is a test I want you to do. You'll find it at "cannot change
> Program Files to full control" thread in this NG, do the test . Maybe
> you won't be so confused. <smile>

Well I did it, finally. And like the other guy, it went exactly as you predicted.

A little more about the problem I had (have) where the app wouldn't create the folder 'global' under 'data'. In fact it is a LUA function which calls io.open() which in turn calls fopen. The call is effectively

fopen("data/global/filename.dsl", "wb"),

where the sub-folder global does not yet exist. So if fopen itself cannot create non-existent folders on the fly in a file specification, that is the real problem. As I said, if I create the global folder manually, the file can be created in that folder ok.
Guest Paul Montgumdrop, Posted October 3, 2008

JeffG wrote:
> (Sorry if this is a duplicate, but it seemed like my last posting attempt
> failed)
>
> "Paul Montgumdrop" wrote:
>
>> No, it should be Jeff(machine-name\jeff) who is the user of the
>> computer, just like Users(machine-name\users) or
>> Administrators(machine-name\administrators) are users of the machine.
>>
>> If you add your user account the one you use to login to the computer as
>> a new user account to the folder (do the checkname) on the ADD or goto
>> <C> and added it there giving that account full rights, then that is the
>> account you should be using and NOT this Jeff/desktop thing. What is
>> this jeff/desktop thing about, because I sure don't know what that is
>> about? :-P How in the heck did that get there? :-P
>
> Hah! I know where the confusion comes from! I have two systems - my Desktop
> and my Laptop. So I gave them the machine names... Desktop and Laptop
>
> So Desktop is the machine name.
>
>> One can lead a horse to the water, but one cannot make the horse drink.
>>
>> Here is a test I want you to do. You'll find it at "cannot change
>> Program Files to full control" thread in this NG, do the test . Maybe
>> you won't be so confused. <smile>
>
> Well I did it, finally. And like the other guy, it went exactly as you
> predicted.
>
> A little more about the problem I had (have) where the app wouldn't create
> the folder 'global' under 'data'. In fact it is a LUA function which calls
> io.open() which in turn calls fopen. The call is effectively
> fopen("data/global/filename.dsl", "wb"),
> where the sub-folder global does not yet exist. So if fopen itself cannot
> create non-existent folders on the fly in a file specification, that is the
> real problem. As I said, if I create the global folder manually, the file can
> be created in that folder ok.

Then I would think that the program is not using Run As Administrator on the short-cut pointing to the exe, on the exe itself to escalate its privileges to perform the task or the program is not set to use the UAC manifest to have the program's privileges.

You remember now, that a user/admin is NOT a user/admin with full rights like on XP. A program runs under the context of the logged in user-account.

Your user/admin account the one you got out the box and any new accounts that you may create that are to be a user/admin account is not an admin account that has full rights. Those user/admin accounts have two access tokens assigned to them. One token of admin with full rights is assigned, and another token is assigned with standard user rights.

It is the standard user token that is assigned to the user/admin account as default, and user/admin is a standard user until UAC prompts the user/admin to escalate its privileges to the admin full rights token to run the program with those rights or a task at the moment of escalation, and then the user/admin is returned back to the standard user token. If it is a non user/admin account, then the user is asked to give a user-id/psw to a user/admin account to complete the task. But that also depends on what rights the user account has in NTFS on folders or files as well for any type of an account.

Did you see that UAC prompt as user/admin as you went to the Security tab and asked you to allow or disallow your actions, even as user/admin? If you have seen that UAC prompt, then that's when you're given that admin full rights token to complete the task, and you are returned to the standard user token.

Even if you disable UAC, user/admin on Vista is not a user/admin that has full rights. The only admin account that has full admin rights is the hidden built-in Administrator account, that same one you see on XP.

Now, it could be that this program you are talking about doesn't have the power/privileges to do the task, there is no error trapping in the section of code to inform the user that the requested task the program is trying to do didn't happen, it didn't blow-up and it just didn't do it and kept on executing.

So here is some information in general about security on Vista, and what you as a software developer must be aware of in developing solutions to run on Vista.

http://technet.microsoft.com/en-us/library/cc709691.aspx

http://technet.microsoft.com/en-us/magazine/cc138019.aspx

http://www.developer.com/net/net/article.php/3695651

<http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml>

<http://channel9.msdn.com/posts/jmazner/How-To-Tell-Vistas-UAC-What-Privelege-Level-Your-App-Requires/>
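Added example, not part of any post in this thread and not the application's own code: the `fopen("data/global/filename.dsl", "wb")` call from JeffG's post with the missing folder created first and every failure reported with its `errno` text, the error trapping the post above found missing. The helper names, the 0700 directory mode and the 512-byte path limit are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#ifdef _WIN32
#include <direct.h>
#define MAKE_DIR(p) _mkdir(p)
#define IS_SEP(c) ((c) == '/' || (c) == '\\')
#else
#define MAKE_DIR(p) mkdir((p), 0700) /* owner-only; an assumption, adjust as needed */
#define IS_SEP(c) ((c) == '/')
#endif

/* Hypothetical helper: create each missing directory in front of the file name. */
static int make_parent_dirs(const char *path) {
    char buf[512];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf) { errno = EINVAL; return -1; }
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1; *p; p++) {
        if (!IS_SEP(*p) || p[-1] == ':') continue;   /* skip a "C:" drive prefix */
        char sep = *p; *p = '\0';                    /* cut the path at this level */
        if (MAKE_DIR(buf) != 0 && errno != EEXIST) return -1;
        *p = sep;
    }
    return 0;
}

/* Hypothetical helper: fopen() that prepares the folder and reports failures. */
static FILE *fopen_mkdirs(const char *path, const char *mode) {
    if (make_parent_dirs(path) != 0) {
        fprintf(stderr, "cannot create folder for %s: %s\n", path, strerror(errno));
        return NULL;
    }
    FILE *f = fopen(path, mode);
    if (f == NULL)
        fprintf(stderr, "cannot open %s: %s\n", path, strerror(errno));
    return f;
}

/* Write constructed sample content; 0 on success, -1 on any failure. */
static int write_sample(const char *path) {
    FILE *f = fopen_mkdirs(path, "wb");
    if (f == NULL) return -1;
    int ok = fputs("constructed sample\n", f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void) { return write_sample("data/global/filename.dsl") == 0 ? 0 : 1; }
```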
Guest JeffG, Posted October 4, 2008

Paul, thanks for your patience and detailed responses. I now have enough information to sort out my problem. Many thanks.