I was recently at a training seminar and saw an interesting demonstration about Windows 7 Junction directories.
For some background knowledge, Junction directories are used as a backwards compatibility measure within Windows 7 to help poorly written applications which use static directory paths. In order to see Junction directories you can run "dir /a" from the command prompt. Figure 1 lists all the directories on the root of the C drive. You can identify the junction directories by the
label next to the directory name.
 |
| Figure 1: Listing Junction Directories: dir /a |
Now comes the interesting finding. In Figure 1 you can see that "Documents and Settings" is a Junction to the "Users" directory. Figure 2 shows the result from running: dir C:\Users\
 |
| Figure 2: Listing contents of Users directory: dir C:\Users |
Next we will compare running a directory listing on the Junction directory. Figure 3 shows the results from running: dir C:\"Documents and Settings"
 |
| Figure 3: Listing contents of "Documents and Settings" junction: dir C:\"Documents and Settings" |
Hmm, that is interesting. As you see in Figure 2, there is a directory named "David" in the "Users" directory. Since "Documents and Settings" is a Junction directory to "Users", the "David" directory should be visible within the "Documents and Settings" directory listing. Figure 3 shows when we run: dir C:\"Documents and Settings"\David
 |
| Figure 4: Listing contents of sub-junction directory: dir C:\"Documents and Settings"\David |
Now the big question is, why can I traverse a Junction directory but can not list the contents of a Junction directory. To do this, we are going to run the AccessChk SysInternals Tool.
For more information on the AccessChk tool see the Microsoft TechNet article: http://technet.microsoft.com/en-us/sysinternals/bb664922
Figure 5 shows when the results from the following command: accesschk -l -v -q "C:\Documents and Settings"
 |
| Figure 5: Showing Permissions on Junction Directory: accesschk -l -v -q "C:\Documents and Settings" |
Now you should be able to clearly see the reason that this occurs. By default Junction directories explicitly deny FILE_LIST_DIRECTORY to the "Everyone" group which causes the "File Not Found" result when you attempt to do a directory listing on the "Documents and Settings" junction. However, FILE_TRAVERSE is allowed to the "Everyone" group therefore allowing you to traverse to the "David" directory.
Why did Microsoft decided to implement it this way? That is a very good question. Since Junction Directories are used to support legacy and poorly written applications, I am going to guess that they are trying to force users into the directory structure with limited default rights on junction directories....Just a guess though.
No comments:
Post a Comment