Windows 7 File Permissions - Force directory permissions recursively to all current and future files

Question

I have a filesystem directory that I primarily access in my regular user mode (a git repository). Occasionally, an elevated "root" user process will create new files somewhere in this directory or a file in some sub-directory. This makes it so I can no longer change all the files myself, and Git will fail pulling changes (unless I run Git as an elevated root user).

I can set the permissions recursively in Windows Explorer every day, but that process takes a long time since have have hundreds of thousands of files it has to reset permissions on.

Is there any way in Windows to make it so a directory will always be writable by all users?

Answer 1

There's no way you can force files and directories created by other users to have certain permissions. They own the files and directories they create, and as the owner they can always set the permissions to whatever they want. What you can do however is ensure that the default permissions used when creating files and directories allow you to access the files and directories.

View the Advanced Security Settings for one of your problem directories by right clicking on it in Explorer and selecting Properties -> Security -> Advanced. Look for the entry that gives you access to the directory (probably either Hostname\\Users or Hostname\\Yourname) and ensure that under the "Applies To" column it says "This folder, subfolders and files". If it doesn't say this then this permission won't be inherited by any subdirectories or files created in the directory.

To fix that go to the top directory of your git repository (or maybe higher if you've been changing permissions of directories above this one) and view it's Advanced Security Settings in Explorer. Press the Change Permissions button and select the entry that gives you permission to access the directory and press Edit. On the dialog that appears change the "Applies To" drop box to "This folder, subfolders and files". Make sure that "Apply these permissions to objects and/or containers within this container only" is unchecked and click OK. You might want to repeat this with any other permission entries that aren't inheritable. Check the "Replace all child object permissions with inheritable permissions from this object" on the Advanced Settings dialog and then press OK. That should make it so anything anyone creates under that directory has, by default, the permissions you've set as inheritable.

This won't stop problem "root" processes (generally called administrator or system processes depending the actual user) from creating files with whatever permissions they want, but generally most processes will use the default permissions when creating files. If you do have a problem with processes explicitly setting the permissions and you can't change their behaviour there isn't much you can do about it. You could move your files to FAT32 or exFAT formatted partition. As these file systems don't support access control lists, you'll never be denied read access to the files. They do support a read-only attribute, so you could still be denied write access if the process explicitly sets the MS-DOS style read-only attribute as well.