How does the Unix file privilege system differ from that of Windows?

filesystems permissions ntfs
8,471

Solution 1

NTFS has Windows ACEs. Unix uses "mode bits" on each file.

On NTFS, each file can have an owner, and zero or more Windows access control entries (ACEs). An ACE consists of a principal (users and groups are principals), a set of operations (Read, Write, Execute, etc.) and whether those operations are allowed or denied. Files can have many ACEs. Other objects in Windows other than files can have ACEs as well, such as registry entries, printer objects, and other things. All ACEs are taken into account when a file operation occurs. Deny takes precedence over allow.

Windows ACEs support inheritance where you can set an ACE for a directory and have it automatically propagate to lower level directories.

Files in Unix have an owning user (owner) and an owning group (owner-group). There are three fixed "principals" which are owner, members of the owning group, and everyone else (a.k.a world). For each principal there are three "bits" which cover read, write, and execute abilities. (these have different meanings for directories than files, see this). These bits determine who can perform what operations. This is called the file's mode and is built into the file (there are no separate ACEs).

Most of the time you are concerned with the "world" permissions, i.e. setting all three bits to 0 for "world" means no one who isn't the owner or group-owner can do anything with the file. Unix permissions only work on the filesystem, but since most objects appear as files you can use permissions to restrict access to disks, printers, etc. Unix permissions are simpler but more "coarse." Unix permissions do not support inheritance and will not affect lower level directories, with the exception of execute permission for directories (I think) which causes newly created files to assume permissions of the directory (but doesn't affect currently created files).

Traditionally Unix files have a single owner and a single owner-group. There are extensions to Linux that add ACEs to files in similar fashion to Windows.

Unix's advantage is only that a simpler system is usually easier to understand and secure, and speed since the filesystem doesn't have to fetch ACEs in addition to inodes when opening files.

Solution 2

One thing that's quite different is that "executable" is a permission under Linux/Unix, not based on the file's name or extension.

This is an advantage over Windows, in that on Linux you can ensure something doesn't get executed by removing executable permissions. No magic extensions matter at all. This is probably one reason why traditional file viruses got exactly nowhere on Unix and Linux.

Share:
8,471

Related videos on Youtube

dbush
Author by

dbush

Updated on September 18, 2022

Comments

  • dbush
    dbush almost 2 years

    Related question: How does the Linux file system/organization differ from Windows?

    I am somewhat familiar with how privileges work when it comes to files and directories - each entry has an owner and group property that represent the owner of the file and the group that the owner belongs to (correct me if I'm wrong).

    How does this differ from the organization of permissions in the NTFS filesystem on Windows? What advantages does Unix's permission system have over NTFS?

  • Random832
    Random832 about 13 years
    That's setgid permission for directories, and it makes files inherit the owner-group, not the permissions.
  • Hello71
    Hello71 about 13 years
    @George: One thing you need to remember is that group is NOT the group of the owner, it is separate. See chgrp(1).
  • LawrenceC
    LawrenceC about 13 years
    @Random832: Thanks for the clarification.
  • Patches
    Patches about 13 years
    Windows actually does have an executable permission, although they defeat the purpose by setting it by default.
  • Shadur
    Shadur about 13 years
    Most distributions nowadays include support for extended Access Control Lists (ACLs) compiled into the various available filesystems by default. The name of the software package needed to access and modify these is generally called acl or facl or something similar, with the two programs named setfacl and getfacl to modify or retrieve access control list settings.
  • RMA
    RMA about 13 years
    Extensions don't matter on windows either.
  • dbush
    dbush about 13 years
    @Logan: Actually, they do have significance on Windows. The file extension determines what program(s) can be used to open it as well as indicating to explorer what type of file it is so that thumbnails can be generated. In the latter case, that could potentially exploit a bug that exists in the thumbnail generator and therefore could compromise a system.
  • RMA
    RMA about 13 years
    @George The same applies to a graphical file manager with a buggy thumb nail previewer on any operating system. My point was that CreateProcess doesn't give two hoots if your program ends in .exe (and this is easy to see by running a program from cmd.exe), but it does indeed care about the execute bit.
  • dbush
    dbush about 13 years
    @Logan: Ah, I see. But that certainly isn't because Windows performs some sort of advanced analysis of the file's header - it simply tries to link and load the file and reports a failure if it cannot.
  • RMA
    RMA about 13 years
    @George, right just like Unix (unless you want to start arguing about whether looking for a shebang is "advanced" or not). I just wanted to make it clear that the file extension has nothing to do with the security model. If you mark an executable non-executable on Windows it has the same effect it does on a unix.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Access for admins is denied on user profile folders on Windows 7
How to check the creator of a file in Windows?
file ownership for new files with administrator - why is it giving ownership to the group administrators?
How to workaround the NTFS Move/Copy design flaw?
Mount device with r/w access to specific user
How to change NTFS ACLs on linux?
chmod and chown a remote NTFS filesystem both fail
Can't write on ntfs partition shared with Windows 10
git init shows 'error: chmod ... .git/config.lock failed: Operation not permitted'
Plex Media Manager sees external NTFS drive but doesn't see directories