acl

NAME

acl - mapping of Windows file permissions to Interix file permissions

DESCRIPTION

Within the Interix subsystem, file ownership on the NTFS file system behaves as the POSIX standard requires. If you do not exchange files between the Interix environment and the Win32 environment, you probably will not notice a difference. If you plan to use both Interix and Windows applications and utilities on the same files, however, understanding the Windows security model makes it easier to understand how the utilities of one environment interact with files created in the other. For example, chown(1), chgrp(1), and chmod(1) might not behave as you expect on files created by Windows applications.

User and group information is stored in the Security Access database. Because users and groups share this database, user and group names must be unique: no group can have a user's name, and vice versa. (This database replaces the /etc/passwd and /etc/group files.) Users and groups are created with User Manager or with the net user command. (Example shell scripts that create and remove users are included in the directory /usr/examples/admin.) A user can belong to many groups.

Note that on the NTFS file system, the group and the owner of a file are stored as properties of the file; they are not derived from entries in the discretionary access control list (DACL). The permissions given to the owner, the group, and others, however, are derived from entries in the DACL.

Permissions are not implemented the same way on Windows as they are on traditional UNIX systems. UNIX permissions are clearly described in the POSIX standard and in the "Single UNIX Specification." In contrast to the UNIX implementation, the Windows file system underlying the Interix file system uses DACLs consisting of access control entries (ACEs), and the Interix subsystem maps those to the standard permission types. This topic describes that mapping and the Windows permissions that correspond to certain traditional abilities.

WINDOWS OBJECT SECURITY

All objects on an NTFS file system have an owner and a primary group. (An object can be owned by a group rather than a user; this is discussed later in this topic.) Each secure object also has a DACL made up of ACEs. Each ACE applies to a particular user or group and either allows or denies that user or group a type of access. You can see the DACL of a secure object by using the Windows cacls command, or by selecting the object, clicking Properties on the File menu, clicking the Security tab, and then clicking Permissions.

Each user or group with access has its permissions listed with respect to the object. Although the underlying permissions are the same, the names used in Windows NT differ slightly from those used in Windows 2000 and Windows XP, as follows:

No access (Windows NT) / Deny full access (Windows 2000 and Windows XP)
    The user or group cannot open or change the file, even if membership in a group would otherwise allow it.

Read (Windows NT) / Read and execute (Windows 2000 and Windows XP)
    The user or group can view or execute the contents of the file, but not change or delete it.

(no named permission in Windows NT) / Read (Windows 2000 and Windows XP)
    The user or group can view the contents of the file, but cannot execute it. (On Windows NT, this permission can be granted as a special access permission.)

Change (Windows NT) / Modify (Windows 2000 and Windows XP)
    The user or group can save changes to the file or its attributes, but not its permissions or owner. The user or group can also delete the file.

Full control (Windows NT) / Full control (Windows 2000 and Windows XP)
    The user or group has complete control over the file, including changing its permissions or owner.

Special access (Windows NT) / Special permissions (Windows 2000 and Windows XP)
    The permissions assigned to the user or group consist of a combination of specific permissions that do not correspond to any of the preceding named permissions.

Directory privileges

Directories have somewhat different permissions from files. In addition to specifying the access permission for the directory itself, directory permissions also specify the default permission inherited by files in that directory:

No access (Windows NT) / Deny full access (Windows 2000 and Windows XP)
    The user or group cannot list the files in the directory. Unless the permissions of a particular file explicitly allow it, the user or group cannot access files in the directory.

List (Windows NT) / List folder contents (Windows 2000 and Windows XP)
    The user or group can list the files in the directory. Unless the permissions of a particular file explicitly allow it, the user or group cannot access files in the directory.

Read (Windows NT) / Read and execute (Windows 2000 and Windows XP)
    The user or group can list the files in the directory. Unless the permissions of a particular file provide otherwise, the user or group can view or execute the contents of files in the directory.

(no named permission in Windows NT) / Read (Windows 2000 and Windows XP)
    The user or group can list the files in the directory. Unless the permissions of a particular file provide otherwise, the user or group can view the contents of files in the directory, but not execute them. (On Windows NT, this permission can be granted as a special access permission.)

Add (Windows NT) / (no corresponding permission in Windows 2000 or Windows XP)
    The user or group can create files in the directory, but not list files in the directory. Files do not inherit permissions from the directory.

(no named permission in Windows NT) / Write (Windows 2000 and Windows XP)
    The user or group can create files in the directory, but not list files in the directory. Unless the permissions of a particular file provide otherwise, the user or group can change the contents of files in the directory. (On Windows NT, this permission can be granted as a special access permission.)

Add and read (Windows NT) / (no corresponding permission in Windows 2000 or Windows XP)
    The user or group can create and list files in the directory. Unless the permissions of a particular file provide otherwise, the user or group can view or execute the contents of files in the directory, but not change or delete them.

Change (Windows NT) / Change (Windows 2000 and Windows XP)
    The user or group can create and list files in the directory. Unless the permissions of a particular file provide otherwise, the user or group can read, execute, change, or delete files in the directory.

Full control (Windows NT) / Full control (Windows 2000 and Windows XP)
    The user or group has complete control over the directory and, unless individual file permissions specify otherwise, its files, including changing its permissions or owner.

A file created through Interix and viewed using the ls -l command has the following permissions and attributes:

POSIX files are given three ACEs, one for the owner, one for the group, and one for the group Everyone, which represents everyone else. POSIX permissions are represented as follows:

A file created through the Win32 subsystem can have a different number of ACEs associated with it, and those ACEs might not fit well into the categories of user, group, and other. Interix tools will assemble permissions from the available ACEs:

If the ACE used to determine the owner's permissions does not grant the Change Permissions right or the Take Ownership right, chown(1), chgrp(1), and chmod(1) might be unable to change the file's owner, group, or mode.
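As an added example (not code from the Interix subsystem or its documentation), the following Python model shows how the three-ACE scheme described above collapses into the nine mode bits that ls -l prints, and why a file created by a Win32 application can come out with fewer bits than its owner actually holds. The SIDs ALICE and STAFF, both ACE lists, and the helper names are constructed for this example; the access-mask constants are the standard Win32 values. The assembly rule is an assumption, not the exact rule Interix applies: the owner and group triads come from ACEs naming those SIDs (plus the owner's group memberships), the "other" triad comes from the Everyone ACE, and a deny ACE removes the bits it names.

```python
"""Model of assembling POSIX mode bits from an NTFS DACL (added example, not Interix code).

The SIDs ALICE and STAFF and the two ACE lists are constructed for illustration; the
access-mask constants are the standard Win32 values. The assembly rule is an assumption:
owner/group triads from ACEs naming those SIDs, 'other' from the Everyone ACE, deny wins.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Win32 access-mask bits (values from the Windows SDK).
FILE_READ_DATA   = 0x00000001
FILE_WRITE_DATA  = 0x00000002
FILE_APPEND_DATA = 0x00000004
FILE_EXECUTE     = 0x00000020
DELETE           = 0x00010000
READ_CONTROL     = 0x00020000
WRITE_DAC        = 0x00040000   # "Change Permissions"
WRITE_OWNER      = 0x00080000   # "Take Ownership"
FULL_CONTROL     = 0x001F01FF

# Well-known SIDs, plus constructed account SIDs for the example.
EVERYONE       = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
USERS          = "S-1-5-32-545"
ALICE          = "S-1-5-21-1111-2222-3333-1001"   # constructed user SID
STAFF          = "S-1-5-21-1111-2222-3333-1101"   # constructed group SID


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    allow: bool = True          # False means an access-denied ACE


def effective_rights(aces: Iterable[Ace], sid: str, member_of: Iterable[str] = ()) -> int:
    """Bits a principal ends up with: the union of its allow ACEs minus every bit a deny
    ACE names. Assumes a canonical DACL (deny ACEs first), so a denied bit is never
    re-granted further down the list."""
    principals = {sid, *member_of}
    granted = denied = 0
    for ace in aces:
        if ace.sid not in principals:
            continue
        if ace.allow:
            granted |= ace.mask
        else:
            denied |= ace.mask
    return granted & ~denied


def rwx(mask: int) -> str:
    """One rwx triad from an access mask: read data, write or append data, execute."""
    return (("r" if mask & FILE_READ_DATA else "-")
            + ("w" if mask & (FILE_WRITE_DATA | FILE_APPEND_DATA) else "-")
            + ("x" if mask & FILE_EXECUTE else "-"))


def posix_mode(owner: str, group: str, aces: List[Ace],
               owner_member_of: Iterable[str] = ()) -> str:
    """Owner and group triads come from ACEs naming those SIDs; 'other' is the Everyone ACE."""
    return (rwx(effective_rights(aces, owner, owner_member_of))
            + rwx(effective_rights(aces, group))
            + rwx(effective_rights(aces, EVERYONE)))


def missing_owner_rights(owner: str, aces: List[Ace],
                         owner_member_of: Iterable[str] = ()) -> List[str]:
    """Rights the owner needs for chmod/chgrp (WRITE_DAC) and chown (WRITE_OWNER) but lacks."""
    rights = effective_rights(aces, owner, owner_member_of)
    return [name for name, bit in (("WRITE_DAC", WRITE_DAC), ("WRITE_OWNER", WRITE_OWNER))
            if not rights & bit]


# Constructed DACL of a file created through Interix: exactly three ACEs, owner / group / Everyone.
POSIX_FILE = [
    Ace(ALICE, FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE
               | READ_CONTROL | WRITE_DAC | WRITE_OWNER),
    Ace(STAFF, FILE_READ_DATA | READ_CONTROL),
    Ace(EVERYONE, FILE_READ_DATA | READ_CONTROL),
]

# Constructed DACL of a file created by a Win32 application: no ACE names the owner directly,
# Administrators get full control, Users get read and execute, and a deny ACE strips execute
# from Everyone (which includes the owner).
WIN32_FILE = [
    Ace(EVERYONE, FILE_EXECUTE, allow=False),
    Ace(ADMINISTRATORS, FULL_CONTROL),
    Ace(USERS, FILE_READ_DATA | FILE_EXECUTE | READ_CONTROL),
    Ace(EVERYONE, FILE_READ_DATA | READ_CONTROL),
]

if __name__ == "__main__":
    print(posix_mode(ALICE, STAFF, POSIX_FILE), missing_owner_rights(ALICE, POSIX_FILE))
    print(posix_mode(ALICE, STAFF, WIN32_FILE, owner_member_of=(USERS, EVERYONE)),
          missing_owner_rights(ALICE, WIN32_FILE, owner_member_of=(USERS, EVERYONE)))
```

The Interix-created file maps cleanly to rw-r--r-- and its owner holds both Change Permissions and Take Ownership, so chmod and chown work. The Win32-created file maps to r-----r--: the owner's read-and-execute comes only through the Users group, the deny ACE on Everyone removes execute, no ACE grants the owner WRITE_DAC or WRITE_OWNER, and the Administrators full-control ACE is invisible in the mode bits because it fits none of the owner, group, or other categories.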

File allocation table (FAT) and high-performance file system (HPFS) volumes store no owner or DACL for their objects, so all objects on them are owned by the user Everyone and the group Everyone.

SEE ALSO

privileges(5)