*nix -vs- Windows

Netopia

Diamond Member
Hello again,

Ok.. I got into a discussion with a friend about permissions in Windows -vs- Linux/Unix/OSX. My feeling is that permissions are much easier and more flexible in Windows than the others. His belief is that under the hood they are the same but that MS hides it and that someone with some creativity could create a GUI in *nix to allow similar permissions to files/folders.

Maybe he's right, but I thought I'd pose the question. Is there an easy way in *nix to, for instance, place permissions on a directory so that:

user 1 has modify
user 2 has read and execute
group 1 has modify
group 2 has full control
group 3 has write
everyone has read

The thing I'm not sure about is the multiple groups with different permissions and the multiple individual users with different permissions. He and I spoke a little about nested groups, but wouldn't the group that holds all the other groups be the one to define permissions? If so, then you wouldn't be able to have different permissions for different groups on a single folder.

If he's right, is there such a GUI out there that makes it as easy as in Windows to mix stuff like this up? Also, anyone know how (or IF) one can administer permissions on Windows boxes from the command prompt? I found cacls.exe ... is that perhaps the only way?

Joe
 
Windows has more fine grained permissions than the standard unix or unix-like system has.

If you get into trusted systems with well-developed ACL systems, things change. If you add in things like SELinux, Linux has even more control than Windows. Utilities like systrace also give some unix-like systems (OpenBSD, NetBSD, Linux, and Mac OS X) an advantage.
 
Originally posted by: bersl2
POSIX ACLs are now a part (if not integral) of the most common file systems.

For those of us that are too stupid to know this off the top of our heads and too lazy to look it up: what are POSIX ACLs again?
 
is there such a GUI out there that makes it as easy as in Windows to mix stuff like this up? Also, anyone know how (or IF) one can administer permissions on Windows boxes from the command prompt? I found cacls.exe ... is that perhaps the only way?
I'm not really a software developer; however, as far as I know the APIs for both the shell and WMI control of the NTFS ACLs are open. So it's probable that there are other GUI and CLI apps that can control these attributes, as well as possible to write your own.

As others have pointed out, "Out of the Box" Windows generally has a few more options (such as traversal or attribute access); however, *nix based systems can be extended to support more options.

Just thought I'd point out that everything we're talking about right now is related to the file-level ACLs; I'm not looking to open a can of worms & talk about other OS ACLs.
 
My feeling is that permissions are much easier and more flexible in Windows than the others.

More flexible yes, easier no. In fact it's a lot easier to break things horribly with a combination of NTFS ACLs and local policy settings. Most places that I've seen recommend using as few groups in ACLs as possible to make managing them easier, because if you go nuts with groups and ACEs you'll eventually be at a point where you have to dig through multiple groups to see where a certain permission is coming from. At most I can see a reason to have 2 groups on a particular file/directory. One with read access and one with write access, just put the user in the right group for those files and move on. It works with both ACL systems and is nice and simple.

His belief is that under the hood they are the same but that MS hides it and that someone with some creativity could create a GUI in *nix to allow similar permissions to files/folders.

Not really. NTFS permissions are nothing like unix permissions, mainly because there's more of them. Even with POSIX ACLs you only get rwx, you can just apply it to multiple users and groups on the same object now. But yes, a GUI could be written to handle the POSIX ACLs without much work, AFAIK every worthwhile filesystem on Linux supports them now.

Almost no one really supports this stuff.

For the most part there's no need to, the real work is done by the kernel/filesystem driver. Samba supports it directly so that you can edit the ACLs remotely via explorer, but I can't think of any other daemons that would need to explicitly support them.
 
Originally posted by: n0cmonkey
Originally posted by: bersl2
acl
getfacl
setfacl

Thanks for the links, I was just coming back to answer my own question. 😛

So it's basically close to NTFS, with a couple slight changes. Almost no one really supports this stuff. 😕


I think that a lot of people support it. Modern versions of Ext3 support it, the kernel supports it, as do a lot of basic file utilities.

I know I got Posix ACLs working just fine in older Fedora versions. I THINK I got them working just fine in Debian.. I may have done a remount on a filing system or compiled a kernel or something like that. I don't remember. I don't think anybody has them turned on by default.

Trouble isn't so much that they aren't supported, you may have to use a version of tar that isn't GNU tar for instance.. star, maybe?, but that for the most part the traditional Unix permission model is all you need.

ACLs are dangerous because they are so easy to foul up. I know I've made pretty bad mistakes from time to time with just the normal user/group/world and read/write/execute, I couldn't imagine how difficult it would be to maintain a directory system full of different permissions set up for each individual user, or context, or groups, or combinations of groups, or combinations of all sorts of crap. What a pain in the butt.

Seems that 90% of the time when I think that I may need ACLs, I can find a much better way of doing it just with generic Unix stuff with a little extra thought.

I think that the main reason you'd want to enable ACLs right now is for using SAMBA, which can maintain Active/Directory or NTFS style permissions for Windows users by mapping Windows ACLs to Posix ACLs (they aren't completely compatible, though).

It may be useful for maintaining a file server for an active and political office environment and stuff like that, but barring stuff like that it seems to be a security risk just because ACLs (including Windows ACLs) are so complex and easy to get wrong.
 
hmmm... here seems like a good paper describing the differences between standard Unix 'minimal access control lists' that we are all familiar with and the extended Posix-compatible 'extended access control lists'.

It also talks about support, which is a bit dated. Kernel 2.6 supports them now by default, or at least officially supports them.

Also talks a bit about CIFS (SMB, windows network file sharing protocol) and SAMBA and ACLs and a bit on how Posix vs Windows extended ACLs differ.

(for instance a major difference is that Windows access lists are cumulative. If you get access list through one rule, it can be added to more permissions as you go rule by rule. With Posix only the most specific access list is considered, so it's not cumulative..

With Windows you'd have to use the 'deny' access lists to add permissions in one context, but deny them later with a different context.

Posix doesn't support 'deny'; to deny users permissions that otherwise they'd get you would have to use a more specific way of setting permissions like making a rule for that specific user, which is something you can't do in Windows (since Windows is cumulative any user-specific permissiveness would be added to already existing permissions).

It's all very simple 😕 )
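
The difference described in the last post, as an added example that is not part of the thread: a simplified Python model of the POSIX ACL check (the first matching class decides) next to a Windows-style DACL walk (allow entries accumulate, a deny entry refuses). Every user, group and entry below is constructed for illustration.

```python
# Simplified models of both rules; every user, group and entry here is constructed.
R, W, X = 4, 2, 1

def posix_check(acl, owner, owning_group, user, groups, want):
    """POSIX.1e-style check: the first matching class decides, nothing accumulates."""
    mask = acl.get(("mask", None), R | W | X)
    if user == owner:                           # owner entry is never masked
        return (acl[("user_obj", None)] & want) == want
    if ("user", user) in acl:                   # a named-user entry beats every group
        return (acl[("user", user)] & mask & want) == want
    candidates = [acl[("group_obj", None)]] if owning_group in groups else []
    candidates += [p for (tag, name), p in acl.items()
                   if tag == "group" and name in groups]
    if candidates:                              # one entry must hold all wanted bits
        return any((p & mask & want) == want for p in candidates)
    return (acl[("other", None)] & want) == want

def windows_check(dacl, sids, want):
    """Windows-style DACL walk: allows accumulate over all of the caller's SIDs;
    a matching deny reached while rights are still outstanding refuses the request."""
    remaining = want
    for kind, sid, rights in dacl:              # ACEs are evaluated in stored order
        if sid not in sids:
            continue
        if kind == "deny" and (rights & remaining):
            return False
        if kind == "allow":
            remaining &= ~rights
        if remaining == 0:
            return True
    return False

POSIX_ACL = {
    ("user_obj", None): R | W | X, ("user", "alice"): R,
    ("group_obj", None): R, ("group", "readers"): R, ("group", "writers"): W,
    ("mask", None): R | W | X, ("other", None): R,
}
DACL_ALLOW = [("allow", "readers", R), ("allow", "writers", W)]
DACL_DENY = [("deny", "alice", W)] + DACL_ALLOW

def compare():
    both = {"readers", "writers"}               # each user belongs to both groups
    return {
        "posix_alice_write": posix_check(POSIX_ACL, "root", "root", "alice", both, W),
        "posix_bob_write": posix_check(POSIX_ACL, "root", "root", "bob", both, W),
        "posix_bob_read_write": posix_check(POSIX_ACL, "root", "root", "bob", both, R | W),
        "windows_bob_read_write": windows_check(DACL_ALLOW, {"bob"} | both, R | W),
        "windows_alice_write": windows_check(DACL_DENY, {"alice"} | both, W),
    }
```

In the POSIX model alice's own read-only entry keeps her from writing even though she is in the writers group, while the Windows model needs the explicit deny entry placed ahead of the allows to get the same result.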
 