Windows Rights on files

inheritance and nesting

© 2010-2013 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Introduction
    2. Comparison

Introduction

Although Microsoft claims that "NTFS is the most POSIX.1 compliant of the supported file systems", there are too many differences for simple interaction between Linux, Mac OS X and Windows machines to be possible.

When talking about interoperability we need to distinguish between how the data resides on disk and how the data is transported to make the exchange possible. When one formats a USB stick with NTFS and plugs it into a Mac OS X or GNU/Linux machine, the rules for accessing that data are completely different from those that apply when using FTP to copy files from GNU/Linux to a Windows based FTP server.

The most widely used protocol for connecting Windows machines together to share data is SMB, later renamed CIFS. This protocol provides file and printer sharing across the network on Microsoft Windows based networks.

The Open Source community has provided a tool to minimize the interaction problems: Samba, a reimplementation of the SMB and CIFS protocols as provided by Microsoft Windows NT based systems (Samba version 3.x). Most of the functionality was implemented by reverse engineering the protocol, that is, by studying the data that travelled across the network.

With the ruling by the European Union, Microsoft had to open up its protocols to enable interoperability. Based on the protocol descriptions that were released, Samba version 4.x implemented the Microsoft protocols according to Microsoft's own specification. In addition, Active Directory functionality was added, but that has nothing to do with our interoperability quest.

Comparison

The table below provides an overview of the access rights used by NTFS and documents the ext2, ext3 or ext4 (Ext{N}) commands that accomplish the same. Each entry lists the NTFS right, its description, the Ext{N} command (--- where there is none) and any notes.

    Traverse Folder/Execute File
        Description: If this right is set on a folder it means that a user or group is allowed to traverse the folder; on a file it means the user is allowed to execute the program.
        Ext{N} command: chmod +x

    List Folder/Read Data
        Description: On a folder it means that the contents of the folder can be listed; on a file it means that the content of the file can be viewed.
        Ext{N} command: chmod +r

    Read Attributes
        Description: Allows or denies viewing the attributes of a file or folder.
        Ext{N} command: ---

    Read Extended Attributes
        Description: Allows or denies viewing the extended attributes of a file or folder.
        Ext{N} command: ---

    Create Files/Write Data
        Description: On a folder it means that a user can create files within that folder; on a file it means that the user can make changes to that file.
        Ext{N} command: chmod +w
        Notes: On Ext{N}, write permission on a folder also means that a user is allowed to delete files in that folder, even when the user is not their owner, and on a file that the user is allowed to delete the file.

    Create Folders/Append Data
        Description: On a folder it means that a user is allowed to create sub-folders; on a file it means that the user is allowed to add data to the end of the file but may not change, delete or overwrite existing data (log files).
        Ext{N} command: File: chattr +a
        Notes: For folders there is no Linux counterpart.

    Write Attributes
        Description: Allows changing attributes on files or folders in the folder.
        Ext{N} command: ---

    Write Extended Attributes
        Description: Allows changing extended attributes.
        Ext{N} command: ---

    Delete
        Description: Allows deleting files or folders.
        Ext{N} command: ---

    Delete Subfolders and Files
        Description: Allows deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
        Ext{N} command: ---

    Read Permissions
        Description: Gives permission to read the permissions on files or folders.
        Ext{N} command: ---

    Change Permissions
        Description: Gives permission to change the permissions on files or folders.
        Ext{N} command: ---

    Take Ownership
        Description: Allows or denies taking ownership of the file or folder.
        Ext{N} command: ---

    Synchronize
        Description: Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocessing programs.
        Ext{N} command: ---

In addition, Windows has the ability (although it is not standard) to let rights be inherited. This means that a change on a higher level directory influences the rights on the directories below it. This is not possible on GNU/Linux systems.
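The following script is an added example, not part of the original article, that exercises the Ext{N} side of the comparison above in a scratch directory: the chmod +x and chmod +w mappings, the note that on Ext{N} deletion is governed by the write bit of the folder rather than of the file, and the absence of inheritance (a mode change on a parent directory leaves its children untouched). It assumes GNU coreutils (stat -c '%a') and a writable temporary directory; chattr +a is left out because it requires root and an ext filesystem.

```shell
#!/bin/sh
# Added example (not from the original article): check the Ext{N} behaviour
# described in the comparison table inside a throw-away directory.
set -u

WORK="$(mktemp -d)"                 # scratch area, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Octal mode of a path (assumption: GNU/busybox stat with -c is available).
mode_of() {
    stat -c '%a' "$1"
}

# "Traverse Folder/Execute File" maps to chmod +x on a file.
# Returns 0 when the file is executable afterwards.
grant_execute() {
    f="$WORK/prog.sh"
    printf '#!/bin/sh\necho hello\n' > "$f"
    chmod u+x "$f"
    [ -x "$f" ]
}

# "Create Files/Write Data" on a folder maps to chmod +w on the directory.
# On Ext{N} the directory's write bit also controls deletion: a file that is
# itself read-only can still be removed from a writable directory.
delete_controlled_by_directory() {
    d="$WORK/share"
    mkdir -p "$d"
    : > "$d/readonly.txt"
    chmod a-w "$d/readonly.txt"     # no Write Data on the file itself
    chmod u+w "$d"                  # Write Data on the folder
    rm -f "$d/readonly.txt"         # succeeds despite the read-only file
    [ ! -e "$d/readonly.txt" ]
}

# The converse: a writable file cannot be deleted from a folder the user
# may not write to. Root bypasses mode bits entirely, so skip in that case.
delete_blocked_without_directory_write() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "skipped: root is not subject to mode bits"
        return 0
    fi
    d="$WORK/locked"
    mkdir -p "$d"
    : > "$d/victim.txt"
    chmod u+w "$d/victim.txt"       # Write Data on the file
    chmod u-w "$d"                  # but not on the folder
    rm -f "$d/victim.txt" 2>/dev/null
    chmod u+w "$d"                  # restore so the cleanup trap can work
    [ -e "$d/victim.txt" ]          # the file survived
}

# Windows can propagate rights from a parent to its children (inheritance).
# On Ext{N} a chmod on the parent leaves the child's mode exactly as it was;
# the administrator has to recurse explicitly (chmod -R) to get that effect.
parent_change_does_not_propagate() {
    mkdir -p "$WORK/parent/child"
    chmod 755 "$WORK/parent/child"
    chmod 700 "$WORK/parent"        # change only the parent
    [ "$(mode_of "$WORK/parent/child")" = "755" ]
}

# Run every check and report the outcome.
for check in grant_execute delete_controlled_by_directory \
             delete_blocked_without_directory_write parent_change_does_not_propagate; do
    if "$check"; then
        echo "ok   $check"
    else
        echo "FAIL $check"
    fi
done
```

Each check is a function returning the shell's success/failure status, so the same script doubles as a regression test for the claims in the table; run it as an unprivileged user to see the "delete blocked" case actually exercised.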