In Part 1 of our series on permissions, we talked about access control models, super-users versus regular users, and the concept of least privilege. If you missed that, you can read it here. In Part 2, we’re going to look at how Windows and the *nix operating systems (Linux, Unix, and Macs) deal with file system permissions. While some of the concepts are the same, the implementations are significantly different, so it’s good to understand just what each flavor of operating system does.
Windows has two sets of permissions. One only impacts access over the network, and is referred to as Share Permissions. The other affects access whether it is over the network or through local access and is referred to as NTFS Permissions. The two must agree, or the most restrictive settings will apply.
There are three levels of Share Permissions in Windows.
- Full Control: Users or groups with Full Control can do anything to a file or directory, including assign permissions to others.
- Change: This permission allows users or groups to modify the file or directory, and any attributes of the same. This includes editing a file, setting it to Read Only, or even deleting it.
- Read: This permission is Read Only, but that also conveys the ability to execute it on the machine which the user is interactive on, and also to copy the file to another location.
When you share a directory, you make it available for access over the network. In modern versions of Windows, sharing a directory grants the special group “Everyone,” which is anyone who can connect, Read access. In older versions, that was “Full Control.”
NTFS permissions are much more granular, and apply whether the access is over the network through a share, or local. They include the following.
- Full Control: As the name implies, this is just like in Share Permissions. If you have this, you can do everything.
- Modify: This applies to attributes, not to the contents of a file.
- Read & execute: Implied when Read is granted, but since that conveys execute it’s called out to be sure you understand.
- List folder contents: Applies only to directories, and is implied when Read is granted to a directory.
- Read: Read, including copy.
- Write: Edit, including delete.
- Special permissions, which are seldom if ever used, but include Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create files/write data, Create folders/append data, Write attributes, Write extended attributes, Delete subfolders and files, Delete, Read permissions, Change permissions, and Take ownership.
Windows also has a special permission No Access, which trumps all other permissions. You can have Full Control at both the Share and the NTFS level, and belong to 50 different groups that also have Full Control at both, but if you belong to a 51 group that has been explicitly assigned No Access, that trumps everything and you are locked out from that file or directory.
Windows ACLs can include multiple users and groups, permissions are additive across all relevant entries, and inheritance is the default. Apply permissions at a directory, and they will apply to all files and subdirectories underneath by default, though you can set explicit permissions and block inheritance if you need to. Finally, Windows has attributes that might slow down even an admin, or hide files if the default settings are not changed. An admin may have Full Control, but if the file is set to Read Only, the admin must first change that attribute before making any changes to the file.
You can assign permissions in Windows using the GUI, or the command line tools CACLS or ICACLS.
Whether you are running your favorite flavor of Linux, Unix, Mac OS X, or some other POSIX-compliant system, your permissions model is both simple and straightforward compared to how Windows does things. There are three levels of permission. That’s it. Here they are.
- Read: Denoted by an “r” when you have it, and a “-“ when you don’t, having read permission to a file means you can open a file, view its contents, and copy the file or its contents somewhere else. Having it applied to a directory means you can read the names of files in a directory, but it does not convey to those files like it would in Windows (inheritance.) Read permissions can be noted with a numeric value, 4.
- Write: Denoted by a “w” when you have it, and a “-“ when you don’t, having write to a file means you can modify it or any attribute of it, and this includes deletion or the setting of permissions for others. Write permissions can be noted with a numeric value, 2.
- Execute: Denoted by an “x” when you have it, and a “-“ when you don’t, having execute means that, if the file is executable, you can run the file or script. Execute permissions can be noted with a numeric value, 1.
These values are octal and additive. If you have no permissions at all, that can be noted as a 0. Read+Write would be a 3, and Read+Write+Execute would be a 7.
And they can be applied to three different types of security principal.
- User: an individual user account.
- Group: a group of accounts.
- World: essentially, everyone.
Since permissions in this model can be abbreviated using a sequence of numbers, you can denote the permissions to a file based on three numbers. For directories, you simply add D at the beginning. For example, where none are directories, the first field is -, reading permissions from left to right as user, group, and world;
|Symbolic Notation||Octal Notation||English|
|–wx-wx-wx||0333||write & execute|
|-r-xr-xr-x||0555||read & execute|
|-rw-rw-rw-||0666||read & write|
|-rwxrwxrwx||0777||read, write, & execute|
Triple 7’s (777) means everyone can do everything. That’s rather dangerous, and it’s akin to assigning everyone Full Control in Windows. You can also have different values for different principals. If you had a file on your website you wanted anonymous visitors to read, but only you and the proper security group should be able to edit, you might set permissions 664. You can set permissions through your graphical shell, or using the command line with chmod. You can change ownership with chown. *nix files and directories will only have one user (owner,) one group, and the world, and there is no inheritance.
In the next installment of this series, we will review application permissions.