
After reading the following page to update myself on how NTFS file, folder, and share permissions work, I am left with a few questions and hope to receive some answers on this group:

http://technet.microsoft.com/en-us/library/bb727008.aspx

The page states that when a permission is dimmed it means such permission is inherited from a parent object (I guess in the case of folders this could mean the parent folder, but what would this mean in the case of files?).

What is the difference between a user and a contact (as mentioned at the top of the given page)?

On my system, besides the basic permissions Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write, there is another permission listed in the access control list of various files, namely the "special authorization" permission. What is this, what is it used for, where does it come from, and why is it not described on any of the various sites that explain attributes pertaining to NTFS files, folders, and shares?

The page states that read permission is needed to run scripts and execute permission is not needed for these on Windows. Presumably by scripts we mean any file which is interpreted as opposed to compiled, but with the sheer multitude of file types which can be run on Windows systems, how would I know which ones actually needed execute permissions and which ones didn't?

In the permissions table on the link I posted, is there a typo pertaining to the List folder Contents permission for folders (I didn't think this implied an execute permission)?

Thank you for your help.

1 Answer


[Link to the "Microsoft Windows 2000 Administrator's Pocket Consultant"]

You really should be reading more recent documentation. Take this for example.

[parent object:] I guess in the case of folders this could mean the parent folder, but what would this mean in the case of files?

In a rough approximation, the parent object of a file is the folder it is contained in.

What is the difference between a user and a contact

This is a documentation error. Contact objects can be created in Active Directory and are somewhat similar to user objects except that they cannot log in and cannot be granted permissions for resources. You cannot assign NTFS permissions to a contact.

the "special authorization" permission

This is not a permission as such. It is just a check box to indicate that more granular permissions have been granted than the typical Read/Write/Full Control combinations you see in the simplified ACL GUI. Click on the "Advanced permissions" button and take a look at the granular access control entries for details.

how would I know which ones actually needed execute permissions and which ones didn't?

The "execute" permission is not used in native Win32/Win64 applications. It has been included for POSIX compatibility. As you probably are not using software requiring the POSIX APIs (Services for Unix / Interix and dependent software packages), you mostly can ignore the "Execute" permission.

List folder Contents permission for folders [implies an execute permission]

It indeed does - again for POSIX compatibility. In UNIX, the "execute" permission bit on folders actually translates to "list contents". As I noted earlier, Windows does not implement the "Execute" permission anyway, but "List contents" is handled as expected.

the-wabbit
  • Thank you so much for the clarification. On the file or folder Properties -> Security I see the Advanced button at the bottom below the second list box. I also found the following interesting Wikipedia article on Interix: http://en.wikipedia.org/wiki/Interix . In practical terms, what's the difference between running Interix or Windows 7 Ultimate, and using a compatibility layer such as Cygwin? Are such features of Windows 7 Ultimate available on Windows 8.1 (which as I understand is available for free)? – John Sonderson Nov 23 '13 at 00:11
  • Also, getting back to Properties -> Security -> Advanced, I don't see how I can manipulate the "Special Authorizations". Can you please explain or provide a reference? Thanks. – John Sonderson Nov 23 '13 at 00:13
  • @JohnSonderson Cygwin is a userland compatibility layer while the POSIX subsystem/Interix/SUA is built to attach at the Kernel level. As they are different implementations of the same standard API, the practical differences would mainly consist of implementation specifics, but of course both are capable of running `findutils` or `sed`. – the-wabbit Nov 23 '13 at 00:29
  • Re "Special Authorization": as I wrote, this is not a single permission you can grant. It appears checked whenever an object has discrete permissions which deviate from the commonly used "Read", "Write", "Change" and "Full Control" combinations. For example you might add the "Change permissions" bit to a user's "Read" ACE and see the "Special Authorization" being checked in the simplified ACL GUI as a result. – the-wabbit Nov 23 '13 at 00:30
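
The case described in the last comment (a "Read" ACE with "Change permissions" added), worked through as an added example that is not part of the original thread: the sketch below approximates how an ACE's access mask maps onto the basic check boxes and the "special permissions" ("special authorization" in the question) box. The matching rule, the handling of SYNCHRONIZE and the function names are assumptions made for illustration; the bit values are the standard Win32 file access rights.

```python
# Added example: approximate how the simplified ACL dialog maps an ACE's
# access mask to the basic check boxes plus the "special permissions" box.
SYNCHRONIZE = 0x100000  # assumption: ignored when comparing masks

# Win32 file/folder access-right bits with their Advanced-dialog names.
RIGHTS = {
    0x000001: "List folder / read data",
    0x000002: "Create files / write data",
    0x000004: "Create folders / append data",
    0x000008: "Read extended attributes",
    0x000010: "Write extended attributes",
    0x000020: "Traverse folder / execute file",
    0x000040: "Delete subfolders and files",
    0x000080: "Read attributes",
    0x000100: "Write attributes",
    0x010000: "Delete",
    0x020000: "Read permissions",
    0x040000: "Change permissions",
    0x080000: "Take ownership",
}

# Basic permission sets as masks (the values icacls uses for F, M, RX, R, W).
# "List Folder Contents" has the same mask as Read & Execute and differs only
# in inheritance flags, which this sketch does not model.
BASIC = {
    "Full Control": 0x1F01FF,
    "Modify": 0x1301BF,
    "Read & Execute": 0x1200A9,
    "Read": 0x120089,
    "Write": 0x100116,
}

def decode(mask):
    """Names of the individual rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def classify(mask):
    """Return (basic boxes fully covered, leftover rights shown as 'special')."""
    m = mask & ~SYNCHRONIZE
    checked, covered = [], 0
    for name, basic in BASIC.items():
        want = basic & ~SYNCHRONIZE
        if m & want == want:          # every bit of this basic set is granted
            checked.append(name)
            covered |= want
    return checked, decode(m & ~covered)

if __name__ == "__main__":
    # Constructed sample masks: Read, Read + Change permissions, Modify.
    for sample in (0x120089, 0x120089 | 0x040000, 0x1301BF):
        print(hex(sample), classify(sample))
```

A non-empty second element is the condition under which the simplified dialog would tick the special box; the individual rights are then visible only in the Advanced view.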