Where does the file owner on Windows matter, seeing that there are ACLs?

windows file-permissions acl

Coming from a Linux background, I'm used to a file having an owner, and a owning group. Access permissions can be set separately for owner, group, and others, and that's it.

Now on (NT-based) Windows, it's a bit different, because Windows uses ACLs. That means instead of having three lists of permissions (owner, group, rest), I can have as many lists of permissions as I want.

So far, this makes sense. However, why does Windows still have the notion of a file owner? To me it seems that with ACLs, a "file owner" is no longer needed, because all access can be configured via ACLs.

So why does modern Windows still use file ownership? Where does it make a difference who owns a file? As long as two files have the same ACLs, file ownership should not matter - or does it?


Solution 1:

First of all, Linux does have ACLs – POSIX ACLs, which allow setting the permission bits for any number of users and groups. (Patches for RichACL, ACLs very similar to NFSv4 and WinNT, have been submitted repeatedly, but not merged yet.)

Ownership can be used as a sort of safety escape – the owner can always change the object's ACLs, even if the change would be denied otherwise, for example, if someone accidentally removed all ACL entries or denied all changes to everyone. (On Linux only the owner or superuser can change a file's ACLs, since there is no separate "change ACLs" permission.)

Another use of file ownership, on both Windows NT and Linux, is for determining whose quota should the file be counted on, if disk quotas are in use.

Solution 2:

There is a big difference if you look at it from an administrator's perspective.

On Linux root can do everything directly - the account as implicitly all permissions on all objects in the file-system and beyond.

On Windows an administrator does not have permissions to do everything by default - only if you are owner of the object (file, folder registry entry,...) you want to change.

Take for example a folder an administrator needs to change the file permissions. If the admin doesn't have the permission to change the security settings of the folder he needs to take over ownership of the folder before being able to access/change it.

Update:

This feature is important because in an ACL controlled environment there may be the case that a file has an empty ACL which means that no-one has access (default deny principle). In such a case taking over ownership is the only way to get access or to delete the file.

Solution 3:

The object owner always can change the ACLs.

Related

Mac OS X Lion Terminal SSH connection sharing error
Cygwin bash sed locks my files
How do you create a vim key mapping that requires numbers before the hotkey (like <G>)?
Is the L3 cache shared by all cores for a Sandy-Bridge E Xeon CPU?
Why don't I have SQL Profiler on SQL Server Management Studio?
Washing electronics [closed]
How do I list the files installed by a deb package?
Windows: Fastest way of killing a process running on a specific port
How do I set the paper color in LibreOffice Writer?
Is it possible to add an existing Azure VM to an Azure Virtual Network?
How to recursively upload a directory to a WebDAV server through HTTPS from the command line?
How to find out which installer package a given exe/dll belongs to