# So NTFS does store permissions?

## dE_logics

So we do have ACL and ACE in NTFS and so Windows (as copied over from Unix); regarding this I have a few questions -

1) If I mount an NTFS partition in Ubuntu (in one PC), I get full rwxrwxrwx permission for that partition (owner and group is root), however in Gentoo I get rwx------ (owner and group is root)...why?...what's wrong? (Notice, this is a question I asked out of curiosity, I know the gid and uid parameters) Ok, I think umask in /etc/profile governs this?

2) If I change the file permissions manually on a mounted NTFS partition, it should change and the permission should be stored in some sorta cache (the local cache), that means it will be lost if I umount, but the permissions are not changing.

However, if the NTFS filesystem is mounted using fstab, it works... what is happening???

4) Do we have security advantages similar to Linux if using a limited account in Windows; to what extent will it protect? So why does everyone use an administrator account?

----------

## NeddySeagoon

dE_logics,

Both *NIX filesystems and NTFS implement permissions but the permission sets are not compatible.

Therefore, when you mount an NTFS partition in *NIX, you have to fake the owner, group and permissions.

As you know, this is done at mount time in a number of ways and can be changed later by any user having the required permissions to the mount point.

If you use a limited account on Windows on NTFS (you can install Windows on FAT32 too) you have some protection as limited users cannot install things, even virii.

Everyone uses the admin account from habit ... look at Windows' origins: DOS, Win 3.1, Win95, Win98 (all on FAT with no idea of keeping users apart). NT was the first version of Windows to use NTFS, as it wasn't aimed at home users. XP provided NTFS as an option.

Windows users are not used to setting up user accounts.

Another reason is that Windows is really a single user operating system. Think about the history. *NIX has been multi-user since its inception and on a multi-user system, you need to authenticate users and keep them apart.

----------

## Hu

 *NeddySeagoon wrote:*   

> If you use a limited account on Windows on NTFS (you can install Windows on FAT32 too) you have some protection as limited users cannot install things, even virii.

 In a strict sense, you are correct that limited users cannot install packages the way an administrator can.  However, the default permissions that Windows sets at install allow users to execute code out of their profile directory, so a virus could drop something in ~/My Documents and run from there.  It is possible to restrict such behavior, if the system administrator wishes to do so.

Regarding administrator accounts on Windows: this is not entirely the fault of end users.  Far too many Windows programs, especially ones released as recently as a few years ago, assume the user will have administrative rights.  Such programs then behave poorly or outright fail when run under a limited user account.  Users quickly become frustrated with a failure they cannot understand, switch to an administrator account, and stay there when that makes the problem go away.  By contrast, most Unix programs will be refused by distribution maintainers if they want administrator privileges, but serve a purpose which should not require administrator rights, so we tend not to encounter such things very often.

----------

## dE_logics

Ok, thanks for answering.

But IMO the restrictive accounts will be in use by default someday. And that day the security of Windows will increase by quite a lot.

Anyway, no one can stop the 'autorun' to delete the whole user's data. I'll try and run a few viruses in the limited account too...let's see what happens.

Ok, so one more question remaining - 

 *Quote:*   

> 2) If I change the file permissions manually on a mounted NTFS partition, it should change and the permission should be stored in some sorta cache (the local cache), that means it will be lost if I umount, but the permissions are not changing.
> 
> However, if the NTFS filesystem is mounted using fstab, it works... what is happening???

 

So why does it happen with fstab?

----------

## princeoliver

I didn't read the topic, sorry, I just want to mention a few interesting notes from ntfs-3g's author that I have in my bookmarks:

http://pagesperso-orange.fr/b.andre/permissions.html

http://pagesperso-orange.fr/b.andre/usermap.html

http://pagesperso-orange.fr/b.andre/secaudit.html

----------

## dE_logics

 *princeoliver wrote:*   

> I didn't read the topic, sorry, I just want to mention a few interesting notes from ntfs-3g's author that I have in my bookmarks:
> 
> http://pagesperso-orange.fr/b.andre/permissions.html
> 
> http://pagesperso-orange.fr/b.andre/usermap.html
> ...

 

Yeah I did read that. That's how I came to know a bit about it.

 *Quote:*   

> Building Linux permissions and getting owner and group from an ACL is rather complex, so, when inheritable, the results are kept in a memory cache for further use. This cacheing is very efficient as a single entry has to be maintained for all files which have the same set of permissions, owner and group.

 

But this is not working with the manual mount.

----------

## Hu

 *dE_logics wrote:*   

> But IMO the restrictive accounts will be in use by default someday. And that day the security of Windows will increase by quite a lot.

 Windows Vista went a long way in that regard.  Unfortunately, it was such a debacle that its market penetration is far lower than they would have gotten if they had kept the good parts of XP and just enhanced the security related areas.  Windows 7 cleaned up some of Vista's worst mistakes, but Microsoft still does not accept that XP is the most popular Windows they ever made.

----------

## dE_logics

 *Hu wrote:*   

> *dE_logics wrote:*
>
> > But IMO the restrictive accounts will be in use by default someday. And that day the security of Windows will increase by quite a lot.
>
> Windows Vista went a long way in that regard.  Unfortunately, it was such a debacle that its market penetration is far lower than they would have gotten if they had kept the good parts of XP and just enhanced the security related areas.  Windows 7 cleaned up some of Vista's worst mistakes, but Microsoft still does not accept that XP is the most popular Windows they ever made.

 

And MS won't give a damn about what users use. Closed source.

Microsoft®©™

----------

## lagaminas

I have the same problem.

----------

## jordanwb

Not sure if this is useful but I think there is a file that controls the default options that are assigned to a file system upon mounting or upon creation. I'm not sure where these files might be. I'm looking right now.

Here we go: 

Mount command documentation regarding NTFS:

 *Quote:*   

> uid=value, gid=value and umask=value
> 
>     Set the file permission on the filesystem. The umask value is given in octal. By default, the files are owned by root and not readable by somebody else.

 

Not sure what to set these to but umask may be useful.

----------

## dE_logics

 *jordanwb wrote:*   

> Not sure if this is useful but I think there is a file that controls the default options that are assigned to a file system upon mounting or upon creation. I'm not sure where these files might be. I'm looking right now.

 

You mean the .ntfs-3g directory?

> Here we go:
>
> Mount command documentation regarding NTFS:
>
> > uid=value, gid=value and umask=value
> >
> >     Set the file permission on the filesystem. The umask value is given in octal. By default, the files are owned by root and not readable by somebody else.

Yes, I always do that.

> Not sure what to set these to but umask may be useful.

I put 003...that's generic. 007 is reasonably secure and 077 is the most secure.

On my desktop I have the user 'de' with the ownership as de:root with umask 007 (this is defined in /etc/profile). That keeps me happy.

----------
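
The `uid`, `gid` and `umask` mount options from the last posts, worked through as an added example (not code from the thread or from ntfs-3g): it reads those options from NTFS lines in fstab-style text, shows the mode `ls -l` would report for every entry, and flags world access. The fstab lines are constructed, the root default for a missing `uid`/`gid` follows the mount documentation quoted above, and an entry with no `umask` is only flagged, since the thread shows the resulting mode differing between systems.

```python
import stat

# Constructed sample /etc/fstab lines (devices, mount points and ids are made up).
SAMPLE_FSTAB = """\
# <fs>      <mountpoint>  <type>   <opts>                          <dump/pass>
/dev/sda1   /             ext4     noatime                         0 1
/dev/sda2   /mnt/win      ntfs-3g  uid=1000,gid=0,umask=007        0 0
/dev/sdb1   /mnt/share    ntfs-3g  defaults,umask=003              0 0
/dev/sdb2   /mnt/private  ntfs     ro,uid=1000,gid=1000,umask=077  0 0
/dev/sdc1   /mnt/usb      ntfs-3g  defaults                        0 0
"""

NTFS_TYPES = {"ntfs", "ntfs-3g"}


def parse_options(field):
    """Split a comma-separated fstab options field into a dict."""
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def apparent_mode(umask_octal):
    """Permission bits every entry shows: 0777 with the umask bits cleared."""
    return 0o777 & ~int(umask_octal, 8)


def audit_fstab(text):
    """Return (mountpoint, owner, mode string, warnings) per NTFS entry."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] not in NTFS_TYPES:
            continue
        opts = parse_options(fields[3])
        # Missing uid/gid default to root, as the quoted mount documentation states.
        owner = f"{opts.get('uid', '0')}:{opts.get('gid', '0')}"
        if "umask" not in opts:
            findings.append((fields[1], owner, None, ["no umask: driver default applies"]))
            continue
        mode = apparent_mode(opts["umask"])
        warnings = []
        if mode & stat.S_IWOTH:
            warnings.append("world-writable")
        if mode & stat.S_IROTH:
            warnings.append("world-readable")
        findings.append((fields[1], owner, stat.filemode(mode)[1:], warnings))
    return findings
```

Calling `audit_fstab(open("/etc/fstab").read())` runs the same check against a real table.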

