Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
So NTFS does store premissions?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Thu May 13, 2010 12:31 pm    Post subject: So NTFS does store premissions? Reply with quote

So we do have ACL and ACE in NTFS and so windows (as copied over from Unix); regarding this I have a few questions -

1) If I mount an NTFS partition in Ubuntu (in one PC), I get full rwxrwxrwx permission for that partition (owner and group is root), however in Gentoo I get rwx------ (owner and group is root)...why?...what's wrong? (Notice, this is a question I asked out of curiosity, I know the gid and uid parameters) Ok, I think umask in /etc/profile governsn this?

2) If I change the file permissions manually on a mounted NTFS partition, it should change and the permission should be stored in some sorta cache (the local cache), that means it will be lost if I umount, but the permissions are not changing.
However, if the NTFS filesystem is mounted using fstab, it works... what is hapenning??? :?:

4) Do we have security advantages similar to Linux if using a limited account in windows; till how much extent will it protect? So why does everyone uses administrators account?
_________________
My blog
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 46313
Location: 56N 3W

PostPosted: Thu May 13, 2010 7:54 pm    Post subject: Reply with quote

dE_logics,

Both *NIX filesystems and NTFS implement permissions but the permissions sets are not compatible.

Therefore, when you mount an NTFS partition in *NIX, you have to fake the owner, group and permissions.
As you know, this is done at mount time in a number of ways and can be changed later by any user having the required permissions to the mount point.

If you use a limited account on Windows on NTFS (you can install Windows on FAT32 too) you have some protection as limited users cannot install things, even virii.
Everyone uses the admin account from habit ... look at Windows origins, DOS, Win 3.1, Win95 Win98 (all on FAT with no idea of keeping users apart) NT was the first version of windows to use NTFS, as it wasn't aimed at home users. XP provided NTFS as an option.
Windows users are not used to setting up user accounts.

Another reason is that Windows is really a single user operating system. Think about the history. *NIX has been multi-user since its inception and on a multi-user system, you need to authenticate users and keep them apart.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15984

PostPosted: Fri May 14, 2010 2:34 am    Post subject: Reply with quote

NeddySeagoon wrote:
If you use a limited account on Windows on NTFS (you can install Windows on FAT32 too) you have some protection as limited users cannot install things, even virii.
In a strict sense, you are correct that limited users cannot install packages the way an administrator can. However, the default permissions that Windows sets at install allow users to execute code out of their profile directory, so a virus could drop something in ~/My Documents and run from there. It is possible to restrict such behavior, if the system administrator wishes to do so.

Regarding administrator accounts on Windows: this is not entirely the fault of end users. Far too many Windows programs, especially ones released as recently as a few years ago, assume the user will have administrative rights. Such programs then behave poorly or outright fail when run under a limited user account. Users quickly become frustrated with a failure they cannot understand, switch to an administrator account, and stay there when that makes the problem go away. By contrast, most Unix programs will be refused by distribution maintainers if they want administrator privileges, but serve a purpose which should not require administrator rights, so we tend not to encounter such things very often.
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Fri May 14, 2010 5:12 am    Post subject: Reply with quote

Ok, thanks for answering.

But IMO the restrictive accounts will be in use by default someday. And that day the secirity of windows will increase by quiet a lot.

Anyway, no one can stop the 'autorun' to delete the whole user's data. :wink: I'll try and run a few viruses in the limited account too...let's see what happens.


Ok, so one more question remaining -

Quote:
2) If I change the file permissions manually on a mounted NTFS partition, it should change and the permission should be stored in some sorta cache (the local cache), that means it will be lost if I umount, but the permissions are not changing.
However, if the NTFS filesystem is mounted using fstab, it works... what is hapenning???


So why does it happen with fstab?
_________________
My blog
Back to top
View user's profile Send private message
princeoliver
n00b
n00b


Joined: 29 Apr 2010
Posts: 4

PostPosted: Fri May 14, 2010 1:02 pm    Post subject: Reply with quote

I didn't read the topic, sorry, I just want to mention a few interesting notes from ntfs-3g's author that I have in my bookmarks:

http://pagesperso-orange.fr/b.andre/permissions.html
http://pagesperso-orange.fr/b.andre/usermap.html
http://pagesperso-orange.fr/b.andre/secaudit.html
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Fri May 14, 2010 6:47 pm    Post subject: Reply with quote

princeoliver wrote:
I didn't read the topic, sorry, I just want to mention a few interesting notes from ntfs-3g's author that I have in my bookmarks:

http://pagesperso-orange.fr/b.andre/permissions.html
http://pagesperso-orange.fr/b.andre/usermap.html
http://pagesperso-orange.fr/b.andre/secaudit.html


Yeah I did read that. That's how I came to know a bit about it.

Quote:

Building Linux permissions and getting owner and group from an ACL is rather complex, so, when inheritable, the results are kept in a memory cache for further use. This cacheing is very efficient as a single entry has to be maintained for all files which have the same set of permissions, owner and group.


But this is not working with the manual mount.
_________________
My blog
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15984

PostPosted: Sat May 15, 2010 2:23 am    Post subject: Reply with quote

dE_logics wrote:
But IMO the restrictive accounts will be in use by default someday. And that day the secirity of windows will increase by quiet a lot.
Windows Vista went a long way in that regard. Unfortunately, it was such a debacle that its market penetration is far lower than they would have gotten if they had kept the good parts of XP and just enhanced the security related areas. Windows 7 cleaned up some of Vista's worst mistakes, but Microsoft still does not accept that XP is the most popular Windows they ever made.
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Sat May 15, 2010 5:23 am    Post subject: Reply with quote

Hu wrote:
dE_logics wrote:
But IMO the restrictive accounts will be in use by default someday. And that day the secirity of windows will increase by quiet a lot.
Windows Vista went a long way in that regard. Unfortunately, it was such a debacle that its market penetration is far lower than they would have gotten if they had kept the good parts of XP and just enhanced the security related areas. Windows 7 cleaned up some of Vista's worst mistakes, but Microsoft still does not accept that XP is the most popular Windows they ever made.


And MS wont give a damn about what users user. Close source.


Microsoft®©™
_________________
My blog
Back to top
View user's profile Send private message
lagaminas
n00b
n00b


Joined: 16 May 2010
Posts: 2

PostPosted: Sun May 16, 2010 2:31 pm    Post subject: Reply with quote

i have same problem :(
Back to top
View user's profile Send private message
jordanwb
l33t
l33t


Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada

PostPosted: Mon May 17, 2010 2:02 am    Post subject: Reply with quote

Not sure if this is useful but I think there is a file that controls the default options that is assigned to a file system upon mounting or upon creation. I'm not sure where these files might be. I'm looking right now.

Here we go:

Mount command documentation regarding NTFS:

Quote:
uid=value, gid=value and umask=value
Set the file permission on the filesystem. The umask value is given in octal. By default, the files are owned by root and not readable by somebody else.


Not sure what to set these to but umask may be useful.
Back to top
View user's profile Send private message
dE_logics
Advocate
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Thu May 20, 2010 4:45 am    Post subject: Reply with quote

jordanwb wrote:
Not sure if this is useful but I think there is a file that controls the default options that is assigned to a file system upon mounting or upon creation. I'm not sure where these files might be. I'm looking right now.


You mean the .ntfs-3g directory?

Here we go:

Mount command documentation regarding NTFS:

Quote:
uid=value, gid=value and umask=value
Set the file permission on the filesystem. The umask value is given in octal. By default, the files are owned by root and not readable by somebody else.


Yes, I always do that.

Not sure what to set these to but umask may be useful.[/quote]

I put 003...that's generic. 007 is reasonably secure and 077 is the most secure.

On my desktop I have the user 'de' with the ownership as de:root with umask 007 (this is defined in /etc/profile). That keeps me happy.
_________________
My blog
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum