File and Directory Ownership
by Ed Sawicki - ALC Press

Authors note: This article focuses on Linux because of its recent popularity. Note that all Unix systems behave in the same or similar way in terms of file and directory ownership.

This article shows how three different operating systems - NT, NetWare and Linux - differ in how file and directory ownership is handled. It shows that NT's method of handling ownership results in potential difficulties for the system administrator. These difficulties are avoided with NetWare and Linux.

Throughout this article keep in mind that NetWare is a centralized system where an administrator has ultimate control over the file server and users can do little to diminish the administrator's power. NT's design favors peer-to-peer networking where a great deal of control is placed in the hands of individual users. This may be appropriate for either of the following environments.

  1. In a small office where there is no network or system administrator.
  2. In an environment where the computer users are savvy enough to understand the details and consequences of shared information and where there is a spirit of cooperation amongst the users. A rogue user could cause quite a disruption.
Linux/Unix is flexible enough to work well in both centralized and peer-to-peer environments.

We'll take a look at NetWare first since this web site is focused at the business networking user and NetWare has dominated this market for quite a few years. There's evidence to suggest that it still does.

NetWare Ownership

Every file and directory in a NetWare file system has an owner associated with it. Generally, the owner is the user that created the file or directory. A superuser (the Supervisor or Admin account) can change this and assign ownership to another user. You may assume that the owner of a file has some basic rights to use the file but you'd be wrong. Ownership in NetWare is not a rights or permissions mechanism - it's an accounting mechanism. Ownership is necessary in order for two NetWare features to function. These are:
  • Disk space quotas - NetWare allows you to limit the amount of disk space a user may consume on a volume. You can assign every user a different disk quota and you can assign quotas on a per volume basis. This works because NetWare knows who the owners of files are and can compute a user's disk space consumption. If NetWare sees that a user has exhausted his or her disk quota, it will not allow the user to create new files on the volume or allow existing files to grow beyond the disk blocks they already occupy.
  • Disk space accounting - NetWare accounting allows you to charge a user for the amount of disk space he or she consumes. To do this, it must know how much disk space belongs to the user.
Ownership does not necessarily guarantee that the owner can access the file. In NetWare, your ability to access a file is controlled by your trustee rights to the file - not by your ownership of the file. NetWare provides the administrator tools to assign users trustee rights to files and directories. Trustee rights are more granular than either NT or Linux, allowing an administrator to assign combinations of rights that are not possible with the other two operating systems.

It's worth mentioning that NetWare also allows the creation of mini-superusers who can control the trustee rights of specified groups of ordinary users. The superuser controls the power delegated to the mini-superusers. NetWare administration is one of its strong points. NT lags substantially behind in this area. Even the Linux/Unix NIS is not as functional.

NT Ownership

Like NetWare, the NT user that creates a file or directory becomes its owner. While NT does not have disk quota capabilities built-in, disk quota products are available for NT from third party companies such as NTP Software's Quota Manager for Windows NT product. Third party disk quota products use the ownership as the basis for restricting a user's disk space just like NetWare. (Note that third party disk quota products for NT have some fundamental problems resulting from their less than perfect integration into the NTFS file system.)

This is where the similarities end. With NT, the owner controls the permissions that can be applied to the file or directory. Normally, files that are created by a user have default permissions that allow certain access to everyone. The owner can easily change these permissions to allow or deny greater or lesser access to anyone. The owner can also deny access to an administrator!

Even though a user can deny access to an administrator, the administrator can regain access to the file by taking ownership of the file away from the user. The trick is to know that ownership needs to be taken back.

Hiding a directory

If you're the administrator and the owner of a directory has taken away your permissions to the directory, you cannot see the contents of the directory - even though you can still see the directory name. You therefore have no idea how many files are in the directory or how much disk space is being consumed by that directory and its contents. If you try to open the directory, you'll see a message box that says the directory is not accessible and that "Access is denied".

The solution is to take ownership of the directory away from the user. You do this by clicking on the directory properties, selecting the Security tab and clicking on the Ownership button. You'll then be asked if you want to overwrite the current owner. Once you have ownership of the directory and its contents, this does not necessarily give you access to files. You may first have to assign permissions to the files before you or others can access them.

You're not able to determine who the owner of the directory is. If you try, you'll see the message "Unable to retrieve the owner". This means that files can be stored on the server and the administrator may not be able to determine their origin. I can imagine senarios where the administrator and/or the company can be at legal risk.

The possibility of a NT-aware virus gobbling up disk space will likely occur to some virus author. If the virus created massive files and removed all permissions from the files, you'd have a bit of work to do to free up the disk space.

Linux ownership

Linux is more like NetWare than NT in terms of ownership but there are some differences. While NetWare has one owner for each file and directory Linux has two. One owner is a user while the other owner is a group. Linux combines the concepts of ownership and permissions into one though it's still possible to think of them as separate as in NetWare.

Each of these two owners (the user and the group owners) can be assigned any or all of the following permissions. There's also a way to assign everyone else (users and groups that are not owners) any and all of these permissions as well.

  • read
  • write
  • execute

The administrator (the root user) always has all permissions to all files and directories and is not subject to the permissions mechanism mentioned above.

Like NetWare, the Linux administrator is always in control and a user cannot deny him acess to files or directories. This works well in a centralized network where it's desireable that the administrator always be in control. It also works well in a peer-to-peer network where the administrator is the user.

Back