8

I fail to grasp the necessity of using concept of owner (ownership) and find clear explanation of its necessity.

What cannot be done without concept of owner(ownership) in filesystem/database object security (permissions) systems? Or, why is it needed?

Update:
I would highly appreciate if you help me understand why in the "An Administrator is not the Administrator' there was a need to set the owner of a file to "Administrator"?

What Administrator in Windows cannot do with a file without being its owner?

Fulproof
  • 183
  • 4

2 Answers2

11

The concept is that on a given "object" (say, a file), you have access permissions which detail who can access the object and under which conditions. The owner is an optimization: usually, among all the users who have permissions for a given object, one of them should have "all the permissions" and be generally considered as responsible for this object.

On Unix systems, traditionally, permissions on file are read, write and execute, and can be granted to three categories of users: the owner (a specific user), the group (each file is marked as being part of a group), and everybody else. This is a system which is not very granular, in that you can single out only a single user; rights for other users will be allocated on a group basis (at least). On modern versions of Unix, there are Access Control Lists which give much more flexibility, in a way similar to what is used in Windows. With ACL, or on Windows, any notion of "owner" is mostly an historical residue. On Windows, the "owner" of a file is any one of the users (or groups) who has "full control" rights on the file, but its purpose is mostly backward compatibility with code which predates ACL.

To sum up, ACL are sufficient for security and ownership is not required, but it often sticks around for interoperability with older code which does not know what an ACL is, but fiddles with "owner identities".

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
1

In a nutshell, ownership properties allow for delegation of certain access rights.

In the context of a filesystem, if I am the owner, I usually want to reserve the read, write, and execute rights for myself. When working in a multi-user environment, I usually want my colleagues to be able to read my file, and perhaps even execute my file, but probably not be able to write to my file. In order to do so, you would need to have the system owner create a group, add some of your colleagues to that group, and then assign that group permissions.

genesys
  • 76
  • 3
  • So, a user in Windows having "Full control" permissions over a file cannot add a group (or a user) and attribute specific permissions for that file without being the owner of that file? – Fulproof Sep 20 '13 at 14:57