Where does the file owner on Windows matter, seeing that there are ACLs?

Coming from a Linux background, I'm used to a file having an owner, and a owning group. Access permissions can be set separately for owner, group, and others, and that's it.

Now on (NT-based) Windows, it's a bit different, because Windows uses ACLs. That means instead of having three lists of permissions (owner, group, rest), I can have as many lists of permissions as I want.

So far, this makes sense. However, why does Windows still have the notion of a file owner? To me it seems that with ACLs, a "file owner" is no longer needed, because all access can be configured via ACLs.

So why does modern Windows still use file ownership? Where does it make a difference who owns a file? As long as two files have the same ACLs, file ownership should not matter - or does it?

sleske

Posted 2011-12-19T10:00:41.643

Reputation: 19 887

Mostly applied for networking... locals use UAC – Piotr Kula – 2011-12-19T10:31:11.277

3@ppumkin: Windows UAC is only in addition to the ACL system. – user1686 – 2011-12-19T15:22:43.293

@ppumkin: Turn off UAC and then try to overwrite files in System32. ACLs will stop you cold. – surfasb – 2011-12-19T21:40:22.777

Answers

First of all, Linux does have ACLs – POSIX ACLs, which allow setting the permission bits for any number of users and groups. (Patches for RichACL, ACLs very similar to NFSv4 and WinNT, have been submitted repeatedly, but not merged yet.)

Ownership can be used as a sort of safety escape – the owner can always change the object's ACLs, even if the change would be denied otherwise, for example, if someone accidentally removed all ACL entries or denied all changes to everyone. (On Linux only the owner or superuser can change a file's ACLs, since there is no separate "change ACLs" permission.)

Another use of file ownership, on both Windows NT and Linux, is for determining whose quota should the file be counted on, if disk quotas are in use.

user1686

Posted 2011-12-19T10:00:41.643

Reputation: 283 655

@surfasb Echoing his comment. Really good argument for "caring" about ownership. – Erutan409 – 2017-03-03T16:39:24.917

There is a big difference if you look at it from an administrator's perspective.

On Linux root can do everything directly - the account as implicitly all permissions on all objects in the file-system and beyond.

On Windows an administrator does not have permissions to do everything by default - only if you are owner of the object (file, folder registry entry,...) you want to change.

Take for example a folder an administrator needs to change the file permissions. If the admin doesn't have the permission to change the security settings of the folder he needs to take over ownership of the folder before being able to access/change it.

Update:

This feature is important because in an ACL controlled environment there may be the case that a file has an empty ACL which means that no-one has access (default deny principle). In such a case taking over ownership is the only way to get access or to delete the file.

Robert

Posted 2011-12-19T10:00:41.643

Reputation: 4 857

1Does that mean only the owner of a file can change its permissions? Or why is it that an Administrator can take ownership of a file, but cannot change permissions directly? – sleske – 2011-12-19T13:40:11.557

See my updated answer. – Robert – 2011-12-19T14:48:23.230

@sleske: Yes, the owner of an object can always change its permissions. – surfasb – 2011-12-19T21:42:01.073

The object owner always can change the ACLs.

kinokijuf

Posted 2011-12-19T10:00:41.643

Reputation: 7 734

1How do you change the ACL though? – Simon Sheehan – 2011-12-19T20:40:09.897

1Using the security tab in properties. – kinokijuf – 2011-12-20T17:25:40.547