ApplianceWare v.5.3 Complete FAQ – February 24, 2004 – Page 26 of 30
Optifacio Software Services, Inc.
is not possible to offer entirely seamless integration. The most significant differences between these
two kinds of ACLs are:
• Windows ACLs support over ten different permissions for each entry in an ACL, including
things such as append and delete, change permissions, take ownership, and change ownership.
Current implementations of POSIX.1 ACLs only support read, write, and execute permissions.
• In the POSIX permission check algorithm, the most significant ACL entry defines the
permissions a process is granted, so more detailed permissions are constructed by adding more
closely matching ACL entries when needed. In the Windows ACL model, permissions are
cumulative, so permissions that would otherwise be granted can only be restricted by DENY ACL
entries.
• POSIX ACLs do not support ACL entries that deny permissions. A user can be denied
permissions by creating an ACL entry that specifically matches the user.
• Windows ACLs have had an inheritance model that was similar to the POSIX ACL model. Since
Windows 2000, Microsoft uses a dynamic inheritance model that allows permissions to propagate
down the directory hierarchy when permissions of parent directories are modified. POSIX ACLs
are inherited at file create time only.
• In the POSIX ACL model, access and default ACLs are orthogonal concepts. In the Windows
ACL model, several different flags in each ACL entry control when and how this entry is inherited
by container and non-container objects.
• Windows ACLs have different concepts of how permissions are defined for the file owner and
owning group. The owning group concept has only been added with Windows 2000. This leads to
different results if file ownership changes.
• POSIX ACLs have entries for the owner and the owning group both in the access ACL and in
the default ACL. At the time of checking access to an object, these entries are associated with the
current owner and the owning group of that object. Windows ACLs support two pseudo groups
called Creator Owner and Creator Group that serve a similar purpose for inheritable permissions,