Jun 28

Understanding versus Knowing

When I went through high school we had three segments for our maths and physics exams: we had the basic knowledge part that tested if we knew a given fact and could apply it to a straightforward problem, we had the understanding part that tested if we could understand a fact and apply it to a slightly more complex problem, and we had a complex reasoning section of the exam which tested a combination of the items we knew and took a large number of steps to get to the final answer. Today I’m hunting around for information on file system permissions, and I’ve read something that makes me wonder if there should be that distinction.

The article in question is entitled “Understanding Windows NTFS Permissions” and covers the basics of permissions for NTFS. It covers the fact that you have Read, which is really made up of List Folder/Read Data, Read Attributes, Read Extended Attributes and Read Permissions. It also covers that NTFS permits permissions to be inherited, but appears to miss the distinction of “This folder, subfolders and files”, “This folder only” and “Subfolders and files only” when applied to permissions. Each of these actually impacts how permissions are inherited and applied. Surely if you’re trying to understand this, then explaining the distinctions here and how they apply would be great. He finishes with an interesting observation on the “precedence” of permissions. Now I find this curious because this is something I’ve been looking at lately and I’ve been trying to find something that adequately explains it. Perhaps the author of the particular article is dumbing it down for his readers, but it just strikes me as wrong. The author comments the following:

The scenario proves that there is a hierarchy of permissions for NTFS 5.0 resources. The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

Explicit Deny
Explicit Allow
Inherited Deny
Inherited Allow

OK, so it’s an interesting way of explaining it, but to mimic an annoying kid: why? Microsoft says in a dialog just previous that deny overrules allow, so why would they so blatantly change their mind? To answer that would mean that you would have to understand how NTFS evaluates permissions and calculates the permissions – but weren’t we reading an article about understanding?

This is the core of my gripe: the article doesn’t particularly give you a depth of insight or understanding in permissions that you couldn’t get by clicking things on and off to observe their behaviour. It treats one mildly non-obvious behaviour but doesn’t explain why NTFS would do this. To be honest, I stumbled across this behaviour on another web site, whose author had run into the pitfall of believing that deny overruled everything and was trying to understand why his security model was broken. His article hypothesised something much simpler: the algorithm finds the first explicit permission and uses it; if both are set, then use the deny. No complex precedence model, something quite simple. And as Ockham’s Razor goes, “the simplest answer is often the best”. But interestingly this also fits into the way NTFS appears to have been designed. For container objects, a permission can be set at a level and it can be determined just how deep it should apply: should it apply to just this container, just to subfolders or just to files? Or should it apply to a combination of those?

Interestingly, I’m on the hunt for something that formally explains how NTFS permission inheritance works. I had thought this article would tell me, but it doesn’t. It tells me a lot of what I know already but doesn’t actually enhance my understanding. I had read an article a while back that informed me of this ‘quirk’ in the behaviour but at the time didn’t think much of bookmarking it – and it is in fact this article that I’m looking for, and thankfully I just found it.

The article in question is “How IT works: NTFS Permissions” from the November/December 2005 issue of TechNet Magazine. It introduces the concept of “discretionary access control lists” (DACLs) and also explains how they work. It explains that the DACL is checked in order until a match is found. The DACL is created with denies first, then allows, starting with the object and then incrementally for each item; the check looks for a match until it gets to the end of the list, at which point it denies. The single article just cleared up exactly how it worked, why it works and how it behaves, explaining the behaviour. At this point I understand how and why it works, not just know that it works in a particular way – this is the difference between understanding and knowing.
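The first-match walk described above can be modelled in a few lines. This is an added example, not code from either article or from Windows; the `Ace` class, the two rights bits and the sample users and groups are constructed for illustration, and the model ignores everything except ordering and matching.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified rights bits (constructed, not real NTFS mask values)

@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # user or group the entry applies to
    mask: int       # rights covered by this entry
    depth: int = 0  # 0 = set on the object itself, 1 = inherited from parent, 2 = grandparent

def canonical_order(aces):
    """Object's own entries first, then each ancestor in turn;
    within each level, denies come before allows."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def access_check(dacl, identities, desired):
    """Walk the ordered list; return (granted, deciding entry or None)."""
    remaining = desired
    for ace in dacl:
        # Skip entries for other trustees or for rights we are not waiting on.
        if ace.trustee not in identities or not (ace.mask & remaining):
            continue
        if ace.kind == "deny":
            return False, ace          # first matching deny ends the walk
        remaining &= ~ace.mask         # allow: tick off the rights it grants
        if remaining == 0:
            return True, ace           # everything requested has been granted
    return False, None                 # end of list reached: implicit deny

# Constructed sample: the parent folder denies WRITE to Staff and allows
# READ|WRITE to Users; the file itself carries an explicit allow for alice.
SAMPLE = canonical_order([
    Ace("allow", "Users", READ | WRITE, depth=1),
    Ace("deny", "Staff", WRITE, depth=1),
    Ace("allow", "alice", WRITE, depth=0),
])
ALICE = {"alice", "Staff", "Users"}
BOB = {"bob", "Staff", "Users"}

if __name__ == "__main__":
    for who, ids in (("alice", ALICE), ("bob", BOB)):
        for name, right in (("READ", READ), ("WRITE", WRITE)):
            granted, ace = access_check(SAMPLE, ids, right)
            print(f"{who:5} {name:5} granted={granted} decided by {ace}")
```

Alice's write succeeds even though her group is denied on the parent, because the walk reaches her explicit allow before the inherited deny; the four-level "precedence" list is just the order in which the entries are stored.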
