Unix File Permissions Suck

This post was written by marc on April 4, 2005
Posted Under: Technology

I love Unix. I have several Linux servers and when it comes down to it – there is no other OS to use for Web and Email servers. (BSD, Macs and other Unix OS’s are of course included) But in many was the Unix community is hopelessly stuck in the past. And one of many examples of this is the Unix file permissions. Hopelessly primitive – and so entrenched in the minds of the Unix community that you can’t even get then to comprehend anything beyond the limitations they are used to.

My networking experience started with Novell servers and DOS workstations. Novell Netware – as of version 3 – had a rich set of file permissions that allowed for fine grained access permissions. Over the years I started working with Windows which had far less permissions. This was a big step down from Netware – but the real step down was going form Windows down to Linux.

Linux permission are so primitive that it amazes me that they can be of much use at all. Creating security to protect one user from another is nearly impossible. The rules are so primative as to verge on insanity – yet – when discussion this with Unix heads – they just don’t get it.

Unix is built on the concept of one owner and one group for each file or directory. In fact a directory or folder is like a file that contains a list of other files and directories. So permissions to read or write files have no relationship to creating and deleting files because the creating and deleting are controlled by permissions on the folder.

In Unix – there can be a file that I have no permission to either read or write – yet I can delete the file. That is insanity. But if a Unix head is confronted with this – they just don’t get it that it’s insane. They are brainwashed into thinking that this is somehow normal the same way that primitive religions believe throwing virgins into a volcano is normal.

In contrast – on a netware server if you have no read or write access to a file at all, then you certianly can not delete it. In fact under Netware if you can’t write to a file, you can’t delete the file. Now that makes sense! And – if you have no rights to the file, you can’t even see it in a directory listing. If you have no rights under Netware – it’s as if the file isn’t there.

Fine Grained Permissions

Netware also allows for fine grained permissions. I can say – I want these three users and these three groups to have this set of permissions and it works. I can add as many individual permission sets to any file or folder I want. Unix has no such control and it makes it difficult to restrict users for security reasons while giving them enough permissions to do useful work.

Inherited Permissions

Unix has no mechanism for permission inheritence within the file system. Under netware when a user or group is given permissions to a folder – those permission apply by default to all files and directories under that folder. And one can control what is inherited through setting inherited rights masks. Unix has nothing like this. In Unix – if I create a file in someone else’s directories I have to run chown on it to give that person permission to access it. Under Netware – or Windows – they already have those permissions.

Case Sensitive File Names

Another example of unix cult thinking – case sensitive file names suck – are user unfriendly – and create problems maintaining the system It puts the burden on the user to get the case exactly right. Windows is supperior in that you can store file names in mixed case but you don’t have to get it exactly right to match the file. But Unix heads will never agree with you because it requires change and inspite of the fact that they are geniuses – they are among the most resistent to change of any group of people I’ve ever met.

Unix could be Fixed

You can get Netware and Windows like permissions under Linux. What you can do is run Samba and then mount samba shares locally in order to get windows like access. There is also a netware emulator that runs under Linux that gove linux the ability to pretend to be a netware server. So Linux could do the job if the developers would get out of the cult mind and start thinking outside the box.

Conclusion

Linux needs to be forked in a way that creates a Unix like OS with the ease of use of Windows. In order to do that there needs to be fundamental changes in the design concepts where ease of use is one of the most imporant factors. Unix comes from a time where ever byte and every CPU cycle was important and small and simple for the programmer was most important. But we live in a different world now where delivering power to the end user is most important and we have lots of processing power and lots of memory.

What needs to be done is – let the computer be smarter so that the users can move on to higher level work. File permissions need to be fine grained and easy to use. Right now the Linux community is as boxed in by acient code as Windows is processor bound. It’s time for Linux to awaken and get a new vision for the future and make a break with the past.

Not trying to be a bash Unix guy here – but to ignore the problem is to ignore reality. And Linux isn’t a religion for me. It’s a tool that I want to see improve.

Reader Comments

the permission is for security, to make sure no one will install files into your system folder unlike Windows XP, MAC osX has that feature also, no virus can install there without your administrator password ( root )

you have to repair permission about every week and its fast to do, never remove the “received” from packages.

#1 
Written By fido on April 9th, 2005 @ 9:21 pm

I can only speak based on my Linux experience.
Never had problems with permissioning. I have taken the time and effort to correctly set up users and groups that allow for “fine grain” tweaking of permissions.
Owners, groups, and everyone else can have different access types. Its a matter of putting your users in however many groups are necessary to accomplish your permissioning needs. I believe you should revisit user and group configuration.
I dont disagree that the there can be some positive changes made, but I feel on a whole that this article is ill-educated.
And by the way… Your “terms” link is 404, and you sould probably not display your server version and OS flavor on your error pages.

#2 
Written By postalboy on September 14th, 2005 @ 10:39 am

I can not agree more with the original poster — coming from the Unix world originally I remember going into the Netware world and thinking “WOW” — this is how it SHOULD BE done. Unfortunately that big ugly company we all use on our desktops beat Novell into submission for the time being.

It is nuts the hoops I have to jump through to get the same thing I want (already have) on Netware. I have a [ack, ACCESS] database I want to have READ/WRITE access to X user(s), but only READ access to for other users, with the rest NO ACCESS at all.

I can do it through Samba setup/shares, but THAT is nuts too. I have to RESTART the “server” (read: process) just to make a change in the middle of the day on the fly? Never had to do that on Netware. Just getting it setup so a user has READ-ONLY access to a database with having the ability to PROPERLY be able to create the required .ldb file was a interesting feat (symbolic link to the real location) — again, a UGLY hack at best (but it works :).

#3 
Written By Unix-Geek on September 25th, 2005 @ 5:33 pm

I agree completely. I’ve been a linuxgeek for many years and have never been exposed to another file permission system than Unix. Until now when I have to get Samba up and running. In Samba, many groups can have access to one share (file system path). But there is no equivalent in the Unix world! If you have a share storing information about salaries, you could give the groups Accountants and Managers for example permission to that share.

But how do you do it in unix? YOU CAN’T! It is either group X that owns the file path or it is group Y. That is completely stone age and I’m surprised this faulty design haven’t been fixed before.

#4 
Written By bjourne on July 26th, 2006 @ 3:57 am

I know this is an old article (I came via google) but it should be noted that when you wrote the article, linux had ACL support (the name for the permissions type you are talking about)
it was added to the kernel in 2.4, for exactly the reasons you are describing. the new linux mentality is, ‘use the old unless you NEED the new’. So you get the rwx type permissions by default.
I am also unsure why you think linux doesn’t have inherited permissions, because it does. You apply them a little differently, but they are there.

Oh well, just trying to add a little light to a gloomy post that I’ve seen a bunch of 😀

#5 
Written By Clyde on October 9th, 2006 @ 5:19 am

Add a Comment

You must be logged in to post a comment.