File System Access Rights
Both Windows NT and Solaris software support groups and access control lists (ACLs). User accounts are made members of particular groups when the account is created. A user must be a member of at least one group and can be a member of several. ACLs are a more convenient method than using group permissions for denying access to a particular user or group.
Groups and Access Control Lists
One difference between Solaris software and Windows NT is the use of world permissions. Windows NT has the notion of a group called Everyone. By default all users belong to this group. Solaris software does not employ such a group. Instead, Solaris software has the concept of other access rights. A directory whose access rights are set to read/write for other in Solaris software has the same effect as setting read/write to the group Everyone in Windows NT.
FIGURE 2-1 Solaris File Manager Property Sheet
FIGURE 2-1 shows the Solaris File Manager property sheet for a folder named Project. Solaris software has the notion of setting a mask, which dictates the maximum allowable permissions for a given folder and its subfolders. The mask can be changed by the owner of the folder. Using a mask is a convenient method for quickly restricting permissions and prevents accidentally assigning excessive privileges to users or groups.
FIGURE 2-2 shows the Special File Access property sheet found under My Computer. Windows NT provides file permissions similar to those provided by Solaris software. The Delete option in Windows NT is equivalent to setting write permission on a Solaris directory. A user who does not have write permission on a directory in the Solaris operating environment cannot delete a file in that directory, but can modify one that already exists (provided the file itself grants write permission).
The default behavior in the Solaris operating environment is to allow the owner of a file or folder to change the ownership. This behavior can be changed in Solaris software by setting the RSTCHOWN variable. Solaris software does not have an equivalent to the Take Ownership attribute that is found in Windows NT.
Only file systems formatted as NTFS contain Special File Access properties.
FIGURE 2-2 Special File Access Window
User Account Identification
Both Windows NT and Solaris software associate a number or ID with a user's name. In Solaris software, this numeric identifier is assigned by the system administrator and is called the user ID (UID). The UID is a 16-bit integer assigned to user accounts in the range 100 - 60000.
Solaris software does not prevent the use of duplicate UIDs, but when an account is created using Admintool, a warning is issued if an administrator attempts to assign a UID that already exists. User accounts with the same UID have the same access rights, because the kernel checks only the numeric UID, not the account name.
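The following Python model is an added example, not part of the original document, that encodes the Solaris decision rules described above: the owner/group/other class selection, the rule that deleting a file needs write permission on the directory while modifying it needs write permission on the file (the Windows NT Delete equivalence), the fact that accounts sharing a UID get identical rights, and the folder mask as a cap on group permissions. It goes one step beyond the text by showing that a restrictive group entry overrides a permissive "other" entry. Node, allowed, can_delete and apply_mask are hypothetical helpers; named ACL entries are omitted and the sample files are constructed.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1

@dataclass(frozen=True)
class Node:
    """Ownership and rwx bits of one file or directory (constructed sample data)."""
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o750
    is_dir: bool = False

def class_bits(node, uid, gids):
    """Solaris applies exactly one class: owner if the UID matches, else group if any
    supplementary group matches, else other. Only the numeric UID matters, so two
    accounts sharing a UID get identical answers from every function below."""
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7

def allowed(node, want, uid, gids):
    """Discretionary access check for one of READ, WRITE or EXEC."""
    if uid == 0:  # superuser bypasses read/write; execute still needs some x bit set
        return want != EXEC or bool(node.mode & 0o111)
    return bool(class_bits(node, uid, gids) & want)

def can_modify(file, uid, gids):
    """Overwriting existing contents needs write permission on the file itself."""
    return allowed(file, WRITE, uid, gids)

def can_delete(parent, uid, gids):
    """Removing a name needs write and search (execute) permission on the directory;
    the file's own mode plays no part, which is why NT 'Delete' maps to directory write."""
    return parent.is_dir and allowed(parent, WRITE, uid, gids) and allowed(parent, EXEC, uid, gids)

def apply_mask(mode, mask):
    """Folder mask (the ACL mask entry): caps the group class at the mask bits while
    leaving owner and other bits untouched, e.g. apply_mask(0o775, 0o5) -> 0o755."""
    group = ((mode >> 3) & 0o7) & mask
    return (mode & 0o707) | (group << 3)

if __name__ == "__main__":
    project = Node(uid=100, gid=10, mode=0o755, is_dir=True)   # folder owned by UID 100
    report = Node(uid=100, gid=10, mode=0o666)                  # world-writable file inside it
    print("UID 101 can modify report:", can_modify(report, 101, {20}))   # True
    print("UID 101 can delete report:", can_delete(project, 101, {20}))  # False
```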
Windows NT creates a security ID (SID) when a new account is created. The SID differs from the Solaris UID in that it is assigned by the system and is not visible to users. A unique SID is created within a Windows NT domain for each user account. If an account with the same name is created in a different NT domain, it will be issued a different SID.
Windows NT also creates a group SID for POSIX compliance. The Group SID specifies a primary group, which POSIX requires. The notion of primary group is not widely used in Windows NT.
Since a unique SID is created for each account, once an account is deleted, the SID is lost forever. Even if a new account is created with the same user name as the previously deleted one, a new SID is generated. Therefore, the recreated user account will not have the same access rights as the previous user.