Equivalence between UNIX and Windows file permissions

For those of you who develop or deliver WordPress websites on Windows, it is difficult to find relevant information about file permissions. Most servers run in UNIX or Linux environments, and those are well documented. We ran into these problems ourselves because we chose to host our website on a less popular platform, so we decided to write an article about it to help those who have similar problems.

First of all, let’s discuss the differences between the servers. In general, most websites that are hosted on Windows use either Apache or Microsoft IIS. These servers operate very differently and use slightly different models of delivery. Apache generally runs on the host computer as the user that it was installed under, whereas IIS installs under a specific user but will run under IUSR.

By default, UNIX tends to give full access to the user who owns the files and directories, unlike Windows, which gives full access to the “Everyone” group. The first thing that a good Windows Administrator does is remove this group’s rights in order to improve security.

Assigning permissions in Windows is reasonably straightforward, but can sometimes get a bit confusing. Right-click the folder or file to which you want to assign permissions, then select “Properties” and “Security” to open the Windows Security Management pane. Selecting any listed user name displays the rights that user has (in the bottom half of the pane). Some permissions might not be available (greyed out), either because the user you are logged in as does not have sufficient permissions to alter them, or because the permissions are inherited from the parent directory.

Windows permissions/rights scheme
1. Full Control Allows: 1, 2, 3, 4, 5, 6, 7
2. Modify Allows: 2, 3, 4, 5, 6
3. Read & Execute Allows: 3, 4
4. List Folder Contents Allows: 4 (But cannot run programs)
5. Read Allows: 5 (Implies: 4)
6. Write Allows: 6 (Implies: 4)
7. Special Permissions Allows: Combinations

Permissions in Windows can be seen as having similar properties to those of UNIX or Linux, just that they are represented differently. For example, in UNIX / Linux permissions are represented as 644/666 or 755/777, instead of being represented in terms described above. So when you are asked to use 644, this means:

The owner of this file can read and write to it.
The owner’s group can read the file.
Everyone else can read the file.

In Windows, “Groups” are not used and “Everyone” should have been removed, so this is where Windows and UNIX do not quite equate. What can be done is to “match” or “correlate” equivalent meanings. This outline is not going to provide you with a Windows or NTFS specific permissions guide, but rather an understanding of how the commonly quoted numbered UNIX/Linux style permissions correlate on a machine with an NTFS file system.

Files that are placed in the root folder of your website (wwwroot or whichever folder name it has) should be owned by your user account, but only if that user is not what is considered a privileged user like “Administrator” on Windows or “root” on UNIX/Linux. These accounts should not be used in the normal operation of the website.

The recommended security practice is that all FILES should have the following permissions:

Owner:  Read & Write
Group:  Read Only
Others: Read Only

And all DIRECTORIES/FOLDERS should have the following permissions:

Owner: Read, Write & Execute
Group: Read & Execute
Others: Read & Execute

These are not the best security measures, but rather a balance between security, functionality and maintainability.

Windows, unlike UNIX, does not maintain a single ACL for “Execute”, but rather provides “Read & Execute” combined, which does not imply “Write”. The “Read & Execute” ACL does, however, imply “List Folder Contents”. Therefore, if you only have Read & Write permissions on a folder, but not Execute, you cannot see the contents of that directory and you will most likely have problems when attempting to run the file through a browser.

Unfortunately, a basic understanding of UNIX/Linux file permissions is required in order to correlate them with those of Windows. The following table should help:

UNIX | Windows         | Comments
7    | Modify          | Read, Write & Execute, you should be the owner of the file
6    | Read & Write    |
5    | Read & Execute  | Used for most applications
4    | Read Only       | Security through obscurity is not a good practice
3    | Write & Execute | Not available through Windows, unless “Special” Permissions is used, not commonly used
2    | Write Only      | Not available through Windows, unless “Special” Permissions is used, not commonly used
1    | Execute Only    | Not available through Windows, unless “Special” Permissions is used, not commonly used

So, as a comparison to UNIX mode, when you are quoted something like 644, you need to divide that number into three separate entities: 6 : 4 : 4

Windows equivalent would be something like this:

Owner (6): Read & Write
Group (4): Read Only
Others (4): Read Only
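
As an added example (not part of the original article), the Python sketch below splits a UNIX mode such as 644 into its three digits and emits the icacls commands that apply the table above. The file path, the account names WEB01\siteowner and WEB01\WebEditors, the use of IUSR for "Others", and treating digit 0 as "remove any grant" are assumptions made for illustration.

```python
# Added example: translate a UNIX octal mode into icacls commands using the
# article's digit-to-permission table. Paths and account names are constructed.

EVERYONE_SID = "*S-1-1-0"  # well-known SID for Everyone; icacls takes SIDs with a leading *

# r/w/x bit pattern -> icacls simple rights, following the article's table
RIGHTS = {
    0b111: "M",    # 7: Modify
    0b110: "R,W",  # 6: Read & Write
    0b101: "RX",   # 5: Read & Execute
    0b100: "R",    # 4: Read Only
}


def split_mode(mode):
    """Split '644' into per-class bit patterns: (owner, group, others)."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError(f"expected three octal digits, got {mode!r}")
    return tuple(int(c, 8) for c in mode)


def icacls_commands(path, mode, owner, group, others):
    """Return the icacls command lines that approximate `mode` on `path`."""
    # Drop any explicit grant to Everyone first, as the article recommends.
    commands = [f'icacls "{path}" /remove:g "{EVERYONE_SID}"']
    classes = zip(("owner", "group", "others"), (owner, group, others), split_mode(mode))
    for label, principal, bits in classes:
        if bits == 0:
            # Assumption: UNIX 0 (no access) means the principal gets no allow entry.
            commands.append(f'icacls "{path}" /remove:g "{principal}"')
            continue
        if bits not in RIGHTS:
            # Digits 1, 2 and 3 need "Special" permissions per the table.
            raise ValueError(f"{label} digit {bits} has no standard Windows equivalent")
        # /grant:r replaces the principal's earlier explicit grants.
        commands.append(f'icacls "{path}" /grant:r "{principal}:({RIGHTS[bits]})"')
    return commands


if __name__ == "__main__":
    # Constructed sample: a WordPress file that should be 644.
    for line in icacls_commands(r"C:\inetpub\wwwroot\wp-config.php", "644",
                                owner=r"WEB01\siteowner",
                                group=r"WEB01\WebEditors", others="IUSR"):
        print(line)
```

The function only builds the command lines; review them before running them in an elevated prompt, because inherited entries from the parent folder are not touched by these commands.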

Despite Windows’ ease of use, its permissions mechanism is reasonably complex and very extensive. We hope this example will help you correlate UNIX/Linux permissions with those of Windows and eliminate some of the confusion surrounding the equivalence.
