Windows 在哪里存储 ACL 并且 ACL 是否遵循从一台机器到另一台机器的文件?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/839625/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where does Windows store ACLs and do ACLs follow a file from one machine to another?
提问by flipdoubt
Our app uses a component that requires a license file in the directory with our executable, which happens to be a .NET WinForms app though I think it is immaterial to this question. When installed on some XP Pro machines (just three out of several hundred thus far), the component throws a license exception. So I regenerated the license file and sent it to the component vendor (EMC Captiva), where the vendor claims the error is due to the fact that the "Users" group has no read permissions on the file. The user who encounters the error happens to be a local admin, but that is besides the point as I am still curious about the more general question.
我们的应用程序使用一个组件,该组件需要我们的可执行文件所在目录中的许可证文件,这恰好是一个 .NET WinForms 应用程序,尽管我认为这对这个问题无关紧要。当安装在某些 XP Pro 机器上时(目前只有几百台机器中的三台),该组件会引发许可异常。因此,我重新生成了许可证文件并将其发送给组件供应商 (EMC Captiva),供应商声称错误是由于“用户”组对该文件没有读取权限。遇到错误的用户恰好是本地管理员,但这不是重点,因为我仍然对更普遍的问题感到好奇。
So my question is, are ACLs stored in a file such that they follow the file throughout its life, especially when the license file was generated on my dev machine (machine 1), stored in Subversion (machine 2), checked out of source control by TeamCity (machine 3), packaged into an installer by InstallShield (machine 4), and finally deployed to the customer's machine (machine 5) where it was installed by an Administrator? What about after I generate the file on my dev machine (machine 1), upload it to the component vendor via their support site (machine 2), and the support person downloads it to their machine for inspection (machine 3)?
所以我的问题是,ACL 是否存储在一个文件中,以便它们在整个生命周期中都遵循该文件,尤其是当许可证文件是在我的开发机器(机器 1)上生成、存储在 Subversion(机器 2)中、从源代码控制中签出时由 TeamCity(机器 3),由 InstallShield(机器 4)打包成安装程序,最后部署到客户的机器(机器 5),由管理员安装?在我的开发机器(机器 1)上生成文件,通过他们的支持站点(机器 2)将其上传到组件供应商,然后支持人员将其下载到他们的机器(机器 3)进行检查之后呢?
I do not know this for sure (which is why I am asking it here), but I assumed each Windows machine stores ACLs in some central directory/list/table managed by NTFS rather than stored within the file. What happens to the original file's ACL when it is copied from one machine to another, stored in Subversion, packaged into an MSI, etc? Can someone point me to some good references where I can read up on this?
我不确定这一点(这就是我在这里问的原因),但我假设每台 Windows 机器都将 ACL 存储在某个由 NTFS 管理的中央目录/列表/表中,而不是存储在文件中。当原始文件的 ACL 从一台机器复制到另一台机器、存储在 Subversion 中、打包到 MSI 等时,它的 ACL 会发生什么变化?有人可以指出我可以阅读的一些好的参考资料吗?
回答by Tomalak
ACLs are stored in the part of an NTFS partition that does all the background plumbing - the MFT (Master File Table).
ACL 存储在执行所有后台管道的 NTFS 分区的一部分中 - MFT(主文件表)。
The ACL does not follow a file around, since it is not a part of the file (just like the filename it is metadata). The file can cross partition type boundaries (NTFS->FAT), the ACL cannot.
ACL 不跟随文件,因为它不是文件的一部分(就像文件名一样,它是元数据)。文件可以跨越分区类型边界(NTFS->FAT),ACL 不能。
Now if you movea file within one NTFS partition, you might get the impression that ACLs actually follow the file around. This is because during a move, only the filename in the MFT is actually changed. Everything else stays the same.
现在,如果您在一个 NTFS 分区内移动一个文件,您可能会觉得 ACL 实际上跟随文件。这是因为在移动过程中,实际上只更改了 MFT 中的文件名。其他一切都保持不变。
If you copy a file or move it to another partition or computer (which is actually a copy+delete operation), the copied file will by default inherit the permissions of it's new container (the inheritable ones only, to be precise).
如果您复制文件或将其移动到另一个分区或计算机(这实际上是复制+删除操作),则复制的文件将默认继承其新容器的权限(准确地说,仅限于可继承的)。
However, there are tools that are capable of retaining the ACL of a file after a copy operation (simply by recreating it on the target file after the copy operation) even over partition or computer boundaries. xcopy can do that, among others.
但是,有些工具能够在复制操作后保留文件的 ACL(只需在复制操作后在目标文件上重新创建它),甚至跨越分区或计算机边界。xcopy 可以做到这一点,等等。
But since an ACL can contain SIDs that are "domain owned", an ACL entry might not actually be meaningful to the target computer that is not part of the same domain (for example when taking home an NTFS-formatted USB drive). In that case the ACL entry will have no effect.
但是,由于 ACL 可以包含“域拥有”的 SID,因此 ACL 条目对于不属于同一域的目标计算机实际上可能没有意义(例如,将 NTFS 格式的 USB 驱动器带回家时)。在这种情况下,ACL 条目将不起作用。
Other SIDs are "well known", like the "SYSTEM" SID. These will actually be recognized across domain borders.
其他 SID 是“众所周知的”,例如“SYSTEM”SID。这些实际上将被跨域识别。
