Hard Links and Permissions / ACLs

Commenter Lee asked how ACLs are evaluated when an object has multiple hard links. I replied with comments of my own, which turned out to be wrong after I did some experiments. Here is what I found out about hard link permissions and believe to be true.

Can permissions on multiple hard links to the same data be different?

No. Permissions on all hard links to the same data on disk are always identical. The same applies to attributes. That means if you change the permissions/owner/attributes on one hard link, you will immediately see the changes on all other hard links.

Which permissions on the link target are required to create a hard link?

Only the permission “write attributes” (for programmers: FILE_WRITE_ATTRIBUTES) is needed on the target. Whether or not you are the owner of the target is not relevant.

These topics do not seem to be documented anywhere. So how did I find out? I tried it out (on Windows 7 RC).

About the Author

Helge Klein (ex CTP, MVP, and vExpert) worked as a consultant and developer before founding vast limits, the uberAgent company, which was acquired by the Citrix business unit of Cloud Software Group in late 2023. Previously, Helge applied his extensive knowledge in IT infrastructure projects and architected a user profile management product, the successor of which is now available as Citrix Profile Management. Helge is the author of the popular tools Delprof2 and SetACL. He has presented at Citrix Synergy, BriForum, E2EVC, Splunk .conf, and many other events.

1 Comment

BigAlUK

March 22, 2019 at 17:26

Have a care though – hard-links (creating single location files that share data to different access points in multiple directory lists) are not the same as junctions (fooling the upper layers that a directory is not a shortcut, but a real local directory).

In fact re-parse points for folders (esp. re-parse points that are NTFS junctions) are an excellent way to manage differences of required privilege by having a different ACL for each route to a folder. Thus one route can provide “read-only” access to the great unwashed, whilst another “admin” route can allow administrators immediate access to maintenance. But this then applies to ALL the data files in the folder that in themselves do not already impose greater restrictions via their own ACL.

However, the “fun thing” is that they can only “inherit” permissions and restrictions via the folder path through which they were accessed – which then applies in addition to their own ACL. Unless of course, the “inherit from parent” is turned off in the data file’s ACL. What then happens is… er. em, “subject to experimentation”.

Hard Links and Permissions / ACLs

About the Author

1 Comment

Leave a Reply Cancel reply

Related Posts

Permissions: A Primer, or: DACL, SACL, Owner, SID and ACE Explained

Permissions Windows Does Not Show You

Q&A: How to Modify Permissions on Administrative Shares

How to Modify Default Share Permissions and Other Tweaks

Latest Posts

OPNsense HowTo: IPv4 & IPv6 Internet Connectivity With FTTH Modem

Samba File Server: Web Access Through Filebrowser With SSO & HTTPS

Samba File Server With Windows ACLs in a Docker Container

Samba Active Directory as Authelia’s SSO Authentication Backend