Checking Ownership and Permission Data in an NTFS Volume

Updated: Mar 28th, 2016

ntfssecaudit displays the ownership and permissions of a set of files on an NTFS file system, and checks their consistency. It can be started in terminal mode only (no graphical user interface is available) either on Linux or on Windows.

The available options are the same in Linux and Windows though the syntax may be different, and in both cases, you issue in a terminal window a command such as :

ntfssecaudit [options] args
Where options is a combination of :

-a full auditing of security data
-b backup ACLs
-e setting extra backed-up parameters (in conjunction with -s)
-h displaying hexadecimal security descriptors saved in a file
-r recursing in a directory
-s setting backed-up ACLs
-u getting a user mapping proposal
-v verbose (very verbose if set twice)

and args define the parameters and the set of files acted upon.

Typing ntfssecaudit with no args will display a summary of available options.

When acting on a directory or volume, the command may produce a lot of information. It is therefore advisable to redirect the output to a file or pipe it to a text editor for examination.


Windows version


The Windows version of ntfssecaudit is available in the zip compressed file of ntfsprogs tools for Windows. You first have to unzip the file into some directory and you only need the files ntfssecaudit.exe and libntfs.dll. The source file is available in the ntfs-3g_ntfsprogs tarball and advanced-ntfs-3g.md5 file on the download page can be used to check its authenticity. They do not require ntfs-3g to be installed.

On Windows, files and directories designate (implicitly or explicitly) the volume they belong to. Hence, usually, the command has no argument to designate the volume. A single file or directory may be acted upon (wildcards not supported) and, if its name has spaces or special characters, it has to be enclosed in quotes.

Most commands have to be started as an Administrator, and the other applications which use the volume have to be closed if the command has to update an ACL to the volume.

Older versions of the command were called secaudit, with the same options.

The valid combinations of options and args are :

displays in an human readable form the hexadecimal security descriptors saved in file. This can be used to turn a verbose output into a very verbose output.

audits the volume : all the global security data on volume are scanned and errors are displayed. If option -r is present, all files and directories are also scanned and their relations to global security data are checked. This can produce a lot of data.

This option is not effective on volumes formatted for old NTFS versions (pre NTFS 3.0). Such volumes have no global security data.

When errors are signalled, it is advisable to repair the volume with an appropriate tool (such as chkdsk.)

displays the security parameters of file : its interpreted Linux mode (rwx flags in octal) and Posix ACL[1], and its security descriptor if verbose output.

displays the security parameters of all files and subdirectories in directory : their interpreted Linux modes (rwx flags in octal) and Posix ACLs[1], and their security descriptor if verbose output.

recursively extracts to standard output the NTFS ACLs of files in directory.

sets the NTFS ACLs as indicated in backup-file or standard input. The input data must have been created on Windows. The other applications which use the volume have to be closed.
With option -e, also sets extra parameters (currently Windows attrib).

sets the security parameters of file to perms. Perms is the Linux requested mode (rwx flags, expressed in octal form as in chmod), or a Posix ACL[1] (expressed like in setfacl -m). It sets a new NTFS ACL which is effective for Linux and Windows. The other applications which use the same volume have to be closed.

sets the security parameters of all files and subdirectories in directory to perms. Perms is the Linux requested mode (rwx flags, expressed in octal form as in chmod), or a Posix ACL[1] expressed like in setfacl -m). This sets new ACLs which are effective for Linux and Windows. The other applications which use the same volume have to be closed.

displays a proposal for a user mapping file, based on the ownership parameters set by Windows on file, assuming this file was created on Windows by the user to map. The Linux login and group have to be inserted into the displayed information and copied to the file .NTFS-3G\UserMapping where .NTFS-3G is a hidden subdirectory of the root of the partition for which the mapping is to be defined. This will cause the ownership of files created on that volume by this user on Linux to be the same as the original file.


Linux version


On Linux (and OpenIndiana), the ntfssecaudit executable is installed as part of the advanced ntfs-3g package. Its execution requires the full package to be installed.

The NTFS partition has to be unmounted, so the command has an argument to designate the volume, and the file or directory designation has to be relative to the root of the NTFS partition. A single file or directory may be acted upon (wildcards must resolve to a single name), and if its name has spaces or special characters, it has to be enclosed in quotes.

Moreover the command has to be issued as root.

Older versions of the command were called ntfs-3g.secaudit, with the same options.

The valid combinations of options and args are :

displays in an human readable form the hexadecimal security descriptors saved in file. This can be used to turn a verbose output into a very verbose output.

audits the volume : all the global security data on volume are scanned and errors are displayed. If option -r is present, all files and directories are also scanned and their relations to global security data are checked. This can produce a lot of data.

This option is not effective on volumes formatted for old NTFS versions (pre NTFS 3.0). Such volumes have no global security data.

When errors are signalled, it is advisable to repair the volume with an appropriate tool (such as chkdsk on Windows.)

displays the security parameters of file : its interpreted Linux mode (rwx flags in octal) and Posix ACL[1], its security key if any, and its security descriptor if verbose output.

displays the security parameters of all files and subdirectories in directory : their interpreted Linux mode (rwx flags in octal) and Posix ACL[1], their security key if any, and their security descriptor if verbose output.

recursively extracts to standard output the NTFS ACLs of files in directory.

sets the NTFS ACLS as indicated in backup-file or standard input. The input data must have been created on Linux.
With option -e, also sets extra parameters (currently Windows attrib).

sets the security parameters of file to perms. Perms is the Linux requested mode (rwx flags, expressed in octal form as in chmod) or a Posix ACL[1] (expressed like in setfacl -m). This sets a new ACL which is effective for Linux and Windows.

sets the security parameters of all files and subdirectories in directory to perms. Perms is the Linux requested mode (rwx flags, expressed in octal form as in chmod), or a Posix ACL[1] (expressed like in setfacl -m). This sets new ACLs which are effective for Linux and Windows.

displays the security parameters of mounted-file : its interpreted Linux mode (rwx flags in octal) and Posix ACL[1], its security key if any, and its security descriptor if verbose output. This is a special case which acts on a mounted file (or directory) and does not require being root. The Posix ACL interpretation can only be displayed if the full path to mounted-file from the root of the global file tree is provided

displays a proposal for a user mapping file, based on the ownership parameters set by Windows on mounted-file, assuming this file was created on Windows by the user who should be mapped to the current Linux user. The displayed information has to be copied to the file .NTFS-3G/UserMapping where .NTFS-3G is a hidden subdirectory of the root of the partition for which the mapping is to be defined. This will cause the ownership of files created on that partition by the current user to be the same as the original mounted-file.

Note

[1] provided the POSIX ACL option was selected at compile time. A Posix ACL specification looks like "[d:]{ugmo}:[id]:[perms],..." where id is a numeric user or group id, and perms an octal digit or a set from the letters r, w and x. Example : "u::7,g::5,o:0,u:510:rwx,g:500:5,d:u:510:7"



To report any problem, please post to the support forum hosted by Tuxera

Page is maintained by Jean-Pierre André