19.5.3 Security
The security of an NTFS volume is derived from the Windows object model.
Each NTFS file references a security descriptor, which specifies the owner of the
file, and an access-control list, which contains the access permissions granted
or denied to each user or group listed. Early versions of NTFS used a separate
security descriptor as an attribute of each file. Beginning with Windows 2000,
the security-descriptors attribute points to a shared copy, with a significant
savings in disk and caching space; many, many files have identical security
descriptors.
In normal operation, NTFS does not enforce permissions on traversal of
directories in file path names. However, for compatibility with POSIX, these
checks can be enabled. Traversal checks are inherently more expensive, since
modern parsing of file path names uses prefix matching rather than
directory-by-directory parsing of path names. Prefix matching is an algorithm that looks
up strings in a cache and finds the entry with the longest match—for example,
an entry for \foo\bar\dir would be a match for \foo\bar\dir2\dir3\myfile.
The prefix-matching cache allows path-name traversal to begin much deeper
in the tree, saving many steps. Enforcing traversal checks means that the user’s
access must be checked at each directory level. For instance, a user might lack
permission to traverse \foo\bar, so starting at the access for \foo\bar\dir
would be an error.
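
The difference between the two modes can be seen in a small model. This is an added example, not NTFS code and not from the original text: the function names, the ACL table, and the cache contents are all constructed, the cache is assumed to match on whole path components, and the access check on the file itself is left out.

```python
SEP = "\\"

# Constructed sample data: users allowed to traverse each directory.
TRAVERSE_ACL = {
    r"\foo": {"alice", "bob"},
    r"\foo\bar": {"alice"},              # bob lacks traverse permission here
    r"\foo\bar\dir": {"alice", "bob"},
    r"\foo\bar\dir\dir2": {"alice", "bob"},
}
# Constructed sample data: directories already held in the prefix cache.
PREFIX_CACHE = {r"\foo", r"\foo\bar\dir"}


def ancestors(path):
    """Every directory prefix of path, shortest first (file name excluded)."""
    parts = path.strip(SEP).split(SEP)[:-1]
    return [SEP + SEP.join(parts[:i]) for i in range(1, len(parts) + 1)]


def longest_cached_prefix(path, cache=PREFIX_CACHE):
    """Longest cached directory that is a whole-component prefix of path."""
    hits = [d for d in ancestors(path) if d in cache]
    return hits[-1] if hits else None


def resolve(path, user, traverse_checks):
    """Return (traversal_allowed, directories visited during the walk)."""
    dirs = ancestors(path)
    if not traverse_checks:
        # Normal operation: start at the deepest cached prefix and skip
        # per-directory traverse checks entirely.
        start = longest_cached_prefix(path)
        visited = dirs[dirs.index(start):] if start else dirs
        return True, visited
    # POSIX-compatible mode: the cache shortcut is unsafe, so walk from the
    # root and check the user's traverse right at every level.
    visited = []
    for d in dirs:
        visited.append(d)
        if user not in TRAVERSE_ACL.get(d, set()):
            return False, visited
    return True, visited


if __name__ == "__main__":
    target = r"\foo\bar\dir\dir2\myfile"
    for checks in (False, True):
        print("bob", "checks on" if checks else "checks off", resolve(target, "bob", checks))
```

With checks off, the walk for bob starts at \foo\bar\dir and never consults the ACL on \foo\bar; with checks on, the same request stops at \foo\bar after visiting two directories from the root.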