by blacklion 737 days ago
Linux (and FreeBSD, too) has ACLs for FS.

NT has ACLs for everything. Each handle (read: descriptor) has associated ACLs.

Also, each handle can be waited on ("selected") with the same system call. No select()/epoll() vs wait() distinctions. Now Linux has timerfd and procfd and others, but NT had these from birth.

In some way NT is more UNIX ("everything is a file") than UNIX itself.

2 comments

Hm, which things are protected by ACLs on NT but not on Linux? Even though the "everything is a file" thing breaks down quite quickly on Linux, with lots of drivers just using ioctls for everything, you still have to open pretty much everything through their device node in /dev, which is affected by ACLs AFAIK. The only real exception I can think of is network sockets. But I'm probably thinking in a very UNIX-centric way, so there may be classes of things I'm missing.
Here are some of the Windows things which have these ACLs applied, except the obvious ones, i.e. files and sockets.

• Disk volumes and physical disks

• Pipes

• Registry keys

• Processes and threads

• Inter-process synchronization primitives like mutexes, semaphores, and mailslots

• Shared memory sections

• Desktops; you need to pass an access check before interacting with a desktop. The OS has multiple of them, used for fast user switching, concurrent remote desktop sessions, the UAC prompt, and the logon screen.

• Other, more exotic things like job objects, window stations, and ALPC ports.

To be fair, some of them are protected with ACLs on Linux because they are mapped into the file system. For example, physical disks are visible in the file system and the kernel does apply these security things to them.
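As an added illustration of the list above (example code, not from the thread or from any commenter): a named mutex, an object with no file-system path at all, is created with its own DACL and then read back, and a registry key's ACL is listed the same way a file's would be. This assumes Windows PowerShell 5.1 (the four-argument Mutex constructor taking a MutexSecurity exists in .NET Framework, not .NET Core) and a constructed mutex name.

```powershell
# Added example: non-file NT objects carry their own security descriptors.
# Assumes Windows PowerShell 5.1 on Windows; the object name is constructed.
$name = 'Local\AclDemoMutex'
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Build a DACL that grants only the current user full control of the mutex.
$sec  = New-Object System.Security.AccessControl.MutexSecurity
$rule = New-Object System.Security.AccessControl.MutexAccessRule(
            $me,
            [System.Security.AccessControl.MutexRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
$sec.AddAccessRule($rule)

# Create the mutex with that descriptor; $created tells us it did not already exist.
$created = $false
$mutex = New-Object System.Threading.Mutex($false, $name, [ref]$created, $sec)
"Mutex created fresh: $created"

# Read the descriptor back from the handle, as SDDL and as individual ACEs.
$desc = $mutex.GetAccessControl()
'SDDL: ' + $desc.GetSecurityDescriptorSddlForm('Access')
$desc.Access | Format-Table IdentityReference, MutexRights, AccessControlType -AutoSize

# Opening the same object again is itself an access check against that DACL;
# the current user holds Synchronize, so this succeeds.
$again = [System.Threading.Mutex]::OpenExisting($name,
             [System.Security.AccessControl.MutexRights]::Synchronize)
$again.Dispose()
$mutex.Dispose()

# Registry keys expose their ACLs through the same Get-Acl cmdlet used for files.
(Get-Acl -Path 'HKCU:\Software').Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

A user or service account that is not in the mutex DACL would fail the OpenExisting call with an UnauthorizedAccessException, which is the object-level check the comment above describes.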

Interesting, thank you.
Well, for NT -almost- everything is an object.