samba_3_0/source/include/rpc_secdes.h ?

[Andrew Tridgell]

Jerry,

 > I checked.  Not there either.  The individual bits are but not the 
 > STANDARD_GENERIC_WRITE combination.  I'm making a low risk change to 
 > Samba3 and will continue to test.  Thanks for the pointer though.

There are 4 billion combinations - we can't have them all in a header!

The idea of the new set of defines is to define all the bits
separately, and only define combinations that have a very specific
meaning for access mask mappings.

The "generic" bits are all mapped to "specific" bits as soon as the
access mask is received by the server. For example, when accessing a
file or directory, the SEC_GENERIC_WRITE bit is mapped to
SEC_RIGHTS_FILE_WRITE, which is a combination of 6 bits. When you then
ask the server "what bits did I ask for?" you don't get the "generic"
bits, you get the mapped bits.

Having a "combination" in a header that combines multiple "generic"
bits is very misleading to anyone reading the header, as it could
imply that these bits have meaning when combined. They don't - the
generic bits are mapped separately before any access checking is done,
and the access check itself never looks at any "generic" bits.

The same thing happens when you set an ACL. The access masks on all
ACEs is mapped from generic to specific before the ACL is stored.

So if there is any code in Samba3 that ever looks at the generic bits
for any other purpose than mapping them to the specific bits then that
is a bug.

The name "STANDARD_GENERIC_WRITE" is also completely silly, as a bit
can either be in the range of "standard" bits (which are masked by
0x00FF0000) or in the range of "generic" bits (which are masked by
0xF0000000). The ranges do not overlap, so the name
STANDARD_GENERIC_WRITE is quite meaningless.

Cheers, Tridge