NT file-permissions

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Thu Jul 22 18:59:10 GMT 1999 

> -----Original Message-----
> From:	Jeremy Allison [SMTP:jallison at cthulhu.engr.sgi.com]
> Sent:	Thursday, July 22, 1999 13:28
> To:	Cole, Timothy D.
> Cc:	'jallison at cthulhu.engr.sgi.com'; Multiple recipients of list
> SAMBA-TECHNICAL
> Subject:	Re: NT file-permissions
> 
> Cole, Timothy D. wrote:
> 
> >         Is this an appropriate time to start hashing this stuff out, or
> are
> > there other things that need finishing first?
> 
> Now is definately a good time. Funnily enough I understand
> NT ACLs very well. What I need is a good understanding of
> POSIX ACLs so we can work out what the mapping should be.
> 
> Are you very familiar with POSIX ACLs (or know someone 
> who is) ?
> 
	Kind of.  My familiarity is limited to "second-hand" knowledge,
derived from OS documentation.  That being said, here is my understanding of
the requirements:

	POSIX.6 makes no recommendations about the internal ordering or
representation of an ACL, and specifies that only POSIX.1 files can have
ACLs.  It does, however, require that:

	  - each ACL entry must contain the following information:

	             tag type: file owner, owning group, named user, named
group, other

	      qualifier field: user/group id, ignored for all but user or
group tag types
	                       (file owner/owning group are indicated
elsewhere)

	      permissions set: must support a minimum of read, write and
search/execute

	  - there are three mandatory entries in any POSIX.6 ACL,
corresponding to the permission
	    bits, as you would expect:

	        - owner (tag type of file owner?)
	        - group (tag type of owning group?)
	        - world (tag type of other)

	  - all applicable permissions at the same (highest applicable)
level of specificity are
	    ored together when checking access.  The levels of specificity,
in decreasing order,
	    are:

	        - file owner
	        - named user
	        - owning group + named groups
	        - named groups
	        - "other"

	I don't suppose anyone here on the list has a copy of a POSIX 1003.6
draft and would care to summarize "from the horse's mouth", as it were?
Also, I don't have any information on the specific interfaces that the
POSIX.6 drafts recommend; just that they seem to recommend specific
categories of interfaces to be present...

	Anyway, I can already see that the POSIX.6 definition of ACLs isn't
general enough for our purposes; HP-UX's implementation, while obviously
influenced by it, will not map to it very well.  vis a vis:

	   - HP-UX ACL entries contain the following information:

	             user: named user or 'any'
	            group: named group or 'any'
	  permissions set: r, w and x

	   - three mandatory ACL entries, matching the permission bits

	           owner - user.% (% = 'any')
	           group - %.group
	           world - %.%

	   - same concept of levels of specificity, although the specific
levels are different:

	           - user.group
	           - user.%
	           - %.group
	           - %.%

	(I actually think I like the HP-UX scheme better)

	Ahhh... just found a reference for the POSIX APIs as they more or
less exist as of draft 13, at least as implemented in Digtal Unix:

	
http://www.unix.digital.com/faqs/publications/base_doc/DOCUMENTATION/HTML/AA
-Q0R2D-TET1_html/sec.c225.html

More information about the samba-technical mailing list