Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Thu Jul 22 18:59:10 GMT 1999
> -----Original Message-----
> From: Jeremy Allison [SMTP:jallison at cthulhu.engr.sgi.com]
> Sent: Thursday, July 22, 1999 13:28
> To: Cole, Timothy D.
> Cc: 'jallison at cthulhu.engr.sgi.com'; Multiple recipients of list
> Subject: Re: NT file-permissions
> Cole, Timothy D. wrote:
> > Is this an appropriate time to start hashing this stuff out, or
> > there other things that need finishing first?
> Now is definitely a good time. Funnily enough I understand
> NT ACLs very well. What I need is a good understanding of
> POSIX ACLs so we can work out what the mapping should be.
> Are you very familiar with POSIX ACLs (or know someone
> who is) ?
Kind of. My familiarity is limited to "second-hand" knowledge,
derived from OS documentation. That being said, here is my understanding of
POSIX.6 makes no recommendations about the internal ordering or
representation of an ACL, and specifies that only POSIX.1 files can have
ACLs. It does, however, require that:
- each ACL entry must contain the following information:
    tag type: file owner, owning group, named user, named
    qualifier field: user/group id, ignored for all but user or group tag types
        (file owner/owning group are indicated
    permissions set: must support a minimum of read, write and
- there are three mandatory entries in any POSIX.6 ACL, corresponding to the
  permission bits, as you would expect:
    - owner (tag type of file owner?)
    - group (tag type of owning group?)
    - world (tag type of other)
- all applicable permissions at the same (highest applicable) level of
  specificity are ORed together when checking access. The levels of
  specificity, in decreasing order,
    - file owner
    - named user
    - owning group + named groups
    - named groups
I don't suppose anyone here on the list has a copy of a POSIX 1003.6
draft and would care to summarize "from the horse's mouth", as it were?
Also, I don't have any information on the specific interfaces that the
POSIX.6 drafts recommend; just that they seem to recommend specific
categories of interfaces to be present...
Anyway, I can already see that the POSIX.6 definition of ACLs isn't
general enough for our purposes; HP-UX's implementation, while obviously
influenced by it, will not map to it very well. Vis-à-vis:
- HP-UX ACL entries contain the following information:
    user: named user or 'any'
    group: named group or 'any'
    permissions set: r, w and x
- three mandatory ACL entries, matching the permission bits:
    owner - user.% (% = 'any')
    group - %.group
    world - %.%
- same concept of levels of specificity, although the specific levels are
  different:
(I actually think I like the HP-UX scheme better)
Ahhh... just found a reference for the POSIX APIs as they more or
less exist as of draft 13, at least as implemented in Digital Unix:
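As an added illustration (not code from this thread or from Samba), here is the POSIX.6 access-check rule Tim describes above in Python: the three mandatory entries plus named-user and named-group entries, with all applicable entries at the highest applicable level of specificity ORed together and less specific levels ignored. The tag names, the sample ACL and the uids/gids are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from functools import reduce
from operator import or_

R, W, X = 4, 2, 1  # read, write, execute permission bits
# POSIX.6 tag types as named in the mail (constructed identifiers)
Tag = Enum("Tag", "FILE_OWNER NAMED_USER OWNING_GROUP NAMED_GROUP OTHER")

@dataclass(frozen=True)
class Entry:
    tag: Tag
    perms: int             # OR of R, W, X
    qualifier: int = None  # uid/gid; ignored except for named user/group

# Levels of specificity, most specific first, as the mail lists them.
LEVELS = ((Tag.FILE_OWNER,), (Tag.NAMED_USER,),
          (Tag.OWNING_GROUP, Tag.NAMED_GROUP), (Tag.OTHER,))

def applies(e, uid, gids, file_uid, file_gid):
    """Does entry e apply to a process with this uid and group set?"""
    return {
        Tag.FILE_OWNER: uid == file_uid,
        Tag.NAMED_USER: uid == e.qualifier,
        Tag.OWNING_GROUP: file_gid in gids,
        Tag.NAMED_GROUP: e.qualifier in gids,
        Tag.OTHER: True,
    }[e.tag]

def effective_perms(acl, uid, gids, file_uid, file_gid):
    """Walk the levels from most to least specific; at the first level with
    an applicable entry, OR every applicable entry there and stop. Less
    specific levels are never consulted, so a named-user entry granting
    only read is not widened by an owning-group entry granting write."""
    for level in LEVELS:
        hits = [e.perms for e in acl
                if e.tag in level and applies(e, uid, gids, file_uid, file_gid)]
        if hits:
            return reduce(or_, hits)
    return 0  # no entry applied (cannot happen with the three mandatory entries)

def access_ok(acl, uid, gids, file_uid, file_gid, wanted):
    """True when every requested bit is granted."""
    return effective_perms(acl, uid, gids, file_uid, file_gid) & wanted == wanted

# Constructed sample ACL for a file owned by uid 1000, gid 100.
FILE_UID, FILE_GID = 1000, 100
SAMPLE_ACL = [Entry(Tag.FILE_OWNER, R | W), Entry(Tag.NAMED_USER, R, 1001),
              Entry(Tag.OWNING_GROUP, R | W), Entry(Tag.NAMED_GROUP, R | X, 500),
              Entry(Tag.OTHER, 0)]
```

With the sample ACL, uid 1001 gets only read even though it is a member of the owning group, because its named-user entry is the most specific applicable level.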