NT/Unix ACLs

Matthias Wächter matthias at waechter.wol.at
Fri Jul 23 09:08:10 GMT 1999


I don't want to stop the discussion on what should be in the ACLs to be as
compatible as possible to NT's ACLs.

But: Although there is some advantange in using NT's advanced ACLs instead
of Unix's UGO, I see lot more positive effect in using (something like)  
the permission scheme known from Novell (3.x, I had never contact to 4.x).

1. In a directory called DATA, I can not only set who (user or group) has
permission on which subdirectory, but can specify who can _see_ the
directories in the listing of DATA/. This is not possible with NT ACLs.

2. With NT ACLs, specifying access rights, one (the administrator) always
has to set permission on each and every file in the whole tree. When
granting additional rights and selecting "(re)set rights in
subdirectories" using Explorer, the rights of all files and directories
are set to _exactly_ those specified. Not only this needs a lot of time
changing permissions for large and deep trees, any specially set ACL for a
subdirectory or a file located there is reset. Using cacls.exe seems to be
a better way (one can explicitly grant/revoke additional rights), but
using a command line tool, we also could change the way ACLs are stored
and interpreted.

The interesting parts of Netware's ACLs are:

* the inheritance mask for a directory (don't need to specify access masks
for every file in the tree)
* groups in groups (ah yeah, that's what I call group administration!)
* Only directories you have access to can be seen in the tree.
* group membership is effective immediately: f.e. a "dir" prior to
membership may show no directory, a "dir" a few seconds later grants you
the appropriate access (of course, revoking is the same the other way
* ACLs for trees are only stored in one place keeping the ACL database
small and making changes very quick
* the possibility for security holes because of single files forgotten in
the tree with wrong rights is far less than in NT (of course, in Netware
one can also shoot himself in the knee)

Is anybody out there thinking that there is a chance of having best of
both worlds? I don't want to be pointed to a novell emulator! :-)

Sehr Wus,
- Matthias

Bunt ist das Dasein und granatenstark. Und: Volle Kanne, Hoschis!
                         aus: "Bill und Teds verrückte Reise durch die Zeit"

More information about the samba-technical mailing list