generic ACL interface (RFC)

Bob Mastors bob.mastors at crosstor.com
Tue Jul 27 23:00:35 GMT 1999


> i would like to use the same acl interface on "objects" such as pipes,
> smbtrans2 requests, individual msrpc calls and even info levels within
> smbtrans2 or msrpc calls etc as _well_ as files / directories.

Yes this would be a good thing. One problem with unix style file systems
is that access checking and enforcement is done inside the file system.
When acl support is added to unix, it is only used to control
access to files, not to arbitrary objects (at least on solaris).

NT seems to have a separate security subsystem that is used to
perform access checking. The object still performs the access enforcement,
but uses the trusted security subsystem to perform access checking.
A much nicer model imo.
 
> i would like to create static (or even dynamic) ACL objects that i can
> reference using a function, to check whether (for example) a user has
> sufficient access rights to enumerate a registry key; delete a user from
> the SAM database; do a NetShareEnum at info level 102 etc.

As capabilities are added to Samba to make up for deficiencies in various
unix platforms, it becomes more like an operating system.

Bob
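
The split described in the message above, between one shared access-checking routine and per-object enforcement, as an added example (not part of the original post, and not Samba or NT code). All types, rights bits, ids and function names are hypothetical, and the ordered allow/deny evaluation is an assumed ACL model.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical rights bits and types; not Samba's or NT's definitions. */
#define ACC_DELETE 0x04u
#define ACC_ENUM   0x08u
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace   { enum ace_type type; uint32_t sid; uint32_t mask; };
struct acl   { size_t count; const struct ace *aces; };
struct token { size_t nsids; const uint32_t *sids; }; /* user id + group ids */
static int token_has(const struct token *t, uint32_t sid) {
    for (size_t i = 0; i < t->nsids; i++)
        if (t->sids[i] == sid) return 1;
    return 0;
}

/* Access checking: one routine, unaware of what kind of object owns the ACL.
 * Entries are read in order; a matching deny on a still-needed right refuses. */
int acl_check(const struct acl *acl, const struct token *tok, uint32_t want) {
    uint32_t remaining = want;
    if (acl == NULL || tok == NULL) return 0;          /* default deny */
    for (size_t i = 0; i < acl->count && remaining; i++) {
        const struct ace *a = &acl->aces[i];
        if (!token_has(tok, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return 0;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;       /* granted only if every right was allowed */
}

/* Access enforcement: each object type asks the same checker before acting. */
struct reg_key  { const struct acl *acl; int nsubkeys; };
struct sam_user { const struct acl *acl; int deleted; };
int reg_enum_subkeys(const struct reg_key *k, const struct token *t) {
    return acl_check(k->acl, t, ACC_ENUM) ? k->nsubkeys : -1;
}
int sam_delete_user(struct sam_user *u, const struct token *t) {
    if (!acl_check(u->acl, t, ACC_DELETE)) return -1;
    u->deleted = 1;
    return 0;
}

/* Constructed sample data: group 512 = admins, 514 = guests (made-up ids). */
static const uint32_t admin_sids[] = {1000, 512}, guest_sids[] = {1001, 514};
const struct token tok_admin = {2, admin_sids}, tok_guest = {2, guest_sids};
static const struct ace sample_aces[] = {{ACE_DENY, 514, ACC_DELETE},
    {ACE_ALLOW, 512, ACC_ENUM | ACC_DELETE}, {ACE_ALLOW, 514, ACC_ENUM}};
const struct acl sample_acl = {3, sample_aces};
struct reg_key sample_key = {&sample_acl, 3};
struct sam_user sample_user = {&sample_acl, 0};
```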


