generic ACL interface (RFC)
Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Wed Jul 28 21:51:05 GMT 1999
> -----Original Message-----
> From: Luke Kenneth Casson Leighton [SMTP:lkcl at switchboard.net]
> Sent: Wednesday, July 28, 1999 16:52
> To: Multiple recipients of list SAMBA-TECHNICAL
> Subject: RE: generic ACL interface (RFC)
> On Wed, 28 Jul 1999, Cole, Timothy D. wrote:
> > > so, if the HP/UX ACL implementation supports something nice (which
> > > mentioned that it did, which posix does not) then we can map it to an
> > > ACE or whatever.
> > >
> > Not always. Some HP ACEs simply cannot be mapped into NT ACEs at
> > all -- among others, those that contain both a user and a group
> > specification.
> in the security descriptor, in individual ACE entries? NT does that, too.
> SIDs can represent anything: users, groups, aliases, in any domain.
> whether you can _resolve_ that sid to something useful is another matter
> :-) :-) e.g if you break a trusted domain relationship or reinstall a
> workstation (and thereby destroy / replace its workstation sid).
> in other words, a security descriptor can say "this group has read/write
> permissions; this user has full control; the built-in power user's group
> are allowed full control; administrator of workstation ABC is denied all
> access; etc".
> is that what you mean?
Not at all. The thing is, you can't express something like "user X
has read/write access _when he is in group Y_" in a single NT ACE, since
that isn't really meaningful in NT -- in Unix, however, a particular process
can have groups associated with it that its owner is not normally a member
of. (sgid scripts/binaries, for instance)
Maybe I'm missing something, though. How would you express the
following ACL in NT parlance?
(don't ask me _why_ someone would want to do something like that,
but it IS possible with HP-UX ACLs)
More information about the samba-technical