generic ACL interface (RFC)

Cole, Timothy D. timothy_d_cole at
Wed Jul 28 21:51:05 GMT 1999

> -----Original Message-----
> From:	Luke Kenneth Casson Leighton [SMTP:lkcl at]
> Sent:	Wednesday, July 28, 1999 16:52
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	RE: generic ACL interface (RFC)
> On Wed, 28 Jul 1999, Cole, Timothy D. wrote:
> > > so, if the HP/UX ACL implementation supports something nice (which someone
> > > mentioned that it did, which posix does not) then we can map it to an NT
> > > ACE or whatever.
> > > 
> > 	Not always.  Some HP ACEs simply cannot be mapped into NT ACEs at
> > all -- among others, those that contain both a user and a group
> > specification.
> in the security descriptor, in individual ACE entries?  NT does that, too.
> SIDs can represent anything: users, groups, aliases, in any domain.
> whether you can _resolve_ that sid to something useful is another matter
> :-) :-) e.g. if you break a trusted domain relationship or reinstall a
> workstation (and thereby destroy / replace its workstation sid).
> in other words, a security descriptor can say "this group has read/write
> permissions; this user has full control; the built-in power user's group
> are allowed full control; administrator of workstation ABC is denied all
> access; etc".
> is that what you mean?
	Not at all.  The thing is, you can't express something like "user X
has read/write access _when he is in group Y_" in a single NT ACE, since
that isn't really meaningful in NT -- in Unix, however, a particular process
can have groups associated with it that its owner is not normally a member
of.  (sgid scripts/binaries, for instance)

	Maybe I'm missing something, though.  How would you express the
following ACL in NT parlance?

	 joe.%     rw-
	 %.radar   r--
	 %.%       ---
	 bob.%     ---
	 bob.radar rw-

	(don't ask me _why_ someone would want to do something like that,
but it IS possible with HP-UX ACLs)
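The ACL quoted above, evaluated by a small Python script added here as an illustration (it is not part of the original thread). It assumes HP-UX's most-specific-match rule (a user.group entry beats user.%, which beats %.group, which beats %.%, with matches at the same level unioned) and shows that bob's effective rights change with the groups his process carries, which is the user-and-group conjunction a single NT ACE has no way to state.

```python
# Evaluate an HP-UX style ACL (user.group entries) for a process with a given
# effective user and set of group IDs. The precedence rule below is an assumed
# model of HP-UX acl(5) semantics; the sample ACL is the one quoted in the post.

# Constructed sample: the five-entry ACL from the message above.
ACL_TEXT = """
joe.%     rw-
%.radar   r--
%.%       ---
bob.%     ---
bob.radar rw-
"""


def parse_acl(text):
    """Turn 'user.group perms' lines into (user, group, set_of_perm_chars)."""
    entries = []
    for line in text.strip().splitlines():
        who, perms = line.split()
        user, group = who.split(".")
        entries.append((user, group, {c for c in perms if c != "-"}))
    return entries


def _specificity(user, group):
    # user.group -> 3, user.% -> 2, %.group -> 1, %.% -> 0
    return (user != "%") * 2 + (group != "%")


def hpux_access(entries, uid, groups):
    """Return the rwx string granted to uid when its process carries `groups`."""
    best_level, perms = -1, set()
    for user, group, p in entries:
        # An entry matches only if BOTH its user and its group part match.
        if user not in ("%", uid) or group not in ("%", *groups):
            continue
        level = _specificity(user, group)
        if level > best_level:          # more specific entry replaces weaker ones
            best_level, perms = level, set(p)
        elif level == best_level:       # same level (e.g. two %.group hits): union
            perms |= p
    return "".join(c if c in perms else "-" for c in "rwx")


ENTRIES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for uid, groups in [("joe", {"users"}), ("bob", {"users"}),
                        ("bob", {"users", "radar"}), ("alice", {"radar"})]:
        print(f"{uid:6s} groups={sorted(groups)!s:20s} -> {hpux_access(ENTRIES, uid, groups)}")
```

Note that bob's row cannot be reproduced by any rule keyed on bob alone or on radar alone: the outcome is a function of the (user, group) pair.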
