generic ACL interface (RFC)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu Jul 29 16:45:58 GMT 1999


> > in other words, a security descriptor can say "this group has read/write
> > permissions; this user has full control; the built-in power user's group
> > are allowed full control; administrator of workstation ABC is denied all
> > access; etc".
> > 
> > is that what you mean?
> > 
> 	Not at all.  The thing is, you can't express something like "user X
> has read/write access _when he is in group Y_" in a single NT ACE, since
> that isn't really meaningful in NT -- in Unix, however, a particular process
> can have groups associated with it that its owner is not normally a member
> of.  (sgid scripts/binaries, for instance)
> 
> 	Maybe I'm missing something, though.  How would you express the
> following ACL in NT parlance?
> 
> 	 joe.%     rw-
> 	 %.radar   r--
> 	 %.%       ---
> 	 bob.%     ---
> 	 bob.radar rw-

hmmm, i see the light.  you'd have to ignore that capability in HP/UX ACLs
or map to every single group manually or implicitly.  this ACL would
certainly have...

ummm.... what _exactly_ is meant by "user x has read/write access when in
group Y"?????? you mean, the HP/UX designers intended users to be moved
from group to group, and ACLs to change meaning / take this into
account?????

good grief :-) :-)

luke

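To make the quoted example concrete, here is an added evaluator for the user.group ACL shown in the reply (example code, not from the thread or from Samba). It assumes the HP-UX rule that the most specific matching entry wins (u.g before u.% before %.g before %.%) and checks access against the single effective user/group pair of the process, which is exactly why bob's result changes with the group his process runs as.

```python
# Added example: evaluate the HP-UX style user.group ACL quoted in the thread.
# Assumption (not stated in the message): most-specific-match-wins ordering
# u.g > u.% > %.g > %.%, and one effective user/group pair per process.
from typing import List, Optional, Tuple

# The ACL from the thread, transcribed here as constructed input.
ACL_TEXT = """
joe.%     rw-
%.radar   r--
%.%       ---
bob.%     ---
bob.radar rw-
"""

Entry = Tuple[str, str, str]  # (user, group, mode)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'user.group mode' lines; '%' is the wildcard for user or group."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        who, mode = line.split()
        user, group = who.split(".")
        if len(mode) != 3 or any(c not in "rwx-" for c in mode):
            raise ValueError(f"bad mode {mode!r}")
        entries.append((user, group, mode))
    return entries


def specificity(entry: Entry, user: str, group: str) -> Optional[int]:
    """Rank how specifically an entry matches (0 = u.g ... 3 = %.%), or None."""
    eu, eg, _ = entry
    if eu not in (user, "%") or eg not in (group, "%"):
        return None
    return (eu == "%") * 2 + (eg == "%")


def effective_mode(acl: List[Entry], user: str, group: str) -> str:
    """Permissions for a process running as user.group; no match means '---'."""
    best: Optional[Tuple[int, str]] = None
    for entry in acl:
        rank = specificity(entry, user, group)
        if rank is not None and (best is None or rank < best[0]):
            best = (rank, entry[2])
    return best[1] if best else "---"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for u, g in [("bob", "radar"), ("bob", "users"), ("joe", "users"),
                 ("alice", "radar"), ("alice", "users")]:
        print(f"{u}.{g:<6} -> {effective_mode(acl, u, g)}")
```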