generic ACL stuff

Jeremy Allison jallison at cthulhu.engr.sgi.com
Tue Nov 2 18:47:11 GMT 1999


Cole, Timothy D. wrote:
> 
>         p.s. Jeremy: the mapping between POSIX ACLs and the intermediate
> representation should be relatively trivial.  I believe Marc is working on
> the POSIX and NT ACL mappings.

Ok, I've had a longer chance to look over the code and think
about it and have a couple of comments I'd like feedback on
if possible.

The current patch uses an intermediate ACL spec to which
all incoming NT ACLs are converted, and to which all
outgoing disk ACLs must be converted. This is done in
the upper level Samba code in the modified nttrans.c file.

Firstly, the intermediate ACL spec needs some name changes
to prevent pollution of the global namespace (some of
the current enum names and defines would clash with
Linux and IRIX defines). This is simple enough to do
by adding a SMB_ before all the names :-).

The second comment is a bit more on the design. If we
look at what we're trying to do here, we are attempting
to reversibly map NT ACLs into any one of a number of
different disk ACL representations.

Now converting to an intermediate representation is a
good idea for a set of utility functions to have, as most
of the underlying disk ACLs map very well into this
intermediate representation. However, unless the
intermediate representation is a complete superset of
NT ACLs, then in converting to this representation we
are potentially losing NT ACL information.

I would prefer that the vectored ACL functions take an
NT ACL representation in the (*set)() function and return
an NT ACL representation in the (*get)() function. The mapping
between the NT ACL and the internal representation should
not (IMHO) be seen in the nttrans.c code in Samba, but
should be an internal implementation detail of the vectored functions.

Now we can still use all the work on the intermediate representation
functions by providing the nt_to_acl() and acl_to_nt() and
associated functions as helper functions that may be called
by the vectored code internally, I just don't think they
should be at the Samba nttrans.c level.

I think Luke will agree with me here, as it is definitely
his dream to be able to directly access the NT ACLs on
an NTFS partition mounted under a Linux box via Samba.
Preserving the NT ACLs at the vectored code interface
would allow this to be done, using the intermediate
representation would make this more difficult.

Please let me know what you think,

Cheers,

	Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
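
The design point in the message above, as an added C sketch that is not part of the original post or of Samba's code: a vectored interface that takes and returns NT ACLs, with the intermediate representation used only inside one backend. Only the helper names nt_to_acl() and acl_to_nt() come from the message; their signatures, every other name, the simplified ACL layout and the sample ACLs are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified types (not Samba's structures); SIDs are plain ints. */
enum { ALLOW, DENY };
enum { NT_READ = 0x1, NT_WRITE = 0x2, NT_EXEC = 0x20, NT_DELETE = 0x10000, RWX = 0x23 };
typedef struct { uint32_t type, sid, mask; } nt_ace;
typedef struct { uint32_t n; nt_ace ace[8]; } nt_acl;
typedef struct { uint32_t n; struct { uint32_t id, rwx; } e[8]; } im_acl; /* allow-only rwx */
typedef struct { void (*set)(const nt_acl *); void (*get)(nt_acl *); } acl_ops; /* NT in, NT out */

/* Helper (assumed signature): returns how many ACEs lost information. */
static int nt_to_acl(const nt_acl *in, im_acl *out) {
    int lost = 0;
    out->n = 0;
    for (uint32_t i = 0; i < in->n; i++) {
        if (in->ace[i].type == DENY) { lost++; continue; }    /* no deny entries */
        if (in->ace[i].mask & ~(uint32_t)RWX) lost++;         /* extra rights dropped */
        out->e[out->n].id = in->ace[i].sid;
        out->e[out->n++].rwx = in->ace[i].mask & RWX;
    }
    return lost;
}
static void acl_to_nt(const im_acl *in, nt_acl *out) {
    out->n = in->n;
    for (uint32_t i = 0; i < in->n; i++)
        out->ace[i] = (nt_ace){ ALLOW, in->e[i].id, in->e[i].rwx };
}
/* Backend 1: rwx-only disk ACLs; the intermediate form stays internal to it. */
static im_acl rwx_disk;
int rwx_lost;                       /* loss count from the last set() call */
static void rwx_set(const nt_acl *in) { rwx_lost = nt_to_acl(in, &rwx_disk); }
static void rwx_get(nt_acl *out) { acl_to_nt(&rwx_disk, out); }
/* Backend 2: NTFS-like store that keeps the NT ACL verbatim. */
static nt_acl nt_disk;
static void nt_set(const nt_acl *in) { nt_disk = *in; }
static void nt_get(nt_acl *out) { *out = nt_disk; }
const acl_ops rwx_ops = { rwx_set, rwx_get }, nt_ops = { nt_set, nt_get };

/* Returns 1 when the ACL read back through the backend equals the one written. */
int roundtrip_ok(const acl_ops *ops, const nt_acl *in) {
    nt_acl out;
    ops->set(in);
    ops->get(&out);
    return out.n == in->n && memcmp(out.ace, in->ace, in->n * sizeof(nt_ace)) == 0;
}
/* Constructed samples: a deny ACE plus a DELETE right, and a plain read/write grant. */
const nt_acl sample = { 2, { { DENY, 1001, NT_WRITE }, { ALLOW, 1002, NT_READ | NT_DELETE } } };
const nt_acl simple = { 1, { { ALLOW, 1002, NT_READ | NT_WRITE } } };
int main(void) {
    return !(roundtrip_ok(&nt_ops, &sample) && !roundtrip_ok(&rwx_ops, &sample));
}
```

Because the caller only ever sees NT ACLs, the NTFS-like backend returns the sample ACL unchanged, while the rwx backend is the single place where the deny ACE and the DELETE right are dropped and counted.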

