NT ACL / Security descriptor checking function

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Feb 10 15:43:08 GMT 2000

well, i mentioned that we needed this function about four, six and twelve
months ago.  no response.

now, i take it, that people are starting to realise _why_ it's needed.
so, if someone implements it, i'll use it.


security descriptor code is in rpc_parse/parse_sec.c.  please do not
modify this code, use it.  add your own wrappers if necessary.

you should reference the MSDN for the exact function parameters and name
of the function.  it will be something like this:

check_access(NET_USER_INFO_3 *user_info, uint32 access_rights,
SEC_DESC_BUF *security_descriptor).

user_info contains the user RID, primary group RID and

access_rights is the TYPE of operation being requested

security descriptor is a list of permitted and/or denied operations to
certain users / groups for certain kinds of rights.

you should check each entry in the ACL list: if the user (or group or
group members) match one of the ACL entries, the permissions (grant/deny)
should be checked agaoinst access_rights.

any volunteers, please sort it out amongst yourselfves on the
samba-technical list.

no volunteers, i carry on with mapping to unix-files and unix-permission
checks until there are.



More information about the samba-technical mailing list