NT ACL / Security descriptor checking function

Michael Stockman pgmtekn-micke at algonet.se
Fri Feb 11 01:25:58 GMT 2000


> well, i mentioned that we needed this function about four, six and
> months ago.  no response.

You frequently fail to fit your explanations into a proper structure.

> now, i take it, that people are starting to realise _why_ it's
> so, if someone implements it, i'll use it.
> deal?

I still think the concept of ACLs haven't been covered completely yet,
but maybe the basic structure is clear enough to make something to
look at (I reserve the right to continue discussion).

> security descriptor code is in rpc_parse/parse_sec.c.  please do not
> modify this code, use it.  add your own wrappers if necessary.

Unless it has changed in TNG (which I will not download), I would
suggest not using it but trying to read it and create a proper
implementation (the one in head isn't pretty).

> you should reference the MSDN for the exact function parameters and
> of the function.  it will be something like this:
> check_access(NET_USER_INFO_3 *user_info, uint32 access_rights,
> SEC_DESC_BUF *security_descriptor).
> user_info contains the user RID, primary group RID and
> array-of-group-member-RIDs.

Is RID really the way to go??? Access checks in samba has so far been
POSIX, RID would break this (and create vast amounts of headache when
samba can properly understand the difference between local accounts
and remote accounts, unless RID means SID).

I think we should create our ACL implementation aiming on (future?)
file support too (one ACL support for all ACLs) and thus have and
internal POSIX based ACL which can map both UNIX ACLs and NT ACLs.

Yes, I'm aware that doing it properly will take some time, but if you
count two days for a hack and two years for someone to get round to a
proper implementation that meets all requirements, which is the

> access_rights is the TYPE of operation being requested
> security descriptor is a list of permitted and/or denied operations
> certain users / groups for certain kinds of rights.
> you should check each entry in the ACL list: if the user (or group
> group members) match one of the ACL entries, the permissions
> should be checked agaoinst access_rights.
> any volunteers, please sort it out amongst yourselfves on the
> samba-technical list.
> no volunteers, i carry on with mapping to unix-files and
> checks until there are.

I could take some rest from my digging in the registry and code (there
is something "funny" going on when opening HKEY_USERS, which I don't
quite understand) and dig in this for a while and see what pops out.
Regardsless of who, remember to think obvious and structure and not
just do something because someone has said something or done something

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se

More information about the samba-technical mailing list