NT ACL / Security descriptor checking function

Michael Stockman pgmtekn-micke at algonet.se
Fri Feb 11 20:20:26 GMT 2000


Hello,

> On Sat, 12 Feb 2000, David Collier-Brown wrote:
>
> > Luke Kenneth Casson Leighton wrote:
> > > this was discussed four to five months ago, my recommendation was
> > > to do it the other way round: map immediately out as soon as
> > > possible to NT security descriptors, and maintain for as long as
> > > possible NT SDs before converting to, say... POSIX or Unix ACLs or
> > > file permissions.
> > >
> > > reason: you don't want to impose a restriction, in the file-system
> > > example, of mapping to POSIX-based ACLs, only to find later that
> > > the underlying filesystem actually supports a much richer ACL
> > > implementation than the [limited] POSIX one, or even fully
> > > supports NT security descriptors, such as the linux NTFS drivers.
> >
> > I mildly agree: I speculate you have two modules,
> > one which just looks up the ACLs in an underlying
> > filesystem that supports them all, or supports
> > a superset. This may well be a stub unless you happen
> > to have linux NTFS handy...
>
> ok.  what you do is you implement vfs-table "modules" that handle
> different filesystem mappings.  the API takes NT security descriptor.

Actually, what I want is a "can do it all" ACL implementation. And
that is why we must own the implementation, not be depending on
someone not having this requirement. I don't trust that NT ACLs are a
superset of all ACL implementations.

> for unix-perms, the vfs-chmodACL function is implemented using
> jeremy's code in nttrans.c  it takes a security descriptor, and
> depending on whether the target is a dir or a file, you map it to a
> subset of unix ugo+rwx permissions.

Changing the ACL on an ACL capable file system is also not necessarily
a trivial thing considering the possibility that the file system may
not support all bits NT supports or it may support bits NT doesn't
that we want to preserve.

> for POSIX-acl-perms, the vfs-chmodACL function is implemented
> according to the guidelines described in
> www.fas.org/irp/nsa/rainbow/tg020-a.htm or if someone wants to go
> through the process of reinventing the wheel, they can.

POSIX based ACL to me is an ACL that contains the POSIX uids and gids
rather than any other id (RID). This must not be an ACL built from an
rwxrwxrwx kind of permission.

I want this because I think it is the most obvious that we on a POSIX
system set permissions using the POSIX id. Rationale: samba is POSIX,
NT is NT and they meet on the net, not on the POSIX system.

> for the NTFS driver (which apparently hasn't been through
> development for a year, is read-only and is likely to be dropped, i
> presume the issue is too sticky: i'm not surprised!) or for other
> SD-perms-based filesystems, the vfs-chmodACL function drops the
> binary security-descriptor straight to disk.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se
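
The thread's concern that mapping a security descriptor down to unix ugo+rwx loses information can be made concrete. The following is an added example, not part of the original message and not Samba's nttrans.c code: the struct and function names are hypothetical, trustees are assumed to be already resolved to owner/group/everyone, and the sample ACL is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* NT file access-mask bits (values as defined in winnt.h). */
#define FILE_READ_DATA   0x00000001u
#define FILE_WRITE_DATA  0x00000002u
#define FILE_APPEND_DATA 0x00000004u
#define FILE_EXECUTE     0x00000020u
#define WRITE_DAC        0x00040000u

/* Hypothetical simplification: the trustee SID is already resolved. */
enum trustee { T_OWNER, T_GROUP, T_EVERYONE };
struct ace { enum trustee who; int allow; uint32_t mask; };
struct mapped { unsigned mode; uint32_t lost; int denies_dropped; };

/* Fold an ACL into ugo+rwx and record what the mode bits cannot express. */
struct mapped map_acl_to_mode(const struct ace *acl, int n)
{
    struct mapped out = { 0, 0, 0 };
    for (int i = 0; i < n; i++) {
        uint32_t m = acl[i].mask, kept = 0;
        unsigned rwx = 0;
        if (!acl[i].allow) {          /* rwx has no deny semantics */
            out.denies_dropped++;
            continue;
        }
        if (m & FILE_READ_DATA)  { rwx |= 4; kept |= FILE_READ_DATA; }
        if (m & FILE_WRITE_DATA) { rwx |= 2; kept |= FILE_WRITE_DATA | FILE_APPEND_DATA; }
        if (m & FILE_EXECUTE)    { rwx |= 1; kept |= FILE_EXECUTE; }
        int shift = acl[i].who == T_OWNER ? 6 : acl[i].who == T_GROUP ? 3 : 0;
        out.mode |= rwx << shift;
        out.lost |= m & ~kept;        /* rights with no rwx equivalent */
    }
    return out;
}

/* Constructed sample ACL, not taken from a real system. */
static const struct ace SAMPLE[] = {
    { T_OWNER,    1, FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE | WRITE_DAC },
    { T_GROUP,    1, FILE_READ_DATA | FILE_EXECUTE },
    { T_EVERYONE, 0, FILE_WRITE_DATA },
    { T_EVERYONE, 1, FILE_READ_DATA | FILE_APPEND_DATA },
};

int main(void)
{
    struct mapped r = map_acl_to_mode(SAMPLE, 4);
    printf("mode=%04o lost=0x%08x denies_dropped=%d\n", r.mode, (unsigned)r.lost, r.denies_dropped);
    return 0;
}
```

The `lost` mask and the dropped deny entry are exactly the state that cannot be read back from the mode bits, which is the argument for keeping the NT security descriptor as long as possible before converting.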
