NT ACL / Security descriptor checking function

Luke Kenneth Casson Leighton lkcl at samba.org
Sat Feb 12 00:07:39 GMT 2000 

On Sat, 12 Feb 2000, Michael Stockman wrote:

> Hello,
> 
> > On Sat, 12 Feb 2000, David Collier-Brown wrote:
> >
> > > Luke Kenneth Casson Leighton wrote:
> > > > this was discussed four to five months ago, my recommendation
> was to do it
> > > > the other way round: map immediately out as soon as possible to
> NT
> > > > security descriptors, and maintain for as long as possible NT
> SDs before
> > > > converting to, say... POSIX or Unix ACls or file permissions.
> > > >
> > > > reason: you don't want to impose a restriction, in the
> file-system
> > > > example, of mapping to POSIX-based ACLs, only to find later that
> the
> > > > underlying filesystem actually supports a much richer ACL
> implementation
> > > > thatn the [limited] POSIX one, or even fully supports NT
> security
> > > > descriptors, such as the linux NTFS drivers.
> > >
> > > I mildly agree: I speculate you have two modules,
> > > one which just looks up the ACLS in an underlying
> > > filesystem that supports them all, or supports
> > > a superset. This may well be a stub unless you happen
> > > to have linux NTFS handy...
> >
> > ok.  what you do is you implement vfs-table "modules" that handle
> > different filesystem mappings.  the API takes NT security
> descriptor.
> 
> Actually, what I want is a "can do it all" ACL implementation. And
> that is why we must own the implementation, not be depending on
> someone not having this requirement. I don't trust that NT ACLs is a
> superset of all ACL implementations.

ok, that's a good enough reason to consider a "higher-level" ACL api.

[i'm going to avoid using "NT" now in case you have something against NT.  
if you had used a word other than "trust", i would not fel the need to do
this].

for example, that rainbow book talks about restricting access on a
per-time-of-day basis, which is fairly... extreme!

my suspicions are that you won't find any real-world ACL implementations
that are any better than the VAX/VMS security model (on which NT is
based).  and if theree are any, it's probably going to be very few
features that do not have VMS-equivalents.

then agian, neither of us are authorities on the subject.

my suggestion would be, simply to avoid duplicating effort to produce an
ACL api that is a [potential] superset of VMS-security descriptors, is to
_use_ VMS-security descriptors as the baseline, until it can be proven
that there exists a real-world ACL impleentation that does more.
 
> > for unix-perms, the vfs-chmodACL function is implemented using
> jeremy's
> > code in nttrans.c  it takes a security descriptor, and depending on
> > whether the target is a dir or a file, you map it to a subset of
> unix
> > ugo+rwx permissions.
> 
> Changing the ACL on an ACL capable file system also not necessarily a
> trivial thing considering the possibilty that the file system may not
> support all bit NT support or it may supprt bits NT doesn't that we
> want to preserve.

jeemy has done a perfectly good job of coming up with heuristics to turn
VMS security descriptors into a unix file permissions.  from what i
understand, the rules are simple: throw away any bits you can't use.
they're only going to be useful to us (the remaining bits) +_anyway_.

it should therefore be a trivial job to examine that code and create, say,
a POSIX-based ACL implementation.

or, john malmberg to do a VMS-based one.


> > for POSIX-acl-perms, the vfs-chmodACL function is implemented
> ccording to
> > the guidelines described in www.fas.org/irp/nsa/rainbow/tg020-a.htm
> or if
> > someone want to go through the process of reinventing the wheel,
> they can.
> 
> POSIX based ACL to me is an ACL that contains the POSIX uids and gids
> rather than any other id (RID). This must not be an ACL built from an
> rwxrwxrwx kind of permission.

yes, i understand this.  by the way, it's SIDs not RIDs.

> I want this because I think it is the most obvious that we on a POSIX
> system sets permissions using the POSIX id. Rationale, samba is POSIX,
> NT is NT and they meet on the net, not on the POSIX system.

please read http://cb1.com/~lkcl/cifs/draft-lkcl-sidtouidmap-01.html, i've
already covered exactly this issue, i'm not discussing it again in detail.

please refer to the section that covers VMS ACL to POSIX ACL or unix
permission conversion.

thx michael,

luke

More information about the samba-technical mailing list