NT ACL / Security descriptor checking function

Luke Kenneth Casson Leighton lkcl at samba.org
Sat Feb 12 18:08:12 GMT 2000


> implementation of VMS/NT ACLs in which case we will need to use their
> bits (and should they ever change ..., i don't want to think about
> it).

that is highly unlikely.  in fact, i think it's safe to say it's never
going to happen.  legacy reasons.
 
> > they're only going to be useful to us (the remaining bits) _anyway_.
> 
> Would that be the NT bits that the file system doesn't support?

yep.

> Suppose that the file system has bits NT doesn't support, that aren't
> ever sent to NT, and that the NT user wouldn't have changed if he had
> known about them? There could be reason to apply "diffs" to ACLs rather
> than straight sets.

again, in real-world environments, i think it's HIGHLY unlikely that any
ACL-based system in a real OS on which samba is going to be running is
going to support anything beyond that supported in VMS/NT security
descriptors.

on the other hand, what the heck :)

 
> Which would only be two mapping functions (one read and one write) for
> every kind of ACL we ever want to support.

you have to define it first.  and remember, it's a security descriptor we
have to define, not just an acl.

acls are _contained_ in security descriptors.

> > > system sets permissions using the POSIX id. Rationale, samba is POSIX,
> > > NT is NT and they meet on the net, not on the POSIX system.
> >
> > please read http://cb1.com/~lkcl/cifs/draft-lkcl-sidtouidmap-01.html, i've
> > already covered exactly this issue, i'm not discussing it again in detail.
> >
> > please refer to the section that covers VMS ACL to POSIX ACL or unix
> > permission conversion.
> 
> I could find no section with relevance to if the identifier in an
> internal ACL representation in samba should be uid/gid/other based or
> SID based. As the rainbow paper said, a POSIX ACL implementation is

hmmm.... ok, i see what you mean.

ok, yes.  as long as there is maintained a one-to-one mapping between SIDs
and uid/gids, it's ok.



> not restricted to only work with uids and gids, other classes are
> acceptable too which could make them fully NT compatible.
> 
> Best regards
>   Michael Stockman
>   pgmtekn-micke at algonet.se
> 
> PS I'm working on some code as we discuss.

great!

please include an owner ACL, system ACL, owner SID and parent SID, because
that is the minimum requirement for VMS/NT security descriptors.

just looking at the stuff in here... the ACLs are revision-controlled,
therefore it should be possible to add different types of ACEs.

yes, it looks like the existing VMS/NT security descriptor system should
be sufficient and extendible.

for example,

uint16 revision = 3 (instead of revision 2)
uint16 size
uint32 num_aces

ACE_REV3* aces

ACE_REV3
{
	uint8 grant_or_deny
	uint8 inherit_flags
	uint16 size
	uint32 mask_permissions
	DOM_SID sid
	NTTIME active_from_time
	NTTIME active_until_time
}

basically, this is the same as VMS NT SDs except for the active_from_time.

additionally, if you're writing just an ACL implementation, not a security
descriptor implementation, we can call it revision 3, 4, 5, whatever, and
still store it in a security descriptor.

which is cool.
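
[Added example, not part of the original post and not Samba code: a checking function over the ACE_REV3 layout sketched above, showing how the two time fields would enter an ordered grant/deny walk. Assumptions: the sid_t type stands in for DOM_SID, the ACE_GRANT/ACE_DENY values are constructed, a time field of 0 means "no bound", and only one SID is checked where a real caller would try each SID of the user.]

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { ACE_GRANT = 0, ACE_DENY = 1 };   /* constructed values */

/* Simplified stand-in for DOM_SID (assumption, not Samba's layout). */
typedef struct { uint8_t num_auths; uint32_t sub_auths[8]; } sid_t;

typedef struct {                 /* fields follow the ACE_REV3 sketch */
    uint8_t  grant_or_deny;
    uint8_t  inherit_flags;
    uint16_t size;
    uint32_t mask_permissions;
    sid_t    sid;
    uint64_t active_from_time;   /* NTTIME; 0 = no lower bound (assumed) */
    uint64_t active_until_time;  /* NTTIME; 0 = no upper bound (assumed) */
} ace_rev3;

static bool sid_equal(const sid_t *a, const sid_t *b)
{
    return a->num_auths <= 8 && a->num_auths == b->num_auths &&
           memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}

static bool ace_active(const ace_rev3 *ace, uint64_t now)
{
    return (!ace->active_from_time || now >= ace->active_from_time) &&
           (!ace->active_until_time || now < ace->active_until_time);
}

/* Ordered walk: grants clear bits from 'needed'; any other ACE type is
 * treated as a deny and fails at once if it covers a still-needed bit.
 * ACEs outside their time window are skipped; no match means refusal. */
bool acl_rev3_check(const ace_rev3 *aces, uint32_t num_aces,
                    const sid_t *who, uint32_t desired, uint64_t now)
{
    uint32_t needed = desired;
    for (uint32_t i = 0; i < num_aces && needed; i++) {
        const ace_rev3 *ace = &aces[i];
        if (!sid_equal(&ace->sid, who) || !ace_active(ace, now))
            continue;
        if (ace->grant_or_deny == ACE_GRANT)
            needed &= ~ace->mask_permissions;
        else if (ace->mask_permissions & needed)
            return false;
    }
    return needed == 0;
}
```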



