NT ACL / Security descriptor checking function
Luke Kenneth Casson Leighton
lkcl at samba.org
Sat Feb 12 18:08:12 GMT 2000
> implementation of VMS/NT ACLs in which case we will need to use their
> bits (and should they ever change ..., i don't want to think about
> it).
that is highly unlikely. in fact, i think it's safe to say it's never
going to happen. legacy reasons.
> > they're only going to be useful to us (the remaining bits) _anyway_.
>
> Would that be the NT bits that the file system doesn't support?
yep.
> Suppose that the file system has bits NT doesn't support, that aren't
> ever sent to NT, and that the NT user wouldn't have changed if he had
> known about them? There could be reason to apply "diffs" to ACLs rather
> than straight sets.
again, in real-world environments, i think it's HIGHLY unlikely that any
ACL-based system in a real OS on which samba is going to be running is
going to support anything beyond that supported in VMS/NT security
descriptors.
on the other hand, what the heck :)
> Which would only be two mapping functions (one read and one write) for
> every kind of ACL we ever want to support.
you have to define it first. and remember, it's a security descriptor we
have to define, not just an acl.
acls are _contained_ in security descriptors.
> > > system sets permissions using the POSIX id. Rationale, samba is POSIX,
> > > NT is NT and they meet on the net, not on the POSIX system.
> >
> > please read http://cb1.com/~lkcl/cifs/draft-lkcl-sidtouidmap-01.html, i've
> > already covered exactly this issue, i'm not discussing it again in detail.
> >
> > please refer to the section that covers VMS ACL to POSIX ACL or unix
> > permission conversion.
>
> I could find no section with relevance to if the identifier in an
> internal ACL representation in samba should be uid/gid/other based or
> SID based. As the rainbow paper said, a POSIX ACL implementation is
hmmm.... ok, i see what you mean.
ok, yes. as long as there is maintained a one-to-one mapping between SIDs
and uid/gids, it's ok.
> not restricted to only work with uids and gids, other classes are
> acceptable too which could make them fully NT compatible.
>
> Best regards
> Michael Stockman
> pgmtekn-micke at algonet.se
>
> PS I'm working on some code as we discuss.
great!
please include an owner ACL, system ACL, owner SID and parent SID, because
that is the minimum requirement for VMS/NT security descriptors.
just looking at the stuff in here... the ACLs are revision-controlled,
therefore it should be possible to add different types of ACEs.
yes, it looks like the existing VMS/NT security descriptor system should
be sufficient and extendible.
for example,

    uint16 revision = 3 (instead of revision 2)
    uint16 size
    uint32 num_aces
    ACE_REV3* aces

    ACE_REV3
    {
        uint8 grant_or_deny
        uint8 inherit_flags
        uint16 size
        uint32 mask_permissions
        DOM_SID sid
        NTTIME active_from_time
        NTTIME active_until_time
    }

basically, this is the same as VMS NT SDs except for the active_from_time.
additionally, if you're writing just an ACL implementation, not a security
descriptor implementation, we can call it revision 3, 4, 5, whatever, and
still store it in a security descriptor.
which is cool.
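
The revision-3 ACE layout proposed in the message above, carried through to an ordered access check with time-limited ACEs (an added example, not part of the original post and not Samba code). The reduction of DOM_SID to one integer, the grant/deny encoding, treating a zero NTTIME as "no bound", the permission bit values, and the names ace_rev3, acl_rev3_check, sample_acl and sample_token are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical in-memory form of the ACE_REV3 sketched in the message.
 * DOM_SID is reduced to one integer; real SIDs are variable-length. */
enum { ACE_GRANT = 0, ACE_DENY = 1 };    /* assumed grant_or_deny encoding */

typedef struct {
    uint8_t  grant_or_deny;
    uint8_t  inherit_flags;
    uint16_t size;
    uint32_t mask_permissions;
    uint32_t sid;                /* stand-in for DOM_SID */
    uint64_t active_from_time;   /* NTTIME; 0 = no lower bound (assumption) */
    uint64_t active_until_time;  /* NTTIME; 0 = no upper bound (assumption) */
} ace_rev3;

/* Constructed sample: bit 0x1 = read, 0x2 = write. User 1001 is denied
 * write between t=100 and t=200; group 513 is granted read and write. */
const ace_rev3 sample_acl[] = {
    { ACE_DENY,  0, sizeof(ace_rev3), 0x2, 1001, 100, 200 },
    { ACE_GRANT, 0, sizeof(ace_rev3), 0x3, 513,  0,   0   },
};
const uint32_t sample_token[] = { 1001, 513 };   /* caller's SIDs */

static int ace_active(const ace_rev3 *a, uint64_t now)
{
    if (a->active_from_time && now < a->active_from_time) return 0;
    if (a->active_until_time && now > a->active_until_time) return 0;
    return 1;
}

/* Returns 1 only if every bit in `wanted` is granted. ACEs are walked in
 * order; an active deny on a still-ungranted bit fails; default is deny. */
int acl_rev3_check(const ace_rev3 *aces, uint32_t num_aces, const uint32_t *sids,
                   size_t num_sids, uint32_t wanted, uint64_t now)
{
    uint32_t remaining = wanted;
    for (uint32_t i = 0; i < num_aces && remaining; i++) {
        const ace_rev3 *a = &aces[i];
        int match = 0;
        for (size_t s = 0; s < num_sids; s++)
            if (sids[s] == a->sid) match = 1;
        if (!match || !ace_active(a, now)) continue;   /* expired ACEs are skipped */
        if (a->grant_or_deny == ACE_DENY && (a->mask_permissions & remaining)) return 0;
        if (a->grant_or_deny == ACE_GRANT) remaining &= ~a->mask_permissions;
    }
    return remaining == 0;
}
```

Because an ACE outside its time window is skipped rather than treated as a deny, an expired deny entry silently widens access; any implementation of the time fields needs a trustworthy clock on the server doing the check.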