NT ACL / Security descriptor checking function

Elrond Elrond at Wunder-Nett.org
Sat Feb 12 18:37:41 GMT 2000


On Sun, Feb 13, 2000 at 05:19:11AM +1100, Luke Kenneth Casson Leighton wrote:
> On Sun, 13 Feb 2000, Elrond wrote:
> 
> > On Sat, Feb 12, 2000 at 09:22:53PM +1100, Michael Stockman wrote:
> > [...]
> > > > jeremy has done a perfectly good job of coming up with heuristics to
> > > > turn VMS security descriptors into unix file permissions.  from what i
> > > > understand, the rules are simple: throw away any bits you can't use.
> > > > they're only going to be useful to us (the remaining bits) _anyway_.
> > > 
> > > Would that be the NT bits that the file system doesn't support?
> > > Suppose that the file system has bits NT doesn't support, that aren't
> > > ever sent to NT, and that the NT user wouldn't have changed if he had
> > > know about them? There could be reason to apply "diffs" to ACLs rather
> > > than straight sets.
> > 
> > Many Unix-filesystems have special bits, that are not
> > easily mapped to NT-ACLs. The sticky and setgid/setuid-bits
> > come to mind.
> 
> they don't map to ACLs, but they do map to security descriptors.  there's

Okay... My fault. I mostly say "ACL" and mean SD.

But some of those are hard to map to NT-_SD_s.

sticky (t) on directories can be emulated by doing some
tricks with CREATOR-OWNER.

But I currently don't see the equivalent of setuid/setgid
or sticky-bit on files (also I don't know what the
current POSIX-semantics for +t on files are)

> an owner ACL, system ACL, parent SID and group SID.

Is there really an "owner ACL"? When I last played on NT
and wrote a "show-sd", there was only an "owner-SID".

And what is a "parent SID"?

> > And the ext2-fs of Linux has some special bits too. "s" for
> > example means, that the contents of the file gets zeroed,
> > when it is being deleted.
> > (Since these are special to that filesystem, you can't
> > modify these bits incidentally with chmod.)
> 
> yaay.  excellent!  real-world examples!

("man chattr" on your linux box for more of those)

AFAIK freebsd also has some... but since I haven't got any
more access to a freebsd box (and I'm not willing to
install one), I don't know anything there.


    Elrond
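The layout question raised in the message above (owner SID vs. "owner ACL") and the CREATOR OWNER trick for sticky directories are both easy to see on the wire, so here is an added example, not code from the thread or from Samba. It packs and decodes a self-relative NT security descriptor using the published binary layouts (20-byte header with Revision, Sbz1, Control and four offsets; binary SIDs; ACL header; ACCESS_ALLOWED ACEs), in which the owner and primary group are SIDs and only the DACL and SACL are ACLs. The `sticky_dir_dacl` function is one possible emulation of `+t` on a directory and is an assumption of this example, not the mapping Samba actually uses; the SIDs in the usage section are constructed sample values.

```python
import struct

# Constants from the documented SD / ACE / access-mask formats
SE_DACL_PRESENT  = 0x0004
SE_SELF_RELATIVE = 0x8000

ACCESS_ALLOWED_ACE_TYPE = 0x00
OBJECT_INHERIT_ACE      = 0x01
CONTAINER_INHERIT_ACE   = 0x02
INHERIT_ONLY_ACE        = 0x08

FILE_LIST_DIRECTORY   = 0x00000001
FILE_ADD_FILE         = 0x00000002
FILE_ADD_SUBDIRECTORY = 0x00000004
FILE_TRAVERSE         = 0x00000020
DELETE                = 0x00010000
GENERIC_ALL           = 0x10000000
GENERIC_EXECUTE       = 0x20000000
GENERIC_READ          = 0x80000000

EVERYONE      = "S-1-1-0"
CREATOR_OWNER = "S-1-3-0"   # replaced by the creator's SID when an ACE is inherited


def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2-...' into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    rev, auth = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf, off):
    """Decode the binary SID at buf[off:]; returns (text, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count


def access_allowed_ace(flags, mask, sid):
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, flags, 4 + len(body)) + body


def acl_from_aces(aces):
    body = b"".join(aces)
    # AclRevision=2, Sbz1, AclSize, AceCount, Sbz2
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_sd(owner, group, dacl_aces):
    """Self-relative SD: 20-byte header, then owner SID, group SID, DACL (no SACL)."""
    o, g, d = sid_to_bytes(owner), sid_to_bytes(group), acl_from_aces(dacl_aces)
    off_owner = 20
    off_group = off_owner + len(o)
    off_dacl = off_group + len(g)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return hdr + o + g + d


def parse_sd(buf):
    """Decode a self-relative SD into owner/group SIDs plus the DACL's ACEs."""
    _rev, _sbz, control, off_owner, off_group, off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"owner": bytes_to_sid(buf, off_owner)[0] if off_owner else None,
          "group": bytes_to_sid(buf, off_group)[0] if off_group else None,
          "sacl_present": bool(off_sacl), "dacl": None}
    if control & SE_DACL_PRESENT and off_dacl:
        _arev, _s1, _size, count, _s2 = struct.unpack_from("<BBHHH", buf, off_dacl)
        pos, aces = off_dacl + 8, []
        for _ in range(count):
            ace_type, flags, size = struct.unpack_from("<BBH", buf, pos)
            (mask,) = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = bytes_to_sid(buf, pos + 8)
            aces.append({"type": ace_type, "flags": flags, "mask": mask, "sid": sid})
            pos += size
        sd["dacl"] = aces
    return sd


def sticky_dir_dacl():
    """Assumed +t emulation (not Samba's): everyone may list/traverse the directory
    and create entries in it (FILE_DELETE_CHILD is deliberately not granted), every
    child inherits read/execute for everyone without DELETE, and only the creator of
    each child gets DELETE, via an inherit-only CREATOR OWNER ACE."""
    return [
        access_allowed_ace(0, FILE_LIST_DIRECTORY | FILE_TRAVERSE |
                           FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY, EVERYONE),
        access_allowed_ace(OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
                           GENERIC_READ | GENERIC_EXECUTE, EVERYONE),
        access_allowed_ace(OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
                           GENERIC_ALL | DELETE, CREATOR_OWNER),
    ]


if __name__ == "__main__":
    # Constructed sample SIDs, not taken from any real domain
    sd = build_sd("S-1-5-21-1-2-3-1000", "S-1-5-21-1-2-3-513", sticky_dir_dacl())
    for key, value in parse_sd(sd).items():
        print(key, value)
```

Note that nothing in the descriptor corresponds to setuid/setgid on a file: the mapping is lossy in that direction, which is exactly the gap the message points out.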


