ACL / SD support
Luke Kenneth Casson Leighton
lkcl at samba.org
Sun Feb 13 20:01:25 GMT 2000
> Contains one allow mask and one deny mask for an entity. This is
> different from how NT does if (different type for allow ACEs and deny
> ACEs), and forces the definition that a deny mask is evaluated before
> the allow mask. This decision is made to allow any rwxrwxrwx
> permission to be mapped to 3 ACEs, which I think would be the obvious
> thing to do.
it may be obvious, however it is a deliberate design restriction that is
unnecessary, if you ask me.
> Flags contains some inheritance stuff. Type specifies if the ACE is
> access controlling, audit controlling or alarm controlling (not
> currently implemented in NT I believe).
> Should we for example want time control, time fields can be added and
> a flag to say timing is in effect. I would rather not have several ACE
... if you have a "type", what is wrong with that? i have tried several
times in samba code to take an initial approach where is simply added
extra structures to a union or just extra members to a structure.
i alway, always, end up replacing it with a "type", void*, size (if not
using malloc) and if no size parameter i have a pointer-to-free function:
it depends on whether you want to static-store the data or dynamic-store
the data. obviously, you can't have a free_function for off-line storage
of a dat structure (read/write to disk).
> Contains the ACEs and a count of them.
> There is no sence of ACL revision, the ACL will contain all data and
> thus the format (revision) is added when the ACL is mapped to NT
> format. I would rather see that internal ACLs that must be stored on
> disk are stored in a revision independent format. After all, all
you're locking yourself into an out-of-date system, before you've even
started. a "revision" number allows you to make the kinds of decisions
to continue supporting what will become legacy systems, whilst still be
able to move forward on more dramatic designs.
the ugo+rwx system is a classic example. noone can get away from it
because there's no room to expand it without a total redesign.
> I have already descided not to include override facilities here (like
> root) and think it is up to the various places where ACLs is checked
> to define their own (possibly shared) override ACL, if that
> functionality is desired.
yes, that's good to have - you want the ACL to be kept simple. adding
"poverrode" facilities complicates the design. if you _want_ override
facilities it should be granted to an ACL-controlled set of users, anyway!
More information about the samba-technical