NT ACL / Security descriptor checking function
Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Tue Feb 15 16:31:11 GMT 2000
> -----Original Message-----
> From: Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org]
> Sent: Friday, February 11, 2000 13:47
> To: Multiple recipients of list SAMBA-TECHNICAL
> Subject: Re: NT ACL / Security descriptor checking function
> On Sat, 12 Feb 2000, David Collier-Brown wrote:
> > Luke Kenneth Casson Leighton wrote:
> > > this was discussed four to five months ago, my recommendation was to do it
> > > the other way round: map immediately out as soon as possible to NT
> > > security descriptors, and maintain for as long as possible NT SDs
> > > converting to, say... POSIX or Unix ACLs or file permissions.
> > >
> > > reason: you don't want to impose a restriction, in the file-system
> > > example, of mapping to POSIX-based ACLs, only to find later that the
> > > underlying filesystem actually supports a much richer ACL
> > > than the [limited] POSIX one, or even fully supports NT security
> > > descriptors, such as the linux NTFS drivers.
> > I mildly agree: I speculate you have two modules,
> > one which just looks up the ACLs in an underlying
> > filesystem that supports them all, or supports
> > a superset. This may well be a stub unless you happen
> > to have linux NTFS handy...
> ok. what you do is you implement vfs-table "modules" that handle
> different filesystem mappings. the API takes NT security descriptor.
> for unix-perms, the vfs-chmodACL function is implemented using jeremy's
> code in nttrans.c. it takes a security descriptor, and depending on
> whether the target is a dir or a file, you map it to a subset of unix
> ugo+rwx permissions.
> for POSIX-acl-perms, the vfs-chmodACL function is implemented according to
> the guidelines described in www.fas.org/irp/nsa/rainbow/tg020-a.htm or if
> someone wants to go through the process of reinventing the wheel, they can.
Augh, I'm a good bit of the way there ... and I cover more than just
POSIX ACLs, too...
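
A simplified illustration of the unix-perms mapping described in the quoted message, added here as an example; it is not Jeremy's nttrans.c code or anything from Samba. The names `struct ace`, `enum trustee` and `dacl_to_mode` are hypothetical, SIDs are assumed to be already classified as owner, group, Everyone or some other SID, and only the file case is covered.

```c
#include <stdint.h>
#include <stddef.h>
/* Access-mask bits and ACE types as defined by Windows NT. */
#define FILE_READ_DATA   0x00000001u
#define FILE_WRITE_DATA  0x00000002u
#define FILE_EXECUTE     0x00000020u
#define GENERIC_ALL      0x10000000u
#define GENERIC_EXECUTE  0x20000000u
#define GENERIC_WRITE    0x40000000u
#define GENERIC_READ     0x80000000u
#define ACE_ALLOWED 0   /* ACCESS_ALLOWED_ACE_TYPE */
#define ACE_DENIED  1   /* ACCESS_DENIED_ACE_TYPE */

/* Assumption: SIDs are already resolved to one of these classes. */
enum trustee { T_OWNER, T_GROUP, T_EVERYONE, T_OTHER_SID };
struct ace { int type; enum trustee who; uint32_t mask; };

/* Reduce an NT access mask to the three bits Unix can store (r=4 w=2 x=1). */
static unsigned mask_to_rwx(uint32_t m)
{
    unsigned rwx = 0;
    if (m & (FILE_READ_DATA  | GENERIC_READ    | GENERIC_ALL)) rwx |= 4;
    if (m & (FILE_WRITE_DATA | GENERIC_WRITE   | GENERIC_ALL)) rwx |= 2;
    if (m & (FILE_EXECUTE    | GENERIC_EXECUTE | GENERIC_ALL)) rwx |= 1;
    return rwx;
}

/* Walk the DACL in order (an earlier ACE wins per bit, as on NT) and return
 * a mode such as 0640. *lossy is set when the mode cannot hold everything. */
unsigned dacl_to_mode(const struct ace *dacl, size_t n, int *lossy)
{
    unsigned allow[3] = {0, 0, 0}, deny[3] = {0, 0, 0};
    const uint32_t known = FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE |
                           GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ;
    *lossy = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned rwx = mask_to_rwx(dacl[i].mask);
        if (dacl[i].who == T_OTHER_SID || (dacl[i].mask & ~known))
            *lossy = 1;              /* no ugo slot, or a right with no rwx bit */
        if (dacl[i].who == T_OTHER_SID) continue;
        for (int c = 0; c < 3; c++) {   /* c: 0 = user, 1 = group, 2 = other */
            if (dacl[i].who != T_EVERYONE && (int)dacl[i].who != c) continue;
            if (dacl[i].type == ACE_DENIED)       deny[c]  |= rwx & ~allow[c];
            else if (dacl[i].type == ACE_ALLOWED) allow[c] |= rwx & ~deny[c];
        }
    }
    return (allow[0] << 6) | (allow[1] << 3) | allow[2];
}
```

The `lossy` flag marks the case raised in the thread: an ACE for an arbitrary SID, or a right such as WRITE_DAC, has no place in ugo+rwx and is dropped by this backend.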