NT ACL / Security descriptor checking function

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Tue Feb 15 16:31:11 GMT 2000


> -----Original Message-----
> From:	Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org]
> Sent:	Friday, February 11, 2000 13:47
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: NT ACL / Security descriptor checking function
> 
> On Sat, 12 Feb 2000, David Collier-Brown wrote:
> 
> > Luke Kenneth Casson Leighton wrote:
> > > this was discussed four to five months ago, my recommendation was to
> > > do it the other way round: map immediately out as soon as possible to
> > > NT security descriptors, and maintain for as long as possible NT SDs
> > > before converting to, say... POSIX or Unix ACLs or file permissions.
> > > 
> > > reason: you don't want to impose a restriction, in the file-system
> > > example, of mapping to POSIX-based ACLs, only to find later that the
> > > underlying filesystem actually supports a much richer ACL
> > > implementation than the [limited] POSIX one, or even fully supports NT
> > > security descriptors, such as the linux NTFS drivers.
> > 
> > 	I mildly agree: I speculate you have two modules,
> > 	one which just looks up the ACLS in an underlying
> > 	filesystem that supports them all, or supports
> > 	a superset. This may well be a stub unless you happen
> > 	to have linux NTFS handy...
> 
> ok.  what you do is you implement vfs-table "modules" that handle
> different filesystem mappings.  the API takes NT security descriptor.
> 
> for unix-perms, the vfs-chmodACL function is implemented using jeremy's
> code in nttrans.c  it takes a security descriptor, and depending on
> whether the target is a dir or a file, you map it to a subset of unix
> ugo+rwx permissions.
> 
> for POSIX-acl-perms, the vfs-chmodACL function is implemented according to
> the guidelines described in www.fas.org/irp/nsa/rainbow/tg020-a.htm or if
> someone wants to go through the process of reinventing the wheel, they can.
> 
	Augh, I'm a good bit of the way there ... and I cover more than just
POSIX ACLs, too...
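
The mapping described in the quoted message (security descriptor in, a subset of unix ugo+rwx out), as an added example that is not part of the original thread and is not Samba's nttrans.c code. The struct layout, `sd_to_mode`, `sample_mode` and the sample SIDs are assumptions made for illustration; the function flags whatever the mode bits cannot represent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ACE_ALLOWED     0        /* ACCESS_ALLOWED_ACE_TYPE */
#define ACE_DENIED      1        /* ACCESS_DENIED_ACE_TYPE */
#define FILE_READ_DATA  0x0001u  /* FILE_LIST_DIRECTORY on a directory */
#define FILE_WRITE_DATA 0x0002u  /* FILE_ADD_FILE on a directory */
#define FILE_EXECUTE    0x0020u  /* FILE_TRAVERSE on a directory */
#define SID_EVERYONE    "S-1-1-0"

/* Simplified, hypothetical stand-ins for a parsed security descriptor. */
struct ace { int type; const char *sid; uint32_t mask; };
struct sec_desc { const char *owner, *group; size_t n; const struct ace *dacl; };

/* Returns ugo mode bits. *lossy is set when the DACL holds anything mode
 * bits cannot express; a caller should then refuse rather than apply it. */
unsigned sd_to_mode(const struct sec_desc *sd, int *lossy)
{
    unsigned mode = 0, shift;
    *lossy = 0;
    for (size_t i = 0; i < sd->n; i++) {
        const struct ace *a = &sd->dacl[i];
        if (a->type != ACE_ALLOWED) { *lossy = 1; continue; }  /* deny ACE */
        if (strcmp(a->sid, sd->owner) == 0) shift = 6;
        else if (strcmp(a->sid, sd->group) == 0) shift = 3;
        else if (strcmp(a->sid, SID_EVERYONE) == 0) shift = 0;
        else { *lossy = 1; continue; }                         /* extra trustee */
        if (a->mask & ~(FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE)) *lossy = 1;
        mode |= (((a->mask & FILE_READ_DATA) ? 4u : 0u) | ((a->mask & FILE_WRITE_DATA) ? 2u : 0u)
                 | ((a->mask & FILE_EXECUTE) ? 1u : 0u)) << shift;
    }
    return mode;
}

/* Constructed sample DACL: owner rw-, group r--, Everyone r--, one deny ACE. */
static const struct ace sample_dacl[] = {
    { ACE_ALLOWED, "S-1-5-21-1-2-3-1001", FILE_READ_DATA | FILE_WRITE_DATA },
    { ACE_ALLOWED, "S-1-5-21-1-2-3-513",  FILE_READ_DATA },
    { ACE_ALLOWED, SID_EVERYONE,          FILE_READ_DATA },
    { ACE_DENIED,  "S-1-5-21-1-2-3-1002", FILE_READ_DATA },
};
int sample_lossy;
unsigned sample_mode(size_t n_aces)   /* maps the first n_aces sample ACEs */
{
    struct sec_desc sd = { "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513", n_aces, sample_dacl };
    return sd_to_mode(&sd, &sample_lossy);
}

int main(void) { unsigned m = sample_mode(4); printf("%04o lossy=%d\n", m, sample_lossy); return 0; }
```

With the deny ACE included the mode is still 0644, which is why the flag matters: applying that mode silently would grant the denied trustee read access through the Everyone bits.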

