NT ACL / Security descriptor checking function

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Feb 15 23:02:26 GMT 2000


> 	The generic ACL facility (plus NT mapping) is something I've been
> doing work on here, I just need to get an OK to release it.  The SID<->posix
> id mapping stuff I've been doing on my own time.

tim, we're really starting to need that, tim potter is writing a
winbindd_surs, luke howard wrote an nt5ldap_surs, i created sursalgdomonly
from the 2.0.x / TNG code.

we _really_ need a consistent interface / redirector to this stuff.

 
> 	The one big gap remaining is what luke needs here -- APIs to check
> and manipulate NT ACLs.

it's SDs, not just ACLs.  i have the packing / unpacking code, i just need
that check-function.

OK!!!! i had someone check the MSDN, it's a very low-level routine in the
NT DDK, called SeAccessCheck:

BOOLEAN SeAccessCheck(
IN PSEC_DESC sec_desc,
IN PSEC_SUBJECT_CONTEXTS subject_sec_ctxt,
IN BOOL subjectcontextlocked,
IN ACCESS_MASK desiredaccess,
IN ACCESS_MASK previouslygrantedaccess,
OUT PPRIVILEGE_SET *privileges,
IN PGENERIC_MAPPING gen_map,
IN KPROCESSOR_MODE accessmode,
OUT PACCESS_MASK grantedaccess,
OUT PNTSTATUS accessstatus
);


_dis_ da function i need.  it takes security descriptor (equivalent to
SEC_DESC_BUF) ,subject's security context (equivalent to vuser_key /
NET_USER_INFO_3 stuff), access_mask desired (SEC_RIGHTS_READ etc), and
returns yes/no, granted access (yes, this is important because it's
possible to request SEC_MAXIMUM_ALLOWED and you only get, say,
SEC_RIGHTS_READ back).

luke
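
Added example, not part of the original message and not Samba or NT code: a minimal sketch of the kind of check function described above, walking a DACL in order and returning both a yes/no result and the granted mask, so a maximum-allowed request can come back with fewer rights than hoped for. All names (ex_*), the integer stand-ins for SIDs and the READ/WRITE bit values are assumptions made for illustration; owner rights, privileges, generic mapping and the NULL-DACL case are left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define EX_MAXIMUM_ALLOWED 0x02000000u /* same bit as NT's MAXIMUM_ALLOWED */
#define EX_READ  0x1u                  /* constructed rights bits */
#define EX_WRITE 0x2u
enum ex_ace_type { EX_ALLOW, EX_DENY };
struct ex_ace { enum ex_ace_type type; uint32_t sid; uint32_t mask; };

/* Constructed sample: group 513 is denied WRITE, then user 1000 is allowed READ|WRITE. */
static const struct ex_ace ex_dacl[] = {
    { EX_DENY,  513,  EX_WRITE },
    { EX_ALLOW, 1000, EX_READ | EX_WRITE },
};
static const uint32_t ex_sids[] = { 1000, 513 }; /* subject: user + group */

static int ex_has_sid(const uint32_t *sids, size_t n, uint32_t sid)
{
    for (size_t i = 0; i < n; i++)
        if (sids[i] == sid) return 1;
    return 0;
}

/* Returns 1 if access is granted, 0 if not; *granted gets the rights given. */
int ex_access_check(const struct ex_ace *dacl, size_t n_aces,
                    const uint32_t *sids, size_t n_sids,
                    uint32_t desired, uint32_t *granted)
{
    uint32_t allowed = 0, denied = 0;
    int want_max = (desired & EX_MAXIMUM_ALLOWED) != 0;
    desired &= ~EX_MAXIMUM_ALLOWED;
    *granted = 0;
    /* ACEs are walked in order: the first matching ACE to name a bit decides it. */
    for (size_t i = 0; i < n_aces; i++) {
        if (!ex_has_sid(sids, n_sids, dacl[i].sid)) continue;
        if (dacl[i].type == EX_ALLOW) allowed |= dacl[i].mask & ~denied;
        else                          denied  |= dacl[i].mask & ~allowed;
    }
    if (desired & ~allowed) return 0;   /* a requested bit was not allowed */
    *granted = want_max ? allowed : desired;
    return want_max ? allowed != 0 : 1;
}

int main(void)
{
    uint32_t g;
    int ok = ex_access_check(ex_dacl, 2, ex_sids, 2, EX_MAXIMUM_ALLOWED, &g);
    printf("ok=%d granted=0x%x\n", ok, (unsigned)g);
    return 0;
}
```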


