ACL / SDs

Michael Stockman pgmtekn-micke at algonet.se
Wed Feb 23 00:43:07 GMT 2000


Hello,

Yet again a status report. I have got ACLs running and seeming to work
(except for maximum allowed). I'm currently doing SDs and would really
like to know where I can find the NET_USER_INFO3 structure that Luke
has written about.

SDs:
I'm working on it. Really, it's no big deal. The issue is to obtain
the user's uid and gids, but I trust Luke has got them stored
somewhere.

typedef struct __sd
{
  uint32 flags;
  id_entity owner;
  id_entity group;
  ACL *dacl;
  ACL *sacl;
  ACL *racl;
} SD;

The racl is intended to be the root (override) ACL. Since ACLs are
only stored as pointers, it could be shared between all SDs in a
module and defined in some config file.

A trap is that NT apparently can set an ACL pointer to NULL and (with
a flag set) consider it to be an all allowing ACL. I'm not happy with
that (and will probably map it).

The ACLs are evaluated in racl, sacl, dacl order. For access to be
granted, any of the ACLs must grant complete access.

ACLs:
Mostly done. Thanks to the acl_from_str I've been able to test it a
little and there are also functions to dump an acl in human readable
format (both with printf and DEBUG).

The maximum allowed stuff is left (no one has even tried to tell me
which bits it should return). Personally, I don't like it very much as
I think it's mainly there to facilitate bad coding (tell me what you
want or you will get EACCESS :). There's an example to answer at the
end.

Bit usage in access masks:
In NT the access mask is 32 bits where the first 16 bits are system
defined and the last 16 bits specific to the object type. I think we
should keep (most of) this behaviour, but there are some bits that are
specific to requests for permissions and don't belong in an ACL
(e.g. MAXIMUM_ALLOWED and the generic permissions). Does anyone have any
objections to throwing them out of the internal access_mask and only
having them in the NT access_mask?

Also, some NT bits do in unix correspond to permissions of the
container rather than to the object. Expect the read_acl / write_acl
functions to require names of both the file and the directory
when the object is a file.

Read and write functions:
I haven't started on those yet. They'll be my next task after the SDs
(at least those that I can do).

Documentation:
Some preliminary documentation for the ACL API has been written.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se

Example of ACL, tell me what MAXIMUM ALLOWED should return (and why):
ACE allows 0x7FFF
ACE denies 0x0001
ACE allows 0x8000
These three ACEs apply to the user.
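
Added example, not part of the original message or of Samba's code: one way to compute MAXIMUM ALLOWED for the three ACEs above, assuming NT-style ordered evaluation in which the first ACE to mention a bit decides it. The type and function names are hypothetical, and the second ACL is constructed to show how the result depends on ACE order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types for this example, not the structures from the message. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; };

/*
 * Assumed rule: ACEs are walked in order and the first ACE that mentions a
 * bit decides it. An allow ACE grants bits not already denied; a deny ACE
 * denies bits not already granted.
 */
static uint32_t max_allowed(const struct ace *aces, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (aces[i].type == ACE_ALLOW)
            granted |= aces[i].mask & ~denied;
        else
            denied |= aces[i].mask & ~granted;
    }
    return granted;
}

/* Ordinary check of a specific request under the same rule: 1 = granted. */
static int access_check(const struct ace *aces, size_t n, uint32_t desired)
{
    for (size_t i = 0; i < n; i++) {
        if (aces[i].type == ACE_ALLOW)
            desired &= ~aces[i].mask;      /* these bits are now satisfied */
        else if (aces[i].mask & desired)
            return 0;                      /* a still-wanted bit is denied */
    }
    return desired == 0;
}

/* Constructed input: the three ACEs listed at the end of the message. */
static const struct ace example_acl[] = {
    { ACE_ALLOW, 0x7FFF }, { ACE_DENY, 0x0001 }, { ACE_ALLOW, 0x8000 } };
/* Constructed variant: same ACEs with the deny moved to the front. */
static const struct ace deny_first_acl[] = {
    { ACE_DENY, 0x0001 }, { ACE_ALLOW, 0x7FFF }, { ACE_ALLOW, 0x8000 } };

int main(void)
{
    printf("as posted:  0x%04X\n", (unsigned)max_allowed(example_acl, 3));
    printf("deny first: 0x%04X\n", (unsigned)max_allowed(deny_first_acl, 3));
    return 0;
}
```

Under this rule the mask returned for MAXIMUM ALLOWED is exactly the set of bits that a specific request on the same ACL would be granted, so the deny ACE only takes effect when it precedes the allow ACE covering the same bit.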




