ACL / SDs

Luke Kenneth Casson Leighton lkcl at samba.org
Wed Feb 23 01:36:09 GMT 2000


On Wed, 23 Feb 2000, Michael Stockman wrote:

> Hello,
> 
> Yet again a status report. I have got ACLs running and seeming to work
> (except for maximum allowed). I'm currently doing SDs and would really
> like to know where I can find the NET_USER_INFO3 structure that Luke
> has written about.

grep */*.h NET_USER_INFO3 shows it's in include/smb.h in user_struct and
in include/rpc_netlogon.h
 
> SDs:
> I'm working on it. Really, it's no big deal. The issue is to obtain

great.  see include/rpc_secdes.h

> the user's uid and gids, but I trust Luke has got them stored
> somewhere.

yes.  user_struct.  the NT-equivalent info, minus the Domain SID (because
NET_USER_INFO3 only stores user_rid, group_rid, n_groups,
member_group_rids*) is in NET_USER_INFO3 usr member of user_struct.

the tricky bit is that strictly speaking we shouldn't be using the local
unix user groups but instead doing this:

int i;
int n_unixgroups = user_info3.usr.n_groups;
gid_t *unixgroups = malloc(n_unixgroups * sizeof(gid_t));
/* (check unixgroups for NULL before going on) */
for (i = 0; i < n_unixgroups; i++)
{
	/* domain SID + group RID gives the group's full SID... */
	DOM_SID sid = user_info3.domain_sid;
	sid_append_rid(&sid, user_info3.usr.group_ridmem[i]);
	/* ...which SURS maps to a unix gid */
	surs_sid_to_unixid(&sid, SID_NAME_DOMGRP, &unixgroups[i]);
}

_then_ do a setgroups(n_unixgroups, unixgroups);

i think.

hmmm...

> typedef struct __sd
> {
>   uint32 flags;
>   id_entity owner;
>   id_entity group;
>   ACL *dacl;
>   ACL *sacl;
>   ACL *racl;
> } SD;
> The racl is intended to be the root (override) ACL. Since ACLs are
> only stored as pointers, it could be shared between all SDs in a
> module and defined in some config file.
> 
> A trap is that NT apparently can set an ACL pointer to NULL and (with
> a flag set) consider it to be an all allowing ACL. I'm not happy with
> that (and will probably map it).
> 
> The ACLs are evaluated in racl, sacl, dacl order. For access to be
> granted, any of the ACLs must grant complete access.
> 
> ACLs:
> Mostly done. Thanks to the acl_from_str I've been able to test it a
> little and there are also functions to dump an acl in human readable
> format (both with printf and DEBUG).
> 
> The maximum allowed stuff is left (no one has even tried to tell me
> which bits it should return). Personally, I don't like it very much as
> I think it's mainly there to facilitate bad coding (tell me what you
> want or you will get EACCESS :). There's an example to answer at the
> end.

the way that maximum_allowed works is in SeAccessCheck.

if the DesiredAccess parameter is SEC_MAXIMUM_ALLOWED then instead of
doing a mask-match in each individual ACE to find out whether the
permissions desired are allowed, you RETURN the permissions of the first
ACE against which the user successfully matches.  this is returned in the
GrantedAccess out-parameter of SeAccessCheck.

or the user's group.  or group members.

so, as an ACL writer, you don't need to worry about SEC_MAXIMUM_ALLOWED.
the ONLY person that has to worry about this is the person (or persons)
that implements SeAccessCheck.

> Bit usage in access masks:
> In NT the access mask is 32 bits where the first 16 bits are system
> defined and the last 16 bits specific to the object type.

ah.  really?  interesting.  hmmm.... explains a lot.

> I think we
> should keep (most of) this behaviour, but there are some bits that are
> specific to requests for permissions and don't belong in an ACL
> (eg MAXIMUM_ALLOWED and the generic permissions). Does anyone have any

MAXIMUM_ALLOWED? no.

generic permissions?  no.  again, genericmapping is specific to
SeAccessCheck.  it's one of the arguments to this function, i was
wondering what it was for!

> objections to throwing them out of the internal access_mask and only
> having them in the NT access_mask?

yes.  i told you, the minimum _and_ the maximum requirement is for full SD
support.  nothing more is necessary, and anything less will make it
unusable for generic support.

> Also, some NT bits do in unix correspond to permissions of the
> container rather than to the object. Expect the read_acl / write_acl
> functions to require names of both the file and the directory
> when the object is a file.
> 
> Read and write functions:
> I haven't started on those yet. They'll be my next task after the SDs
> (at least those that I can do).
> 
> Documentation:
> Some preliminary documentation for the ACL API has been written.
> 
> Best regards
>   Michael Stockman
>   pgmtekn-micke at algonet.se
> 
> Example of ACL, tell me what MAXIMUM ALLOWED should return (and why):
> ACE allows 0x7FFF
> ACE denies 0x0001
> ACE allows 0x8000
> These three ACEs apply to the user.

MAXIMUM_ALLOWED is SeAccessCheck specific.  are you implementing this
function?

thx,

luke
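A worked illustration of the access-check rules discussed in this message, added here as example code; it is not Samba code and not from either correspondent. It uses its own constructed types (ace_t, acl_t, token_t, with numeric ids standing in for SIDs) rather than Samba's SEC_ACE/SEC_ACL, and a NULL acl stands for the "NULL ACL with a flag set means allow everything" case Michael mentions. The ordinary request path mask-matches each ACE in order, as Luke describes. For SEC_MAXIMUM_ALLOWED it goes one step beyond Luke's "first matching ACE" wording and accumulates the bits of every matching allow ACE, with a deny ACE only removing bits that no earlier allow ACE has already granted; that is the rule Windows' SeAccessCheck applies, and it reduces to Luke's wording when only one ACE matches. Run on Michael's three-ACE example it shows that in the order he gave them (allow before deny) the deny of 0x0001 is ineffective, so MAXIMUM_ALLOWED returns 0xFFFF and an explicit request for 0x0001 succeeds, while with the deny moved first (canonical NT order) MAXIMUM_ALLOWED returns 0xFFFE and the request for 0x0001 fails.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified types for this example (not Samba's SEC_ACE/SEC_ACL). */
#define SEC_MAXIMUM_ALLOWED 0x02000000u  /* the MAXIMUM_ALLOWED bit of an NT access mask */

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; uint32_t trustee; uint32_t mask; } ace_t;  /* trustee: numeric stand-in for a SID */
typedef struct { int n_aces; const ace_t *aces; } acl_t;
/* The subject: user id plus group ids (what user_struct's SID and group RIDs give you). */
typedef struct { uint32_t user; int n_groups; const uint32_t *groups; } token_t;

static int token_matches(const token_t *tok, uint32_t trustee)
{
    int i;
    if (tok->user == trustee)
        return 1;
    for (i = 0; i < tok->n_groups; i++)
        if (tok->groups[i] == trustee)
            return 1;
    return 0;
}

/* Simplified SeAccessCheck: returns 1 if access is granted, 0 if not, and fills *granted
   (the GrantedAccess out-parameter).  acl == NULL models the "NULL ACL with flag set" case. */
int access_check(const acl_t *acl, const token_t *tok, uint32_t desired, uint32_t *granted)
{
    int i;
    uint32_t allowed = 0, denied = 0, remaining = desired;
    if (acl == NULL) {
        *granted = (desired == SEC_MAXIMUM_ALLOWED) ? ~SEC_MAXIMUM_ALLOWED : desired;
        return 1;
    }
    if (desired == SEC_MAXIMUM_ALLOWED) {
        /* No mask to match against: walk every ACE the token matches and accumulate
           what it allows.  A deny ACE only takes away bits that no earlier allow ACE
           granted, which is why ACE order (denies first) matters. */
        for (i = 0; i < acl->n_aces; i++) {
            const ace_t *ace = &acl->aces[i];
            if (!token_matches(tok, ace->trustee))
                continue;
            if (ace->type == ACE_ALLOW)
                allowed |= ace->mask & ~denied;
            else
                denied |= ace->mask & ~allowed;
        }
        *granted = allowed;
        return allowed != 0;
    }
    /* Ordinary request: mask-match each ACE in order.  A matching deny ACE that covers
       any still-wanted bit fails the check at once; a matching allow ACE strikes its
       bits off the wanted set. */
    for (i = 0; i < acl->n_aces && remaining != 0; i++) {
        const ace_t *ace = &acl->aces[i];
        if (!token_matches(tok, ace->trustee))
            continue;
        if (ace->type == ACE_DENY && (ace->mask & remaining)) {
            *granted = 0;
            return 0;
        }
        if (ace->type == ACE_ALLOW)
            remaining &= ~ace->mask;
    }
    *granted = (remaining == 0) ? desired : 0;
    return remaining == 0;
}

/* What MAXIMUM_ALLOWED hands back for this token (the GrantedAccess value). */
uint32_t max_allowed(const acl_t *acl, const token_t *tok)
{
    uint32_t g;
    access_check(acl, tok, SEC_MAXIMUM_ALLOWED, &g);
    return g;
}

/* Michael's example in the order he gave it; trustee 1000 is a constructed id. */
static const ace_t given_aces[] = { { ACE_ALLOW, 1000, 0x7FFF }, { ACE_DENY, 1000, 0x0001 }, { ACE_ALLOW, 1000, 0x8000 } };
const acl_t given_acl = { 3, given_aces };

/* The same three ACEs in canonical NT order: deny ACEs before allow ACEs. */
static const ace_t canonical_aces[] = { { ACE_DENY, 1000, 0x0001 }, { ACE_ALLOW, 1000, 0x7FFF }, { ACE_ALLOW, 1000, 0x8000 } };
const acl_t canonical_acl = { 3, canonical_aces };

static const uint32_t user_groups[] = { 513 };   /* constructed group id */
const token_t the_user = { 1000, 1, user_groups };

int main(void)
{
    uint32_t g;
    printf("given order:     MAXIMUM_ALLOWED -> 0x%04X, request 0x0001 -> %s\n",
           max_allowed(&given_acl, &the_user), access_check(&given_acl, &the_user, 0x0001, &g) ? "granted" : "denied");
    printf("canonical order: MAXIMUM_ALLOWED -> 0x%04X, request 0x0001 -> %s\n",
           max_allowed(&canonical_acl, &the_user), access_check(&canonical_acl, &the_user, 0x0001, &g) ? "granted" : "denied");
    return 0;
}
```

The point for an ACL writer is the one Luke makes: the ACL only stores allow and deny ACEs, and the MAXIMUM_ALLOWED and generic-mapping handling lives entirely in the access-check routine. The point for whoever writes or stores ACLs is that a deny ACE placed after an allow ACE for the same bits has no effect under either path, so keeping ACEs in canonical order is what makes a deny mean what it says.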
