ACL / SDs

Elrond Elrond at Wunder-Nett.org
Wed Feb 23 12:56:22 GMT 2000


On Wed, Feb 23, 2000 at 08:21:40PM +1100, Michael Stockman wrote:
[...]
> > > The maximum allowed stuff is left (no one has even tried to tell me
> > > which bits it should return). Personally, I don't like it very much as
> > > I think it's mainly there to facilitate bad coding (tell me what you
> > > want or you will get EACCESS :). There's an example to answer at the
> > > end.
> >
> > the way that maximum_allowed works is in SeAccessCheck.
> >
> > if the DesiredAccess parameter is SEC_MAXIMUM_ALLOWED then instead of
> > doing a mask-match in each individual ACE to find out whether the
> > permissions desired are allowed, you RETURN the permissions of the first
> > ACE against which the user successfully matches.  this is returned in the
> > GrantedAccess out-parameter of SeAccessCheck.
> >
> > or the user's group.  or group members.

So that means that the order of the ACEs _is_ important?
As far as I understood SDs in NT, the order shouldn't be
important... but maybe that's only for the actual
access-checking.


[...]
> > > Example of ACL, tell me what MAXIMUM ALLOWED should return (and why):
> > > ACE allows 0x7FFF
> > > ACE denies 0x0001
> > > ACE allows 0x8000
> > > These three ACEs apply to the user.
> >
> > MAXIMUM_ALLOWED is SeAccessCheck specific.  are you implementing this
> > function?
> 
> Yes. If you're correct then 0x7FFF is the right return value. Ok with me.

But 0x7fff would go through an actual access_check, because
the deny _has_ to be evaluated... ACLs are not
short-circuit (AFAIK).

But I don't know either much about MAXIMUM_ALLOWED, so
these are just some thoughts...


    Elrond
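The two checks the thread contrasts, as an added example that is not code from Samba or from any poster in this thread: a minimal DACL walk in C with a specific-access check (deny ACEs evaluated in order, an allow placed earlier shadowing a later deny for the same bits) next to a MAXIMUM_ALLOWED computation. The MAXIMUM_ALLOWED rule implemented here, each bit decided by the first ACE that mentions it, is my understanding of what NT's SeAccessCheck does and is an assumption, not something the thread establishes; the struct ace type, the applies flag standing in for SID matching, the se_access_check wrapper, the consistency helper and the sample ACLs are all constructed for this example. Run on the thread's three ACEs it shows why order matters: allow 0x7FFF, deny 0x0001, allow 0x8000 yields 0xFFFF, while moving the deny first yields 0xFFFE, and it checks bit by bit whether a candidate answer such as 0x7FFF agrees with the specific-access check.

```c
/* Added example, not Samba code: minimal NT-style DACL walk. SID matching is
 * reduced to an "applies" flag (the thread's ACEs all apply to the user).
 * The per-bit first-mention-wins rule in max_allowed() is an assumption
 * about NT behaviour, not something the thread establishes. */
#include <stdint.h>
#include <stdio.h>

#define SEC_FLAG_MAXIMUM_ALLOWED 0x02000000u /* MAXIMUM_ALLOWED bit of an access mask */

enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    enum ace_type type;
    uint32_t mask;
    int applies; /* 1 if the ACE's SID is in the caller's token */
};

/* Specific-access check, ACEs in order: an allow ACE clears the bits it grants
 * from the still-wanted set; a deny ACE covering any still-wanted bit fails the
 * check at once. A deny after an allow for the same bit never sees that bit.
 * Returns `desired` on success, 0 on denial. */
uint32_t access_check(const struct ace *acl, size_t n, uint32_t desired)
{
    uint32_t remaining = desired;
    size_t i;
    for (i = 0; i < n && remaining != 0; i++) {
        if (!acl[i].applies)
            continue;
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].mask;
        else if (acl[i].mask & remaining)
            return 0;
    }
    return remaining == 0 ? desired : 0;
}

/* MAXIMUM_ALLOWED: walk the whole DACL; each bit is decided by the first ACE
 * that mentions it. A granted bit cannot be denied later, a denied bit cannot
 * be granted later (assumed NT semantics). */
uint32_t max_allowed(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        if (!acl[i].applies)
            continue;
        if (acl[i].type == ACE_ALLOW)
            granted |= acl[i].mask & ~denied;
        else
            denied |= acl[i].mask & ~granted;
    }
    return granted;
}

/* The reading quoted in the thread: mask of the first matching allow ACE. */
uint32_t max_allowed_first_match(const struct ace *acl, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (acl[i].applies && acl[i].type == ACE_ALLOW)
            return acl[i].mask;
    return 0;
}

/* SeAccessCheck-style entry point (assumed semantics): with MAXIMUM_ALLOWED
 * set, *granted is max_allowed() and the call succeeds if anything was granted
 * and every other requested bit is included. Returns 1 on success, 0 on denial. */
int se_access_check(const struct ace *acl, size_t n, uint32_t desired, uint32_t *granted)
{
    if (desired & SEC_FLAG_MAXIMUM_ALLOWED) {
        uint32_t want = desired & ~SEC_FLAG_MAXIMUM_ALLOWED;
        *granted = max_allowed(acl, n);
        return *granted != 0 && (*granted & want) == want;
    }
    *granted = access_check(acl, n, desired);
    return *granted == desired;
}

/* A MAXIMUM_ALLOWED answer is only right if each reported bit passes
 * access_check() on its own and no unreported bit does. */
int consistent_with_access_check(const struct ace *acl, size_t n, uint32_t reported)
{
    uint32_t bit;
    for (bit = 1; bit != 0; bit <<= 1) {
        int single = access_check(acl, n, bit) == bit;
        if (single != ((reported & bit) != 0))
            return 0;
    }
    return 1;
}

/* Constructed samples: the thread's ACL, and the same ACEs with the deny first. */
const struct ace thread_acl[3] = {
    { ACE_ALLOW, 0x7FFF, 1 }, { ACE_DENY, 0x0001, 1 }, { ACE_ALLOW, 0x8000, 1 },
};
const struct ace deny_first_acl[3] = {
    { ACE_DENY, 0x0001, 1 }, { ACE_ALLOW, 0x7FFF, 1 }, { ACE_ALLOW, 0x8000, 1 },
};
uint32_t granted_access; /* GrantedAccess out-parameter scratch */

int main(void)
{
    se_access_check(thread_acl, 3, SEC_FLAG_MAXIMUM_ALLOWED, &granted_access);
    printf("thread order: 0x%04x (first-match reading 0x%04x, consistent=%d)\n",
           (unsigned)granted_access, (unsigned)max_allowed_first_match(thread_acl, 3),
           consistent_with_access_check(thread_acl, 3, max_allowed_first_match(thread_acl, 3)));
    printf("deny first:   0x%04x\n", (unsigned)max_allowed(deny_first_acl, 3));
    return 0;
}
```

The consistent_with_access_check() helper is the check a practitioner wants for any MAXIMUM_ALLOWED implementation: every bit it reports must pass the ordinary check on its own, and no other bit may. On the thread's example the first-matching-ACE reading fails that check, because 0x8000 is grantable by the specific-access walk but is not reported.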



More information about the samba-technical mailing list