ACL / SDs
Elrond at Wunder-Nett.org
Wed Feb 23 12:56:22 GMT 2000
On Wed, Feb 23, 2000 at 08:21:40PM +1100, Michael Stockman wrote:
> > > The maximum allowed stuff is left (no one has even tried to tell
> > > which bits it should return). Personally, I don't like it very much as
> > > I think it's mainly there to facilitate bad coding (tell me what
> > > want or you will get EACCESS :). There's an example to answer at
> > > end.
> > the way that maximum_allowed works is in SeAccessCheck.
> > if the DesiredAccess parameter is SEC_MAXIMUM_ALLOWED then instead
> > doing a mask-match in each individual ACE to find out whether the
> > permissions desired are allowed, you RETURN the permissions of the
> > ACE against which the user successfully matches. this is returned in the
> > GrantedAccess out-parameter of SeAccessCheck.
> > or the user's group. or group members.
So that means that the order of the ACEs _is_ important?
As far as I understood SDs in NT, the order shouldn't be
important... but maybe that's only for the actual
> > > Example of ACL, tell me what MAXIMUM ALLOWED should return (and
> > > ACE allows 0x7FFF
> > > ACE denies 0x0001
> > > ACE allows 0x8000
> > > These three ACEs apply to the user.
> > MAXIMUM_ALLOWED is SeAccessCheck specific. are you implementing
> > function?
> Yes. If you're correct then 0x7FFF is the right return value. Ok with
But 0x7fff would go through an actual access_check, 'cause
the deny _has_ to be evaluated... ACLs are not
But I don't know much about MAXIMUM_ALLOWED either, so
these are just some thoughts...
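
Added example (not part of the original thread, and not Samba or NT code): the three-ACE ACL from the post, walked in C under the assumed rule that each access bit is decided by the first ACE that mentions it, a rule the thread itself does not settle. `struct ace`, `max_allowed` and `access_check` are hypothetical names; SID matching is omitted because the post says all three ACEs apply to the user.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal ACE: type plus access mask (no SID, see lead-in). */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; };

/* MAXIMUM_ALLOWED walk (assumed rule): each bit is decided by the
 * first ACE, in ACL order, that mentions it. */
static uint32_t max_allowed(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW)
            granted |= acl[i].mask & ~denied;  /* skip bits already denied */
        else
            denied |= acl[i].mask & ~granted;  /* skip bits already granted */
    }
    return granted;
}

/* Ordinary check for a specific desired mask: fail at the first deny that
 * hits a still-needed bit, succeed once no needed bit remains. */
static int access_check(const struct ace *acl, size_t n, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining; i++) {
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].mask;
        else if (acl[i].mask & remaining)
            return 0;
    }
    return remaining == 0;
}

/* The ACL from the post in posted order, and with the deny moved first. */
static const struct ace posted[] = {
    { ACE_ALLOW, 0x7FFF }, { ACE_DENY, 0x0001 }, { ACE_ALLOW, 0x8000 } };
static const struct ace deny_first[] = {
    { ACE_DENY, 0x0001 }, { ACE_ALLOW, 0x7FFF }, { ACE_ALLOW, 0x8000 } };

int main(void)
{
    printf("posted order: 0x%04X\n", (unsigned)max_allowed(posted, 3));
    printf("deny first:   0x%04X\n", (unsigned)max_allowed(deny_first, 3));
    return 0;
}
```

Under this assumed rule the result depends on ACE order, and the mask returned for MAXIMUM_ALLOWED is exactly the set of bits an ordinary check on the same ACL would grant.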