ACL / SDs
Elrond
Elrond at Wunder-Nett.org
Wed Feb 23 18:10:07 GMT 2000
On Thu, Feb 24, 2000 at 04:36:20AM +1100, Luke Kenneth Casson Leighton wrote:
[...]
> > > > Example of ACL, tell me what MAXIMUM ALLOWED should return (and
> > > > why):
> > > > ACE allows 0x7FFF
> > > > ACE denies 0x0001
> > > > ACE allows 0x8000
> > > > These three ACEs apply to the user.
> > >
> > > MAXIMUM_ALLOWED is SeAccessCheck specific. are you implementing
> > > this function?
> >
> > Yes. If you're correct then 0x7FFF is the right return value. Ok with
> > me.
>
> ok, then the ACL above is slightly nonsense, because i _think_ that the
> first ACE is encountered and the others, as a result, ignored.
>
> urr... actually, that's not true. i think the deny ACE is the one that is
> ignored. ur...
>
> interesting exercise!
>
> i _think_ that 0xffff _should_ be returned, but unfortunately, i bet you
> that 0xfffe is _actually_ returned.
>
> request 0x8000. falls through 1st and 2nd ace, hits 3rd, is granted.
>
> request 0x0001. hits 1st ace, is granted. deny ace _should_ be first in
> the list in this case, your ACL is an example of an ineffective ACL,
> therefore.
AFAIK:
No, for actual access-checking, _all_ ACEs are checked.
If you have this:
ALLOW all
DENY all
you end up effectively with
DENY all
the order isn't important and there is no "short-circuit".
I don't know about the MAXIMUM_ALLOWED thing.
> request 0xffff. hits 1st ace, is denied (too much). hits 2nd ace, is
> denied (0x0001).
>
> hey, that's so cool! it _is_ an effective acl, it's just not obvious
> what's going on, and trying to create a MAXIMUM_ALLOWED is impossible :-)
> :-)
Elrond
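Added example, not Samba code and not written by either poster: a small C re-implementation of the ordered DACL walk that Microsoft documents for AccessCheck (MS-DTYP section 2.5.3.2), run over the ACL from the thread. For a concrete request, ACEs are taken in list order, a deny ACE that overlaps any still-ungranted requested bit denies the whole request, an allow ACE removes its bits from the request, and the walk stops as soon as nothing is left to grant. For MAXIMUM_ALLOWED every ACE is walked: a deny ACE withholds only bits no earlier allow ACE granted, and an allow ACE grants only bits no earlier deny ACE withheld. Because the walk is ordered, the same three ACEs give different answers in the posted order and in canonical order (deny ACEs first), so both are evaluated. The `ace` struct, the `access_check` and `maximum_allowed` names, and the assumption that every ACE applies to the requesting user are this example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example; only the two ACE types the thread uses. */
enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    enum ace_type type;
    uint32_t mask;
};

#define ACL_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* The ACL from the thread, in the order it was posted. Every ACE is
 * assumed to apply to the requesting user. */
static const struct ace thread_acl[] = {
    { ACE_ALLOW, 0x7FFF },
    { ACE_DENY,  0x0001 },
    { ACE_ALLOW, 0x8000 },
};

/* The same ACEs in canonical order (deny ACEs ahead of allow ACEs),
 * which is the order Windows tooling writes a DACL in. */
static const struct ace canonical_acl[] = {
    { ACE_DENY,  0x0001 },
    { ACE_ALLOW, 0x7FFF },
    { ACE_ALLOW, 0x8000 },
};

/* Ordered walk for a concrete access request (MS-DTYP 2.5.3.2): a deny
 * ACE overlapping any still-ungranted requested bit denies the whole
 * request; an allow ACE removes its bits from the request; the walk
 * stops as soon as nothing is left to grant. */
bool access_check(const struct ace *acl, size_t n, uint32_t requested)
{
    uint32_t remaining = requested;

    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (acl[i].type == ACE_DENY) {
            if (acl[i].mask & remaining)
                return false;
        } else {
            remaining &= ~acl[i].mask;
        }
    }
    /* Requested bits that no ACE ever granted also mean denial. */
    return remaining == 0;
}

/* MAXIMUM_ALLOWED: walk every ACE. A deny ACE only withholds bits no
 * earlier allow ACE has granted; an allow ACE only grants bits no
 * earlier deny ACE has withheld. The result is the granted set. */
uint32_t maximum_allowed(const struct ace *acl, size_t n)
{
    uint32_t granted = 0, denied = 0;

    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_DENY)
            denied |= acl[i].mask & ~granted;
        else
            granted |= acl[i].mask & ~denied;
    }
    return granted;
}

/* Print MAXIMUM_ALLOWED and the verdict for the requests discussed in
 * the thread, plus 0xFFFE for comparison. */
static void report(const char *label, const struct ace *acl, size_t n)
{
    static const uint32_t requests[] = { 0x8000, 0x0001, 0xFFFE, 0xFFFF };

    printf("%s: MAXIMUM_ALLOWED = 0x%04" PRIX32 "\n", label,
           maximum_allowed(acl, n));
    for (size_t i = 0; i < ACL_LEN(requests); i++)
        printf("  request 0x%04" PRIX32 " -> %s\n", requests[i],
               access_check(acl, n, requests[i]) ? "granted" : "denied");
}

int main(void)
{
    report("posted order", thread_acl, ACL_LEN(thread_acl));
    report("canonical order", canonical_acl, ACL_LEN(canonical_acl));
    return 0;
}
```

Run as written, the posted order yields MAXIMUM_ALLOWED 0xFFFF and grants 0x0001, because the allow for 0x7FFF is reached before the deny and satisfies that bit; moving the deny ACE first yields 0xFFFE and denies both 0x0001 and 0xFFFF while still granting 0xFFFE and 0x8000. That order dependence is the reason canonical ordering puts deny ACEs ahead of allow ACEs.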