ACL / SDs

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Feb 24 15:15:13 GMT 2000


On Thu, 24 Feb 2000, John E. Malmberg wrote:

> Bob Mastors <bob.mastors at crosstor.com> wrote:
> > > AFAIK:
> > >
> > > No, for actual access-checking, _all_ ACEs are checked.
> > >
> > > If you have this:
> > > ALLOW all
> > > DENY  all
> > > you end up effectively with
> > > DENY  all
> > >
> > > the order isn't important and there is no "short-circuit".
> > This does not appear to be a true statement for NT.
> > From the MSDN Library (Jan 2000):
> >     When a process tries to access a securable object,
> >     the system steps through the ACEs in the object's DACL
> >     until it finds ACEs that allow or deny the requested access.
> >     The access rights that a DACL allows a user could vary depending
> >     on the order of ACEs in the DACL.
> 
> That is very interesting, because unless my memory is very faulty:
> 
> Windows NT does not allow you to specify the order of the ACEs in a DACL
> from any GUI or command line utility.
> 
> It always seems to present them as a sorted list.

ummm... there is probably some logic in the listbox.  it's definitely possible
to do damage with, say, cacls.exe or, say, with rpcclient -- if i add sd set
functions.  haven't got an acl parser/creator yet so haven't done it.
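
The ordered walk described in the MSDN text quoted above, as an added example in C that is not part of the original message or of Samba's code. It is a simplified model (SIDs are plain integers; ACE flags, inheritance and owner rights are omitted, all assumptions) that evaluates the thread's "ALLOW all / DENY all" DACL as stored and again after a deny-before-allow reordering, the canonical order Windows tools normally write.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model: a SID is an int and a token is an array of SIDs.
 * ACE flags, inheritance and owner rights are left out. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; int sid; uint32_t mask; };

static int token_has_sid(const int *sids, size_t n, int sid)
{
    for (size_t i = 0; i < n; i++)
        if (sids[i] == sid) return 1;
    return 0;
}

/* Walk the DACL in stored order. Returns 1 only if every requested bit
 * is granted before a matching deny ACE touches a still-needed bit. */
int access_check(const struct ace *dacl, size_t n_aces,
                 const int *sids, size_t n_sids, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n_aces && remaining != 0; i++) {
        if (!token_has_sid(sids, n_sids, dacl[i].sid))
            continue;                    /* ACE names another trustee */
        if (dacl[i].type == ACE_ALLOW)
            remaining &= ~dacl[i].mask;  /* these bits are now granted */
        else if (dacl[i].mask & remaining)
            return 0;                    /* a still-needed bit is denied */
    }
    return remaining == 0;               /* ungranted bits: no access */
}

/* Stable reorder into deny-before-allow order; out holds n entries. */
void canonical_order(const struct ace *in, size_t n, struct ace *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i].type == ACE_DENY) out[k++] = in[i];
    for (size_t i = 0; i < n; i++)
        if (in[i].type == ACE_ALLOW) out[k++] = in[i];
}

/* Constructed sample: the thread's "ALLOW all / DENY all" DACL, SID 1. */
const struct ace allow_then_deny[2] = {
    { ACE_ALLOW, 1, 0xFFFFFFFFu }, { ACE_DENY, 1, 0xFFFFFFFFu } };
const int user_sids[1] = { 1 };
```

In this model the DACL as stored grants the request because the allow ACE satisfies it before the deny ACE is reached; the reordered copy denies it.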


