ACL / SDs

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Feb 24 16:51:43 GMT 2000


> > it's a matter of which you want to do.
> > 
> > do you want: the PDC to tell you what groups the user is in?
> > 
> > do you want: the local unix system to tell you what groups the user is in?
> > 
> 
> In the case of NT, both happen actually.  The PDC will determine what
> global (domain) groups the user is in and tell that to the
> workstation.  The workstation then uses that list (and the user's SID)
> to determine what local groups (aka aliases) the user belongs to.
> Actually, it's slightly more complicated than that, because there are
> the "WellKnownGroups" (Everyone, Network, Interactive, etc.) that can
> also affect local group membership.

oh no...  that's what the "other SIDS" are for in the NET_USER_INFO_3
structure, i bet.

 
> Not sure if that's relevant, but figured I'd throw it out there.

*sigh* thx todd.

> > > Well, even NT has banned them from ACLs. Don't let the fact that the
> > > code is the same in NT hide the fact that the bitmask in ACLs is a
> > > different bitmask from that by which you request a set of permissions.
> 
> Actually, this isn't true; they're not banned at all, AFAICS.  At the
> very least, the SDs for lots of registry keys in NT5 definitely
> contain ACEs with some of the GENERIC_* bits set.  They're primarily
> in inherit-only ACEs, but they're there, none the less.

See GenericPermissions arg of SeAccessCheck.  this is different from bits
16 to 32 in an ACE.

> {
>     int requested = user_request;  // passed in
>     int granted;
> 
>     for (i=0; requested && i< #aces; i++) {
>         if (ace applies to user 
>             && ace applies to object /* i.e. isn't inherit only */) {
>             if (ace is permit type) {
>                 granted = ace.mask & requested;
>                 requested &= ~granted;
>             } else if (ace is deny type) {
>                 if (requested & ace.mask)
>                     break;
>             }
>         }
>     }
>     if (requested) {
>         /* access denied (didn't get granted everything) */
>     } else {
>         /* access permitted */
>     }
> }
> 

todd, i think i need to accumulate granted permissions, so i made it
granted |= ace.mask & requested.

is that right?
 
> for computing maximum allowed:
> 
> {
>     int denied = 0;
>     int granted = 0;
> 
>     for (i=0; i< #aces; i++) {
>         if (ace applies to user 
>             && ace applies to object /* i.e. isn't inherit only */) {
>             if (ace is permit type) {
>                 granted |= ace.mask & ~denied;
>             } else if (ace is deny type) {
>                 denied |= ace.mask & ~granted;
>             }
>         }
>     }
>     return granted;
> }

this looks good.
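The two loops quoted above, written out as an added C example; this is not code from the thread or from Samba. Assumptions: SIDs are held as strings, the token carries the user SID plus the domain groups, local aliases and well-known SIDs described at the top of the thread, and the object-specific right values and the sample DACL are made up for the demonstration (the GENERIC_* and INHERIT_ONLY_ACE bit values are the real ones). GENERIC_* bits in the requested mask are mapped to specific rights before the walk, which is the GenericMapping step of SeAccessCheck; an inherit-only ACE that carries a GENERIC_* bit is skipped for the object itself. In the first loop only `requested` decides the result, so accumulating `granted` with |= changes nothing.

```c
/* Added example, not code from the thread: the two DACL walks quoted above,
 * in C over a toy token and ACL.  The SIDs, the object-specific right values
 * and the sample ACL are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;
enum ace_type { ACE_ALLOW, ACE_DENY };
#define INHERIT_ONLY_ACE 0x08                       /* real ACE flag value */
enum { RIGHT_READ = 0x1u, RIGHT_WRITE = 0x2u, RIGHT_EXEC = 0x4u, DELETE = 0x10000u };
#define GENERIC_ALL     0x10000000u                 /* real GENERIC_* values */
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_READ    0x80000000u
#define GENERIC_BITS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

struct generic_mapping { ACCESS_MASK read, write, execute, all; };
struct ace   { enum ace_type type; uint8_t flags; const char *sid; ACCESS_MASK mask; };
struct token { const char **sids; size_t n; };      /* user, groups, aliases, well-known */

static bool token_has_sid(const struct token *t, const char *sid)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* "ace applies to user && ace applies to object" from the pseudocode */
static bool ace_applies(const struct ace *a, const struct token *t)
{
    return !(a->flags & INHERIT_ONLY_ACE) && token_has_sid(t, a->sid);
}

/* GENERIC_* bits in the *requested* mask are translated to specific rights
 * before the ACE walk; this is the job of SeAccessCheck's GenericMapping. */
static ACCESS_MASK map_generic(ACCESS_MASK m, const struct generic_mapping *g)
{
    ACCESS_MASK out = m & ~GENERIC_BITS;
    if (m & GENERIC_READ)    out |= g->read;
    if (m & GENERIC_WRITE)   out |= g->write;
    if (m & GENERIC_EXECUTE) out |= g->execute;
    if (m & GENERIC_ALL)     out |= g->all;
    return out;
}

/* First loop: every requested bit must be granted before a deny ACE hits one.
 * Only `requested` decides the outcome, so the pseudocode's `granted` is not needed. */
bool access_check(const struct ace *acl, size_t n, const struct token *t,
                  ACCESS_MASK desired, const struct generic_mapping *g)
{
    ACCESS_MASK requested = map_generic(desired, g);
    for (size_t i = 0; requested && i < n; i++) {
        if (!ace_applies(&acl[i], t)) continue;
        if (acl[i].type == ACE_ALLOW)
            requested &= ~acl[i].mask;              /* these bits are now granted */
        else if (requested & acl[i].mask)
            return false;                           /* deny on an outstanding bit */
    }
    return requested == 0;
}

/* Second loop: MAXIMUM_ALLOWED.  Earlier ACEs win, so a deny placed after an
 * allow for the same bit (non-canonical order) does not take the bit back. */
ACCESS_MASK max_allowed(const struct ace *acl, size_t n, const struct token *t)
{
    ACCESS_MASK granted = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ace_applies(&acl[i], t)) continue;
        if (acl[i].type == ACE_ALLOW) granted |= acl[i].mask & ~denied;
        else                          denied  |= acl[i].mask & ~granted;
    }
    return granted;
}

/* Constructed token: user RID 1001 in a made-up domain, Domain Users (RID 513),
 * the Everyone well-known SID and the BUILTIN\Users alias. */
static const char *sample_sids[] =
    { "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513", "S-1-1-0", "S-1-5-32-545" };
const struct token sample_token = { sample_sids, 4 };
const struct generic_mapping sample_mapping =
    { RIGHT_READ, RIGHT_WRITE | DELETE, RIGHT_EXEC, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC | DELETE };

/* Constructed DACL in canonical order (deny first).  The last ACE carries
 * GENERIC_ALL but is inherit-only, like the NT5 registry ACEs mentioned above,
 * so ace_applies() skips it for this object. */
const struct ace sample_acl[] = {
    { ACE_DENY,  0,                "S-1-5-21-1-2-3-513", RIGHT_WRITE },
    { ACE_ALLOW, 0,                "S-1-1-0",            RIGHT_READ | RIGHT_EXEC },
    { ACE_ALLOW, 0,                "S-1-5-32-545",       RIGHT_WRITE | DELETE },
    { ACE_ALLOW, INHERIT_ONLY_ACE, "S-1-1-0",            GENERIC_ALL },
};
const size_t sample_acl_len = sizeof sample_acl / sizeof sample_acl[0];

bool sample_check(ACCESS_MASK desired)
{
    return access_check(sample_acl, sample_acl_len, &sample_token, desired, &sample_mapping);
}
ACCESS_MASK sample_max_allowed(void) { return max_allowed(sample_acl, sample_acl_len, &sample_token); }
```

With the sample token and DACL, RIGHT_WRITE is refused because the Domain Users deny ACE is reached before the BUILTIN\Users allow, DELETE is granted because the deny mask does not cover it, GENERIC_READ is granted after being mapped to RIGHT_READ, and MAXIMUM_ALLOWED comes out as READ | EXEC | DELETE. Reordering the deny ACE after the allows would let both loops grant WRITE, which is why the ACE order in a DACL is part of its meaning and why canonical (deny-first) order matters when Samba writes one.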



More information about the samba-technical mailing list