ACL / SDs
Elrond
Elrond at Wunder-Nett.org
Thu Feb 24 20:18:03 GMT 2000
On Thu, Feb 24, 2000 at 10:25:27PM +1100, John E. Malmberg wrote:
> Bob Mastors <bob.mastors at crosstor.com> wrote:
> > > AFAIK:
> > >
> > > No, for actual access-checking, _all_ ACEs are checked.
> > >
> > > If you have this:
> > > ALLOW all
> > > DENY all
> > > you end up effectively with
> > > DENY all
> > >
> > > the order isn't important and there is no "short-circuit".
> > This does not appear to be a true statement for NT.
> > >From the MSDN Library (Jan 2000):
> > When a process tries to access a securable object,
> > the system steps through the ACEs in the object's DACL
> > until it finds ACEs that allow or deny the requested access.
> > The access rights that a DACL allows a user could vary depending
> > on the order of ACEs in the DACL.
>
> That is very interesting, because unless my memory is very faulty:
>
> Windows NT does not allow you to specify the order of the ACEs in a DACL
> from any GUI or command line utility.
Right.
> It always seems to present them as a sorted list.
Yes and no. The gui-tools mostly sort them. cacls shows
them in the right order.
So it realy looks like, we need testing here... Luke
already said so in another mail.
I tried to test this with cacls on the commandline... but:
*arg* It always appended normal ACEs, and always prepended
those "DENY all"-ACEs... So I couldn't generate the
interesting case.
Off Topic: Does anyone know free nice tools to show and
change SDs unter NT? One that can even handle the order
would be interesting.
BTW: How is that all on VMS? (They keep telling, it's
derived from VMS.) I'm only a bit curious, so you don't
need to get into details, some two/three general lines
would be great.
> -John
> wb8tyw at qsl.net
Elrond
More information about the samba-technical
mailing list