ACL / SDs

Michael Stockman pgmtekn-micke at algonet.se
Fri Feb 25 22:56:49 GMT 2000


Hello,

> > > (Didn't NT also have this unused Alarm-ACL-thingy? Okay,
> > > it's not realy there, so no need to worry.)
> >
> > Yes, NT has it (and doesn't use it). We have it and doesn't use it
as
> > well as we have and doesn't use audit. When someone think of a
good
> > way to implement it (for example a DEBUG statement for audit) then
we
> > have and use it.
>
> Sounds interesting, but I think, we shouldn't do this
> _now_.

I'm not, I'm just designing in the possibility.

> So when you create NT-SDs back from this, you've got to
> sort the dacl-entries into NT-dacl and NT-sacl.

Maybe. Or we'll just leave them where they are and let the remote
system handle it as well as it can (NT should only ignore the entries,
samba would probably understand them).

> So sacl is more like "admin-acl" ?

That is my perception of how NT does it, although the admin has less
power.

> Two things:
>
> What does happen to the ACEs in this acl, when you map to
> NT-SDs?
> (In fact, you created something, that most ACLs don't
>  have... so we now have a superset)

Really, I'm reluctant to restricting what info should be evaluated in
an ACL, so I think that if the info is there, it should be evaluated.

> .. I still have to think, wether I like it, or not... Most
> admins (not the good ones) have problems with those things
> and end up doing bad things... and I like the user having
> full control of the acl.

Tell me 'bout it. But teaching people their job is not my job. And
someone with root access can do it all anyway.

> > There is, both owner and primary group. I don't know if the
owner's
> > ability to change the dacl is so written in stone that we should
force
> > it in the code, or if it should be enabled by any of the ACLs.
>
> I think, it is quite "written in stone". But if you like,
> you could all it do a default racl.

I don't care. Do you want control of this or not, your call? I'm
leaning at it to be written in stone, but it doesn't really affect the
ACL API.

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se





More information about the samba-technical mailing list