ACL / SDs

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Tue Feb 29 15:29:05 GMT 2000


> -----Original Message-----
> From:	Elrond [SMTP:Elrond at Wunder-Nett.org]
> Sent:	Friday, February 25, 2000 0:19
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: ACL / SDs
> 
> > > You mean the DELETE-attribute, which on unix is w on the
> > > directory?
> > 
> > Yes, and perhaps READ_CONTROL and WRITE_DAC?
> 
> WRITE_DAC is on Unix only allowed to the owner of the
> object and to root.
> 
	And of course to any process with appropriate capabilities set, on
Unices that support capabilities (e.g. Linux).

> READ_CONTROL is a bit different on unix... you're partly
> right...
> 
> You need to have +x on _all_ directories, that lead up to
> the object of interest to be able to do a stat() on it. You
> do not need any permissions on the object itself.
> 
> This would mean you would map AND(x-bits of all parent
> dirs) to READ_CONTROL of the object, but that's wrong:
> 
	Indeed.  This also means that a semantically-correct mapping between
Unix and NT permissions is not possible.  When passing permissions info to
the NT side, you have to resign yourself to just translating the permissions
syntactically as close as you can, and let the user at the other end of the
UI worry about the semantics.
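As an added illustration (not code from the thread or from Samba), a small Python model of the Unix-side checks the thread describes: WRITE_DAC is available only to the owner, root, or a process holding CAP_FOWNER, READ_CONTROL depends on search permission along the whole path rather than on the object's own bits, and DELETE depends on write permission in the parent directory. The `Inode` and `Caller` types and the `parents` list are assumptions made for the model; the access-mask constants are the standard Win32 values.

```python
from dataclasses import dataclass

# Standard access rights from the Win32 ACCESS_MASK layout.
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000


@dataclass(frozen=True)
class Inode:            # assumed model type: what stat() would tell us
    uid: int
    gid: int
    mode: int           # permission bits only, e.g. 0o755


@dataclass(frozen=True)
class Caller:           # assumed model type: the calling process
    uid: int
    gids: frozenset
    cap_fowner: bool = False   # Linux CAP_FOWNER: owner checks are waived


def unix_allows(caller, inode, bit):
    """Classic Unix check: root bypasses, else use the owner/group/other class."""
    if caller.uid == 0:
        return True
    if caller.uid == inode.uid:
        cls = (inode.mode >> 6) & 7
    elif inode.gid in caller.gids:
        cls = (inode.mode >> 3) & 7
    else:
        cls = inode.mode & 7
    return bool(cls & bit)


def semantic_rights(caller, parents, obj):
    """Rights the caller actually has on obj, following the thread's reasoning.

    parents: directories from the top of the path down to obj's own directory.
    WRITE_DAC    - only owner, root, or a CAP_FOWNER process may change mode/ACL.
    READ_CONTROL - needs +x (search) on every parent directory, nothing on obj.
    DELETE       - needs +w on the immediate parent directory.
    """
    rights = 0
    if caller.uid in (0, obj.uid) or caller.cap_fowner:
        rights |= WRITE_DAC
    if all(unix_allows(caller, d, 1) for d in parents):
        rights |= READ_CONTROL
    if parents and unix_allows(caller, parents[-1], 2):
        rights |= DELETE
    return rights
```

Because the READ_CONTROL result changes with the directories above the object and not with the object's own mode, no ACE stored on the object alone can express it, which is the mismatch the thread points out.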


