ACL database

M Zinkevicius mattzink at qwest.net
Mon Mar 26 08:00:28 GMT 2001


Hi gang,
I just started implementing a database (tdb) in Samba to hold security
descriptors (NT ACLs) keyed on filename. I cannot use the POSIX ACL mapping
since they are a subset of true NT ACLs and result in permission information
loss; also, my current filesystem (ReiserFS on Linux) doesn't support POSIX
ACLs anyway. Obviously the storage/retrieval of the ACLs should be easy
enough, but will require manual enforcement within Samba itself (I'm doing
this at the vfs wrapper layer). Does anybody see any major problems with
this design? I already know that I'll have nightmares keeping synced up with
unix permission changes, but worth the hassle for file system agnostic full
NT ACL support.

Is there any easy way in Samba to get an entire security descriptor (ACL,
ACE's, etc) into one contiguous memory space, which I can use to store the
tdb value? Can I use parse_sec/sec_io_desc() or parse_sec/sec_io_desc_buf()
for this?

Finally, below is a patch that changes
nttrans/call_nt_transact_query_security_desc() to use the vfs instead of
making a direct call.

--Matt

--- samba-2.2.0-orig/source/smbd/nttrans.c Wed Jan 31 05:17:13 2001
+++ samba-2.2.0-ntacl/source/smbd/nttrans.c Sun Mar 25 10:04:27 2001
@@ -1620,7 +1620,7 @@
    * Get the permissions to return.
    */

-  if((sd_size = get_nt_acl(fsp, &psd)) == 0)
+  if((sd_size = conn->vfs_ops.fget_nt_acl(fsp, 0, &psd)) == 0)
     return(UNIXERROR(ERRDOS,ERRnoaccess));

   DEBUG(3,("call_nt_transact_query_security_desc: sd_size =
%d.\n",(int)sd_size));
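
Review bot: the added line passes a literal 0 as the second argument to conn->vfs_ops.fget_nt_acl(). If that parameter is the file descriptor, pass the open file's descriptor taken from fsp instead, or add a comment saying why a constant is safe; otherwise a VFS module that works from the descriptor would query fd 0 rather than the file the client asked about, and could return the wrong security descriptor. The call also goes through the function pointer without checking that it is set, so either guard it or document that every VFS module must fill in fget_nt_acl. Separately, the DEBUG(3,...) context line is wrapped across two lines in the mail, which will stop the hunk from applying as sent.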





