ACL database

Mayers, Philip J p.mayers at ic.ac.uk
Mon Mar 26 09:40:02 GMT 2001 

I suggested this a *long* time ago (couple of years, before the VFS layer
IIRC) and was shot down in flames, for ease-of-use, engineering and
performance reasons. I'll be very interested to see if this works.

Re: the posix permissions - you could just ignore them, and ensure that
they're set to 660 (but then of course you don't want to allow Unix
logins...) - I'm sure there's a security hole there...

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  

-----Original Message-----
From: M Zinkevicius [mailto:mattzink at qwest.net]
Sent: 26 March 2001 09:00
To: samba-technical at lists.samba.org
Subject: ACL database


Hi gang,
I just started implementing a database (tdb) in samba to hold security
descriptors (NT ACLs) keyed on filename. I cannot use the POSIX ACL mapping
since they are a subset of true NT ACLs and result in permission information
loss, also my current filesystem (ReiserFS on linux) doesn't support POSIX
ACLs anyway. Obviously the storage/retrieval of the ACLs should be easy
enough, but will require manual enforcement within Samba itself (I've doing
this at the vfs wrapper layer). Does anybody see any major problems with
this design? I already know that I'll have nightmares keeping synced up with
unix permission changes, but worth the hassle for file system agnostic full
NT ACL support.

Is there any easy way in samba to get an entire security descriptor (ACL,
ACE's, etc) into one contiguous memory space, which I can use to store the
tdb value. Can I use parse_sec/sec_io_desc() or parse_sec/sec_io_desc_buf()
for this?

Finally, below is a patch that changes
nttrans/call_nt_transact_query_security_desc() to use the vfs instead of
making a direct call.

--Matt

--- samba-2.2.0-orig/source/smbd/nttrans.c Wed Jan 31 05:17:13 2001
+++ samba-2.2.0-ntacl/source/smbd/nttrans.c Sun Mar 25 10:04:27 2001
@@ -1620,7 +1620,7 @@
    * Get the permissions to return.
    */

-  if((sd_size = get_nt_acl(fsp, &psd)) == 0)
+  if((sd_size = conn->vfs_ops.fget_nt_acl(fsp, 0, &psd)) == 0)
     return(UNIXERROR(ERRDOS,ERRnoaccess));

   DEBUG(3,("call_nt_transact_query_security_desc: sd_size =
%d.\n",(int)sd_size));

More information about the samba-technical mailing list