ACL database

Jeremy Allison jeremy at
Mon Mar 26 16:09:05 GMT 2001

M Zinkevicius wrote:
> Hi gang,
> I just started implementing a database (tdb) in samba to hold security
> descriptors (NT ACLs) keyed on filename. I cannot use the POSIX ACL mapping
> since they are a subset of true NT ACLs and result in permission information
> loss, also my current filesystem (ReiserFS on linux) doesn't support POSIX
> ACLs anyway. Obviously the storage/retrieval of the ACLs should be easy
> enough, but will require manual enforcement within Samba itself (I've been doing
> this at the vfs wrapper layer). Does anybody see any major problems with
> this design? I already know that I'll have nightmares keeping synced up with
> unix permission changes, but worth the hassle for file system agnostic full
> NT ACL support.

Well I'd prefer you bug Hans to add POSIX ACL support :-). But yes,
the only way to get *full* NT ACL support is the external database.

Getting the exact semantics is hard though - how are you intending
to handle ACL inheritance?

> Is there any easy way in samba to get an entire security descriptor (ACL,
> ACEs, etc) into one contiguous memory space, which I can use to store the
> tdb value? Can I use parse_sec/sec_io_desc() or parse_sec/sec_io_desc_buf()
> for this?

Yes - sec_io is the way to do this. Look at the new printer code
for details on storing NT ACLs in tdbs.

> Finally, below is a patch that changes
> nttrans/call_nt_transact_query_security_desc() to use the vfs instead of
> making a direct call.

Oops. Thanks for that - I've extended it to vector set_nt_acl
as well - both of those should have been vfs redirected (I
just missed them :-).



Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
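The design discussed in this thread, an NT security descriptor flattened into one contiguous buffer to serve as the tdb value keyed on filename and then enforced by hand at the VFS layer, as an added C example that is not Samba's code: sd_t, ace_t, sd_marshal, sd_unmarshal and sd_access_allowed are hypothetical stand-ins for SEC_DESC and sec_io_desc with an invented fixed-size wire layout, and the DACL walk follows NT's ordered deny-before-allow evaluation.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical fixed-size model of an NT security descriptor (owner SID plus
 * an ordered DACL): a stand-in for Samba's SEC_DESC, not its real layout. */
enum { ACE_ALLOW = 0, ACE_DENY = 1, MAX_ACES = 8, SID_LEN = 32 };
typedef struct { uint8_t type; uint32_t mask; char sid[SID_LEN]; } ace_t;
typedef struct { char owner[SID_LEN]; uint32_t n_aces; ace_t aces[MAX_ACES]; } sd_t;
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static size_t wire_len(uint32_t n_aces) { return SID_LEN + 4 + (size_t)n_aces * (1 + 4 + SID_LEN); }
/* Flatten the descriptor into one contiguous little-endian buffer, the value
 * stored under the filename key. Returns bytes written, 0 if buf is too small. */
size_t sd_marshal(const sd_t *sd, uint8_t *buf, size_t cap) {
    if (sd->n_aces > MAX_ACES || cap < wire_len(sd->n_aces)) return 0;
    uint8_t *p = buf;
    memcpy(p, sd->owner, SID_LEN); p += SID_LEN;
    put32(p, sd->n_aces); p += 4;
    for (uint32_t i = 0; i < sd->n_aces; i++) {
        *p++ = sd->aces[i].type; put32(p, sd->aces[i].mask); p += 4;
        memcpy(p, sd->aces[i].sid, SID_LEN); p += SID_LEN;
    }
    return (size_t)(p - buf);
}
/* Inverse of sd_marshal: checks the stored ACE count against the record length
 * rather than trusting it, so a corrupt tdb entry cannot overrun aces[]. */
int sd_unmarshal(const uint8_t *buf, size_t len, sd_t *sd) {
    if (len < SID_LEN + 4) return -1;
    memcpy(sd->owner, buf, SID_LEN);
    sd->n_aces = get32(buf + SID_LEN);
    if (sd->n_aces > MAX_ACES || len != wire_len(sd->n_aces)) return -1;
    const uint8_t *p = buf + SID_LEN + 4;
    for (uint32_t i = 0; i < sd->n_aces; i++) {
        sd->aces[i].type = *p++; sd->aces[i].mask = get32(p); p += 4;
        memcpy(sd->aces[i].sid, p, SID_LEN); p += SID_LEN;
    }
    return 0;
}
/* Manual enforcement at the VFS layer: walk the DACL in order. A deny ACE that
 * covers any still-wanted bit refuses; allow ACEs accumulate until every bit
 * requested is granted. No matching ACE at all means no access. */
int sd_access_allowed(const sd_t *sd, const char *sid, uint32_t wanted) {
    uint32_t granted = 0;
    for (uint32_t i = 0; i < sd->n_aces && granted != wanted; i++) {
        const ace_t *a = &sd->aces[i];
        if (strncmp(a->sid, sid, SID_LEN) != 0) continue;
        if (a->type == ACE_DENY && (a->mask & (wanted & ~granted))) return 0;
        if (a->type == ACE_ALLOW) granted |= a->mask & wanted;
    }
    return granted == wanted;
}
```

The unix-permission sync problem the thread mentions is untouched here: this checks only the stored descriptor, so a mode change made outside Samba would still have to be reconciled separately.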
