ACL database

[Richard Sharpe]

At 08:05 PM 3/26/01 -0500, Jeremy Allison wrote:
>Jason Haar wrote:
>> 
>> Can someone comment on the difference between POSIX ACLs support and NT
>> ACLs? I mean, I'm hearing VERY LOUDLY here that emulating "full" NT ACLs
under
>> Samba will be VERY expensive and complex.
>
>POSIX ACLs are sane :-). NT ones aren't :-). It's 
>actually quite complex, I'm in the process of writing
>a white paper to explain how the mapping works and
>what it will and won't do.
>
>The main difference is that NT ACLs are order dependent,
>POSIX ones aren't.
>
>Under NT, an ACL of
>
>DENY jason (all)
>ALLOW everyone (all)
>
>is *completely* different from
>
>ALLOW everyone (all)
>DENY jason (all)

Hmmm, I think that VMS did this as well. However, I am too lazy to go
upstairs and pull out the VMS doco I have :-)

>Under POSIX they are the same, and mean what
>you'd expect (ie. user jason has no access,
>everyone else does). Under NT, the first ACL
>will be the same as the POSIX one, in the second
>one the DENY will be completely ignored.
> 
>> What is missed out on by using POSIX ACLs?
>
>POSIX ACLs only have rwx bits, not all the complex
>bits NT ACLs have. But very few people understand
>or use the complex bits in NT ACLs, so you won't
>be losing much.

This, too, reflects the VMS heritage in Windows NT, in my view :-)

>Jeremy.
>
>-- 
>--------------------------------------------------------
>Buying an operating system without source is like buying
>a self-assembly Space Shuttle with no instructions.
>--------------------------------------------------------
>

Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.ethereal.com)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba