Fine points of ACL conversion

Richard Sharpe rsharpe at
Thu Aug 1 07:49:02 GMT 2002

On Wed, 31 Jul 2002, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:

> > 1. If it encounters a DENY (negative) ACE that denies any of the bits 
> > requested, it denies access.
> Correct
> > 2. If it encounters ALLOW ACLs that allows any of the bits, 
> > but not all, 
> > it continues? Is this true. Does it accumulate permission 
> > bits until the 
> > requested bits are available and then stop? If a DENY appears 
> > after an ACE 
> > that allows some bits, but not all, presumably, it denies 
> > access. So order 
> > is very important. However, does it accumulate perms.
> It accumulates and continues as long as none of the request bits have been
> denied. If there are no more ACEs and the full set of request bits have not
> been allowed then permission is denied. If a previously allowed bit is
> denied in a later ACE it is still allowed. That is why ACE ordering is
> important.

Hmmmm, the MSDN article I looked at did not say that, but does not address 
that situation either. It kind of implies that any deny bit in the set 
requested causes a deny.

Is that your experience? Do you have a simple program that demonstrates 

Richard Sharpe, rsharpe at, rsharpe at, 
sharpe at

More information about the samba-technical mailing list