Fine points of ACL conversion

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt_zinkevicius at
Thu Aug 1 12:35:04 GMT 2002

From: Richard Sharpe [mailto:rsharpe at]
> Hmmmm, the MSDN article I looked at did not say that, but 
> does not address 
> that situation either. It kind of implies that any deny bit 
> in the set 
> requested causes a deny.

There used to be an MSDN article on "Computing Effective Rights" but my
bookmark seems to be dead now :-(

Microsoft has a "preferred ordering" of ACEs which tells you to always put
denied ACEs before allowed ACEs in an ACL. See the bottom half of
curity/order_of_aces_in_a_dacl.asp?frame=true. This is probably why they
don't mention this case, since it doesn't normally occur.

> Is that your experience? Do you have a simple program that 
> demonstrates 
> that?

We wrote several win32 test applications to test conformance. Also the NT
ACL <-> POSIX ACL code in samba that Jeremy wrote computes effective right
similarly, if I remember right.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions

More information about the samba-technical mailing list