Fine points of ACL conversion
ZINKEVICIUS,MATT (HP-Loveland,ex1)
matt_zinkevicius at hp.com
Thu Aug 1 12:35:04 GMT 2002
From: Richard Sharpe [mailto:rsharpe at ns.aus.com]
> Hmmmm, the MSDN article I looked at did not say that, but
> does not address
> that situation either. It kind of implies that any deny bit
> in the set
> requested causes a deny.
There used to be an MSDN article on "Computing Effective Rights" but my
bookmark seems to be dead now :-(
Microsoft has a "preferred ordering" of ACEs which tells you to always put
denied ACEs before allowed ACEs in an ACL. See the bottom half of
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/se
curity/order_of_aces_in_a_dacl.asp?frame=true. This is probably why they
don't mention this case, since it doesn't normally occur.
> Is that your experience? Do you have a simple program that
> demonstrates
> that?
We wrote several win32 test applications to test conformance. Also the NT
ACL <-> POSIX ACL code in samba that Jeremy wrote computes effective right
similarly, if I remember right.
Matt Zinkevicius
Software Engineer
Network Storage Array Solutions
Hewlett-Packard
More information about the samba-technical
mailing list