NO_PROPOGATE_INHERIT_ACE in nt acls
Georgina Russell
georgy at CSUA.Berkeley.EDU
Tue Jan 22 12:21:03 GMT 2002
Thanks.
I have another question ...
It seems that in the translation to Unix mode from NT perms, if any of
GENERIC READ, FILE_READ_DATA, FILE_READ_EA or FILE_READ_ATTRIBUTES are
set in the NT perms, the mode is set to S_IRUSR. Is that correct?
In the translation from Unix mode to NT perms, S_IRUSR becomes
UNIX_ACCESS_R, which is defined as FILE_GENERIC_READ, which is further
defined to be
(STANDARD_RIGHTS_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES|
FILE_READ_EA|SYNCHRONIZE_ACCESS).
It seems like this translation back and forth results in increased
permissions for the NT user in some cases. (e.g. user only has
FILE_READ_EA, becomes S_IRUSR, and then gets read access to attributes,
data, etc.) Am I misunderstanding something?
Thanks for your help.
-georgy
On Mon, 21 Jan 2002, Gerald Carter wrote:
> On Fri, 18 Jan 2002, Georgina Russell wrote:
>
> >
> > I've been reading through the source and I don't see the
> > NO_PROPOGATE_INHERIT_ACE flag being checked when unpacking security
> > descriptors. However, I do see a #define for it. Do you plan to support
> > this in the future? What is the reason for leaving this out?
>
> I'll leave this one to Jeremy....
>
> > Also, I'm having a hard time figuring out how SACL's are supported.
> > It doesn't seem like they are stored on disk. Is this correct?
>
> Yes. That is correct. We map the DACL to a POSIX ACL.
> IMO The correct solution would be to modify Samba's VFS to
> pass the security descriptor to the file system and let it
> throw it away (assuming it doesn't care about it).
>
>
> chau, jerry
> ---------------------------------------------------------------------
> Hewlett-Packard http://www.hp.com
> SAMBA Team http://www.samba.org
> -- http://www.plainjoe.org
> "Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
> --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
>