NO_PROPOGATE_INHERIT_ACE in nt acls

Georgina Russell georgy at CSUA.Berkeley.EDU
Tue Jan 22 12:21:03 GMT 2002 

Thanks.
I have some another question ...

It seems that in the translation to Unix mode from NT perms, if any of
GENERIC READ, FILE_READ_DATA, FILE_READ_EA or FILE_READ_ATTRIBUTES are
set in the NT perms, the mode is set to S_IRUSR.   Is that correct?

In the translation from Unix mode to NT perms, S_IRUSR becomes
UNIX_ACCESS_R, which is defined as FILE_GENERIC_READ , which is further
defined to be
(STANDARD_RIGHTS_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES|
FILE_READ_EA|SYNCHRONIZE_ACCESS).


It seems like this translation back and forth results in increased
permissions for the NT user in some cases.  (e.g. user only has
FILE_READ_EA, becomes S_IRUSR, and then gets read access to attributes,
data, etc.)  I am misunderstanding something?

Thanks for your help.
-georgy


On Mon, 21 Jan 2002, Gerald Carter wrote:

> On Fri, 18 Jan 2002, Georgina Russell wrote:
>
> >
> > I've been reading through the source and I don't see the
> > NO_PROPOGATE_INHERIT_ACE flag being checked when unpacking security
> > descriptors. However, I do see a #define for it.  Do you plan to support
> > this in the future?  What is the reason for leaving this out?
>
> I'll leave this one to Jeremy....
>
> > Also, I'm having a hard time figuring out how SACL's are supported.
> > It doesn't seem like they are stored on disk.  Is this correct?
>
> Yes.  That it correct.  We map the DACL to a POSIX ACL.
> IMO The correct solution would be to modify Samba's VFS to
> pass the security descriptor to the file system and let it
> through it away (assuming it doesn't care about it).
>
>
>
>
>
>
> chau, jerry
>  ---------------------------------------------------------------------
>  Hewlett-Packard                                     http://www.hp.com
>  SAMBA Team                                       http://www.samba.org
>  --                                            http://www.plainjoe.org
>  "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN 0-672-32269-2
>  --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
>

More information about the samba-technical mailing list