Posix Extended headers ...
tpot at samba.org
Mon Jul 15 14:54:12 GMT 2002
On Tue, Jul 16, 2002 at 04:30:06AM +0930, Richard Sharpe wrote:
> On Mon, 15 Jul 2002, Joerg Schilling wrote:
> [Added Samba-technical so that this discussion can be recorded]
Please speak slowly and clearly into the microphone.
> > >The SEC_DESC contains the Owner SID and the Primary Group SID of the Owner
> > >of the file, along with the ACL, which can contain both positive ACEs
> > >(allow) and negative ACEs (deny) as well as AUDIT and something else ACEs.
> > Mmm, Audit entries on Solaris are kept in the shadow passwd file.
> I think audit entries are similar to positive or negative ACEs, and simply
> mean that if the specified user/group requested the specified access,
> write a system log entry.
Yes. There's an ACE type called SEC_ACE_TYPE_SYSTEM_AUDIT which does
what you describe. Samba doesn't really support them but you could get
a pretty good idea of how they work and what they do by playing around
with a couple of NT/Win2k systems and Ethereal.
> > Having denial ACLs makes it a bit more complex, but if at least the basic
> > idea is the same as with POSIX, then it would be possible to add just two
> > additional ACL descriptors to the TAR header:
> > - Denial default entries (descending information starting from dirs)
> > - Denial access entries
> > These could just look (besides the label) the same as the existing entries.
> That is a neat idea. That would make it work. We would want to record
> user/group names as DOMAIN\name as well, and UID/GID does not necessarily
> make sense.
Storing a sid and rid would perhaps be a better way to do it as you may
not be able to resolve the username or domain due to network problems or
because the sid is a foreign sid from a non-trusted domain.
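
The SID-and-RID suggestion above, as an added example that is not part of the original thread and is not Samba or star code: it decodes a binary NT SID, splits it into domain SID and RID with no name lookup, and writes the result as one pax extended header record. The keyword EXAMPLE.acl.deny, the value layout and the function names are hypothetical, and the sample SID is constructed.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary NT SID into its S-R-A-S1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_rid(sid: str) -> tuple:
    """Return (domain SID, RID); the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError("SID has no sub-authority to use as a RID")
    return "-".join(parts[:-1]), int(parts[-1])

def pax_record(keyword: str, value: str) -> bytes:
    """Build one pax record '<len> <keyword>=<value>\\n'; len counts itself."""
    body = f" {keyword}={value}\n".encode("utf-8")
    total = prev = 0
    while True:
        # The decimal length field is part of the length it reports, so
        # iterate until adding its digits no longer changes the total.
        total = len(body) + len(str(prev))
        if total == prev:
            break
        prev = total
    return str(total).encode("ascii") + body

def deny_entry(raw_sid: bytes, perms: str) -> bytes:
    """Hypothetical denial entry keyed by domain SID and RID, not by name."""
    domain, rid = split_rid(parse_sid(raw_sid))
    return pax_record("EXAMPLE.acl.deny", f"user:{domain}:{rid}:{perms}")

# Constructed sample: revision 1, authority 5, five sub-authorities, RID 512.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 512)

if __name__ == "__main__":
    print(deny_entry(SAMPLE_SID, "-w-").decode(), end="")
```
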