Posix Extended headers ...

Joerg Schilling schilling at fokus.gmd.de
Tue Jul 16 06:27:54 GMT 2002


>From tpot at samba.org Mon Jul 15 23:51:30 2002

>> > >The SEC_DESC contains the Owner SID and the Primary Group SID of the Owner 
>> > >of the file, along with the ACL, which can contain both positive ACEs 
>> > >(allow) and negative ACEs (deny) as well as AUDIT and something else ACEs.
>> > 
>> > Mmm, Audit entries on Solaris are kept in the shadow passwd file.
>> 
>> I think audit entries are similar to positive or negative ACEs, and simply 
>> mean that if the specified user/group requested the specified access, 
>> write a system log entry.

>Yes.  There's an ACE type called SEC_ACE_TYPE_SYSTEM_AUDIT which does
>what you describe.  Samba doesn't really support them but you could get
>a pretty good idea of how they work and what they do by playing around
>with a couple of NT/Win2k systems and ethereal.

I don't have an NT/Win2k system available for direct use. For this reason, I 
also did not yet implement ioctl-based SCSI transport into libscg :-(

>> > Having denial ACLs makes it a bit more complex, but if at least the basic
>> > idea is the same as with POSIX, then it would be possible to add just two 
>> > additional ACL descriptors to the TAR header:
>> > 
>> > -	Denial default entries (descending information starting from dirs)
>> > 
>> > -	Denial access entries
>> > 
>> > These could just look (besides the label) the same as the existing entries.
>> 
>> That is a neat idea. That would make it work. We would want to record 
>> user/group names as DOMAIN\name as well, and UID/GID does not necessarily 
>> make sense.

>Storing a sid and rid would perhaps be a better way to do it as you may
>not be able to resolve the username or domain due to network problems or
>that the sid is a foreign sid from a non-trusted domain.

Could you explain what sid/rid is please?

Jörg

 EMail:joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js at cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
       schilling at fokus.gmd.de		(work) chars I am J"org Schilling
 URL:  http://www.fokus.gmd.de/usr/schilling   ftp://ftp.fokus.gmd.de/pub/unix
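
Added example, not part of the original message and not code from Samba or star: one way the SID-plus-RID suggestion quoted above could be carried in a pax extended header record, whose length prefix counts its own digits. It assumes the standard Windows binary SID layout; the keyword `EXAMPLE.acl.deny` and the sample SID are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from the thread): S-1-5-21-1-2-3-1000 in wire form.
 * Layout: revision, sub-authority count, 6-byte authority, then sub-authorities. */
static const uint8_t sample_sid[] = {
    1, 5, 0, 0, 0, 0, 0, 5,  21, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0,
    0xe8, 0x03, 0, 0 };   /* last sub-authority (little-endian) is the RID, 1000 */

/* Binary SID -> "S-rev-auth-sub1-...-subN"; *rid receives the last sub-authority.
 * Returns 0, or -1 on truncated/malformed input or a too-small output buffer. */
int sid_to_string(const uint8_t *b, size_t len, char *out, size_t outlen, uint32_t *rid)
{
    if (len < 8 || b[1] == 0 || b[1] > 15 || len < 8 + 4 * (size_t)b[1])
        return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++)        /* 48-bit authority, big-endian */
        auth = (auth << 8) | b[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)b[0], (unsigned long long)auth);
    for (unsigned i = 0; i < b[1]; i++) {   /* 32-bit sub-authorities, little-endian */
        const uint8_t *p = b + 8 + 4 * i;
        if (n < 0 || (size_t)n >= outlen) return -1;
        *rid = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n += snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)*rid);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* pax record "LEN key=value\n"; LEN counts the whole record, its own digits included. */
int pax_record(const char *key, const char *val, char *out, size_t outlen)
{
    size_t body = strlen(key) + strlen(val) + 3;   /* ' ', '=', '\n' */
    size_t total = body + 1, prev = 0;
    while (total != prev) {            /* repeat until the digit count is stable */
        prev = total;
        total = body + (size_t)snprintf(NULL, 0, "%zu", prev);
    }
    if (total + 1 > outlen) return -1;
    snprintf(out, outlen, "%zu %s=%s\n", total, key, val);
    return (int)total;
}

int main(void)
{
    char sid[192], rec[256];
    uint32_t rid = 0;
    if (sid_to_string(sample_sid, sizeof sample_sid, sid, sizeof sid, &rid) == 0 &&
        pax_record("EXAMPLE.acl.deny", sid, rec, sizeof rec) > 0)   /* hypothetical keyword */
        printf("RID %u\n%s", (unsigned)rid, rec);
    return 0;
}
```

Storing the SID in this textual form keeps the entry restorable even when the name behind it cannot be resolved at archive time.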



