Fine points of ACL conversion

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt_zinkevicius at
Wed Jul 31 12:06:01 GMT 2002

> 1. If it encounters a DENY (negative) ACE that denies any of the bits 
> requested, it denies access.


> 2. If it encounters ALLOW ACLs that allows any of the bits, 
> but not all, 
> it continues? Is this true. Does it accumulate permission 
> bits until the 
> requested bits are available and then stop? If a DENY appears 
> after an ACE 
> that allows some bits, but not all, presumably, it denies 
> access. So order 
> is very important. However, does it accumulate perms.

It accumulates and continues as long as none of the request bits have been
denied. If there are no more ACEs and the full set of request bits have not
been allowed then permission is denied. If a previously allowed bit is
denied in a later ACE it is still allowed. That is why ACE ordering is

See my patch that I posted a couple months back where I implemented full NT
security semantics for samba 2.2.3a. This implements NT ACL inheritance as
well, which is where it can get really scary.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions

More information about the samba-technical mailing list