Playing games with reported permissions - securing mandetory profiles

Andrew Bartlett abartlet at
Wed Nov 27 09:17:00 GMT 2002

After talking to jht today, I've finally got a *much* better
understanding about how mandatory profiles really work...

Because WinNT uses the NT ACLs on the profile in creating the local
mirror, the users and groups that use the profile must have *write*
access to the profile.  Or at least they must appear to!

I need to try this out, and see if I'm missing something here, but I'm
thinking that we should be able to write a pretty simple VFS module,
that fakes up the ACLs, replacing say 'admin' with 'target group' as
read by the client.  This should make Win2k set the local profile
permissions 'correctly', while not allowing users to put porn on a
college-wide desktop...

How does this sound?  Am I at least slightly close to the mark?

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list