Playing games with reported permissions - securing mandetory
abartlet at samba.org
Wed Nov 27 09:17:00 GMT 2002
After talking to jht today, I've finally got a *much* better
understanding about how mandatory profiles really work...
Because WinNT uses the NT ACLs on the profile in creating the local
mirror, the users and groups that use the profile must have *write*
access to the profile. Or at least they must appear to!
I need to try this out, and see if I'm missing something here, but I'm
thinking that we should be able to write a pretty simple VFS module,
that fakes up the ACLs, replacing say 'admin' with 'target group' as
read by the client. This should make Win2k set the local profile
permissions 'correctly', while not allowing users to put porn on a
How does this sound? Am I at least slightly close to the mark?
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021127/39bfb67a/attachment.bin
More information about the samba-technical