Playing games with reported permissions - securing mandetory profiles

[Andrew Bartlett]

After talking to jht today, I've finally got a *much* better
understanding about how mandatory profiles really work...

Because WinNT uses the NT ACLs on the profile in creating the local
mirror, the users and groups that use the profile must have *write*
access to the profile.  Or at least they must appear to!

I need to try this out, and see if I'm missing something here, but I'm
thinking that we should be able to write a pretty simple VFS module,
that fakes up the ACLs, replacing say 'admin' with 'target group' as
read by the client.  This should make Win2k set the local profile
permissions 'correctly', while not allowing users to put porn on a
college-wide desktop...

How does this sound?  Am I at least slightly close to the mark?

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021127/39bfb67a/attachment.bin