NFSv4 ACL mapping and unintentional deny

Steven French sfrench at us.ibm.com
Wed Feb 22 00:21:56 GMT 2006

Bruce,
> The most useful thing for me right now would be to understand what the
> NFSv4/CIFS differences really are

I find the links below helpful and they seem accurate based on my
experience - but the experts in this area are some others on the Samba
team such as Jeremy Allison and Jim McDonough.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_mask_format.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control_lists.asp


In
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/how_dacls_control_access_to_an_object.asp)
it claims:
"The system examines each ACE in sequence until one of the following events
occurs:
      An access-denied ACE explicitly denies any of the requested access
      rights to one of the trustees listed in the thread's access token.
      One or more access-allowed ACEs for trustees listed in the thread's
      access token explicitly grant all the requested access rights.
      All ACEs have been checked and there is still at least one requested
      access right that has not been explicitly allowed, in which case,
      access is implicitly denied."


which seems correct. Also note an interesting recent paper that I just
spotted explaining some of the Windows model and the common mistakes
applications make (some of these considerations could apply to
non-Windows):
      http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
AFAIK no compat issues apply to the Princeton article or the related Felten
blog but I found the analyses interesting.



Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
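The ACE walk in the MSDN text quoted above, written out as a small Python
model so the ordering effects can be tried on concrete ACLs. This is an
added illustration, not code from this message, from Samba or from
Windows. It follows the three stopping rules of the quote literally (a
deny ACE that covers any of the requested rights ends the walk), and sets
beside it the NFSv4 walk from RFC 3530 section 5.11.2, in which a bit
already ALLOWED by an earlier ACE is no longer considered by later DENY
ACEs; the RFC rule is not in the message. Two further points are
assumptions of the model, not from the quote: a NULL DACL grants
everything while an empty DACL grants nothing, and bits still undecided
at the end of an NFSv4 ACL are treated as denied. The mask bits, the
trustee names and the ACLs are constructed for the example.

```python
"""Ordered-ACL evaluation: the Windows DACL walk as the quoted MSDN text
describes it, beside the NFSv4 walk from RFC 3530, to show where a mapped
ACL can deny when the original did not.  Added illustration, not Samba,
Windows or kernel code."""
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple

# Illustrative access-mask bits (not the real ACCESS_MASK / ACE4_* layouts).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Ace:
    kind: str   # ALLOW or DENY
    who: str    # trustee SID (Windows) or "who" (NFSv4); constructed names below
    mask: int


def mask_names(mask: int) -> str:
    """Render a mask as READ|WRITE|EXECUTE for the decision strings."""
    names = [n for n, b in (("READ", READ), ("WRITE", WRITE), ("EXECUTE", EXECUTE)) if mask & b]
    return "|".join(names) or "0"


def _walk(acl: Sequence[Ace], principals: Set[str], requested: int,
          deny_ignores_granted: bool) -> Tuple[bool, str]:
    """Shared in-order walk; returns (allowed, reason for the decision).

    deny_ignores_granted=False: a DENY ACE covering any *requested* right is
    fatal, the literal reading of the quoted MSDN rule.
    deny_ignores_granted=True: RFC 3530 5.11.2, where a bit already ALLOWED
    by an earlier ACE is no longer considered, so a DENY is fatal only for
    requested bits still unALLOWED.
    """
    remaining = requested
    for i, ace in enumerate(acl):
        if ace.who not in principals:
            continue                      # ACE is for a trustee not in the token
        if ace.kind == DENY:
            checked = remaining if deny_ignores_granted else requested
            if ace.mask & checked:
                return False, f"denied by ACE {i} ({ace.who} deny {mask_names(ace.mask)})"
        elif ace.kind == ALLOW:
            remaining &= ~ace.mask        # accumulate explicitly granted rights
            if remaining == 0:
                return True, f"all rights granted by ACE {i}"
    # End of list with rights still ungranted: implicit deny (quoted MSDN rule);
    # for NFSv4 this is a modelling choice made here, not taken from the RFC.
    return False, f"implicit deny, ungranted: {mask_names(remaining)}"


def windows_dacl_check(dacl: Optional[Sequence[Ace]], token: Set[str],
                       requested: int) -> Tuple[bool, str]:
    """DACL walk per the quoted MSDN rules.  NULL DACL grants everything and
    an empty DACL grants nothing (assumed Windows semantics, not in the quote)."""
    if dacl is None:
        return True, "NULL DACL: unrestricted"
    return _walk(dacl, token, requested, deny_ignores_granted=False)


def nfsv4_acl_check(acl: Sequence[Ace], principals: Set[str],
                    requested: int) -> Tuple[bool, str]:
    """NFSv4 ACL walk per RFC 3530 section 5.11.2 (see _walk for the difference)."""
    return _walk(acl, principals, requested, deny_ignores_granted=True)


# Constructed principals: alice is a member of the groups "staff" and "guests".
ALICE = {"alice", "staff", "guests"}

# Canonical order (denies first): a deny on a group alice belongs to is hit
# before the ACE that explicitly allows her, the classic unintentional deny.
CANONICAL = [Ace(DENY, "guests", WRITE), Ace(ALLOW, "alice", READ | WRITE)]

# Non-canonical order: an allow before a deny for the same trustee.  The two
# models agree on READ alone but differ on READ|WRITE.
NON_CANONICAL = [Ace(ALLOW, "alice", READ), Ace(DENY, "alice", READ), Ace(ALLOW, "alice", WRITE)]

# Over-requesting: asking for EXECUTE that no ACE grants denies the whole open.
READ_ONLY = [Ace(ALLOW, "alice", READ)]


if __name__ == "__main__":
    for label, acl, req in [("canonical", CANONICAL, READ | WRITE),
                            ("canonical", CANONICAL, READ),
                            ("non-canon", NON_CANONICAL, READ),
                            ("non-canon", NON_CANONICAL, READ | WRITE),
                            ("read-only", READ_ONLY, READ | EXECUTE)]:
        w = windows_dacl_check(acl, ALICE, req)
        n = nfsv4_acl_check(acl, ALICE, req)
        print(f"{label:10} request {mask_names(req):12} windows={w}  nfsv4={n}")
    print("NULL DACL:", windows_dacl_check(None, ALICE, READ))
    print("empty DACL:", windows_dacl_check([], ALICE, READ))
```

The reason string names the ACE that decided the outcome, which is the
first thing to look at when a mapped ACL denies unexpectedly: a group deny
sitting ahead of a user allow, a request for more rights than any ACE
grants, or an empty list that denies everyone. The one case where the two
walks disagree in the example (an allow followed by a deny for the same
trustee, with a request for READ|WRITE) is exactly the kind of ordering
that is legal in both formats but evaluates differently.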