ACL misunderstanding in smbcacls?

Peter Somogyi psomogyi at gamax.hu
Wed May 17 11:33:12 GMT 2006


Some more questions (sorry, I forgot to cc my previous mail to samba-tech; it's now
below):

1. Why is it necessary to query the old security descriptor in
utils/smbcacls.c : owner_set?

2. Why is (SEC_DESC)old.revision and (SEC_DESC)old.type significant? I mean 
why can't we use constant values instead of querying old ones?
Is there any explanation for these fields?

Thanks for your answer in advance.

Peter Somogyi

On Wednesday 17 May 2006 10:25, Peter Somogyi wrote:
> Hi Jeremy,
>
> I'm hacking NFS4 acls under AIX/JFS2 now, and maybe I will have to extend
> its functionality by making parallel the chown-logic. (I'm using smbcacls
> for testing.)
> My problem is:
>
> enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP};
>
> but REQUEST_CHOWN and REQUEST_CHGRP should be flags (SMB protocol lets you
> request changing owner, group and dacls in _one_ request).
>
> What confused me a little is your comment after "ifdef 0" (see
> below).
>
> Do you agree that this comment is obsoleted by making REQUEST_CHOWN and
> REQUEST_CHGRP as flags? (making one function instead of cacl_set +
> owner_set, using WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS flags _only_ when
> needed)
>
> utils/smbcacls.c:cacl_set:
>
>         /* Denied ACE entries must come before allowed ones */
>         sort_acl(old->dacl);
>
>         /* Create new security descriptor and set it */
> #if 0
>         /* We used to just have "WRITE_DAC_ACCESS" without WRITE_OWNER.
>            But if we're sending an owner, even if it's the same as the one
>            that already exists then W2K3 insists we open with WRITE_OWNER access.
>            I need to check that setting a SD with no owner set works against WNT
>            and W2K. JRA.
>         */
>
>         sd = make_sec_desc(ctx,old->revision, old->type, old->owner_sid, old->grp_sid,
>                            NULL, old->dacl, &sd_size);
>
>         fnum = cli_nt_create(cli, filename, WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS);
> #else
>         sd = make_sec_desc(ctx,old->revision, old->type, NULL, NULL,
>                            NULL, old->dacl, &sd_size);
>
>         fnum = cli_nt_create(cli, filename, WRITE_DAC_ACCESS);
> #endif
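
The flag-based idea raised in the quoted message, sketched as an added example (not part of the original post and not Samba's code): the request is a bitmask, and the open asks for WRITE_OWNER_ACCESS or WRITE_DAC_ACCESS only for the parts of the descriptor actually being sent. The names REQUEST_DACL, struct sd_plan and plan_sd_update are hypothetical, and the mapping of owner/group changes to WRITE_OWNER and DACL changes to WRITE_DAC is the assumed Windows rule.

```c
#include <stdint.h>
#include <stdio.h>

/* NT access-mask bits, named as in the quoted Samba code. */
#define WRITE_DAC_ACCESS   0x00040000u
#define WRITE_OWNER_ACCESS 0x00080000u

/* Hypothetical flags replacing enum chown_mode, so one request can combine them. */
#define REQUEST_NONE  0x0u
#define REQUEST_CHOWN 0x1u
#define REQUEST_CHGRP 0x2u
#define REQUEST_DACL  0x4u  /* assumed name for "set the DACL" */

/* What to put in the descriptor and which rights to open the file with. */
struct sd_plan {
    uint32_t desired_access; /* mask for the open call */
    int send_owner;          /* 0 means pass NULL for the owner SID */
    int send_group;          /* 0 means pass NULL for the group SID */
    int send_dacl;           /* 0 means pass NULL for the DACL */
};

/* Assumption: owner and group changes need WRITE_OWNER, DACL changes need WRITE_DAC. */
static struct sd_plan plan_sd_update(unsigned int request)
{
    struct sd_plan p = {0, 0, 0, 0};

    if (request & REQUEST_CHOWN) {
        p.send_owner = 1;
        p.desired_access |= WRITE_OWNER_ACCESS;
    }
    if (request & REQUEST_CHGRP) {
        p.send_group = 1;
        p.desired_access |= WRITE_OWNER_ACCESS;
    }
    if (request & REQUEST_DACL) {
        p.send_dacl = 1;
        p.desired_access |= WRITE_DAC_ACCESS;
    }
    return p;
}

int main(void)
{
    struct sd_plan p = plan_sd_update(REQUEST_CHOWN | REQUEST_DACL);
    printf("access=0x%08x owner=%d group=%d dacl=%d\n",
           (unsigned)p.desired_access, p.send_owner, p.send_group, p.send_dacl);
    return 0;
}
```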


More information about the samba-technical mailing list