idra at samba.org
Wed Nov 22 14:40:33 GMT 2006
On Wed, 2006-11-22 at 15:20 +0100, Volker Lendecke wrote:
> On Wed, Nov 22, 2006 at 09:11:07AM -0500, simo wrote:
> > uhmm a set of deny aces first (invalid users) and then a set of allow
> > aces (valid users), is what comes to mind.
> Sure, that's one approach. But then you also have "hosts
> allow". How do you represent that as a security descriptor?
I see no reason to represent that as a security descriptor, it makes
perfect sense to keep host access separated.
> > I know that some configuration of ACLs where deny entries are after some
> > allow ones would not match, but nobody does that afaik, and we can probably
> > just limit it and document it.
> I'd like to see a concrete proposal first :-)
> With ACLs there have been *many* attempts to sanitize them,
> and so far not many have produced usable results :-)
I know :)
> > I think my main concern is about ACLs right now, we can probably keep
> > everything else more or less the same, but I'd like to take the chance
> > to cleanup stuff as we go if possible.
> Again: Feel free.
> I will concentrate on the smb.conf mechanics first, if we
> later on dump the 'valid users' in exchange for something
> better, this is independent of it I think.
Ok, fair enough, I think that if we can agree we can change something,
this is all we need to go on right now.
Samba Team GPL Compliance Officer
email: idra at samba.org
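
Added example, not part of the original message and not Samba code: a sketch of the mapping discussed in the thread, with deny ACEs for "invalid users" placed before allow ACEs for "valid users", and of why an ACL with a deny entry after an allow entry has no equivalent in those two lists. The `CONNECT` bit, the `Ace` type, all function names and the sample users are assumptions made for the illustration; trustees are plain names rather than SIDs.

```python
from typing import NamedTuple

CONNECT = 0x1          # constructed access bit: "may connect to the share"
EVERYONE = "Everyone"

class Ace(NamedTuple):
    kind: str          # "deny" or "allow"
    trustee: str       # user or group name (a real descriptor holds SIDs)
    mask: int

def users_to_aces(valid_users, invalid_users):
    """Deny ACEs for 'invalid users' first, then allow ACEs for 'valid users'."""
    aces = [Ace("deny", name, CONNECT) for name in invalid_users]
    # smb.conf: an empty 'valid users' list means any user may log in.
    allowed = list(valid_users) or [EVERYONE]
    aces += [Ace("allow", name, CONNECT) for name in allowed]
    return aces

def access_check(aces, token, desired=CONNECT):
    """Ordered evaluation: the first ACE that decides a requested bit wins."""
    principals = set(token) | {EVERYONE}
    remaining = desired
    for ace in aces:
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False       # no ACE granted the remaining bits

def smbconf_check(valid_users, invalid_users, token):
    """Reference semantics: 'invalid users' always wins over 'valid users'."""
    principals = set(token)
    if principals & set(invalid_users):
        return False
    return not valid_users or bool(principals & set(valid_users))

def is_canonical(aces):
    """True when no deny ACE follows an allow ACE (the restricted form)."""
    kinds = [ace.kind for ace in aces]
    first_allow = kinds.index("allow") if "allow" in kinds else len(kinds)
    return "deny" not in kinds[first_allow:]

# Constructed sample: mallory is a member of staff but listed as invalid.
VALID, INVALID = ["staff"], ["mallory"]
MALLORY = ("mallory", "staff")
```

With the deny-first list, `access_check` and `smbconf_check` agree for every token; reversing the list lets `MALLORY` through on the allow ACE, which is the kind of ordering `is_canonical` would reject when converting a descriptor back to the two user lists.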