Evaluating Windows Security Descriptors.

Christopher R. Hertel crh at ubiqx.mn.org
Tue Dec 18 23:06:35 GMT 2007 

Volker,

Thanks!

No I'm not tied to S4--quite the contrary.  I was hoping there was Samba4
code that could be used as a reference for writing a Samba3 VFS module that
could enforce Windows ACLs.  Looking for sec_access_check() in both S3 and
S4 I see that there are variations in both trees.  Cool.

Here's my basic setup:  I am working on top of a file system that can store
Windows Security Descriptors, including all of the ACL information.  (No,
it's not a Linux NTFS implementation but it's close enough.)  It also stores
Posix UIDs & GIDs but the goal is to access and enforce the Windows
semantics via CIFS.  We'll probably wind up writing an opaque VFS module to
get this done right.

The file system is available via all of the standard system calls (it's
implemented as a Linux VFS) but there are also a set of functions exposed
via ioctl() and fcntl(), and a library for using those functions to set and
get file system specific information.

So it seems all of the pieces are there.  I don't know how much massaging is
done to the from-the-wire data before the VFS layer gets it but I assume
your changes to create_file() are intended to avoid Posix/Windows semantic
conversion issues.

I'm interested in anything else you can tell me.

Thanks again.

Chris -)-----

Volker Lendecke wrote:
> On Tue, Dec 18, 2007 at 01:33:36PM -0600, Christopher R. Hertel wrote:
>> So...  Let's say I've got a file system that can store (one way or 'nother)
>> Windows style Security Descriptors with all of the CACLs and DACLs and SIDs
>> and such-like.
>>
>> Having that information isn't very useful unless I can enforce Windows-style
>> access controls (through a custom VFS layer).  My question:  Is there code
>> in Samba4 that can interpret (and, therefore, enforce) Windows access controls?
> 
> sec_access_check()? BTW, the changes I recently made to S3
> (create_file()) are also driven by efforts to put exactly
> what you want into S3.
> 
>> This all goes back to a question I asked several months ago about building a
>> VFS layer that could store, access, and interpret Windows ACLs.
> 
> Well, GET_NT_ACL and SET_NT_ACL are the operations in the S3
> VFS that are exactly made to do what you want. Or are you
> tied to S4? There you have the RAW_FILEINFO_SEC_DESC
> sub-calls of smb_fileinfo and smb_setfileinfo.
> 
> Volker

-- 
"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org

More information about the samba-technical mailing list