Evaluating Windows Security Descriptors.

Christopher R. Hertel crh at ubiqx.mn.org
Wed Dec 19 19:22:13 GMT 2007 

Volker Lendecke wrote:
> On Tue, Dec 18, 2007 at 05:06:35PM -0600, Christopher R. Hertel wrote:
>> No I'm not tied to S4--quite the contrary.  I was hoping there was Samba4
>> code that could be used as a reference for writing a Samba3 VFS module that
>> could enforce Windows ACLs.  Looking for sec_access_check() in both S3 and
>> S4 I see that there are variations in both trees.  Cool.
>>
>> Here's my basic setup:  I am working on top of a file system that can store
>> Windows Security Descriptors, including all of the ACL information.  (No,
>> it's not a Linux NTFS implementation but it's close enough.)  It also stores
>> Posix UIDs & GIDs but the goal is to access and enforce the Windows
>> semantics via CIFS.  We'll probably wind up writing an opaque VFS module to
>> get this done right.
> 
> Why don't you put a CreateFile call into the kernel then?

There are two functions built into the file system (within the kernel) that
perform Create operations.  I need to defer to one of the developers for
details.

The FS does keep track of both Posix and Windows security information.  The
preference is to apply Posix semantics in Posix environments (NFS, local
users, stuff like that) and Windows semantics in Windows environments.  CIFS
counts as a Windows environment.

> This is the only place that can reliably do that. You will
> have to have a set_nt_token call as well that tells the
> kernel about the windows style token to use for access
> checks, but I would *strongly* recommend to do that in the
> kernel if you mess with it anyway.

So...  the thing is that Linux doesn't need to know about the Windows
semantics.  That's why they'd like to put enforcement into Samba (in a VFS
module).  That will maintain Windows semantics via CIFS over the wire, but
not impact native Linux access.

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org

More information about the samba-technical mailing list