Evaluating Windows Security Descriptors.

Christopher R. Hertel crh at ubiqx.mn.org
Wed Dec 19 20:09:16 GMT 2007


Regarding the race condition:  Yep, we see the problem.  It has to do with
the need for atomic operations in order to prevent security holes opening up.

Thankfully, AJ tells me that the checks *can* be done in kernel space,
though that will mean writing more code in order to access the correct set
of kernel functions.

This is going to be interesting.  :)

Chris -)-----

AJ Lewis wrote:
> Hey all,
> 
> I'm working with Chris on this at Quantum.
> 
> On Wed, Dec 19, 2007 at 08:35:52PM +0100, Volker Lendecke wrote:
>> On Wed, Dec 19, 2007 at 01:22:13PM -0600, Christopher R. Hertel wrote:
>>> The FS does keep track of both Posix and Windows security information.  The
>>> preference is to apply Posix semantics in Posix environments (NFS, local
>>> users, stuff like that) and Windows semantics in Windows environments.  CIFS
>>> counts as a Windows environment.
>> Others have been there and failed. This is a broken design
>> that your customers will be *very* unhappy with, I've seen
>> that myself. Your complete interoperability story falls to
>> pieces when you tell them that the semantics depends upon
>> what subsystem come from. Look at for example the posix
>> subsystem in Win32. You could not access critical system
>> resources (i.e. the network...) while being trapped in
>> there.
> 
> Are there filesystems that do windows security in a Posix environment?
> I know that the Posix and Windows security don't map well on each other,
> so what is the solution?  Is there a good one?  In this case, we're
> thinking that preserving the system's semantics is the lesser of two
> evils (the other one being trying to map from one to the other on the
> fly) but maybe there's another option that I don't know about.
>  
>> Probably you might be better off going with OpenSolaris and
>> their in-kernel CIFS server.
>>
>> Volker
>>
>> P.S: I know I'm being cynical, but this distinction is a fully
>> and 100% broken idea.
> 
> Thanks,

-- 
"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org

