Evaluating Windows Security Descriptors.

Christopher R. Hertel crh at ubiqx.mn.org
Wed Dec 19 20:18:42 GMT 2007


Volker Lendecke wrote:
> On Wed, Dec 19, 2007 at 01:56:52PM -0600, Christopher R. Hertel wrote:
>> A slightly (only slightly) less cynical version of the same response came to
>> my mind when I first learned that they were doing things this way.  As it
>> turns out, they've been doing this for a while and (much to my surprise) it
>> has worked for them.
> 
> ... until someone goes in and audits what they are doing
> properly.

If the Linux side is only ever using Posix semantics (true until now) then
there is no exposure.  Everything happens in the normal posixy-way in the
kernel.

Things get hairy when (as we are now trying to do) an attempt is made to
expose the Windows semantics via the Linux system through Samba.  Fun, eh?

Thing is, the system has both Windows and Linux/Posix semantics because it
is a distributed file system that runs on both Windows and Linux.  You can
mount the same file system on both platforms.  Atomicity of operations,
locking, meta data management, etc. are all handled within the system
kernels, in conjunction with the meta data server.

>> The complex mapping schemes that try to translate Windows to Posix to
>> Windows also have major pain points.  I'm not defending the decision here,
>> it's just empirical--that's what they're doing and have been for a while.
> 
> Well, what's Samba all about? Mapping Windows to Posix. But
> there are certain barriers that you just can NOT cross.

Learning...  Once you explained the problem it was fairly clear.

The problem that they're trying to solve here is the loss of information
when meta data is translated from Windows to Posix and back again.  The
Windows meta data is available within the kernel, so it's a question of
figuring out how best to use it to create the desired results.

I see code that does similar work in Samba 4.  It just stores the
information in EAs rather than a semi-native format.

Thanks again.

Chris -)-----

--
"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org

