Evaluating Windows Security Descriptors.
Christopher R. Hertel
crh at ubiqx.mn.org
Fri Jan 4 17:30:29 GMT 2008
Thanks. That helps.
What still confuses me, however, is how the information is actually used.
Is it simply another path (accessed via the Windows GUI, I assume) between
CIFS semantics and the stored POSIX semantics?
There's code (I think you or Jeremy aimed me in the right direction) to
evaluate the ACEs. Is that really only used to determine which files are
Volker Lendecke wrote:
> On Thu, Jan 03, 2008 at 04:14:36PM -0600, Christopher R. Hertel wrote:
>> Okay, so I hate to bring this thread back to life but, if we put aside the
>> question of where enforcement takes place...
>> I see in the Samba3 VFS code that there are two GET and two SET operations
>> for NT ACLs. Are these simply there to accommodate get and set calls via
>> SMB? If NT ACLs are available to Samba at the VFS layer, how are they used?
> SMB_VFS_[F][GS]ET_NT_ACL are to access the security
> descriptors. They are pretty much equivalents of the nttrans
> query/set security descriptor calls. By default they pass
> back into posix_acls.c which itself then calls back into the
> VFS for the posix-style ACL_GET_FILE & friends. So if you
> file system has NT ACLs then just hook into the NT_ACL vfs
> calls, and just never call posix_acls.c.
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical