Evaluating Windows Security Descriptors.
Christopher R. Hertel
crh at ubiqx.mn.org
Thu Jan 10 18:37:34 GMT 2008
Volker Lendecke wrote:
> SMB_VFS_[F][GS]ET_NT_ACL are to access the security
> descriptors. They are pretty much equivalents of the nttrans
> query/set security descriptor calls. By default they pass
> back into posix_acls.c which itself then calls back into the
> VFS for the posix-style ACL_GET_FILE & friends. So if your
> file system has NT ACLs then just hook into the NT_ACL vfs
> calls, and just never call posix_acls.c.
Okay, this is making more sense to me now. I was probably making it too
complicated in my head.
> Why don't you put a CreateFile call into the kernel then?
> This is the only place that can reliably do that. You will
> have to have a set_nt_token call as well that tells the
> kernel about the windows style token to use for access
> checks, but I would *strongly* recommend to do that in the
> kernel if you mess with it anyway.
I think we perhaps got sidetracked here by the question of separate
Posix/Windows semantics (though the dire warnings are still greatly
appreciated). I'm avoiding that question myself; the folks with whom I'm
working understand the issues involved much better than I currently do.
...but, I've been digging and don't see a set_nt_token call anywhere. I've
gone through the kernel code and the Samba3 code, but I'm not sure where I
should be looking. Clues would be most welcome.
The note above suggests that the Linux kernel has some understanding of
Windows style meta data. Is that the case or are you referring to the file
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
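
The thread turns on handing a Windows-style token to whatever layer performs the access check. As an added illustration (not code from this thread, Samba, or the Linux kernel), the sketch below walks a DACL in order against a token's SID list, which is why the decision depends on the whole token rather than a single uid. The struct names, `access_check`, and the SID strings are assumptions made for the example; owner implicit rights, privileges, inheritance and generic-right mapping are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model for illustration; all SIDs below are constructed. */
enum ace_type { ACE_ALLOWED, ACE_DENIED };
struct ace { enum ace_type type; const char *sid; uint32_t mask; };
struct dacl { size_t count; const struct ace *aces; };
struct nt_token { size_t count; const char *const *sids; }; /* user + group SIDs */
#define FILE_READ_DATA  0x0001u
#define FILE_WRITE_DATA 0x0002u

static int token_has_sid(const struct nt_token *t, const char *sid)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return 1;
    return 0;
}

/* Returns 1 only if every bit in `desired` is granted. dacl == NULL models
 * "no DACL present" (grants all); a DACL with zero ACEs grants nothing. */
int access_check(const struct dacl *dacl, const struct nt_token *tok, uint32_t desired)
{
    uint32_t remaining = desired;
    if (dacl == NULL) return 1;
    for (size_t i = 0; i < dacl->count && remaining; i++) {
        const struct ace *a = &dacl->aces[i];
        if (!token_has_sid(tok, a->sid))
            continue;                      /* ACE names a SID not in the token */
        if (a->type == ACE_DENIED && (a->mask & remaining))
            return 0;                      /* deny on a right not yet granted */
        if (a->type == ACE_ALLOWED)
            remaining &= ~a->mask;         /* these rights are now granted */
    }
    return remaining == 0;
}
/* Constructed sample: a deny ACE for a group ahead of an allow ACE for the user. */
static const struct ace sample_aces[] = {
    { ACE_DENIED,  "S-1-5-21-1-2-3-1105", FILE_WRITE_DATA },
    { ACE_ALLOWED, "S-1-5-21-1-2-3-1001", FILE_READ_DATA | FILE_WRITE_DATA },
};
static const struct dacl sample_dacl = { 2, sample_aces };
static const char *const sids[] = { "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1105" };
static const struct nt_token tok_plain   = { 1, sids };  /* user SID only */
static const struct nt_token tok_grouped = { 2, sids };  /* user + denied group */

int main(void)
{
    printf("grouped write=%d\n", access_check(&sample_dacl, &tok_grouped, FILE_WRITE_DATA));
    return 0;
}
```

The same user SID is granted write with `tok_plain` and refused with `tok_grouped`, because the group's deny ACE is reached before the user's allow ACE.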