ACL implementation first draft

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Tue Apr 7 09:40:17 GMT 2009


> Hi Volker,
> Indeed it is a Microsoft function, and the Microsoft
> function does contain an additional argument - see MS-DTYP 2.5.2.1 
> (The very bottom of page 61). This additional argument is needed for 
> object-specific access checks, and the file system or registry 
> security manager does not need it, but it is absolutely necessary for 
> AD security. I decided to introduce it to avoid code duplication, but
> if you have worries, we can just write a separate function for LDAP 
> checks. It seems kind of redundant, though - the function just ignores 
> object specific stuff if this argument is null. It may be possible to 
> implement this in a better way - suggestions are appreciated!
> 
> Regards,
> Nadezhda Ivanova
> 
> 
> 
> ----- Original Message -----
> From: Volker Lendecke <Volker.Lendecke at SerNet.DE>
> To: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
> Cc: samba-technical at samba.org <samba-technical at samba.org>
> Sent: 07 April 2009 12:23:20 o'clock GMT+0200 Europe;Athens
> Subject: Re: ACL implementation first draft
> 
> > On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
> > > I uploaded our work on ACL implementation at:
> > > git://repo.or.cz/Samba/aatanasov.git
> > > branch: master-acl
> > >
> > > It is based on WSPP documentation and it follows the algorithms
> > > described there directly.
> > > The code isn't working, but contains almost all the functionality
> > > required for this task.
> > > There are a couple of test cases already added, which run against
> > > Windows 2003.
> > > What we didn't implement yet is:
> > > * rename
> > > * delete tree
> > > * some special cases of nTSecurityDescriptor
> > >
> > > In the following days to SambaXP we plan to focus on:
> > > * your feedback
> > > * adding test cases
> > > * testing the code
> >
> > Quick and probably stupid question: Is it really necessary
> > to add another argument to se_access_check? I would think
> > this routine is core to Windows as well, and I thought the
> > way it's written is pretty much carved in stone. Did
> > Microsoft really add an AD-specific argument to that core
> > routine? For this piece, I would really like to do exactly
> > what Microsoft does.
> >
> > Volker
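
The following is an added illustration of the design discussed in this message, not code from the master-acl branch, from Samba, or from MS-DTYP: one access check routine with an optional object argument, where object-specific ACEs are ignored when that argument is NULL. All names are hypothetical, and SIDs, GUIDs and the MS-DTYP object type tree are reduced to integers and a single optional object id.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumptions: SIDs and object-type GUIDs are plain integers, and the
 * object type tree of MS-DTYP is reduced to one optional object id. */
enum ace_type { ACE_ALLOW, ACE_DENY, ACE_ALLOW_OBJECT, ACE_DENY_OBJECT };
struct ace { enum ace_type type; uint32_t sid, mask, object; };
enum { READ_PROP = 0x10, WRITE_PROP = 0x20, SID_USERS = 2,
       ATTR_PASSWORD = 100, ATTR_DESCRIPTION = 101 };

static int token_has_sid(const uint32_t *sids, size_t n, uint32_t sid)
{
    while (n--) if (sids[n] == sid) return 1;
    return 0;
}

/* Returns 1 when every bit of `desired` is granted, else 0.
 * `object` is the extra argument: NULL for file system or registry callers. */
int access_check(const struct ace *dacl, size_t n_aces, const uint32_t *sids,
                 size_t n_sids, uint32_t desired, const uint32_t *object)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n_aces && remaining != 0; i++) {
        const struct ace *a = &dacl[i];
        int is_obj = a->type == ACE_ALLOW_OBJECT || a->type == ACE_DENY_OBJECT;
        int deny = a->type == ACE_DENY || a->type == ACE_DENY_OBJECT;
        if (!token_has_sid(sids, n_sids, a->sid)) continue;
        /* Object ACEs are skipped when no object was passed or it differs. */
        if (is_obj && (object == NULL || *object != a->object)) continue;
        if (!deny) remaining &= ~a->mask;
        else if (a->mask & remaining) return 0;
    }
    return remaining == 0;
}

/* Constructed sample DACL: deny writes to one attribute, allow the rest. */
static const struct ace sample_dacl[] = {
    { ACE_DENY_OBJECT, SID_USERS, WRITE_PROP, ATTR_PASSWORD },
    { ACE_ALLOW,       SID_USERS, READ_PROP | WRITE_PROP, 0 },
};

/* Checks WRITE_PROP for a token holding SID_USERS against the sample DACL. */
int check_write(const uint32_t *object)
{
    const uint32_t sids[] = { SID_USERS };
    return access_check(sample_dacl, 2, sids, 1, WRITE_PROP, object);
}
```

With NULL the attribute-level deny ACE is never evaluated, so the sample DACL grants the write; passing the id of the denied attribute makes the same call return 0.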

