ACL implementation first draft
Stefan (metze) Metzmacher
metze at samba.org
Tue Apr 7 09:44:22 GMT 2009
Volker Lendecke schrieb:
> On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
>> I uploaded our work on ACL implementation at:
>> git://repo.or.cz/Samba/aatanasov.git
>> branch: master-acl
>>
>> It is based on WSPP documentation and it follows the algorithms described there directly.
>> The code isn't working, but contains almost all the functionality required for this task.
>> There are a couple of test cases already added, which run against Windows 2003.
>> What we didn't implement yet is:
>> * rename
>> * delete tree
>> * some special cases of nTSecurityDescriptor
>>
>> In the following days to SambaXP we plan to focus on:
>> * your feedback
>> * adding test cases
>> * testing the code
>
> Quick and probably stupid question: Is it really necessary
> to add another argument to se_access_check? I would think
> this routine is core to Windows as well, and I thought the
> way it's written is pretty much carved in stone. Did
> Microsoft really add an AD-specific argument to that core
> routine? For this piece, I would really like to do exactly
> what Microsoft does.
Yes, AD Security Descriptors are different than NTFS ones,
but I think we should have two different public functions and make sure
we check the revision number match with what the caller expects.
E.g. se_access_check() should only grant access if the sd has revision
NT4. And the se_access_check_ad() function should allow both sd
revisions. Both functions could use a static se_access_check_common()
function.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/b0532b0e/signature.bin
More information about the samba-technical
mailing list