ACL implementation first draft

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Thu Apr 23 10:22:28 GMT 2009


Hi Metze,

As I understand, adding another parameter there is not the best solution for you, and we should probably have a wrapper function that checks for the type of acls as well. Is this how you imagined that?

Regards,
Anatoliy

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Tuesday, April 07, 2009 11:44 AM
To: 'Volker.Lendecke at SerNet.DE'
Cc: Anatoliy Atanasov; samba-technical at samba.org
Subject: Re: ACL implementation first draft

Volker Lendecke wrote:
> On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
>> I uploaded our work on ACL implementation at:
>> git://repo.or.cz/Samba/aatanasov.git
>> branch: master-acl
>>
>> It is based on WSPP documentation and it follows the algorithms described there directly.
>> The code isn't working, but contains almost all the functionality required for this task.
>> There are a couple of test cases already added, which run against Windows 2003.
>> What we didn't implement yet is: 
>> * rename
>> * delete tree
>> * some special cases of nTSecurityDescriptor
>>
>> In the following days to SambaXP we plan to focus on:
>> * your feedback
>> * adding test cases
>> * testing the code
> 
> Quick and probably stupid question: Is it really necessary to add 
> another argument to se_access_check? I would think this routine is 
> core to Windows as well, and I thought the way it's written is pretty 
> much carved in stone. Did Microsoft really add an AD-specific argument 
> to that core routine? For this piece, I would really like to do 
> exactly what Microsoft does.

Yes, AD Security Descriptors are different than NTFS ones, but I think we should have two different public functions and make sure we check that the revision number matches what the caller expects.

E.g. se_access_check() should only grant access if the sd has revision NT4. And the se_access_check_ad() function should allow both sd revisions. Both functions could use a static se_access_check_common() function.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-a-wrapper-to-check-for-nt4-version-of-acls.patch
Type: application/octet-stream
Size: 1733 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090423/338e27a5/0001-add-a-wrapper-to-check-for-nt4-version-of-acls.obj
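
The layout proposed in the quoted message (two public entry points that gate on the revision, sharing one static routine), as an added example that is not code from this thread, the attached patch, or Samba. All names and types are hypothetical and simplified: SIDs are plain integers, the revision is modelled as a field on the ACL, a missing ACL is rejected, and the sample ACLs are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified types. The values 2 and 4 follow the Windows
 * constants ACL_REVISION and ACL_REVISION_DS. */
enum { ACL_REV_NT4 = 2, ACL_REV_ADS = 4 };
enum { ACE_ALLOW, ACE_DENY };
enum { ACCESS_OK, ACCESS_DENIED, ACCESS_BAD_REVISION };

struct ace { int type; uint32_t sid; uint32_t mask; };
struct acl { int revision; size_t num_aces; const struct ace *aces; };

/* Shared ACE walk: a deny ACE on a still-wanted bit fails at once,
 * allow ACEs clear bits, and leftover bits mean access is denied. */
static int access_check_common(const struct acl *dacl, uint32_t sid,
                               uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < dacl->num_aces && remaining != 0; i++) {
        const struct ace *a = &dacl->aces[i];
        if (a->sid != sid)
            continue;
        if (a->type == ACE_DENY && (a->mask & remaining) != 0)
            return ACCESS_DENIED;
        if (a->type == ACE_ALLOW)
            remaining &= ~a->mask;
    }
    return remaining == 0 ? ACCESS_OK : ACCESS_DENIED;
}

/* File-system entry point: only an NT4-revision ACL is evaluated. */
int access_check_nt4(const struct acl *dacl, uint32_t sid, uint32_t desired)
{
    if (dacl == NULL || dacl->revision != ACL_REV_NT4)
        return ACCESS_BAD_REVISION;
    return access_check_common(dacl, sid, desired);
}

/* Directory entry point: both known revisions pass, anything else fails. */
int access_check_ad(const struct acl *dacl, uint32_t sid, uint32_t desired)
{
    if (dacl == NULL ||
        (dacl->revision != ACL_REV_NT4 && dacl->revision != ACL_REV_ADS))
        return ACCESS_BAD_REVISION;
    return access_check_common(dacl, sid, desired);
}

/* Constructed sample ACLs sharing one ACE list. */
static const struct ace sample_aces[] = {
    { ACE_DENY, 1001, 0x2 }, { ACE_ALLOW, 1000, 0x3 } };
const struct acl sample_nt4 = { ACL_REV_NT4, 2, sample_aces };
const struct acl sample_ads = { ACL_REV_ADS, 2, sample_aces };
```

Returning a distinct result for a revision mismatch, rather than a plain denial, lets a caller tell a misrouted descriptor apart from a real access failure.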

