ACL implementation first draft
anatoliy.atanasov at postpath.com
Thu Apr 23 10:22:28 GMT 2009
As I understand adding another parameter there is not the best solution for you, and we should probably have a wrapper function that checks for the type of acls as well. Is this how you imagined that?
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Tuesday, April 07, 2009 11:44 AM
To: 'Volker.Lendecke at SerNet.DE'
Cc: Anatoliy Atanasov; samba-technical at samba.org
Subject: Re: ACL implementation first draft
Volker Lendecke schrieb:
> On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
>> I uploaded our work on ACL implementation at:
>> branch: master-acl
>> It is based on WSPP documentation and it follows the algorithms described there directly.
>> The code isn't working, but contains almost all the functionality required for this task.
>> There are a couple of test cases already added, which run against Windows 2003.
>> What we didn't implement yet is:
>> * rename
>> * delete tree
>> * some special cases of nTSecurityDescriptor
>> In the following days to SambaXP we plan to focus on:
>> * your feedback
>> * adding test cases
>> * testing the code
> Quick and probably stupid question: Is it really necessary to add
> another argument to se_access_check? I would think this routine is
> core to Windows as well, and I thought the way it's written is pretty
> much carved in stone. Did Microsoft really add an AD-specific argument
> to that core routine? For this piece, I would really like to do
> exactly what Microsoft does.
Yes, AD Security Descriptors are different than NTFS ones, but I think we should have two different public functions and make sure we check the revision number match with what the caller expects.
E.g. se_access_check() should only grant access if the sd has revision NT4. And the se_access_check_ad() function should allow both sd revisions. Both functions could use a static se_access_check_common() function.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1733 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090423/338e27a5/0001-add-a-wrapper-to-check-for-nt4-version-of-acls.obj
More information about the samba-technical