[PATCH] Dynamic share permission change detection.(updated)

boyang boyang at samba.org
Tue Dec 1 19:27:28 MST 2009


Volker Lendecke wrote:
> On Mon, Nov 30, 2009 at 09:14:45PM +0800, boyang wrote:
>   
>>> No, we can't ignore those. It should be possible to use the
>>> "valid users", "read list" and the other access control
>>> parameters to create a security descriptor. SDs are
>>> expressive enough to cover all these cases.
>>>
>>> We definitely need to minimize the work in
>>> open_file_ntcreate to the absolute minimum, otherwise our
>>> performance will just go down the tube. It might be
>>> difficult to code up the secdesc from a general share
>>> definition, but there is no other way.
>>>   
>>>       
>> I see. We need map functions to map those parameters to security
>> descriptors.
>>     
>
> Yes. And then we need a "struct security_descriptor *share_sd;"
> as part of connection_struct.
>   
Since there might be %xx characters in lp_xxx_user() lists, the security
descriptor might be different for each vuid. :-) So, instead of storing
one sd for each vuid, we store the access check result for each vuid.
And we use the result to have a very quick check in open_file_ntcreate.
Most of the access checking work is done in the msg handler, which won't put
too much burden on the center loop. Is this acceptable?

Patch is in the attachment, please review and comment. :-)
> Volker
>   


-- 
Bo Yang, Software Engineer, Suse Labs
GPG-key-ID   538C4C1A
Samba Team   boyang at samba.org    http://www.samba.org/
SUSE Linux   boyang at suse.de      http://www.novell.com/
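
The design proposed in the message above, sketched as an added example (this is not the attached patch and not Samba source): each session caches the result of evaluating the share's user lists, a change-notification handler recomputes it, and the open path only tests a mask. All identifiers are hypothetical, the sessions and share settings are constructed, and the model assumes only the `%m` substitution and a simplified reading of "valid users" and "read list".

```c
/* Added illustration: a simplified model, not Samba source. All identifiers
 * are hypothetical; only "%m" (client machine name) is expanded. */
#include <stdio.h>
#include <string.h>
enum { ACC_NONE = 0, ACC_READ = 1, ACC_WRITE = 2 };
struct share_cfg { const char *valid_users, *read_list; };
struct session { int vuid; const char *user, *machine; unsigned cached; };

/* Is the session user in the space-separated list after per-session expansion? */
static int in_list(const char *list, const struct session *s)
{
    for (const char *p = list; *p; p += strspn(p, " ")) {
        size_t len = strcspn(p, " ");
        char tok[64], name[128], *pct;
        snprintf(tok, sizeof tok, "%.*s", (int)len, p);
        if ((pct = strstr(tok, "%m")) != NULL) *pct = '\0';
        snprintf(name, sizeof name, "%s%s%s", tok, pct ? s->machine : "", pct ? pct + 2 : "");
        if (len && strcmp(name, s->user) == 0) return 1;
        p += len;
    }
    return 0;
}

/* Slow path: full evaluation of the access lists for one session. */
static unsigned compute_access(const struct share_cfg *c, const struct session *s)
{
    if (c->valid_users[0] && !in_list(c->valid_users, s)) return ACC_NONE;
    return in_list(c->read_list, s) ? ACC_READ : (ACC_READ | ACC_WRITE);
}

/* Change-notification handler: refresh every vuid's cached result once. */
static void on_share_config_changed(const struct share_cfg *c, struct session *ss, int n)
{
    for (int i = 0; i < n; i++) ss[i].cached = compute_access(c, &ss[i]);
}

/* Fast path for the open call: a single mask test, no list parsing. */
static int open_allowed(const struct session *s, unsigned wanted)
{
    return wanted != 0 && (s->cached & wanted) == wanted;
}

int main(void)
{
    struct session ss[] = { {100, "svc-ws1", "ws1", 0}, {101, "svc-ws1", "ws2", 0} }; /* constructed */
    struct share_cfg cfg = { "alice svc-%m", "" };
    on_share_config_changed(&cfg, ss, 2);
    printf("write: vuid100=%d vuid101=%d\n", open_allowed(&ss[0], ACC_WRITE), open_allowed(&ss[1], ACC_WRITE));
    return 0;
}
```

In this model a cached result stays in force until the handler runs, so a tightened share definition takes effect only once the change notification has been processed, and a new session needs its result computed at setup.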


