ACLs on Attributes that do not have attributeSecurityGUID

Nadezhda Ivanova nivanova at samba.org
Sun Dec 30 07:56:03 MST 2012


Hi Andrew,
 As far as I remember, the attributesecurityguid contains the property set
to which the attribute belongs, and some permissions are given per property
set rather than an attribute. We build an object tree with the object as
root, property sets as children and attributes as their children and apply
all permissions, so that when we get to the bottom of the tree we have the
final permissions mask for that attribute. (I really have to think of a way
to optimize this code, I do not particularly like it.) If there isn't
an attributesecurityguid, we add the attribute directly under the ObjectId.
I took a look at the code, and do not see an obvious bug
(acl_check_access_on_attribute
in acl_util.c) which does not mean there isn't one. Do you have a
particular example or even better, a test that fails? That will really help
with debugging.

Regards,
Nadya

On Sun, Dec 30, 2012 at 2:05 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2012-12-30 at 10:36 +1100, Andrew Bartlett wrote:
> > On Sat, 2012-12-29 at 13:33 +0100, Marc Muehlfeld wrote:
> > > Am 29.12.2012 05:17, schrieb Andrew Bartlett:
> > > > If anybody who was having trouble with read ACLs, particularly anybody
> > > > who had to set 'acl:search=false' in the smb.conf could please try this
> > > > patch, and report results, it would be most helpful.
> > >
> > > I compiled your patch against 4.0.0.
> > >
> > > A non-domain-admin account is now seeing a bit more than before, but not as
> > > much, as before rc6.
> >
> > > But what I'm still missing for my nslcd is the attribute unixHomeDirectory.
> > > This non-domain-admins (like my nslcd account) still can only see when I set
> > > 'acl:search=false'.
> >
> > This is interesting.  Indeed, we seem to have fixed the other basic
> > attributes, but not the unix attributes.
> >
> > I'll keep searching.
>
> Nadya,
>
> I'm wondering if you might be able to help.  The biggest remaining issue
> with the read ACLs is that some attributes do not show up for normal
> authenticated users.
>
> That is, if the attribute has an attributesecurityguid, it is returned,
> but otherwise it isn't.
>
> I'm still trying to get my head around ACLs on the directory, and how it
> applies to the object tree and all that.
>
> If you have any time to look into this, or pass on some clues, I would
> very much appreciate it.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>

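An added illustration of the per-attribute object-tree check Nadya describes (my own Python model, not Samba's acl_util.c; the GUIDs, SIDs and reduced access mask are constructed). It walks the DACL once per attribute: an object ACE applies only if its object type lies on the attribute's path (object class, property set from attributeSecurityGUID if present, then the attribute itself), so an attribute with no property set is reachable only through ACEs on the object or on the attribute's own GUID.

```python
from dataclasses import dataclass
from typing import Optional

RIGHT_DS_READ_PROPERTY = 0x10  # RP bit of the AD access mask (only bit modelled here)

@dataclass(frozen=True)
class Ace:
    allow: bool                        # True = allow ACE, False = deny ACE
    trustee: str                       # SID of the trustee
    mask: int                          # access mask bits
    object_type: Optional[str] = None  # None = non-object ACE, applies to whole object

@dataclass(frozen=True)
class Attribute:
    name: str
    schema_id_guid: str
    attribute_security_guid: Optional[str]  # property set the attribute belongs to, if any

def ancestor_chain(obj_class_guid, attr):
    """Object-tree path for one attribute: root object, property set (if any), attribute."""
    chain = [obj_class_guid]
    if attr.attribute_security_guid:
        chain.append(attr.attribute_security_guid)
    chain.append(attr.schema_id_guid)
    return chain

def can_read_attribute(dacl, token_sids, obj_class_guid, attr, wanted=RIGHT_DS_READ_PROPERTY):
    """Ordered DACL walk: first deny on a still-missing bit loses, allows accumulate."""
    path = set(ancestor_chain(obj_class_guid, attr))
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.object_type is not None and ace.object_type not in path:
            continue  # ACE targets a property set or attribute off this attribute's path
        if ace.allow:
            remaining &= ~ace.mask
        elif remaining & ace.mask:
            return False  # denied before the bit was granted
        if remaining == 0:
            return True
    return remaining == 0

# Constructed GUIDs and SIDs; not the real schema or well-known values.
USER_CLASS = "guid-class-user"
PUBLIC_INFO_SET = "guid-propset-public-information"
AUTH_USERS = "S-1-5-11"
CN = Attribute("cn", "guid-attr-cn", PUBLIC_INFO_SET)        # has attributeSecurityGUID
UNIX_HOME = Attribute("unixHomeDirectory", "guid-attr-unixhome", None)  # has none
DACL_PROPSET_ONLY = [Ace(True, AUTH_USERS, RIGHT_DS_READ_PROPERTY, PUBLIC_INFO_SET)]
DACL_WITH_OBJECT_READ = DACL_PROPSET_ONLY + [Ace(True, AUTH_USERS, RIGHT_DS_READ_PROPERTY)]
```

With only the property-set grant, cn is readable and unixHomeDirectory is not; the non-object read ACE makes both readable, which matches the symptom described in the thread.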
