Win2K08 does not like the order in which we add inheritable ACEs in modules/vfs_acl_common.c:add_acl_inheritable_components

Richard Sharpe realrichardsharpe at gmail.com
Sat Mar 31 13:10:19 MDT 2012


On Sat, Mar 31, 2012 at 11:36 AM, Michael Adam <ma at sernet.de> wrote:
> Jerry,
>
> I think you misread "inheritable" (i.e. the OBJECT_INHERIT or
> CONTAINER_INHERIT ace flags) for "inherited" (the INHERITED_ACE flag).

OK, so I still think that the code has an error, but it was provoked
by what I was doing.

In this case I am returning a DACL that has two entries on it, one
with CI, OI and I.

It is likely that I do not need that I bit, and now I see a way around
the issue, however, in light of the info Jerry has provided, Samba
should not just drop the existing ACEs on the end. It should sort them
into the canonical order, it seems to me.

So, I should amend the bug I filed with the correct info, and perhaps
Jerry could add his comments to that bug.

(Hey, Jerry, nice to see you commenting here again.)

> Gerald Carter wrote:
>> On 3/30/2012 3:20 PM, Richard Sharpe wrote:
>>
>> > From observing what W2K08 does and having tweaked the code, it seems
>> > pretty clear that the inheritable entries added should come first.
>> >
>> > I still have to test that W2K03 is happy, though, and should probably
>> > look at Win7.
>>
>> Hey Richard,
>>
>> Are you sure about that?
>>
>> http://technet.microsoft.com/en-us/library/cc961994.aspx
>>
>> "The preferred order of ACEs in a DACL is called the canonical order.
>> For Windows 2000, the canonical order is the following:
>>
>> * All explicit ACEs are placed in a group before any inherited ACEs.
>>
>> * Within the group of explicit ACEs, access-denied ACEs are
>>   placed before access-allowed ACEs.
>>
>> * Inherited ACEs are placed in the order in which they are
>>   inherited. ACEs inherited from the child object's parent come
>>   first, then ACEs inherited from the grandparent, and so on
>>   up the tree of objects."
>>
>>
>>
>> Cheers, Jerry
>>
>
>
>
> --
> Michael Adam <ma at sernet.de>
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)


More information about the samba-technical mailing list