Current approaches to ACL handling

Christopher R. Hertel crh at
Mon Oct 8 14:52:14 MDT 2012

On 10/08/2012 03:19 PM, Marc Muehlfeld wrote:
> On 08.10.2012 18:05, Christopher R. Hertel wrote:
>> There is an inherent mismatch between the semantics of Windows ACLs and the
>> models available in Linux/Unix, including the RichACL model.  There will never
>> be a pure 1:1 mapping.
> Sorry if this is a stupid question from someone who isn't a developer:
> What about if the underlying filesystem is NTFS? I mean if I e.g. have my
> sysvol share on an NTFS formatted partition on my s4 server. Wouldn't this be
> a way where a mapping to unix ACLs is needless?
> With ntfs-3g utils I can get the IDs of files on my NTFS volume:
> # ntfs-3g.secaudit -vv bootmgr | grep ':dec'
>      O:dec S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
>      G:dec S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

Yes, that would give you Windows ACLs in the file system.

I am always ready to be hit with the clue-bat, but where I think there would 
be trouble is in managing and enforcing those ACLs on the Linux side.  Local 
users, NFS users, etc. ...  how do those interact?

I'm sure that the NTFS file system for Linux already has a way of mapping 
the Windows ACLs to expected Linux/POSIX behaviors.  If so, I'm fairly sure 
it would be another "adaptation", probably ignoring some permissions and 
making guesses about others.  What happens, for instance, if a Linux process 
creates a file on a mounted NTFS file system:

   path = "/mnt/wind/Users/Default/My Documents/";
   open( path, O_CREAT | O_TRUNC | O_WRONLY, 0764 );

I ask because I don't actually know the answer.  I'm not sure how the Linux 
NTFS file system would interpret the above and what ACL it would create in 
NTFS to represent it.

Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
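
The question raised above can be checked empirically on any mounted file system. The following C probe is an added example, not part of the original message: it creates a file with mode 0764 in a directory you name and returns the permission bits the file system reports back. The function name `probe_created_mode` and the probe file name are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `name` (hypothetical probe file) inside `dir` with the requested
 * mode and return the permission bits the file system reports afterwards,
 * or -1 on error.  The umask is cleared around the call so that any
 * difference comes from the file system, not from the calling process. */
int probe_created_mode(const char *dir, const char *name, mode_t requested)
{
    char path[4096];
    struct stat st;
    mode_t old_mask;
    int n, fd, rc;

    n = snprintf(path, sizeof(path), "%s/%s", dir, name);
    if (n < 0 || n >= (int)sizeof(path))
        return -1;

    old_mask = umask(0);
    /* O_EXCL: never reuse an existing file, whose mode would not be ours. */
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old_mask);
    if (fd < 0)
        return -1;

    rc = fstat(fd, &st);          /* what does the file system say we got? */
    close(fd);
    unlink(path);                 /* leave nothing behind on the volume */
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(int argc, char **argv)
{
    /* Pass the mount point to test, e.g. a directory on the NTFS volume. */
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int got = probe_created_mode(dir, "acl-probe.tmp", 0764);

    if (got < 0) {
        perror("probe");
        return 1;
    }
    printf("requested 0764, file system reports %04o%s\n", got,
           got == 0764 ? "" : " (mode was adapted)");
    return 0;
}
```

Comparing the result with the ACL shown by `ntfs-3g.secaudit` for a file created the same way shows what was actually stored on the NTFS side.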
