ACL Inheritance and merging of ACEs ...

Richard Sharpe realrichardsharpe at gmail.com
Thu Jun 13 20:18:03 MDT 2013


Hi folks,

There is good evidence from Windows that ACEs are merged when an entry
is added because of CREATOR OWNER or CREATOR GROUP ACEs on a parent.

Consider this parent folder on Windows:

cc1# smbcacls //192.168.56.50/c /test1 -Unimbus-10/labview\ r\&d%xxxxxxxxx
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
REVISION:1
CONTROL:0x9404
OWNER:BUILTIN\Administrators
GROUP:NIMBUS-10\Domain Users
ACL:NIMBUS-10\Administrator:ALLOWED/0x0/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NIMBUS-10\Domain Users:ALLOWED/0x0/0x001200af
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1

And, as NIMBUS-10\LabVIEW R&D I created a new folder in test1 and got
these permissions:

cc1# smbcacls //192.168.56.50/c /test1/anewfolder -Unimbus-10/labview\ r\&d%xxxxxx
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
REVISION:1
CONTROL:0x8404
OWNER:NIMBUS-10\LabVIEW R&D
GROUP:NIMBUS-10\Domain Users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO|I/0x001000a1

Why did I get OI|CI|IO on that last entry (ignoring the I flag for the moment)?

That is because this entry:

ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1

is actually two entries:

ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/0x0/0x001000a1
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO/0x001000a1

and because there is also this entry from the CREATOR OWNER ACE on the parent:

ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL

Windows merged the first non-inheritable entry above, leaving the
entry that says OI|CI|IO.

We need to take a pass across the ACL after we created the new ACL
from inheritance and merge any ACEs that can be merged. Fortunately,
we only need to consider ACEs where the trustee matches the OWNER and
GROUP SIDs on the new object.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Dukang. -- Cao Cao)
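The inherit-then-merge behaviour the post describes, modelled as an added example in Python (this is not code from the post or from Samba). It assumes the ACE flag bit values from winnt.h (OI=0x1, CI=0x2, IO=0x8, INHERITED=0x10) and FILE_ALL_ACCESS for "FULL", models only those flags (NO_PROPAGATE is not handled), and extends the post's folder case to a file child and to CREATOR GROUP by the same rule, which the post does not show and is an assumption here. The parent ACL, owner and group are the ones from the post, reduced to names.

```python
"""Model of Windows ACE inheritance plus the post-inheritance merge pass."""
from dataclasses import dataclass, replace

# ACE flag bits as defined in winnt.h
OI = 0x01  # OBJECT_INHERIT_ACE
CI = 0x02  # CONTAINER_INHERIT_ACE
IO = 0x08  # INHERIT_ONLY_ACE
I = 0x10   # INHERITED_ACE

FULL = 0x001F01FF  # FILE_ALL_ACCESS
CREATOR_OWNER = "CREATOR OWNER"
CREATOR_GROUP = "CREATOR GROUP"


@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str   # "ALLOWED" or "DENIED"
    flags: int
    mask: int

    def __str__(self):  # same layout smbcacls prints
        names = [n for b, n in ((OI, "OI"), (CI, "CI"), (IO, "IO"), (I, "I")) if self.flags & b]
        flags = "|".join(names) if names else "0x0"
        mask = "FULL" if self.mask == FULL else f"0x{self.mask:08x}"
        return f"ACL:{self.trustee}:{self.kind}/{flags}/{mask}"


def inherited_flags(flags, is_container):
    """Flags the child's copy of a parent ACE carries, or None if not inherited."""
    if is_container:
        if flags & CI:
            return (flags & (OI | CI)) | I   # effective on the folder and still propagates
        if flags & OI:
            return OI | IO | I               # folder only holds it to hand on to files
        return None
    return I if flags & OI else None         # files get an effective, non-propagating copy


def inherit(parent_acl, owner, group, is_container=True):
    """Build the child's ACL from the parent, before any merging."""
    child = []
    for ace in parent_acl:
        f = inherited_flags(ace.flags, is_container)
        if f is None:
            continue
        resolved = {CREATOR_OWNER: owner, CREATOR_GROUP: group}.get(ace.trustee)
        if resolved is None:
            child.append(replace(ace, flags=f))
            continue
        # Creator ACE: an effective ACE for the real owner/group of the new object ...
        if not f & IO:
            child.append(Ace(resolved, ace.kind, I, ace.mask))
        # ... plus, on a container, the CREATOR ACE itself kept inherit-only for grandchildren
        if is_container:
            child.append(replace(ace, flags=f | IO))
    return child


def merge_creator_aces(acl, owner, group):
    """The pass the post calls for: only ACEs whose trustee is the new object's owner
    or group can collide with the ACEs produced from CREATOR OWNER / CREATOR GROUP."""
    out = list(acl)
    drop = set()
    for idx, ace in enumerate(out):
        if ace.trustee not in (owner, group) or ace.flags & IO:
            continue
        for j, q in enumerate(out):
            if j == idx or j in drop or (q.trustee, q.kind, q.flags) != (ace.trustee, ace.kind, I):
                continue
            if not ace.flags & (OI | CI) and j > idx:
                continue  # two identical effective ACEs: the earlier one absorbs the later
            out[j] = replace(q, mask=q.mask | ace.mask)   # merge the effective halves
            if ace.flags & (OI | CI):
                out[idx] = replace(ace, flags=ace.flags | IO)  # keep only the propagating half
            else:
                drop.add(idx)
            break
    return [a for i, a in enumerate(out) if i not in drop]


def child_acl(parent_acl, owner, group, is_container=True):
    return merge_creator_aces(inherit(parent_acl, owner, group, is_container), owner, group)


# Parent ACL /test1 as shown in the post (names only, not SIDs)
PARENT_ACL = [
    Ace(r"NIMBUS-10\Administrator", "ALLOWED", 0, FULL),
    Ace(r"BUILTIN\Administrators", "ALLOWED", 0, FULL),
    Ace(r"NT AUTHORITY\SYSTEM", "ALLOWED", OI | CI, FULL),
    Ace(CREATOR_OWNER, "ALLOWED", OI | CI | IO, FULL),
    Ace(r"NIMBUS-10\Domain Users", "ALLOWED", 0, 0x001200AF),
    Ace(r"NIMBUS-10\LabVIEW R&D", "ALLOWED", OI | CI, 0x001000A1),
]
CHILD_OWNER = r"NIMBUS-10\LabVIEW R&D"
CHILD_GROUP = r"NIMBUS-10\Domain Users"


def new_folder_acl():
    """ACL of /test1/anewfolder created by LabVIEW R&D, as printed lines."""
    return [str(a) for a in child_acl(PARENT_ACL, CHILD_OWNER, CHILD_GROUP, True)]


def new_file_acl():
    """Same parent, file child (assumed rule, not shown in the post)."""
    return [str(a) for a in child_acl(PARENT_ACL, CHILD_OWNER, CHILD_GROUP, False)]


if __name__ == "__main__":
    print("\n".join(new_folder_acl()))
```

Running it prints the four ACEs the post observed on anewfolder, in the same order: the LabVIEW R&D OI|CI ACE is split, its effective half is merged (mask ORed, giving FULL) into the ACE derived from CREATOR OWNER, and only its OI|CI|IO|I half survives on its own.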