ACL formats used by sharesec in 4.2

Christof Schmitt cs at
Thu Apr 23 10:44:20 MDT 2015


I noticed that the ACL output printed by sharesec has been changed
through this commit:

commit 4a9d64e37a72cd1384c1e8db54532b8e850715cd
Author: David Disseldorp <ddiss at>
Date:   Mon May 26 14:38:24 2014 +0200

    sharesec: use NDR security descriptor print fns
    Signed-off-by: David Disseldorp <ddiss at>
    Reviewed-by: Jeremy Allison <jra at>
    Reviewed-by: Volker Lendecke <vl at>

While I understand the goal to share code, now the input format of
sharesec is different than the output format:

Setting a share-level ACL uses the old format:
# sharesec test -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL

Querying it returns the NDR dump:
# sharesec test -v
    : struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x8004 (32772)
               0: SEC_DESC_OWNER_DEFAULTED 
               0: SEC_DESC_GROUP_DEFAULTED 
               1: SEC_DESC_DACL_PRESENT    
               0: SEC_DESC_DACL_DEFAULTED  
               0: SEC_DESC_SACL_PRESENT    
               0: SEC_DESC_SACL_DEFAULTED  
               0: SEC_DESC_DACL_TRUSTED    

This is probably not very useful. Should we revert the patches to return
to the old output format?

The manpage still lists the old output, but updating the manpage would
be a minor issue after deciding how the output should look.

The other option would be using the sddl format, but that is difficult
to input manually:

# sharesec test -S 'D:(A;;0x001f01ff;;;WD)(A;;0x001f01ff;;;S-1-5-21-1866488690-1365729215-3963860297-17724)'
# sharesec test -V
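
Added example, not part of the original message and not Samba code: a small converter from the old SID:TYPE/FLAGS/MASK entries shown above to the SDDL string form, so the two formats in this post can be compared side by side. Assumptions: FULL maps to the 0x001f01ff mask that appears in the post's SDDL string, several entries are separated by commas, and any other mask must be given in hex; the function names are hypothetical.

```python
import re

# Assumption: FULL is the 0x001f01ff mask seen in the post's SDDL example.
NAMED_MASKS = {"FULL": 0x001F01FF}
ACE_TYPES = {"ALLOWED": "A", "DENIED": "D"}
# SDDL inheritance flag letters, keyed by ACE flag bit.
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def ace_to_sddl(ace):
    """Convert one 'SID:TYPE/FLAGS/MASK' entry to an SDDL ACE string."""
    sid, sep, rest = ace.partition(":")
    parts = rest.split("/")
    if not sep or len(parts) != 3:
        raise ValueError("expected SID:TYPE/FLAGS/MASK, got %r" % ace)
    if not SID_RE.match(sid):
        raise ValueError("not a numeric SID: %r" % sid)
    ace_type, flags_text, mask_text = parts
    if ace_type not in ACE_TYPES:
        raise ValueError("unknown ACE type: %r" % ace_type)
    flags = int(flags_text, 0)
    if flags & ~0x1F:
        raise ValueError("unsupported ACE flag bits: %#x" % flags)
    letters = "".join(name for bit, name in ACE_FLAGS if flags & bit)
    if mask_text in NAMED_MASKS:
        mask = NAMED_MASKS[mask_text]
    else:
        # Anything that is not a known name must be a hex access mask.
        mask = int(mask_text, 16)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("access mask out of range: %r" % mask_text)
    return "(%s;%s;0x%08x;;;%s)" % (ACE_TYPES[ace_type], letters, mask, sid)


def acl_to_sddl(acl):
    """Convert a comma-separated list of old-format entries to an SDDL DACL."""
    entries = [e for e in acl.split(",") if e]
    if not entries:
        raise ValueError("empty ACL")
    return "D:" + "".join(ace_to_sddl(e) for e in entries)


if __name__ == "__main__":
    # The entry from the post above.
    print(acl_to_sddl(
        "S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL"))
```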

