NT file-permissions
Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Thu Jul 22 18:59:10 GMT 1999
> -----Original Message-----
> From: Jeremy Allison [SMTP:jallison at cthulhu.engr.sgi.com]
> Sent: Thursday, July 22, 1999 13:28
> To: Cole, Timothy D.
> Cc: 'jallison at cthulhu.engr.sgi.com'; Multiple recipients of list
> SAMBA-TECHNICAL
> Subject: Re: NT file-permissions
>
> Cole, Timothy D. wrote:
>
> > Is this an appropriate time to start hashing this stuff out, or are
> > there other things that need finishing first?
>
> Now is definitely a good time. Funnily enough I understand
> NT ACLs very well. What I need is a good understanding of
> POSIX ACLs so we can work out what the mapping should be.
>
> Are you very familiar with POSIX ACLs (or know someone
> who is)?
>
Kind of. My familiarity is limited to "second-hand" knowledge,
derived from OS documentation. That being said, here is my understanding of
the requirements:

POSIX.6 makes no recommendations about the internal ordering or
representation of an ACL, and specifies that only POSIX.1 files can have
ACLs. It does, however, require that:

 - each ACL entry must contain the following information:
     tag type:         file owner, owning group, named user, named group,
                       other
     qualifier field:  user/group id, ignored for all but user or group
                       tag types (file owner/owning group are indicated
                       elsewhere)
     permissions set:  must support a minimum of read, write and
                       search/execute
 - there are three mandatory entries in any POSIX.6 ACL, corresponding
   to the permission bits, as you would expect:
     - owner (tag type of file owner?)
     - group (tag type of owning group?)
     - world (tag type of other)
 - all applicable permissions at the same (highest applicable) level of
   specificity are ORed together when checking access. The levels of
   specificity, in decreasing order, are:
     - file owner
     - named user
     - owning group + named groups
     - named groups
     - "other"
I don't suppose anyone here on the list has a copy of a POSIX 1003.6
draft and would care to summarize "from the horse's mouth", as it were?
Also, I don't have any information on the specific interfaces that the
POSIX.6 drafts recommend; just that they seem to recommend specific
categories of interfaces to be present...

Anyway, I can already see that the POSIX.6 definition of ACLs isn't
general enough for our purposes; HP-UX's implementation, while obviously
influenced by it, will not map to it very well. Vis-à-vis:

 - HP-UX ACL entries contain the following information:
     user:             named user or 'any'
     group:            named group or 'any'
     permissions set:  r, w and x
 - three mandatory ACL entries, matching the permission bits:
     owner - user.%   (% = 'any')
     group - %.group
     world - %.%
 - same concept of levels of specificity, although the specific levels
   are different:
     - user.group
     - user.%
     - %.group
     - %.%

(I actually think I like the HP-UX scheme better)

Ahhh... just found a reference for the POSIX APIs as they more or
less exist as of draft 13, at least as implemented in Digital Unix:
http://www.unix.digital.com/faqs/publications/base_doc/DOCUMENTATION/HTML/AA-Q0R2D-TET1_html/sec.c225.html
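As an added example, not part of the original message or of Samba's code: a small Python model of the POSIX.6-style access check described above, where only the most specific level that matches the caller counts and the entries at that level are ORed together before the requested bits are compared. Tag names, uids and gids are constructed; the separate "named groups" level from the list is folded into "owning group + named groups", since any entry it could match already matches there.

```python
from dataclasses import dataclass

# Specificity levels, most specific first, as listed in the message.
# "named groups" alone is subsumed by "owning group + named groups".
LEVELS = ("owner", "named_user", "groups", "other")

@dataclass(frozen=True)
class Entry:
    tag: str        # "user_obj", "user", "group_obj", "group", "other"
    qualifier: int  # uid/gid; only meaningful for "user" and "group"
    perms: str      # any subset of "rwx"

def entry_level(entry, uid, gids, owner_uid, owner_gid):
    """Level this entry applies at for the caller, or None if it does not."""
    if entry.tag == "user_obj":
        return "owner" if uid == owner_uid else None
    if entry.tag == "user":
        return "named_user" if uid == entry.qualifier else None
    if entry.tag == "group_obj":
        return "groups" if owner_gid in gids else None
    if entry.tag == "group":
        return "groups" if entry.qualifier in gids else None
    if entry.tag == "other":
        return "other"  # least specific: only reached if nothing else matched
    raise ValueError(f"unknown tag {entry.tag!r}")

def effective_perms(acl, uid, gids, owner_uid, owner_gid):
    """Union of perms at the most specific level with at least one match."""
    for level in LEVELS:
        matched = [e for e in acl
                   if entry_level(e, uid, gids, owner_uid, owner_gid) == level]
        if matched:
            return set().union(*(set(e.perms) for e in matched))
    return set()

def check_access(acl, uid, gids, owner_uid, owner_gid, requested):
    """True only if every requested bit is in the effective permission set."""
    return set(requested) <= effective_perms(acl, uid, gids, owner_uid, owner_gid)

# Constructed sample: file owned by uid 100 / gid 50. uid 200 is a named user
# with read only; gids 50 (owning group) and 60 carry r and w respectively.
SAMPLE_ACL = [
    Entry("user_obj", 0, "rwx"),
    Entry("user", 200, "r"),
    Entry("group_obj", 0, "r"),
    Entry("group", 60, "w"),
    Entry("other", 0, ""),
]
```

Note that uid 200 in groups 50 and 60 gets only "r": the named-user level is more specific, so the group entries that would have granted "rw" are never consulted.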