generic ACL interface (RFC)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Thu Jul 29 16:45:58 GMT 1999
> > in other words, a security descriptor can say "this group has read/write
> > permissions; this user has full control; the built-in power user's group
> > are allowed full control; administrator of workstation ABC is denied all
> > access; etc".
> >
> > is that what you mean?
> >
> Not at all. The thing is, you can't express something like "user X
> has read/write access _when he is in group Y_" in a single NT ACE, since
> that isn't really meaningful in NT -- in Unix, however, a particular process
> can have groups associated with it that its owner is not normally a member
> of. (sgid scripts/binaries, for instance)
>
> Maybe I'm missing something, though. How would you express the
> following ACL in NT parlance?
>
> joe.% rw-
> %.radar r--
> %.% ---
> bob.% ---
> bob.radar rw-
hmmm, i see the light. you'd have to ignore that capability in HP/UX ACLs
or map to every single group manually or implicitly. this ACL would
certainly have...
ummm.... what _exactly_ is meant by "user x has read/write access when in
group Y"?????? you mean, the HP/UX designers intended users to be moved
from group to group, and ACLs to change meaning / take this into
account?????
good grief :-) :-)
luke
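
Added example (not part of the original message and not Samba code): the ACL quoted above, evaluated for a few processes. It assumes the HP-UX acl(5) matching rule, where the most specific matching level (u.g, u.%, %.g, %.%) decides and modes matching at the same level are OR'ed; the user alice and the group staff are made up for the demonstration.

```python
# Added example: evaluates the ACL quoted in the message above.
# Assumption: HP-UX acl(5) matching. Levels are tried from most to least
# specific (u.g, u.%, %.g, %.%); the first level with a match decides, and
# modes of entries matching at that level are OR'ed together.

ACL_TEXT = """\
joe.%      rw-
%.radar    r--
%.%        ---
bob.%      ---
bob.radar  rw-
"""

def parse_acl(text):
    """Return a list of (user, group, set_of_mode_letters) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        who, mode = line.split()
        user, group = who.split(".", 1)
        if len(mode) != 3 or any(c not in "rwx-" for c in mode):
            raise ValueError(f"bad mode in entry: {line!r}")
        entries.append((user, group, set(mode) - {"-"}))
    return entries

def effective_mode(entries, user, groups):
    """Mode granted to a process running as `user` with group set `groups`."""
    groups = set(groups)
    levels = (
        lambda u, g: u == user and g in groups,   # u.g
        lambda u, g: u == user and g == "%",      # u.%
        lambda u, g: u == "%" and g in groups,    # %.g
        lambda u, g: u == "%" and g == "%",       # %.%
    )
    for matches in levels:
        hits = [mode for u, g, mode in entries if matches(u, g)]
        if hits:
            granted = set().union(*hits)
            return "".join(c if c in granted else "-" for c in "rwx")
    return "---"  # no entry matched at any level

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # alice and staff are made-up names for the demonstration
    for user, groups in [("joe", ["staff"]), ("bob", ["radar"]),
                         ("bob", ["staff"]), ("alice", ["radar"]),
                         ("alice", ["staff"])]:
        print(f"{user:6} {','.join(groups):6} {effective_mode(acl, user, groups)}")
```

Under these assumptions bob gets rw- only while radar is in the process's group set and --- otherwise, which is the (user, group) pairing that a single NT ACE naming one trustee does not state.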