ACL / SDs
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Feb 24 16:51:43 GMT 2000
> > it's a matter of which you want to do.
> >
> > do you want: the PDC to tell you what groups the user is in?
> >
> > do you want: the local unix system to tell you what groups the user is in?
> >
>
> In the case of NT, both happen actually. The PDC will determine what
> global (domain) groups the user is in and tell that to the
> workstation. The workstation then uses that list (and the user's SID)
> to determine what local groups (aka aliases) the user belongs to.
> Actually, it's slightly more complicated than that, because there are
> the "WellKnownGroups" (Everyone, Network, Interactive, etc.) that can
> also affect local group membership.
oh no... that's what the "other SIDS" are for in the NET_USER_INFO_3
structure, i bet.
> Not sure if that's relevant, but figured I'd throw it out there.
*sigh* thx todd.
> > > Well, even NT has banned them from ACLs. Don't let the fact that the
> > > code is the same in NT hide the fact that the bitmask in ACLs is a
> > > different bitmask from that by which you request a set of permissions.
>
> Actually, this isn't true; they're not banned at all, AFAICS. At the
> very least, the SDs for lots of registry keys in NT5 definitely
> contain ACEs with some of the GENERIC_* bits set. They're primarily
> in inherit-only ACEs, but they're there, none the less.
See GenericPermissions arg of SeAccessCheck. this is different from bits
16 to 32 in an ACE.
> {
>     int requested = user_request; // passed in
>     int granted;
>
>     for (i=0; requested && i< #aces; i++) {
>         if (ace applies to user
>             && ace applies to object /* i.e. isn't inherit only */) {
>             if (ace is permit type) {
>                 granted = ace.mask & requested;
>                 requested &= ~granted;
>             } else if (ace is deny type) {
>                 if (requested & ace.mask)
>                     break;
>             }
>         }
>     }
>     if (requested) {
>         /* access denied (didn't get granted everything) */
>     } else {
>         /* access permitted */
>     }
> }
>
todd, i think i need to accumulate granted permissions, so i made it
granted |= ace.mask & requested.
is that right?
> for computing maximum allowed:
>
> {
>     int denied = 0;
>     int granted = 0;
>
>     for (i=0; i< #aces; i++) {
>         if (ace applies to user
>             && ace applies to object /* i.e. isn't inherit only */) {
>             if (ace is permit type) {
>                 granted |= ace.mask & ~denied;
>             } else if (ace is deny type) {
>                 denied |= ace.mask & ~granted;
>             }
>         }
>     }
>     return granted;
> }
this looks good.
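Both routines from the thread, with the accumulated grant (granted |= ...) applied to the access check, as an added example in C; this is not Samba's code, and the ACE layout, the inherit-only flag value and the SIDs in the sample ACL are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not Samba's code. "ACE applies to user" is a SID match against
 * the token's SID list; "applies to object" means not inherit-only. Made-up values. */
enum { ACE_ALLOW, ACE_DENY };
enum { INHERIT_ONLY = 0x08, READ = 0x1, WRITE = 0x2, EXEC = 0x4 };
struct ace   { int type; unsigned flags; uint32_t sid; uint32_t mask; };
struct token { const uint32_t *sids; int nsids; };

static bool ace_applies(const struct ace *a, const struct token *t)
{
    if (a->flags & INHERIT_ONLY) return false;   /* not effective on this object */
    for (int i = 0; i < t->nsids; i++)
        if (t->sids[i] == a->sid) return true;
    return false;
}

/* Access check with accumulated grants. A deny ACE overlapping a still-outstanding
 * bit ends the walk. True only if every requested bit was granted; *out = granted. */
bool access_check(const struct ace *acl, int n, const struct token *t,
                  uint32_t requested, uint32_t *out)
{
    uint32_t granted = 0;
    for (int i = 0; requested && i < n; i++) {
        if (!ace_applies(&acl[i], t)) continue;
        if (acl[i].type == ACE_ALLOW) {
            granted |= acl[i].mask & requested;
            requested &= ~granted;
        } else if (requested & acl[i].mask) break;   /* explicit deny wins */
    }
    *out = granted;
    return requested == 0;
}

/* Maximum allowed: the first ACE to mention a bit decides it, so a later deny
 * cannot revoke a granted bit and a later allow cannot restore a denied one. */
uint32_t max_allowed(const struct ace *acl, int n, const struct token *t)
{
    uint32_t granted = 0, denied = 0;
    for (int i = 0; i < n; i++) {
        if (!ace_applies(&acl[i], t)) continue;
        if (acl[i].type == ACE_ALLOW) granted |= acl[i].mask & ~denied;
        else                          denied  |= acl[i].mask & ~granted;
    }
    return granted;
}

/* Constructed sample: deny WRITE to the user SID, allow READ|WRITE to a group,
 * an inherit-only ACE that must be skipped, then allow EXEC to everyone. */
const struct ace SAMPLE_ACL[4] = {
    { ACE_DENY, 0, 1000, WRITE }, { ACE_ALLOW, 0, 513, READ | WRITE },
    { ACE_ALLOW, INHERIT_ONLY, 1, 0xffff }, { ACE_ALLOW, 0, 1, EXEC } };
const uint32_t SAMPLE_SIDS[3] = { 1000, 513, 1 };
const struct token SAMPLE_TOKEN = { SAMPLE_SIDS, 3 };
```

With the sample ACL, requesting READ|EXEC is granted with the accumulated mask 0x5, which a plain `granted =` would have reported as only EXEC.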