ACL / SDs
Todd Sabin
tas at webspan.net
Thu Feb 24 17:27:49 GMT 2000
Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> > > > Well, even NT has banned them from ACLs. Don't let the fact that the
> > > > code is the same in NT hide the fact that the bitmask in ACLs is a
> > > > different bitmask from that by which you request a set of permissions.
> >
> > Actually, this isn't true; they're not banned at all, AFAICS. At the
> > very least, the SDs for lots of registry keys in NT5 definitely
> > contain ACEs with some of the GENERIC_* bits set. They're primarily
> > in inherit-only ACEs, but they're there, none the less.
>
> See GenericPermissions arg of SeAccessCheck. this is different from bits
> 16 to 32 in an ACE.
>
No, the top four bits of an access_mask are GENERIC_READ,
GENERIC_WRITE, GENERIC_EXECUTE, and GENERIC_ALL. The GenericMapping
arg tells how those things map into specific access rights. e.g.,
for LsaPolicy, GENERIC_EXECUTE -> (POLICY_VIEW_LOCAL_INFORMATION
                                   | POLICY_LOOKUP_NAMES
                                   | STANDARD_RIGHTS_EXECUTE)
(STANDARD_RIGHTS_EXECUTE == READ_CONTROL)

I'm not sure how this plays out in practice. I had thought that the
generic mapping was mainly a UI mechanism, so the ACL editor could
hide details. However, I've seen ACEs in NT5 that have some of the
GENERIC_* bits set. Usually, they're for inherit-only ACEs, though.
I've never seen any place that uses the GENERIC_* bits in a
DesiredAccess. I wonder what would happen if you did?

> > {
> >     int requested = user_request; // passed in
> >     int granted;
> >
> >     for (i=0; requested && i< #aces; i++) {
> >         if (ace applies to user
> >             && ace applies to object /* i.e. isn't inherit only */) {
> >             if (ace is permit type) {
> >                 granted = ace.mask & requested;
> >                 requested &= ~granted;
> >             } else if (ace is deny type) {
> >                 if (requested & ace.mask)
> >                     break;
> >             }
> >         }
> >     }
> >     if (requested) {
> >         /* access denied (didn't get granted everything) */
> >     } else {
> >         /* access permitted */
> >     }
> > }
> >
>
> todd, i think i need to accumulate granted permissions, so i made it
> granted |= ace.mask & requested.
>
> is that right?
>
well, the pseudo-code is actually subtracting out granted perms. If
you get to the point where you don't need any more, you're through.
granted is really just a convenience var, the two lines could actually
be written as "requested &= ~ace.mask;", I think. Maybe requested
should be called still_need, or something.
Todd
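
The ACE walk from the pseudo-code above combined with the generic-mapping step, as an added C example that is not part of the original message or of Samba's code. The struct layouts and function names are hypothetical, and expanding GENERIC_* bits in both the requested mask and each ACE mask is an assumption of the example; the thread leaves open how NT treats them.

```c
#include <stddef.h>
#include <stdint.h>

/* Top four bits of an access mask (values from the Windows SDK headers). */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u

enum ace_type { ACE_ALLOW, ACE_DENY };
struct generic_mapping { uint32_t read, write, execute, all; };

struct ace {                 /* simplified, hypothetical ACE */
    enum ace_type type;
    int applies_to_user;     /* SID match already evaluated by the caller */
    int inherit_only;        /* inherit-only ACEs do not apply to this object */
    uint32_t mask;
};

/* Replace each GENERIC_* bit with the object-specific rights it stands for. */
static uint32_t map_generic(uint32_t mask, const struct generic_mapping *gm)
{
    if (mask & GENERIC_READ)    mask |= gm->read;
    if (mask & GENERIC_WRITE)   mask |= gm->write;
    if (mask & GENERIC_EXECUTE) mask |= gm->execute;
    if (mask & GENERIC_ALL)     mask |= gm->all;
    return mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* Returns 1 if every requested right is granted, 0 otherwise. */
static int access_check(const struct ace *aces, size_t n, uint32_t desired,
                        const struct generic_mapping *gm)
{
    uint32_t still_need = map_generic(desired, gm);

    for (size_t i = 0; still_need && i < n; i++) {
        if (!aces[i].applies_to_user || aces[i].inherit_only)
            continue;
        uint32_t mask = map_generic(aces[i].mask, gm);
        if (aces[i].type == ACE_ALLOW)
            still_need &= ~mask;     /* subtract out what this ACE grants */
        else if (still_need & mask)
            return 0;                /* deny ACE hits a right not yet granted */
    }
    return still_need == 0;
}
```

Because granted rights are subtracted from `still_need` as the walk proceeds, permissions spread over several allow ACEs accumulate without a separate `granted` variable, and a deny ACE only matters for rights not already granted by an earlier ACE.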