ACL / SDs

Todd Sabin tas at webspan.net
Thu Feb 24 17:27:49 GMT 2000


Luke Kenneth Casson Leighton <lkcl at samba.org> writes:

> > > > Well, even NT has banned them from ACLs. Don't let the fact that the
> > > > code is the same in NT hide the fact that the bitmask in ACLs is a
> > > > different bitmask from that by which you request a set of permissions.
> > 
> > Actually, this isn't true; they're not banned at all, AFAICS.  At the
> > very least, the SDs for lots of registry keys in NT5 definitely
> > contain ACEs with some of the GENERIC_* bits set.  They're primarily
> > in inherit-only ACEs, but they're there, none the less.
> 
> See GenericPermissions arg of SeAccessCheck.  this is different from bits
> 16 to 32 in an ACE.
> 

No, the top four bits of an access_mask are GENERIC_READ,
GENERIC_WRITE, GENERIC_EXECUTE, and GENERIC_ALL.  The GenericMapping
arg tells how those things map into specific access rights.  e.g.,
for LsaPolicy, GENERIC_EXECUTE -> (POLICY_VIEW_LOCAL_INFORMATION
                                   | POLICY_LOOKUP_NAMES
                                   | STANDARD_RIGHTS_EXECUTE)
(STANDARD_RIGHTS_EXECUTE == READ_CONTROL)

I'm not sure how this plays out in practice.  I had thought that the
generic mapping was mainly a UI mechanism, so the ACL editor could
hide details.  However, I've seen ACEs in NT5 that have some of the
GENERIC_* bits set.  Usually, they're for inherit-only ACEs, though.
I've never seen any place that uses the GENERIC_* bits in a
DesiredAccess.  I wonder what would happen if you did?

> > {
> >     int requested = user_request;  // passed in
> >     int granted;
> > 
> >     for (i=0; requested && i< #aces; i++) {
> >         if (ace applies to user 
> >             && ace applies to object /* i.e. isn't inherit only */) {
> >             if (ace is permit type) {
> >                 granted = ace.mask & requested;
> >                 requested &= ~granted;
> >             } else if (ace is deny type) {
> >                 if (requested & ace.mask)
> >                     break;
> >             }
> >         }
> >     }
> >     if (requested) {
> >         /* access denied (didn't get granted everything) */
> >     } else {
> >         /* access permitted */
> >     }
> > }
> > 
> 
> todd, i think i need to accumulate granted permissions, so i made it
> granted |= ace.mask & requested.
> 
> is that right?
>  

well, the pseudo-code is actually subtracting out granted perms.  If
you get to the point where you don't need any more, you're through.
granted is really just a convenience var, the two lines could actually
be written as "requested &= ~ace.mask;", I think.  Maybe requested
should be called still_need, or something.


Todd
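The two points under discussion, that the GENERIC_* bits are the top four bits of an access mask which the GenericMapping argument translates into object-specific rights, and that the quoted access-check loop subtracts granted rights from what is still needed (so "requested &= ~ace.mask" is enough and "still_need" is the better name), in a self-contained C program. This is an added example, not code from Samba, Windows or anyone in the thread. It assumes SIDs are plain integers, the DACL and tokens are constructed for the demonstration, and only the GENERIC_EXECUTE entry of the LsaPolicy mapping is the one quoted above; the read, write and all entries are made up for the example. The Windows SDK values for the GENERIC_*, READ_CONTROL, POLICY_* and INHERIT_ONLY_ACE constants are reproduced as they appear in the SDK headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* The four generic bits are the top four bits of an ACCESS_MASK (Windows SDK values). */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_BITS    (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

/* Standard and LSA-policy specific rights used below (Windows SDK values). */
#define READ_CONTROL                  0x00020000u
#define STANDARD_RIGHTS_EXECUTE       READ_CONTROL
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001u
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002u
#define POLICY_TRUST_ADMIN            0x00000008u
#define POLICY_LOOKUP_NAMES           0x00000800u

/* Per-object-type table: which specific rights each generic bit stands for. */
typedef struct {
    ACCESS_MASK generic_read, generic_write, generic_execute, generic_all;
} GENERIC_MAPPING;

/* generic_execute is the mapping quoted in the thread; the other three entries are
 * constructed for this example and are NOT the real LSA policy mapping. */
static const GENERIC_MAPPING lsa_policy_mapping = {
    .generic_read    = READ_CONTROL | POLICY_VIEW_AUDIT_INFORMATION,
    .generic_write   = READ_CONTROL | POLICY_TRUST_ADMIN,
    .generic_execute = POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES | STANDARD_RIGHTS_EXECUTE,
    .generic_all     = READ_CONTROL | POLICY_VIEW_AUDIT_INFORMATION | POLICY_TRUST_ADMIN
                     | POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES,
};

/* Replace every GENERIC_* bit in a mask by the specific rights it maps to, so that
 * the result carries no generic bits and can be compared against ACE masks bit for bit. */
ACCESS_MASK map_generic_mask(ACCESS_MASK mask, const GENERIC_MAPPING *m)
{
    if (mask & GENERIC_READ)    mask |= m->generic_read;
    if (mask & GENERIC_WRITE)   mask |= m->generic_write;
    if (mask & GENERIC_EXECUTE) mask |= m->generic_execute;
    if (mask & GENERIC_ALL)     mask |= m->generic_all;
    return mask & ~GENERIC_BITS;
}

enum ace_type { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED };
#define INHERIT_ONLY_ACE 0x08u  /* ACE header flag (Windows SDK value) */

/* Reduced ACE and token: SIDs are plain integers here (example simplification). */
typedef struct { enum ace_type type; unsigned flags; uint32_t sid; ACCESS_MASK mask; } ACE;
typedef struct { uint32_t sids[8]; size_t nsids; } TOKEN;

static bool token_has_sid(const TOKEN *t, uint32_t sid)
{
    for (size_t i = 0; i < t->nsids; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* The quoted pseudo-code made concrete. still_need starts as the generic-mapped
 * DesiredAccess; each applicable allow ACE subtracts the rights it grants, and a deny
 * ACE that overlaps an outstanding right ends the walk. Returns true when every
 * requested right was granted; *granted receives the mapped mask, or 0 on denial. */
bool access_check(const TOKEN *tok, const ACE *dacl, size_t nace,
                  ACCESS_MASK desired, const GENERIC_MAPPING *m, ACCESS_MASK *granted)
{
    ACCESS_MASK wanted     = map_generic_mask(desired, m);
    ACCESS_MASK still_need = wanted;

    for (size_t i = 0; still_need && i < nace; i++) {
        const ACE *ace = &dacl[i];
        if (ace->flags & INHERIT_ONLY_ACE) continue;  /* not effective on this object */
        if (!token_has_sid(tok, ace->sid)) continue;  /* does not apply to this caller */

        /* ACE masks may carry GENERIC_* bits as well, so map them the same way. */
        ACCESS_MASK ace_mask = map_generic_mask(ace->mask, m);
        if (ace->type == ACE_ACCESS_ALLOWED)
            still_need &= ~ace_mask;   /* == granted = mask & req; req &= ~granted */
        else if (ace_mask & still_need)
            break;                     /* explicit deny on a right still outstanding */
    }
    *granted = still_need ? 0 : wanted;
    return still_need == 0;
}

/* Constructed sample DACL and tokens (not real data). */
#define SID_MEMBER  5u
#define SID_BLOCKED 7u
static const ACE sample_dacl[] = {
    { ACE_ACCESS_DENIED,  0,                SID_BLOCKED, POLICY_LOOKUP_NAMES },
    { ACE_ACCESS_ALLOWED, 0,                SID_MEMBER,  GENERIC_EXECUTE },
    { ACE_ACCESS_ALLOWED, INHERIT_ONLY_ACE, SID_MEMBER,  GENERIC_ALL },
};
static const TOKEN member_token         = { { SID_MEMBER }, 1 };
static const TOKEN member_blocked_token = { { SID_MEMBER, SID_BLOCKED }, 2 };

/* Convenience wrapper: the granted mask for a request against sample_dacl, 0 if denied. */
ACCESS_MASK check_granted(const TOKEN *tok, ACCESS_MASK desired)
{
    ACCESS_MASK g;
    access_check(tok, sample_dacl, sizeof sample_dacl / sizeof sample_dacl[0],
                 desired, &lsa_policy_mapping, &g);
    return g;
}

int main(void)
{
    printf("GENERIC_EXECUTE on LsaPolicy -> 0x%08x\n",
           map_generic_mask(GENERIC_EXECUTE, &lsa_policy_mapping));
    printf("member, VIEW_LOCAL_INFORMATION -> 0x%08x\n",
           check_granted(&member_token, POLICY_VIEW_LOCAL_INFORMATION));
    printf("member, GENERIC_ALL (only an inherit-only ACE grants it) -> 0x%08x\n",
           check_granted(&member_token, GENERIC_ALL));
    printf("member+blocked, LOOKUP_NAMES (deny ACE hits) -> 0x%08x\n",
           check_granted(&member_blocked_token, POLICY_LOOKUP_NAMES));
    return 0;
}
```

Two things the run makes visible: the inherit-only GENERIC_ALL ACE never contributes to a check on the object itself, and the deny ACE only matters when its mask overlaps a right that is still outstanding, which is why Windows canonical ordering puts deny ACEs ahead of allow ACEs.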

