Posix Extended headers ...
Joerg Schilling
schilling at fokus.gmd.de
Tue Jul 16 06:27:54 GMT 2002
>From tpot at samba.org Mon Jul 15 23:51:30 2002
>> > >The SEC_DESC contains the Owner SID and the Primary Group SID of the Owner
>> > >of the file, along with the ACL, which can contain both positive ACEs
>> > >(allow) and negative ACEs (deny) as well as AUDIT and something else ACEs.
>> >
>> > Mmm, Audit entries on Solaris are kept in the shadow passwd file.
>>
>> I think audit entries are similar to positive or negative ACEs, and simply
>> mean that if the specified user/group requested the specified access,
>> write a system log entry.
>Yes. There's an ACE type called SEC_ACE_TYPE_SYSTEM_AUDIT which does
>what you describe. Samba doesn't really support them but you could get
>a pretty good idea of how they work and what they do by playing around
>with a couple of NT/Win2k systems and ethereal.

I don't have an NT/Win2k system available for direct use. For this reason, I
also did not yet implement ioctl-based SCSI transport into libscg :-(

>> > Having denial ACLs makes it a bit more complex, but if at least the basic
>> > idea is the same as with POSIX, then it would be possible to add just two
>> > additional ACL descriptors to the TAR header:
>> >
>> > - Denial default entries (descending information starting from dirs)
>> >
>> > - Denial access entries
>> >
>> > These could just look (besides the label) the same as the existing entries.
>>
>> That is a neat idea. That would make it work. We would want to record
>> user/group names as DOMAIN\name as well, and UID/GID does not necessarily
>> make sense.
>Storing a sid and rid would perhaps be a better way to do it as you may
>not be able to resolve the username or domain due to network problems or
>that the sid is a foreign sid from a non-trusted domain.

Could you explain what sid/rid is please?

Jörg

EMail: joerg at schily.isdn.cs.tu-berlin.de (home)  Jörg Schilling D-13353 Berlin
       js at cs.tu-berlin.de (uni)                   If you don't have iso-8859-1
       schilling at fokus.gmd.de (work)             chars I am J"org Schilling
URL:   http://www.fokus.gmd.de/usr/schilling  ftp://ftp.fokus.gmd.de/pub/unix
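
Added example, not part of the original message and not code from Samba or star: a Windows SID is a variable-length binary identifier, and the RID is its last 32-bit sub-authority, so an archive can store the numeric form without any name lookup. The function name, the sample SID and the string rendering used for storage are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout: revision (1 byte), sub-authority count (1 byte),
 * identifier authority (6 bytes, big-endian), then `count` sub-authorities
 * (32 bits each, little-endian). The RID is the last sub-authority. */
#define SID_MAX_SUBAUTHS 15

/* Constructed sample: S-1-5-21-1-2-3-1000 (domain S-1-5-21-1-2-3, RID 1000). */
static const uint8_t sample_sid[] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x00, 0x00
};

/* Hypothetical helper: render a binary SID as "S-R-A-S1-...-Sn" and hand
 * back the RID. Returns 0 on success, -1 on malformed or truncated input.
 * A SID with no sub-authorities is rejected because it carries no RID. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen,
                  uint32_t *rid)
{
    if (len < 8 || buf[0] != 1)
        return -1;
    unsigned count = buf[1];
    if (count == 0 || count > SID_MAX_SUBAUTHS || len < 8 + 4u * count)
        return -1;

    uint64_t auth = 0;
    for (int i = 0; i < 6; i++)
        auth = (auth << 8) | buf[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0],
                     (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;

    uint32_t sub = 0;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
              (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, outlen - used, "-%u", (unsigned)sub);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    *rid = sub;  /* last sub-authority: the account's relative identifier */
    return 0;
}
```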