Fine points of ACL conversion

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt_zinkevicius at hp.com
Wed Jul 31 12:06:01 GMT 2002


> 1. If it encounters a DENY (negative) ACE that denies any of the bits 
> requested, it denies access.

Correct

> 2. If it encounters ALLOW ACEs that allow any of the bits, but not all,
> it continues? Is this true? Does it accumulate permission bits until the
> requested bits are available and then stop? If a DENY appears after an ACE
> that allows some bits, but not all, presumably it denies access. So order
> is very important. However, does it accumulate perms?

It accumulates and continues as long as none of the request bits have been
denied. If there are no more ACEs and the full set of request bits have not
been allowed then permission is denied. If a previously allowed bit is
denied in a later ACE it is still allowed. That is why ACE ordering is
important.

See my patch that I posted a couple months back where I implemented full NT
security semantics for samba 2.2.3a. This implements NT ACL inheritance as
well, which is where it can get really scary.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions
Hewlett-Packard
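The evaluation order Matt describes above, as an added C example that is not from the post or from the Samba patch it mentions; the ACE struct, the access bits, the SID model and the sample ACLs are constructed for illustration:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of an NT access-control entry, not Samba's own struct. */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type_t;
typedef struct {
    ace_type_t type;
    int        sid;   /* trustee, modelled as a small integer id */
    uint32_t   mask;  /* access bits this ACE grants or denies */
} ace_t;

/* Sample access bits, constructed for this example. */
#define ACC_READ   0x1u
#define ACC_WRITE  0x2u

/* Walk the ACL in order, applying the rules described in the post:
 *  - a DENY ACE denies access only if it hits a requested bit that no
 *    earlier ALLOW ACE has already granted;
 *  - ALLOW ACEs accumulate bits; stop with "granted" once every
 *    requested bit has been granted;
 *  - running out of ACEs with bits still outstanding means "denied".
 * `sids` holds the requester's user and group SIDs; an ACE applies when
 * its SID is one of them. Returns 1 for granted, 0 for denied. */
int nt_access_check(const ace_t *acl, size_t n_aces,
                    const int *sids, size_t n_sids, uint32_t requested)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < n_aces; i++) {
        int applies = 0;
        for (size_t j = 0; j < n_sids; j++)
            if (sids[j] == acl[i].sid) { applies = 1; break; }
        if (!applies) continue;
        if (acl[i].type == ACE_DENY) {
            /* Bits granted by an earlier ALLOW ACE stay granted. */
            if (acl[i].mask & requested & ~granted) return 0;
        } else {
            granted |= acl[i].mask & requested;
            if ((requested & ~granted) == 0) return 1;
        }
    }
    return (requested & ~granted) == 0;  /* ACL exhausted */
}

/* Constructed ACLs for a requester holding SIDs 1 (user) and 2 (group):
 * the same three ACEs, with the DENY placed after or before the ALLOW. */
static const int   user_sids[] = { 1, 2 };
static const ace_t allow_then_deny[] = {
    { ACE_ALLOW, 1, ACC_READ }, { ACE_DENY, 2, ACC_READ }, { ACE_ALLOW, 2, ACC_WRITE } };
static const ace_t deny_then_allow[] = {
    { ACE_DENY, 2, ACC_READ }, { ACE_ALLOW, 1, ACC_READ }, { ACE_ALLOW, 2, ACC_WRITE } };
```

Requesting READ|WRITE against `allow_then_deny` is granted (READ was allowed before the DENY, WRITE accumulates from the last ACE), while the same request against `deny_then_allow` is denied at the first ACE.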
