usershare acl parser?
tridge at samba.org
Sun Dec 11 11:42:18 GMT 2005
Jeremy,

> No, it's not just a subset, it's almost a completely different
> animal. What would setting :
>
> WRITE_DAC_ACCESS | SYNCHRONIZE_ACCESS | FILE_EXECUTE

WRITE_DAC_ACCESS would mean that the trustee of the ACE can change the
ACL.

FILE_EXECUTE is in the file specific bits, and is 0x20, which means
that on a share it would be known as SEC_DIR_TRAVERSE which would
allow/deny the trustee to traverse the share root (which just happens
to be what unix execute means on a directory).

SEC_STD_SYNCHRONIZE won't be useful on a share root, but the others
definitely mean something.

> *possibly* mean in a share context ? That's something that
> might come out of a generic ACL. Remember, people are going
> to have to be able to read and type this on a UNIX command line.
> Hands up anyone who knows the Microsoft text ACL format..... :-).
>
> Remember, the syntax is just "[user|group]:[F|R|D]". Complete
> ACLs are so much overkill for this it's not even funny :-).

Well, playing devil's advocate, how will you control the inheritance,
which controls what ACL will be used on files created in the root of
the share?

How will you allow/deny changing attributes on the share? (such as
volume name). How will you enable auditing controls?

You may well be right that a full ACL is more than most people need,
but I don't think it's true to say that a broader ACL capability is
useless.

Cheers, Tridge
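
Added example, not part of the original message and not Samba's code: a C sketch that parses one entry of the short "[user|group]:[F|R|D]" syntax and checks whether the mask discussed above (WRITE_DAC_ACCESS | SYNCHRONIZE_ACCESS | FILE_EXECUTE) can be expressed in it. The function names, the reading of F/R/D as full/read/deny, and the masks assigned to each letter are assumptions made for illustration; the bit values are the standard NT access-mask constants.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard NT access-mask bits, named as in the thread. */
#define FILE_EXECUTE       0x00000020u /* SEC_DIR_TRAVERSE on a share root */
#define WRITE_DAC_ACCESS   0x00040000u
#define SYNCHRONIZE_ACCESS 0x00100000u /* SEC_STD_SYNCHRONIZE */
/* Assumed masks behind the short letters (illustrative choice, not from the page). */
#define MASK_READ 0x001200A9u /* FILE_GENERIC_READ | FILE_GENERIC_EXECUTE */
#define MASK_FULL 0x001F01FFu /* FILE_ALL_ACCESS */

struct share_ace { char trustee[64]; int deny; uint32_t mask; };

/* Parse one "[user|group]:[F|R|D]" entry. Returns 0 on success, -1 on bad input. */
int parse_short_ace(const char *s, struct share_ace *out)
{
    const char *colon = s ? strrchr(s, ':') : NULL;
    size_t len;
    if (colon == NULL || colon == s || colon[1] == '\0' || colon[2] != '\0')
        return -1;                 /* need a name and exactly one letter */
    len = (size_t)(colon - s);
    if (len >= sizeof(out->trustee))
        return -1;                 /* reject rather than truncate a trustee name */
    memcpy(out->trustee, s, len);
    out->trustee[len] = '\0';
    switch (colon[1]) {
    case 'F': out->deny = 0; out->mask = MASK_FULL; break;
    case 'R': out->deny = 0; out->mask = MASK_READ; break;
    case 'D': out->deny = 1; out->mask = MASK_FULL; break;
    default:  return -1;           /* unknown letters are an error, not "no access" */
    }
    return 0;
}

/* Can the short syntax produce this exact mask? */
int expressible_in_short_syntax(uint32_t mask) { return mask == MASK_READ || mask == MASK_FULL; }

/* Bits that still mean something on a share root, per the message above. */
uint32_t meaningful_on_share_root(uint32_t mask) { return mask & ~SYNCHRONIZE_ACCESS; }

int main(void)
{
    uint32_t m = WRITE_DAC_ACCESS | SYNCHRONIZE_ACCESS | FILE_EXECUTE;
    printf("mask=0x%08x short=%d share-root bits=0x%08x\n", (unsigned)m,
           expressible_in_short_syntax(m), (unsigned)meaningful_on_share_root(m));
    return 0;
}
```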