Allan Fleming wrote:
ls -V shows me this:

d---------+ 15 allan Domain 32 May 13 11:46
    group:Local sys...@builti:rwxpdDaARWcCos:-------:allow
    group:Local sys...@builti:rwxpdDaARWcCos:fdi----:allow

If I try to set the group the same on another file I can't.

chmod A+group:Local\ sys...@builti:rwxpdDaARWcCos:-------:allow junk
Invalid group Local sys...@builti specified.

I'm not sure what I am missing

The first thing that you're missing is that the ls -V output is truncated; the name it's trying to specify is "Local sys...@builtin". However, that won't work either :-(.

The second thing you're missing is that we have some bugs in this area; the treatment of builtin users and groups is wrong. As it happens, I've been looking at the question over the last couple of weeks, and am close to determining what the "right" answer is.

One workaround, obscure but will work forever, is to explicitly specify the SID. For Local System, that's:
$ chmod A+sid:S-1-5-18:full_set:fd:allow junk

Another workaround, less obscure but I'm not sure it will be an allowable form after we clean up the situation, is to use "@<nothing>":
$ chmod A+group:"Local System@":full_set:fd:allow junk

Right now, it looks like the most likely form for builtin names will be to use the bare name, e.g. "Local System", with no @domain qualifier. There might also be a way to explicitly specify that you want a builtin name, in case there's ambiguity.

There's also a question of exactly what names should be used for the builtin names. The Microsoft documentation refers to S-1-5-18 as "Local System", but the Windows user interface refers to it as "SYSTEM" or "NT AUTHORITY\SYSTEM", so we might change our behavior there.

cifs-discuss mailing list

Reply via email to