Nico and I discussed his issues yesterday and I am attaching a new spec that incorporates the changes Nico requested.
Summary of the changes:

- name@domain will be supported in addition to raw sid format
- sid: can be used when user doesn't care whether a sid is a user or a group
- ACL_SID_FMT will only use the raw sid format when necessary. It will first try and construct a name@domain format.

-Mark

Nicolas Williams wrote:
> On Tue, May 27, 2008 at 02:44:40PM -0600, Tim Haley wrote:
>> usersid/groupsid ACE types. These are aliases for user and group,
>> but instead of an id a windows SID is specified instead.
>>
>> usersid:S-1-5-4343545-34534-44354-23:rwxp:allow
>> groupsid:S-1-5-438473-58347567-4848-55:rwx:allow
>>
>> The acl_fromtext() interface will use idmap to convert the SID
>> string into an ephemeral id.
>
> You can also use idmap interfaces to perform name-to-SID lookup + ID
> mapping. So you could allow "usersid:foo@domain:rwxp:allow"...
>
> Do, please, make sure that there's a way to distinguish between Unix
> user/group names and Windows user/group names. In the future we'll be
> adding an nss_ad module that will make the two namespaces equal, but it
> isn't necessarily the case that the customer will configure their system
> to use nss_ad, thus the need for distinguishing between namespaces.
>
>> The acl_totext() interface will introduce a new flag bit
>> ACL_SID_FMT that will be used to instruct acl_totext() to use
>> the usersid, or groupsid format when constructing textual
>> ACLs when the "id" field is an ephemeral id and the flag
>> parameter requests "sid" format.
>
> I think we'll need a flag to request the use of Windows names vs. plain
> SIDs. See above.
>
>> acl_totext(aclp, ACL_SID_FMT);
>>
>> Both chown(1) and chgrp(1) will have a -s option added to allow
>> changing the owner/group by SID string.
>>
>> For example:
>>
>> chown -s S-1-5-4343545-34534-44354-23:S-1-5-438473-58347567-4848-55
>> file
>> chgrp -s S-1-5-438473-58347567-4848-55 file
>>
>> All of the normal options to chown(1)/chgrp(1) will still
>> apply, the -s argument simply tells the utility to treat the
>> owner/group argument as a SID rather than a user or
>> groupname.
>
> My comments re: chmod apply here as well.
>
> Nico
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: acl.fasttrack
URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20080528/9e8dd703/attachment.ksh>
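As an added example, not code from this thread nor from the OpenSolaris spec it discusses, here is a small Python parser for the textual ACE syntax quoted above. It keeps the three principal namespaces apart (raw SID string, Windows name@domain, Unix name or id), which is the distinction Nico asks for, rejects a usersid/groupsid/sid entry whose principal is a bare Unix name and a user/group entry whose principal looks like a SID, and splits a `chown -s OWNER[:GROUP]` argument into two validated SIDs. The permission letter set, the `deny` access kind, the name@domain pattern and the sample entries are assumptions of this example; the message itself only shows `rwx`/`rwxp` and `allow`.

```python
import re
from dataclasses import dataclass

# Windows SID string form: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Assumed shape of a Windows principal name: name@domain, no ':' so it fits the ACE syntax
NAME_AT_DOMAIN_RE = re.compile(r"^[^@:]+@[^@:]+$")

# ACE types named in the thread: user/group take a Unix name or id,
# usersid/groupsid take a Windows principal, and "sid" (from the revised
# spec) is for callers that do not care whether the SID is a user or group.
WINDOWS_TYPES = {"usersid", "groupsid", "sid"}
UNIX_TYPES = {"user", "group"}

# Assumed: ZFS compact permission letters and the two basic access kinds.
PERM_LETTERS = set("rwxpdDaARWcCos")
ACCESS_KINDS = {"allow", "deny"}


@dataclass(frozen=True)
class Ace:
    ace_type: str
    principal: str
    namespace: str  # "sid", "windows-name" or "unix"
    perms: str
    access: str


def classify_windows_principal(principal: str) -> str:
    """Return 'sid' for a raw SID string or 'windows-name' for name@domain."""
    if SID_RE.match(principal):
        return "sid"
    if NAME_AT_DOMAIN_RE.match(principal):
        return "windows-name"
    raise ValueError(f"not a SID string or name@domain: {principal!r}")


def parse_ace(text: str) -> Ace:
    """Parse one 'type:principal:perms:access' entry, refusing namespace mix-ups."""
    parts = text.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected type:principal:perms:access, got {text!r}")
    ace_type, principal, perms, access = parts
    if not principal:
        raise ValueError("empty principal")
    if ace_type in WINDOWS_TYPES:
        namespace = classify_windows_principal(principal)
    elif ace_type in UNIX_TYPES:
        # A Unix entry must never carry a SID or a Windows name, otherwise
        # "user:foo" and "usersid:foo@domain" could be confused for each other.
        if SID_RE.match(principal) or "@" in principal:
            raise ValueError(f"{ace_type}: expects a Unix name or id, got {principal!r}")
        namespace = "unix"
    else:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    if not perms or not set(perms) <= PERM_LETTERS:
        raise ValueError(f"bad permission string {perms!r}")
    if access not in ACCESS_KINDS:
        raise ValueError(f"bad access kind {access!r}")
    return Ace(ace_type, principal, namespace, perms, access)


def parse_acl(text: str) -> list:
    """Parse a whole textual ACL, one ACE per non-blank line."""
    return [parse_ace(line.strip()) for line in text.splitlines() if line.strip()]


def is_rejected(text: str) -> bool:
    """True if parse_ace() refuses the entry (used to check the namespace guard)."""
    try:
        parse_ace(text)
    except ValueError:
        return True
    return False


def split_chown_sid_arg(arg: str) -> tuple:
    """Split a 'chown -s OWNER[:GROUP]' argument; both halves must be raw SIDs."""
    owner, sep, group = arg.partition(":")
    if not SID_RE.match(owner):
        raise ValueError(f"owner is not a SID string: {owner!r}")
    if sep and not SID_RE.match(group):
        raise ValueError(f"group is not a SID string: {group!r}")
    return owner, (group if sep else None)


# Constructed sample: the two entries from the thread plus an assumed
# name@domain entry and an assumed plain Unix entry.
SAMPLE_ACL = """\
usersid:S-1-5-4343545-34534-44354-23:rwxp:allow
groupsid:S-1-5-438473-58347567-4848-55:rwx:allow
usersid:foo@domain:rwxp:allow
user:alice:rwx:allow
"""

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL):
        print(f"{ace.ace_type:9} {ace.namespace:13} {ace.principal}")
    print(split_chown_sid_arg("S-1-5-4343545-34534-44354-23:S-1-5-438473-58347567-4848-55"))
```

The guard in `parse_ace()` is the interesting part: a principal is interpreted only in the namespace its ACE type names, so a name that happens to exist both as a local Unix user and as a domain account cannot silently match the wrong one, whether or not nss_ad is configured.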
