> 1. If it encounters a DENY (negative) ACE that denies any of the bits
> requested, it denies access.

Correct

> 2. If it encounters ALLOW ACLs that allows any of the bits, but not all,
> it continues? Is this true. Does it accumulate permission bits until the
> requested bits are available and then stop? If a DENY appears after an ACE
> that allows some bits, but not all, presumably, it denies access. So order
> is very important. However, does it accumulate perms.

It accumulates and continues as long as none of the request bits have been denied. If there are no more ACEs and the full set of request bits have not been allowed then permission is denied. If a previously allowed bit is denied in a later ACE it is still allowed. That is why ACE ordering is important.

See my patch that I posted a couple months back where I implemented full NT security semantics for samba 2.2.3a. This implements NT ACL inheritance as well, which is where it can get really scary.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions
Hewlett-Packard
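
The evaluation order described in the message above, as an added example that is not part of the original post and is not Samba's code. The bit values, the numeric trustee ids standing in for SIDs, and the name access_check are assumptions made for illustration; inheritance is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed permission bits for this example (not NT's real values). */
#define P_READ  0x1u
#define P_WRITE 0x2u

enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    enum ace_type type;
    uint32_t trustee;   /* hypothetical numeric id standing in for a SID */
    uint32_t mask;
};

/* Walk the ACL in order. Returns 1 if every requested bit ends up allowed. */
int access_check(const struct ace *acl, size_t n, uint32_t who, uint32_t requested)
{
    uint32_t remaining = requested;        /* requested bits not yet allowed */
    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (acl[i].trustee != who)
            continue;                      /* ACE does not apply to this caller */
        if (acl[i].type == ACE_DENY) {
            if (acl[i].mask & remaining)
                return 0;                  /* denies a bit that is still needed */
        } else {
            remaining &= ~acl[i].mask;     /* accumulate; an allowed bit stays allowed */
        }
    }
    return remaining == 0;                 /* out of ACEs: grant only if nothing is left */
}

/* Constructed ACLs: the same two ACEs in opposite order. */
static const struct ace allow_then_deny[] = {
    { ACE_ALLOW, 100, P_READ | P_WRITE },
    { ACE_DENY,  100, P_WRITE },
};
static const struct ace deny_then_allow[] = {
    { ACE_DENY,  100, P_WRITE },
    { ACE_ALLOW, 100, P_READ | P_WRITE },
};

int main(void)
{
    printf("allow,deny write: %d\n", access_check(allow_then_deny, 2, 100, P_WRITE));
    printf("deny,allow write: %d\n", access_check(deny_then_allow, 2, 100, P_WRITE));
    return 0;
}
```

The two ACLs hold identical entries, yet the write request succeeds only when the ALLOW ACE comes first, which is the ordering hazard the message points out.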
