From: Richard Sharpe [mailto:[EMAIL PROTECTED]]

> Hmmmm, the MSDN article I looked at did not say that, but does not address
> that situation either. It kind of implies that any deny bit in the set
> requested causes a deny.

There used to be an MSDN article on "Computing Effective Rights" but my bookmark seems to be dead now :-( Microsoft has a "preferred ordering" of ACEs which tells you to always put denied ACEs before allowed ACEs in an ACL. See the bottom half of http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp?frame=true. This is probably why they don't mention this case, since it doesn't normally occur.

> Is that your experience? Do you have a simple program that demonstrates
> that?

We wrote several win32 test applications to test conformance. Also the NT ACL <-> POSIX ACL code in samba that Jeremy wrote computes effective rights similarly, if I remember right.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions
Hewlett-Packard
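
The case discussed in this message, an allow ACE stored ahead of a deny ACE, can be seen in a small model of in-order DACL evaluation. This is an added example, not part of the original message and not Samba's or Microsoft's code; the struct, the rights bits, the numeric SIDs and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of ordered DACL evaluation; not the Win32 API. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t sid; uint32_t mask; };

#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define SID_USER    100u   /* constructed stand-ins for real SIDs */
#define SID_GROUP   200u

/* Constructed sample data: the caller is SID_USER and a member of SID_GROUP. */
static const uint32_t token[] = { SID_USER, SID_GROUP };
/* Allow ACE stored ahead of the deny ACE (the unusual ordering). */
static const struct ace allow_first[] = {
    { ACE_ALLOW, SID_USER,  RIGHT_READ | RIGHT_WRITE },
    { ACE_DENY,  SID_GROUP, RIGHT_WRITE },
};
/* Same two ACEs in the preferred order: deny before allow. */
static const struct ace deny_first[] = {
    { ACE_DENY,  SID_GROUP, RIGHT_WRITE },
    { ACE_ALLOW, SID_USER,  RIGHT_READ | RIGHT_WRITE },
};

static int in_token(uint32_t sid)
{
    for (size_t i = 0; i < sizeof token / sizeof token[0]; i++)
        if (token[i] == sid) return 1;
    return 0;
}

/* Walk the ACEs in stored order; stop once every requested bit is granted.
 * Returns 1 (granted) or 0 (denied). */
int access_check(const struct ace *dacl, size_t n, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining; i++) {
        if (!in_token(dacl[i].sid)) continue;
        if (dacl[i].type == ACE_ALLOW) remaining &= ~dacl[i].mask;
        else if (dacl[i].mask & remaining) return 0; /* deny hits an ungranted bit */
    }
    return remaining == 0; /* bits no ACE granted are implicitly denied */
}

int main(void)
{
    printf("allow-first, write: %d\n", access_check(allow_first, 2, RIGHT_WRITE));
    printf("deny-first,  write: %d\n", access_check(deny_first, 2, RIGHT_WRITE));
    return 0;
}
```

With the same two ACEs, the write request is granted when the allow ACE comes first and denied when the deny ACE comes first, which is why auditing a DACL for out-of-order entries matters when computing effective rights.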
