On Fri, Aug 15, 2008 at 08:07:58PM +0200, Abramo Bagnara wrote:
> Jeremy Allison wrote:
> > On Fri, Aug 15, 2008 at 11:52:17AM +0200, Abramo Bagnara wrote:
> >> Sorry to show me dense, but I don't see the problem: the request to
> >> allow FILE_READ_ATTRIBUTES only would generate a 000 perms just as if
> >> map_nt_perms was called with only permissions not handled there.
> >>
> >> I'd say that to ask to allow FILE_READ_ATTRIBUTES only doesn't have to
> >> generate any ACE at all (as this request under an Unix permission model
> >> point of view doesn't give to user/group any further right).
> >>
> >> Could you explain how a possible conflict with a requested DENY ACE
> >> could happen?
> >
> > Existing file has FILE_READ_DATA|FILE_WRITE_DATA|FILE_READ_ATTRIBUTES.
> > Acl comes in to change this to FILE_READ_ATTRIBUTES. Samba has to map
> > this to '---' according to you. Oops. Instant deny ACL. Not what was
> > intended.
>
> I try to detail your example as it seems there is some misunderstanding:
>
> NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES FILE_WRITE_DATA
> Current samba perms for owner, group or others: rw-
> Current samba posix acl: user:abramo:rw-
> Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
> FILE_READ_EA FILE_GENERIC_READ FILE_WRITE_DATA FILE_APPEND_DATA
> FILE_WRITE_ATTRIBUTES FILE_WRITE_EA FILE_GENERIC_WRITE
> Proposed is the same as current
>
> NT ACL: Allow SID FILE_READ_ATTRIBUTES
> Current samba perms for owner, group or others: r--
> Current samba posix acl: user:abramo:r--
> Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
> FILE_READ_EA FILE_GENERIC_READ
> Proposed samba perms for owner, group or others: ---
> Proposed samba posix acl: entry is removed
> Proposed new NT ACL for owner, group or others: Allow SID EMPTY
> Proposed new NT ACL: ACE is removed
>
> Simply I'm suggesting that this case is treated as it was a request to
> have an empty list of accesses for that SID.

Now re-read the ACL on Windows. The '---' will be seen as a DENY ACE.
That's the problem. POSIX has no deny ACLs so we have to overload
no permissions in order to get the essential deny capability.

Jeremy.
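Added example, not part of the thread and not Samba's code: a simplified C model of the round trip discussed above, for a request of `Allow SID FILE_READ_ATTRIBUTES`. The function names and the bit sets each mapping honours are assumptions taken from the tables in the quoted message (composite `FILE_GENERIC_*` rights are left out); only the access-mask constants are real Windows values.

```c
#include <stdint.h>
#include <stdio.h>
/* Windows file access-mask bits (values from the Windows SDK). */
#define FILE_READ_DATA        0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_READ_EA          0x0008u
#define FILE_WRITE_EA         0x0010u
#define FILE_READ_ATTRIBUTES  0x0080u
#define FILE_WRITE_ATTRIBUTES 0x0100u

enum { P_R = 4, P_W = 2 };                  /* POSIX r and w bits */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; };

/* Assumed model of what the thread lists as "current":
 * FILE_READ_ATTRIBUTES on its own is enough to produce r--. */
static int nt_to_posix_current(uint32_t m)
{
    return ((m & (FILE_READ_DATA | FILE_READ_ATTRIBUTES)) ? P_R : 0) |
           ((m & FILE_WRITE_DATA) ? P_W : 0);
}

/* Assumed model of the proposal: only the data bits count. */
static int nt_to_posix_proposed(uint32_t m)
{
    return ((m & FILE_READ_DATA) ? P_R : 0) | ((m & FILE_WRITE_DATA) ? P_W : 0);
}

/* Read-back: POSIX has no deny entries, so '---' is overloaded to mean
 * deny and is shown to Windows as a DENY ACE (denied mask not modelled). */
static struct ace posix_to_nt(int perms)
{
    struct ace a = { ACE_ALLOW, 0 };
    if (perms == 0) { a.type = ACE_DENY; return a; }
    if (perms & P_R) a.mask |= FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA;
    if (perms & P_W) a.mask |= FILE_WRITE_DATA | FILE_APPEND_DATA |
                               FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA;
    return a;
}

int main(void)
{
    uint32_t req = FILE_READ_ATTRIBUTES;    /* constructed request */
    struct ace cur = posix_to_nt(nt_to_posix_current(req));
    struct ace pro = posix_to_nt(nt_to_posix_proposed(req));
    printf("current : %s 0x%04x\n", cur.type == ACE_DENY ? "DENY" : "ALLOW", (unsigned)cur.mask);
    printf("proposed: %s 0x%04x\n", pro.type == ACE_DENY ? "DENY" : "ALLOW", (unsigned)pro.mask);
    return 0;
}
```

In this model the current mapping reads back as an ALLOW ACE wider than the one requested, while the proposed mapping stores `---` and reads back as a DENY ACE.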
