1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00

Another ACLs Installment.

(This used to be commit cd9d0b3767)
This commit is contained in:
John Terpstra 2005-03-30 15:11:31 +00:00 committed by Gerald W. Carter
parent fc5cdba160
commit 82db54b406

View File

@ -420,7 +420,7 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the
man page for the <command>chattr</command> on SUSE Linux 9.2 says: man page for the <command>chattr</command> on SUSE Linux 9.2 says:
<screen> <screen>
A file with thei attribute cannot be modified: it cannot be deleted A file with the i attribute cannot be modified: it cannot be deleted
or renamed, no link can be created to this file and no data can be or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute. CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
@ -1237,6 +1237,9 @@ Before using any of the following options, please refer to the man page for &smb
the way in which Windows ACLs must be implemented. the way in which Windows ACLs must be implemented.
</para> </para>
<sect3>
<title>UNIX POSIX ACL Overview</title>
<para> <para>
In examining POSIX ACLs we must consider the manner in which they operate for In examining POSIX ACLs we must consider the manner in which they operate for
both files and directories. File ACLs have the following significance: both files and directories. File ACLs have the following significance:
@ -1268,6 +1271,106 @@ default:other:--- &lt;-- inherited permissions for everyone (other)
</screen> </screen>
</para> </para>
</sect3>
<sect3>
<title>Mapping of Windows File ACLs to UNIX POSIX ACLs</title>
<para>
Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs.
The mappings for file permissions are shown in <link linkend="fdsacls"/>.
</para>
<table frame='all' pgwide='0' id="fdsacls"><title>How Windows File ACLs Map to UNIX POSIX File ACLs</title>
<tgroup cols='2'>
<colspec align="left"/>
<colspec align="center"/>
<thead>
<row>
<entry align="center">Windows ACE</entry>
<entry align="center">File Attribute Flag</entry>
</row>
</thead>
<tbody>
<row>
<entry><para>Full Control</para></entry>
<entry><para>#</para></entry>
</row>
<row>
<entry><para>Traverse Folder / Execute File</para></entry>
<entry><para>x</para></entry>
</row>
<row>
<entry><para>List Folder / Read Data</para></entry>
<entry><para>r</para></entry>
</row>
<row>
<entry><para>Read Attributes</para></entry>
<entry><para>r</para></entry>
</row>
<row>
<entry><para>Read Extended Attribures</para></entry>
<entry><para>r</para></entry>
</row>
<row>
<entry><para>Create Files / Write Data</para></entry>
<entry><para>w</para></entry>
</row>
<row>
<entry><para>Create Folders / Append Data</para></entry>
<entry><para>w</para></entry>
</row>
<row>
<entry><para>Write Attributes</para></entry>
<entry><para>w</para></entry>
</row>
<row>
<entry><para>Write Extended Attributes</para></entry>
<entry><para>w</para></entry>
</row>
<row>
<entry><para>Delete Subfolders and Files</para></entry>
<entry><para>w</para></entry>
</row>
<row>
<entry><para>Delete</para></entry>
<entry><para>#</para></entry>
</row>
<row>
<entry><para>Read Permissions</para></entry>
<entry><para>all</para></entry>
</row>
<row>
<entry><para>Change Permissions</para></entry>
<entry><para>#</para></entry>
</row>
<row>
<entry><para>Take Ownership</para></entry>
<entry><para>#</para></entry>
</row>
</tbody>
</tgroup>
</table>
<para>
As can be seen from the mapping table, there is no 1:1 mapping capability and therefore
Samba must make a logical mapping that will permit Windows to operate more-or-less the way
that is intended by the Administrator.
</para>
</sect3>
<sect3>
<title>Mapping of Windows Directory ACLs to UNIX POSIX ACLs</title>
<para>
Interesting things happen in the mapping of UNIX POSIX directory permissions as well
as UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete component of
an Access Control List (ACL), are mapped to Windows directory ACLs.
</para>
</sect3>
</sect2> </sect2>
</sect1> </sect1>