RE: Extended attributes


From: Yoder, Alan (alan.yoder@netapp.com)
Date: 06/07/99-12:23:06 PM Z


Message-ID: <7F608EC0BDE6D111B53A00805FA7F7DA02A2EAF6@tahoe.netapp.com>
From: "Yoder, Alan" <alan.yoder@netapp.com>
Subject: RE: Extended attributes
Date: Mon, 7 Jun 1999 10:23:06 -0700 

> As I understand it, NT ACL's are order-dependent all the way through.
> If you match a given SID and the entry for that SID does not grant 
                                                      ^^^^^^^^^^^^^^
> the access you seek, your request is denied (do not pass GO, do not
> collect $200).  No second chances even if a later entry has an SID
> that you would match and grants the access.  I am working from a
> description and actually have to look at some code to verify this.

   The entry must *deny* access, not just "not grant" it.  If there
are two ACEs (Access Control Entries) and one grants R access to a
given SID and the other grants W, a request for RW will succeed 
unless a previous ACE specifically denies R, W or RW.  The permissions
check steps through the ACL accumulating permissions until the requested
permissions are granted or specifically denied.

   An NT ACL is a linear list of ACEs.  For formalists, the algorithm to check
whether a given SID (Security ID) should be granted a given set of permissions
is as follows:
	let _perms_ = 0 be the bitmask of permissions granted so far
	get the first ACE from the ACL
	while there is an ACE and access has been neither granted nor denied
		check the current ACE
		if it denies access to the given SID for any of the requested permissions,
			deny access and exit permissions check
		else if it grants some or all of the desired permissions,
			OR the granted permissions into _perms_
		if _perms_ contains all the desired permissions
			grant access and exit permissions check
		else
			continue with next ACE

   So yes, there is an order dependency.  Clients, NOT the server,
are responsible for maintaining the ACE order in the ACL.  I'm told by
those who should know that there are no known instances of clients which
screw this up (?!!).

Alan

===============================================================
Alan G. Yoder                                    agy@netapp.com
Network Appliance, Inc.                           
2770 San Tomas Expwy                        voice  408-367-3031
Santa Clara, CA  95051         changing in June to 408-822-6919
=============================================================== 
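The evaluation algorithm Alan lays out above, as an added worked example; this is not code from the original message or from Network Appliance. It models an ACL as an ordered list of allow/deny ACEs and walks it exactly as the pseudocode does: a deny that touches any requested bit stops the check, allows accumulate, and the check succeeds the moment the accumulated bits cover the request. The permission bits, the SIDs and the three ACLs are constructed for illustration, and the model matches one SID at a time rather than a token's full list of user and group SIDs, which real NT does.

```python
from dataclasses import dataclass
from enum import IntFlag
from typing import Sequence, Tuple


class Perm(IntFlag):
    """Constructed permission bits; a real NT access mask is a 32-bit value with many more."""
    NONE = 0
    R = 0x1
    W = 0x2
    X = 0x4


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: an allow or a deny of `mask` for `sid`."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: Perm


def check_access(acl: Sequence[ACE], sid: str, requested: Perm) -> bool:
    """Walk the ACL in order, accumulating granted bits, as the message's
    pseudocode does.  Returns True for grant, False for deny.  Falling off the
    end without a complete grant is a deny, so an empty ACL denies everything."""
    perms = Perm.NONE
    for ace in acl:
        if ace.sid != sid:
            continue                        # ACE is for another SID: ignore it
        if ace.kind == "deny":
            if ace.mask & requested:        # denies any requested bit: stop, denied
                return False
        elif ace.kind == "allow":
            perms |= ace.mask & requested   # accumulate what this ACE grants
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
        if (perms & requested) == requested:
            return True                     # everything requested is now granted
    return False


ALICE = "S-1-5-21-0-0-0-1001"   # constructed SID
BOB = "S-1-5-21-0-0-0-1002"     # constructed SID

# Alan's example: one ACE grants R, another grants W; an RW request accumulates to a grant.
ACCUMULATE_ACL = [ACE("allow", ALICE, Perm.R), ACE("allow", ALICE, Perm.W)]

# The same two ACEs with an explicit deny of W in front: RW is denied before it can accumulate.
DENY_FIRST_ACL = [ACE("deny", ALICE, Perm.W)] + ACCUMULATE_ACL

# The same deny placed last is never reached for an RW request, because the grant
# completes first.  Nothing in the algorithm re-sorts ACEs; ordering is the client's job.
DENY_LAST_ACL = ACCUMULATE_ACL + [ACE("deny", ALICE, Perm.W)]


def order_dependence() -> Tuple[bool, bool]:
    """(result with the deny first, result with the deny last) for Alice requesting RW."""
    rw = Perm.R | Perm.W
    return (check_access(DENY_FIRST_ACL, ALICE, rw),
            check_access(DENY_LAST_ACL, ALICE, rw))


if __name__ == "__main__":
    rw = Perm.R | Perm.W
    print("R + W accumulate       :", check_access(ACCUMULATE_ACL, ALICE, rw))    # True
    print("(deny first, deny last):", order_dependence())                         # (False, True)
    print("Bob, no matching ACE   :", check_access(ACCUMULATE_ACL, BOB, Perm.R))  # False
```

The `order_dependence()` pair is the point of the thread: the same three ACEs give opposite answers depending on where the deny sits, which is why a client that writes denies after allows effectively disables them. Windows' canonical DACL ordering (explicit denies before explicit allows) exists precisely so that a deny is always reached before a grant can complete.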



This archive was generated by hypermail 2.1.2 : 03/04/05-01:47:09 AM Z CST