author: John Terpstra <jht@samba.org> 2005-03-30 15:11:31 +0000
committer: Gerald W. Carter <jerry@samba.org> 2008-04-23 08:46:25 -0500
commit: 82db54b40629d2d394d6c941dc08da35d52991f5
tree: e60372214731203e932df32454d19c0e42d0c8b9
parent: fc5cdba1600fd3e0df7cef8273546d97e6c8f99f
Another ACLs Installment.
(This used to be commit cd9d0b3767363b7f108475c3bd75c588254137d3)
-rw-r--r-- docs/Samba-HOWTO-Collection/AccessControls.xml 105
1 files changed, 104 insertions, 1 deletions
diff --git a/docs/Samba-HOWTO-Collection/AccessControls.xml b/docs/Samba-HOWTO-Collection/AccessControls.xml
index 0a012bfd1f..db4547f25d 100644
--- a/docs/Samba-HOWTO-Collection/AccessControls.xml
+++ b/docs/Samba-HOWTO-Collection/AccessControls.xml
@@ -420,7 +420,7 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the
man page for the <command>chattr</command> on SUSE Linux 9.2 says:
<screen>
-A file with the‘i attribute cannot be modified: it cannot be deleted
+A file with the i attribute cannot be modified: it cannot be deleted
or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
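Review bot: The replacement line "A file with the i attribute cannot be modified" removes the stray ‘ but leaves the attribute letter unquoted. Because this text sits inside <screen> as a verbatim man page quotation, it should match the quoted source exactly; the leftover opening quote on the removed line suggests the letter was originally quoted, so restore both quotes rather than dropping them. While in this paragraph, the context line above still reads "immutible flag", which should be "immutable flag".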
@@ -1237,6 +1237,9 @@ Before using any of the following options, please refer to the man page for &smb
the way in which Windows ACLs must be implemented.
</para>
+ <sect3>
+ <title>UNIX POSIX ACL Overview</title>
+
<para>
In examining POSIX ACLs we must consider the manner in which they operate for
both files and directories. File ACLs have the following significance:
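Review bot: The <sect3> opened before the "In examining POSIX ACLs" paragraph has no id attribute, while the table added later in this patch gets id="fdsacls". Give this section, and the two sibling sections added with it, an id so they can be cross-referenced from elsewhere in the HOWTO. Note also that the matching </sect3> only arrives in the following hunk, so the two hunks cannot be applied separately without leaving the XML unbalanced.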
@@ -1268,6 +1271,106 @@ default:other:--- &lt;-- inherited permissions for everyone (other)
</screen>
</para>
+ </sect3>
+
+ <sect3>
+ <title>Mapping of Windows File ACLs to UNIX POSIX ACLs</title>
+
+ <para>
+ Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs.
+ The mappings for file permissions are shown in <link linkend="fdsacls"/>.
+ </para>
+
+ <table frame='all' pgwide='0' id="fdsacls"><title>How Windows File ACLs Map to UNIX POSIX File ACLs</title>
+ <tgroup cols='2'>
+ <colspec align="left"/>
+ <colspec align="center"/>
+ <thead>
+ <row>
+ <entry align="center">Windows ACE</entry>
+ <entry align="center">File Attribute Flag</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><para>Full Control</para></entry>
+ <entry><para>#</para></entry>
+ </row>
+ <row>
+ <entry><para>Traverse Folder / Execute File</para></entry>
+ <entry><para>x</para></entry>
+ </row>
+ <row>
+ <entry><para>List Folder / Read Data</para></entry>
+ <entry><para>r</para></entry>
+ </row>
+ <row>
+ <entry><para>Read Attributes</para></entry>
+ <entry><para>r</para></entry>
+ </row>
+ <row>
+ <entry><para>Read Extended Attribures</para></entry>
+ <entry><para>r</para></entry>
+ </row>
+ <row>
+ <entry><para>Create Files / Write Data</para></entry>
+ <entry><para>w</para></entry>
+ </row>
+ <row>
+ <entry><para>Create Folders / Append Data</para></entry>
+ <entry><para>w</para></entry>
+ </row>
+ <row>
+ <entry><para>Write Attributes</para></entry>
+ <entry><para>w</para></entry>
+ </row>
+ <row>
+ <entry><para>Write Extended Attributes</para></entry>
+ <entry><para>w</para></entry>
+ </row>
+ <row>
+ <entry><para>Delete Subfolders and Files</para></entry>
+ <entry><para>w</para></entry>
+ </row>
+ <row>
+ <entry><para>Delete</para></entry>
+ <entry><para>#</para></entry>
+ </row>
+ <row>
+ <entry><para>Read Permissions</para></entry>
+ <entry><para>all</para></entry>
+ </row>
+ <row>
+ <entry><para>Change Permissions</para></entry>
+ <entry><para>#</para></entry>
+ </row>
+ <row>
+ <entry><para>Take Ownership</para></entry>
+ <entry><para>#</para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ As can be seen from the mapping table, there is no 1:1 mapping capability and therefore
+ Samba must make a logical mapping that will permit Windows to operate more-or-less the way
+ that is intended by the Administrator.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Mapping of Windows Directory ACLs to UNIX POSIX ACLs</title>
+
+ <para>
+ Interesting things happen in the mapping of UNIX POSIX directory permissions as well
+ as UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete component of
+ an Access Control List (ACL), are mapped to Windows directory ACLs.
+ </para>
+
+ </sect3>
+
</sect2>
</sect1>
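Review bot: The "File Attribute Flag" column of the new table uses "#" for Full Control, Delete, Change Permissions and Take Ownership, and "all" for Read Permissions, with no legend, so a reader cannot tell which POSIX permission bits those ACEs end up granting or withholding. Add a sentence or footnote under the table defining both symbols. In the same table, "Read Extended Attribures" should be "Read Extended Attributes". The paragraph in the directory ACL section has an unclosed parenthesis after "Windows ACEs" and does not parse as a sentence; close it after "an Access Control List (ACL))" and reword so it is clear what is mapped to what. Finally, <link linkend="fdsacls"/> is an empty element, so confirm it renders link text or use <xref linkend="fdsacls"/> instead.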