From 82db54b40629d2d394d6c941dc08da35d52991f5 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 30 Mar 2005 15:11:31 +0000 Subject: Another ACLs Installment. (This used to be commit cd9d0b3767363b7f108475c3bd75c588254137d3) --- docs/Samba-HOWTO-Collection/AccessControls.xml | 105 ++++++++++++++++++++++++- 1 file changed, 104 insertions(+), 1 deletion(-) diff --git a/docs/Samba-HOWTO-Collection/AccessControls.xml b/docs/Samba-HOWTO-Collection/AccessControls.xml index 0a012bfd1f..db4547f25d 100644 --- a/docs/Samba-HOWTO-Collection/AccessControls.xml +++ b/docs/Samba-HOWTO-Collection/AccessControls.xml @@ -420,7 +420,7 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the man page for the chattr on SUSE Linux 9.2 says: -A file with the‘i attribute cannot be modified: it cannot be deleted +A file with the i attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. @@ -1237,6 +1237,9 @@ Before using any of the following options, please refer to the man page for &smb the way in which Windows ACLs must be implemented. + + UNIX POSIX ACL Overview + In examining POSIX ACLs we must consider the manner in which they operate for both files and directories. File ACLs have the following significance: 
@@ -1268,6 +1271,106 @@ default:other:--- <-- inherited permissions for everyone (other) + + + + Mapping of Windows File ACLs to UNIX POSIX ACLs + + + Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. + The mappings for file permissions are shown in . + + + How Windows File ACLs Map to UNIX POSIX File ACLs + + + + + + Windows ACE + File Attribute Flag + + + + + Full Control + # + + + Traverse Folder / Execute File + x + + + List Folder / Read Data + r + + + Read Attributes + r + + + Read Extended Attribures + r + + + Create Files / Write Data + w + + + Create Folders / Append Data + w + + + Write Attributes + w + + + Write Extended Attributes + w + + + Delete Subfolders and Files + w + + + Delete + # + + + Read Permissions + all + + + Change Permissions + # + + + Take Ownership + # + + + +
+ + + As can be seen from the mapping table, there is no 1:1 mapping capability and therefore + Samba must make a logical mapping that will permit Windows to operate more-or-less the way + that is intended by the Administrator. + + +
+ + + Mapping of Windows Directory ACLs to UNIX POSIX ACLs + + + Interesting things happen in the mapping of UNIX POSIX directory permissions as well + as UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete component of + an Access Control List (ACL), are mapped to Windows directory ACLs. + + + + -- cgit
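Review bot: In the hunk at @@ -420, the unchanged context line just above the corrected sentence still reads "the implementation of the immutible flag"; since this change is already cleaning up that paragraph, correct the spelling to "immutable" in the same commit so it matches the CAP_LINUX_IMMUTABLE text quoted from the man page. The replacement line "+A file with the i attribute cannot be modified" drops the stray quote character but leaves the attribute letter easy to misread as a word, so set it off from the prose the same way the rest of the chapter marks literal flags.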
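Review bot: In the hunk at @@ -1268, the new table uses "#" in the File Attribute Flag column for Full Control, Delete, Change Permissions and Take Ownership, and "all" for Read Permissions, but none of the added text defines either value. An administrator reading this cannot tell whether "#" means no POSIX equivalent, something Samba synthesises, or an access that is silently dropped, which matters when auditing who can delete files or change permissions. Add a sentence or table footnote stating what "#" and "all" mean. In the same hunk: "Read Extended Attribures" should be "Read Extended Attributes"; the sentence "The mappings for file permissions are shown in ." shows no target as rendered here, so confirm the cross-reference resolves to the new table; and the final paragraph opens a parenthesis at "(Access Control Entries, ..." that is never closed, leaving "are mapped to Windows directory ACLs" without a clear subject. That directory section also ends after this one sentence, so either add the directory mapping or mark the section as pending.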