Author: jht Date: 2005-03-30 15:11:31 +0000 (Wed, 30 Mar 2005) New Revision: 456
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=456 Log: Another ACLs Installment. Modified: trunk/Samba-HOWTO-Collection/AccessControls.xml Changeset: Modified: trunk/Samba-HOWTO-Collection/AccessControls.xml =================================================================== --- trunk/Samba-HOWTO-Collection/AccessControls.xml 2005-03-29 19:24:12 UTC (rev 455) +++ trunk/Samba-HOWTO-Collection/AccessControls.xml 2005-03-30 15:11:31 UTC (rev 456) @@ -420,7 +420,7 @@ Unfortunately, the implementation of the immutible flag is NOT consistent with published documentation. For example, the man page for the <command>chattr</command> on SUSE Linux 9.2 says: <screen> -A file with theâi attribute cannot be modified: it cannot be deleted +A file with the i attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. @@ -1237,6 +1237,9 @@ the way in which Windows ACLs must be implemented. </para> + <sect3> + <title>UNIX POSIX ACL Overview</title> + <para> In examining POSIX ACLs we must consider the manner in which they operate for both files and directories. File ACLs have the following significance: 
@@ -1268,6 +1271,106 @@ </screen> </para> + </sect3> + + <sect3> + <title>Mapping of Windows File ACLs to UNIX POSIX ACLs</title> + + <para> + Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. + The mappings for file permissions are shown in <link linkend="fdsacls"/>. + </para> + + <table frame='all' pgwide='0' id="fdsacls"><title>How Windows File ACLs Map to UNIX POSIX File ACLs</title> + <tgroup cols='2'> + <colspec align="left"/> + <colspec align="center"/> + <thead> + <row> + <entry align="center">Windows ACE</entry> + <entry align="center">File Attribute Flag</entry> + </row> + </thead> + <tbody> + <row> + <entry><para>Full Control</para></entry> + <entry><para>#</para></entry> + </row> + <row> + <entry><para>Traverse Folder / Execute File</para></entry> + <entry><para>x</para></entry> + </row> + <row> + <entry><para>List Folder / Read Data</para></entry> + <entry><para>r</para></entry> + </row> + <row> + <entry><para>Read Attributes</para></entry> + <entry><para>r</para></entry> + </row> + <row> + <entry><para>Read Extended Attribures</para></entry> + <entry><para>r</para></entry> + </row> + <row> + <entry><para>Create Files / Write Data</para></entry> + <entry><para>w</para></entry> + </row> + <row> + <entry><para>Create Folders / Append Data</para></entry> + <entry><para>w</para></entry> + </row> + <row> + <entry><para>Write Attributes</para></entry> + <entry><para>w</para></entry> + </row> + <row> + <entry><para>Write Extended Attributes</para></entry> + <entry><para>w</para></entry> + </row> + <row> + <entry><para>Delete Subfolders and Files</para></entry> + <entry><para>w</para></entry> + </row> + <row> + <entry><para>Delete</para></entry> + <entry><para>#</para></entry> + </row> + <row> + <entry><para>Read Permissions</para></entry> + <entry><para>all</para></entry> + </row> + <row> + <entry><para>Change Permissions</para></entry> + <entry><para>#</para></entry> + </row> + <row> + <entry><para>Take Ownership</para></entry> + 
<entry><para>#</para></entry> + </row> + </tbody> + </tgroup> + </table> + + <para> + As can be seen from the mapping table, there is no 1:1 mapping capability and therefore + Samba must make a logical mapping that will permit Windows to operate more-or-less the way + that is intended by the Administrator. + </para> + + </sect3> + + <sect3> + <title>Mapping of Windows Directory ACLs to UNIX POSIX ACLs</title> + + <para> + Interesting things happen in the mapping of UNIX POSIX directory permissions as well + as UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete component of + an Access Control List (ACL), are mapped to Windows directory ACLs. + </para> + + </sect3> + </sect2> </sect1>
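Review bot: In the @@ -420 hunk the corrected line "A file with the i attribute cannot be modified" is right but the surrounding context still reads "immutible flag", which should be "immutable flag"; since that line is already in the changed region it would be cheap to fix here. Inside a `<screen>` block the bare letter i is easy to misread, so consider quoting it as the attribute name, e.g. "A file with the 'i' attribute cannot be modified", matching how `chattr` attributes are normally written.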
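Review bot: The `<sect3>` opened in the @@ -1237 hunk is only closed by the `+ </sect3>` at the top of the @@ -1268 hunk, so the document is well-formed only when both hunks are applied together; that is fine for a single commit but worth keeping in mind if either hunk is ever cherry-picked. The new section also has no `id` attribute, unlike the `fdsacls` table added later, so it cannot be targeted by `<link linkend="..."/>`; adding something like `<sect3 id="posixaclovw">` would keep it consistent with the rest of the file.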
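Review bot: The mapping table in the @@ -1268 hunk uses "#" in the File Attribute Flag column for Full Control, Delete, Change Permissions and Take Ownership, and "all" for Read Permissions, but nothing on the page defines what "#" means, so a reader cannot tell whether it means "no POSIX equivalent" or "determined by something other than a file permission bit"; a short legend sentence after the table, or a footnote on the first "#" entry, would resolve that. Same hunk, smaller items: "Read Extended Attribures" should be "Read Extended Attributes"; the closing paragraph of the directory section never closes its parenthesis and loses its subject ("...Windows ACEs (Access Control Entries, the discrete component of an Access Control List (ACL), are mapped to Windows directory ACLs."), and its heading says the mapping runs from Windows directory ACLs to POSIX while the body describes the reverse direction, so the two should be brought into agreement before this section is filled in.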