Re: Canonical ACL ordering
- From: "Norman Diamond" <ndiamond@xxxxxxxxxxxxxxxx>
- Date: Fri, 22 Jun 2007 09:44:32 +0900
It is not accurate that Windows enforces or allows only ACL canonical order.[..]
The high level tools and some high level APIs are the ones that enforce the order.
Does that combination mean that the high level tools and some high level APIs aren't part of Windows?
Meanwhile, even if only your first statement is true, you might be able to guess where you can't write it. Statements similar to that were already censored. The opinion that Windows does enforce canonical ordering, because that's the only ordering that makes sense and there's no need for denial ACEs, has to remain unchallenged.
"ijor" <ijor@xxxxxxxxxxxxx> wrote in message news:0F4049B9-E8CF-4EFA-95B5-377A2B87FD1D@xxxxxxxxxxxxxxxx
It is not accurate that Windows enforces or allows only ACL canonical order.
Programmatically (or with the right tools) anybody is free to use whatever ACL
order he wants, or even use conflicting ACLs that don't make sense.
The high level tools and some high level APIs are the ones that enforce the
order. I don't know much about Windows Services for Unix, but it is obvious
that it is not going to use any of those Windows subsystem high level APIs.
Furthermore, the Unix group permissions don't make much sense outside the
Unix environment because Windows doesn't really have such a concept of user
primary group.
If all of this is good or not, I don't know, nor do I really care. Just pointing
out the technicals.
"Norman Diamond" wrote:
It has been observed recently that the canonical ordering of ACEs in an ACL
puts all the deny ACEs before all the allow ACEs. It has been observed that
no other ordering makes sense. All Windows ACL editing tools preserve or
enforce canonical ordering.
So, how is the following nonsense possible, and why is it permitted?
In Windows Services for Unix, I could do this:
touch junk
chmod 707 junk
ls -l junk
and the resulting permissions were rwx---rwx.
Now to me, rwx---rwx isn't a particularly meaningful set of permissions, and
I wouldn't even have thought of trying it other than to see if Windows
Services for Unix could conform to Posix. It did. But how?
The truth of the matter of Windows only allowing sensible canonical ordering
of deny ACEs is so obvious that this asserted topic is closed to further
observation in some quarters. I know where replies will not come from on
this question. But if anyone else knows how Windows could preserve its
sensibility and still come up with rwx---rwx permissions, please kindly
enlighten me.
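The question in this thread comes down to the order in which ACEs are evaluated. As an added example (not from the thread and not code from Windows or Windows Services for Unix), this Python model of ordered DACL evaluation shows an allow-owner, deny-group, allow-everyone list producing rwx---rwx, while the canonical reordering of the same three ACEs does not. The SID labels, the three-ACE layout and the simplified rights bits are assumptions for illustration.

```python
# Simplified model of ordered DACL evaluation (added example, constructed data).
READ, WRITE, EXEC = 4, 2, 1
RWX = READ | WRITE | EXEC

def access_check(dacl, token_sids, desired):
    """Walk ACEs in stored order; True only if every desired bit is granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break                         # fully granted: later ACEs never consulted
        if sid not in token_sids:
            continue                      # ACE does not apply to this caller
        if ace_type == "deny" and mask & remaining:
            return False                  # a still-needed bit is denied
        if ace_type == "allow":
            remaining &= ~mask            # these bits are now granted
    return remaining == 0                 # leftover bits mean implicit deny

def is_canonical(dacl):
    """True if no deny ACE follows an allow ACE (explicit ACEs only)."""
    seen_allow = False
    for ace_type, _, _ in dacl:
        if ace_type == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True

def canonicalize(dacl):
    """Stable sort that moves deny ACEs ahead of allow ACEs."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")

# Hypothetical SID labels; the owner is also a member of the file's group.
OWNER = {"owner", "group", "everyone"}
MEMBER = {"group", "everyone"}
OTHER = {"everyone"}

# Assumed non-canonical layout that expresses mode 707.
POSIX_ORDER = [("allow", "owner", RWX), ("deny", "group", RWX),
               ("allow", "everyone", RWX)]

def mode_string(dacl):
    """Render effective rights for owner, group member and other as rwxrwxrwx."""
    def triad(token):
        return "".join(ch if access_check(dacl, token, bit) else "-"
                       for ch, bit in (("r", READ), ("w", WRITE), ("x", EXEC)))
    return triad(OWNER) + triad(MEMBER) + triad(OTHER)

if __name__ == "__main__":
    print(mode_string(POSIX_ORDER), mode_string(canonicalize(POSIX_ORDER)))
```

In canonical order the group deny ACE is reached before the owner allow ACE, so an owner who belongs to the group loses access; the stored order, not the set of ACEs, decides the result.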