Alternate symlink usage
Corinna Vinschen
corinna@vinschen.de
Sun Mar 12 14:15:00 GMT 2000
Chris Faylor wrote:
>
> Corinna,
> Is it possible that we could use the NTSEC stuff to store information
> about whether a file is a symbolic link? I talked to Jeremy Allison
> at Linux Expo and he said that he was doing lots of stuff with security
> type information for samba so if we could do this we might be able to
> have symbolic links on UNIX network drives.
>
> Is this possible?
>
> cgf
Hi Jeremy,

My name is Corinna, I have designed the usage of NT security
in cygwin, called NTSEC. If you are interested, I would like to
discuss the possibilities to support NTSEC with samba drives.
The additional ability to support symbolic links would be very
interesting, too.

To give a short introduction (and to start the discussion) I
will describe the used methods of NTSEC in short:
- On each file related function, the full windows path is
  determined and used for calling GetVolumeInformation().
  Only files on file systems which have the FS_PERSISTENT_ACLS
  flag set are possible in NTSEC calls.
- To read security descriptors, the following functions are used:
      CreateFile(..., FILE_FLAG_BACKUP_SEMANTICS, ...);
      BackupRead();
- To write security descriptors:
      CreateFile(..., FILE_FLAG_BACKUP_SEMANTICS, ...);
      BackupWrite();

My latest checks with samba (version 2.0.6-16) have
given the following results in a domainless environment:
- GetVolumeInformation results in FS_PERSISTENT_ACLS == TRUE.
- BackupRead returns ACLs.
- The RIDs of user and group are not corresponding to the Linux
  uid/gid. Unfortunately, samba doesn't submit user and group
  names to the reading PC. I'm using W2K and typically the
  ACL content is shown like:
      COMPUTERNAME\USERNAME permissions
  or
      DOMAINNAME\GROUPNAME permissions
  If this information can't be determined by the reading
  PC, the security info is shown as
      S-1-5-21-1234455-23232232-4434343-2000 permissions
  This is the case with samba on my Linux box. Maybe, my
  configuration is not correct?!?
- The returned permissions are sometimes not correct when the
  Linux permission bits are uncommon (e.g. r-x-wxr-- or something like
  that).
- BackupWrite fails with WinAPI error 1337 (security ID structure
  is invalid). This seems to be related to the missing user/group
  information.
I haven't checked it out in detail yet. I'm not blessed with
much time this month. Nevertheless I'm very interested in
a good solution.
What would you think is a good method to get information
about symbolic links via NTSEC? I had the idea to use
a self-defined SID for submitting different information
between samba and NT/W2K but unfortunately, BackupWrite()
checks SIDs. If it doesn't know a SID, the above 1337
error is generated. Maybe we could use an already defined
well known ID...
Ok, stop here. I would like to hear your opinion first.
Looking forward to your answer,
Corinna
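
The read path described in the mail, as an added example that is not part of the original message or of Cygwin's code: BackupRead() returns a sequence of WIN32_STREAM_ID headers, each followed by its data, and the security descriptor sits in the BACKUP_SECURITY_DATA stream. The sketch below walks such a buffer with bounds checks and extracts the owner RID. The names `find_sd`, `owner_rid` and `sample` are hypothetical, and the buffer is constructed by hand so the code runs without Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define BACKUP_SECURITY_DATA 3u /* stream id, winbase.h */
#define HDR 20u                 /* WIN32_STREAM_ID bytes before cStreamName */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk BackupRead() output; return the security descriptor stream or NULL. */
const uint8_t *find_sd(const uint8_t *buf, size_t len, size_t *sd_len) {
    size_t off = 0;
    while (len - off >= HDR) {
        const uint8_t *h = buf + off;
        uint64_t size = le32(h + 8) | (uint64_t)le32(h + 12) << 32;
        uint64_t name = le32(h + 16), room = len - off - HDR;
        if (name > room || size > room - name) return NULL; /* truncated */
        if (le32(h) == BACKUP_SECURITY_DATA) { *sd_len = (size_t)size; return h + HDR + name; }
        off += HDR + (size_t)(name + size);
    }
    return NULL;
}

/* Owner RID: last sub-authority of the owner SID in a self-relative SD. */
int owner_rid(const uint8_t *sd, size_t len, uint32_t *rid) {
    if (len < 20) return -1;
    size_t o = le32(sd + 4); /* OffsetOwner */
    if (o < 20 || o > len || len - o < 8) return -1;
    unsigned n = sd[o + 1];  /* SubAuthorityCount */
    if (sd[o] != 1 || n == 0 || n > 15 || len - o - 8 < 4 * n) return -1;
    *rid = le32(sd + o + 8 + 4 * (n - 1));
    return 0;
}

/* Constructed sample: BACKUP_DATA stream "hi", then a security stream owned by the SID quoted in the mail. */
const uint8_t sample[] = {
    1,0,0,0, 0,0,0,0, 2,0,0,0,0,0,0,0, 0,0,0,0, 'h','i',
    3,0,0,0, 0,0,0,0, 48,0,0,0,0,0,0,0, 0,0,0,0,
    1,0,0,0x80, 20,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,      /* SD header */
    1,5, 0,0,0,0,0,5, 0x15,0,0,0, 0x17,0xD6,0x12,0,       /* S-1-5-21-1234455 */
    0xE8,0x7E,0x62,1, 0xA7,0xA9,0x43,0, 0xD0,0x07,0,0 };  /* -23232232-4434343-2000 */

int main(void) {
    size_t n; uint32_t rid;
    const uint8_t *sd = find_sd(sample, sizeof sample, &n);
    if (sd && owner_rid(sd, n, &rid) == 0) printf("owner RID %u\n", (unsigned)rid);
    return 0;
}
```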