Re: ACL ordering
Nicolas Williams <Nicolas.Williams <at> sun.com>
2002-12-02 16:20:08 GMT
The Cygwin FAQ has a very good treatment of ACE ordering and how the ACE
ordering enforced by the traditional Windows tools precludes emulation
of POSIX-style permissions and how that can be achieved by using a
different ACE order.
On Thu, Nov 28, 2002 at 11:10:23AM +0000, Carl Beame wrote:
> On Thu Nov 28 00:30:51 2002, Eric Sedlar wrote:
> > Therefore, to really achieve Windows interoperability (let alone usability),
> > protocols like NFSv4 should avoid allowing deny ACEs after any grant ACEs. This
> > also relaxes the requirement to maintain strict ACE ordering, since ordering is
> > irrelevant when processing denies, and ordering is irrelevant when processing
> > grants (other than as an optimization). I didn't see anything in the spec about
> > what order the inherited ACEs should be placed in (for example relative to a
> > default ACL that might be defined on the server on a per-user basis), so making
> > this ordering requirement clear simplifies the work.
> This is actually incorrect. The user interfaces which ship with Windows NT order
> the ACEs in a specific order, but the ACL can be stored in an NTFS filesystem in
> ANY order and are evaluated as is defined in the specification. It is easy
> enough to write a GUI which allows you to order then any way you want.
> - Carl