2009/2/5 John Michael Zorko <jmzorko@mac.com>:
James,
Wow -- thanks for the info, it is appreciated. I have to do a Win32 implementation of this class (and possibly one for Linux, depending on how close OSX is to it regarding ACLs), so that site will help.
Linux ACLs are completely different both structurally and in semantics. Note that while Darwin ACLs are intended to conform to the Windows ACL model, there are differences in behaviour, e.g. Creator Owner isn't rewritten. Feel free to file radars :)
I will also need to eventually restore the ACLs back to a file, so thanks on the tip of making sure to preserve the correct order.
I've another question about ACLs and the acl_* APIs. If acl_get_tag_type() succeeds (returns 0), can acl_get_permset() fail? If acl_get_permset() succeeds, can acl_get_perm_np() fail?
I think acl_get_perm_np will only fail if there are bits set in the permset that are not defined by the kauth permission bits.
I guess the bigger question is, "Is an ACL with an ACE with a tag type but no permset worth saving at all?"
I would say no, but it seems harmless to save and restore them.
An ACE contains an identity, a type and a set of permissions. This means that a single ACE can allow OR deny more than one permission but it can't allow AND deny.
"jmzorko deny write allow read allow execute" breaks down into 2 ACEs:
jmzorko deny write
jmzorko allow read execute
Darwin ACLs follow the Windows ACL model pretty closely, so the description of ACL structure here
<http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAnAccessControlList.html> is quite applicable. Just substitute GUID where it says SID.
If you rewrite ACLs, remember to preserve the canonical ordering (see chmod(1)) because there's no API in the system to do that for you.
Regards,
John
Falling You - exploring the beauty of voice and sound http://www.fallingyou.com
-- James Peach | jorgar@gmail.com
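
An added example (not part of the thread and not Apple's code) of two points made above: grants for one identity collapse into one ACE per type, and a rebuilt ACL has to keep the canonical order documented in chmod(1): local deny, local allow, inherited deny, inherited allow. The `struct ace` layout, the `P_*` bits and the function names are hypothetical; real code would go through the acl_* API and the kauth permission bits.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical permission bits for illustration; not the kauth values. */
enum { P_READ = 1, P_WRITE = 2, P_EXECUTE = 4 };

struct ace {
    const char *who;   /* identity (a GUID on Darwin; a name here) */
    int inherited;     /* 0 = local entry, 1 = inherited entry */
    int deny;          /* 1 = deny ACE, 0 = allow ACE */
    unsigned perms;    /* permission set: OR of P_* bits */
};

/* Canonical class per chmod(1): local deny (0), local allow (1),
 * inherited deny (2), inherited allow (3). */
static int rank(const struct ace *a) {
    return (a->inherited ? 2 : 0) + (a->deny ? 0 : 1);
}

/* Add one grant to acl[0..n), which must already be in canonical order.
 * A grant matching an existing identity/type/inheritance is merged into
 * that ACE; otherwise it is inserted at the end of its canonical class.
 * Returns the new count; the caller provides room for one more entry. */
size_t ace_add(struct ace *acl, size_t n, struct ace e) {
    size_t i, pos = 0;
    for (i = 0; i < n; i++) {
        if (!strcmp(acl[i].who, e.who) && acl[i].deny == e.deny &&
            acl[i].inherited == e.inherited) {
            acl[i].perms |= e.perms;
            return n;
        }
        if (rank(&acl[i]) <= rank(&e))
            pos = i + 1;   /* stay behind same-or-earlier classes */
    }
    memmove(&acl[pos + 1], &acl[pos], (n - pos) * sizeof *acl);
    acl[pos] = e;
    return n + 1;
}

/* Constructed sample: "jmzorko deny write allow read allow execute". */
size_t build_sample(struct ace *acl) {
    size_t n = 0;
    n = ace_add(acl, n, (struct ace){"jmzorko", 0, 0, P_READ});
    n = ace_add(acl, n, (struct ace){"jmzorko", 0, 1, P_WRITE});
    return ace_add(acl, n, (struct ace){"jmzorko", 0, 0, P_EXECUTE});
}
```

`build_sample()` yields the two ACEs from the message, deny first: `jmzorko deny write`, then `jmzorko allow read execute`.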