Filter
Top Products
ApplianceWare v.5.3 Complete FAQ – February 24, 2004 – Page 27 of 30
Optifacio Software Services, Inc.
but do not allow these pseudo groups for entries that define access. When an object inherits
permissions, those abstract entries are converted to entries for a specific user and group.
Despite the semantic mismatch between these two ACL systems, POSIX ACLs are presented
in the Windows ACL editor dialog box so that they resemble native Windows ACLs pretty closely.
Occasional users are unlikely to realize the differences. Experienced administrators will
nevertheless be able to detect a few differences. The mapping between POSIX and Windows ACLs
described here is found in this form in ApplianceWare products:
•
The permissions in the POSIX access ACL are mapped to Windows access permissions. The
permissions in the POSIX default ACL are mapped to Windows inheritable permissions.
• Minimal POSIX ACLs consist of three ACL entries defining the permissions for the owner,
owning group, and others. These entries are required. Windows ACLs may contain any number of
entries including zero. If one of the POSIX ACL entries contains no permissions and omitting the
entry does not result in a loss of information, the entry is hidden from Windows clients. If a
Windows client sets an ACL in which required entries are missing, the permissions of that entry are
cleared in the corresponding POSIX ACL.
• The mask entry in POSIX ACLs has no correspondence in Windows ACLs. If permissions in a
POSIX ACL are ineffective because they are masked and such an ACL is modified via CIFS, those
masked permissions are removed from the ACL.
• Because Windows ACLs only support the Creator Owner and Creator Group pseudo groups for
inheritable permissions, owner and owning group entries in a default ACL are mapped to those
pseudo groups. For access ACLs, these entries are mapped to named entries for the current owner
and the current owning group (e.g., the POSIX ACL entry ``u::rw'' of a file owned by Joe is treated
as ``u:joe:rw'').
If an access ACL contains named ACL entries for the owner or owning group (e.g., if one of
Joe's files also has a ``u:joe:...'' entry), the permissions defined in such entries are not effective
unless file ownership changes, so such named entries are ignored. When an ACL is set by Samba
that contains Creator Owner or Creator Group entries, these entries are given precedence over