IETF-SSH archive
Re: SFTP ACLs need inheritance support
> Oh, it does.
>
> Without this flag, it is very difficult for the server to know
> whether the client, having sent a list of ACLs that does not
> include any AUDIT or ALARM entries, wants the server to (a)
> clear the SACL, or (b) not touch the SACL at all. The Windows
Okay, I see why we need this in the protocol.
However, I don't think there is any difference between
an empty SACL and an absent SACL like there is between
an empty DACL and an absent DACL.
> DACL and SACL are edited separately. Any access to the SACL
> requires the SeSecurityPrivilege to be enabled, and a special
> access flag to be included when the file is opened. Also, in a
> large majority of cases, the user wants to modify just the
> DACL, not also the SACL.
>
> Suppose the client sends an ACL with no AUDIT or ALARM
> entries. If the server goes ahead and tries to clear the SACL,
> but fails, it cannot know whether to respond with an error
> (because perhaps the user wanted to clear the SACL) or success
> (because perhaps the user didn't want to clear the SACL, and
> doesn't have privilege to do it in the first place).
Yes, I see that.
Thanks,
Joseph
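
The ambiguity discussed in the quoted text, modelled as an added example that is not part of the original message or of any SFTP implementation. The flag name and value, the Plan type, the status strings and the choice to fail the whole request when the privilege is missing are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical bit standing in for "this flag" in the thread (name and value assumed).
ACL_AUDIT_ALARM_INCLUDED = 0x10
SACL_TYPES = {"AUDIT", "ALARM"}  # ACE types that live in the Windows SACL

@dataclass
class Plan:
    write_dacl: bool
    write_sacl: bool
    status: str  # "OK", "PERMISSION_DENIED" or "AMBIGUOUS" (constructed labels)

def plan_with_flag(ace_types, acl_flags, has_security_privilege):
    """Server decision when the client states whether the SACL is in scope.

    has_security_privilege models SeSecurityPrivilege being available.
    """
    has_sacl_aces = any(t in SACL_TYPES for t in ace_types)
    sacl_in_scope = bool(acl_flags & ACL_AUDIT_ALARM_INCLUDED) or has_sacl_aces
    if not sacl_in_scope:
        # Case (b): DACL-only edit, SACL left alone, no privilege needed.
        return Plan(True, False, "OK")
    if not has_security_privilege:
        # Case (a) was asked for but cannot be done: a definite error.
        # Assumption: the request fails as a whole, nothing is written.
        return Plan(False, False, "PERMISSION_DENIED")
    return Plan(True, True, "OK")

def plan_without_flag(ace_types, has_security_privilege):
    """Server decision when an ACL with no AUDIT/ALARM entries is all it gets."""
    has_sacl_aces = any(t in SACL_TYPES for t in ace_types)
    if has_sacl_aces or has_security_privilege:
        ok = has_security_privilege
        return Plan(ok, ok, "OK" if ok else "PERMISSION_DENIED")
    # No SACL entries and the clear attempt fails: the server cannot tell
    # "wanted the SACL cleared" (error) from "never meant to touch it" (success).
    return Plan(True, False, "AMBIGUOUS")

if __name__ == "__main__":
    dacl_only = ["ALLOW", "DENY"]  # constructed sample ACL, no AUDIT/ALARM
    print(plan_without_flag(dacl_only, False))
    print(plan_with_flag(dacl_only, 0, False))
    print(plan_with_flag(dacl_only, ACL_AUDIT_ALARM_INCLUDED, False))
```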