Mapping Windows ACLs to POSIX (continued)
- Map each SID into a POSIX user, group or other.
- Walk the list three times.
  1. Look for an 'Everyone' DENY entry. If all bits are set, truncate the list at this point. If not, mask off the access bits from all subsequent entries. Remove the entry.
  2. Look for DENY user entries. If found, look for ALLOW group entries where the user is in that group. Convert the entry to an ALLOW entry containing the group allow permissions, with the user DENY permissions masked off. Push to the end of the list.
  3. Look for DENY group entries. If found, look for ALLOW user entries where the user is in that group. Mask the user entry with the DENY bits from the group entry. If there exists an 'Everyone' ALLOW entry, then convert the DENY entry to an ALLOW entry with the 'Everyone' allow bits masked by the group deny bits. If there is no 'Everyone' ALLOW entry, convert the DENY group entry to an allow-nothing entry and push to the end of the list.
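
The three passes above as a short Python sketch, added here as an illustration and not taken from the presentation or from any project's source. The `Ace` record, `remove_denies`, `to_end`, the rwx bit values, the membership table and the sample ACL are all constructed; the sketch assumes DENY entries precede ALLOW entries, searches the whole list for matching ALLOW entries, and pushes every converted group entry to the end.

```python
from dataclasses import dataclass, replace

R, W, X = 4, 2, 1
ALL = R | W | X                      # "all bits set" on the POSIX side

@dataclass
class Ace:
    deny: bool                       # True = DENY, False = ALLOW
    kind: str                        # "user", "group" or "other" ('Everyone')
    name: str
    perms: int

def to_end(aces, a):                 # "push to the end of the list"
    return [x for x in aces if x is not a] + [a]

def remove_denies(aces, members):
    """members: group name -> set of user names (constructed lookup)."""
    aces = [replace(a) for a in aces]            # do not modify the caller's list
    i = 0                                        # pass 1: 'Everyone' DENY
    while i < len(aces):
        a = aces[i]
        if not (a.deny and a.kind == "other"):
            i += 1
        elif a.perms == ALL:
            del aces[i:]                         # truncate, entry included
        else:
            for later in aces[i + 1:]:
                later.perms &= ~a.perms
            del aces[i]                          # entry applied, remove it
    for a in [x for x in aces if x.deny and x.kind == "user"]:    # pass 2
        allowed = 0
        for g in aces:
            if not g.deny and g.kind == "group" and a.name in members.get(g.name, ()):
                allowed |= g.perms
        a.deny, a.perms = False, allowed & ~a.perms
        aces = to_end(aces, a)
    for a in [x for x in aces if x.deny and x.kind == "group"]:   # pass 3
        for u in aces:
            if not u.deny and u.kind == "user" and u.name in members.get(a.name, ()):
                u.perms &= ~a.perms
        everyone = next((x for x in aces if not x.deny and x.kind == "other"), None)
        a.deny, a.perms = False, (everyone.perms & ~a.perms) if everyone else 0
        aces = to_end(aces, a)
    return aces

# Constructed sample ACL, already mapped from SIDs to POSIX names.
MEMBERS = {"staff": {"alice", "bob"}, "temps": {"bob"}}
SAMPLE = [Ace(True, "other", "Everyone", X), Ace(True, "user", "alice", W),
          Ace(True, "group", "temps", W), Ace(False, "user", "bob", R | W | X),
          Ace(False, "group", "staff", R | W | X), Ace(False, "other", "Everyone", R | X)]

if __name__ == "__main__":
    for a in remove_denies(SAMPLE, MEMBERS):
        print("ALLOW", a.kind, a.name, format(a.perms, "03b"))
```

The result contains only ALLOW entries, so it can be expressed directly as a POSIX ACL.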