GNU cfengine
3.4.4 NT ACLs
NT ACEs are written as follows:
    acl_type:user/group:permissions:accesstype
The actual change consists of the extra field containing the access
type. A star/asterisk in the field for user/group would
normally imply that the ACL applies to the owner of the file
object. However, as of today this functionality is not yet implemented.
In NT, the ACL type can be one of the following:
Both types require that you specify the name of a user or a group.
NT permissions are comprised of the bits `rwxdpo', where:
    r - Read privileges
    w - Write privileges
    x - Execute privileges
    d - Delete privileges
    p - Privileges to change the permissions on the file
    o - Privileges to take ownership of the file
In addition to any combination of these bits, the word noaccess
or default can be used as explained in the previous section. NT
comes with some standard, predefined permissions. Each standard is only
a predefined combination of the different bits specified above, and the
standards are provided with cfengine as well. You can use them by setting
the permission to read, change or all. The bit
combination behind each standard is the same as on NT:
    read   - rx
    change - rwxd
    all    - rwxdpo
where the bits follow the earlier definition. The keywords mentioned
above can only be used alone, and not in combination with `+',
`-', `=' and/or other permission bits.
NT defines several different access types, of which only two are used in
connection with the ACL type that is implemented in cfengine for NT. The
access type can be one of the following:
Intuitively, allowed access grants the specified permissions to
the user, whilst denied denies the user the specified
permissions. If no access type is specified, the default is
allowed. This enables cfengine's behaviour as on UNIX systems
without any changes to the configuration file. If the permission
noaccess or default is used, the access type is
irrelevant.
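
An added example, not part of cfengine or its manual: a small Python linter that parses an NT ACE in the format above, expands the read/change/all keywords, applies the allowed default, and flags entries that grant the p or o bits. The ACL type values `user` and `group`, the account names, and the single optional-operator form of the bit expression are assumptions.

```python
import re

# Bit letters and standard keywords as listed in this section.
BITS = "rwxdpo"
STANDARDS = {"read": "rx", "change": "rwxd", "all": "rwxdpo"}
SPECIAL = {"noaccess", "default"}      # access type is irrelevant for these
ACCESS_TYPES = {"allowed", "denied"}

# Assumption: a bit expression is one optional operator followed by bits.
BIT_EXPR = re.compile(r"^([+\-=]?)([rwxdpo]+)$")


def parse_nt_ace(line):
    """Parse 'acl_type:user/group:permissions[:accesstype]' into a dict."""
    fields = line.strip().split(":")
    if len(fields) not in (3, 4):
        raise ValueError("expected 3 or 4 colon-separated fields: %r" % line)
    acl_type, name, perms = fields[:3]
    access = fields[3] if len(fields) == 4 and fields[3] else "allowed"
    if not acl_type or not name:
        raise ValueError("ACL type and user/group name are both required")
    if name == "*":
        raise ValueError("'*' (file owner) is not implemented for NT ACLs")
    if access not in ACCESS_TYPES:
        raise ValueError("access type must be allowed or denied: %r" % access)

    op = ""
    if perms in SPECIAL:
        bits, access = perms, None          # access type has no effect here
    elif perms in STANDARDS:
        bits = STANDARDS[perms]             # keywords must stand alone
    else:
        m = BIT_EXPR.match(perms)
        if not m:
            raise ValueError("bad permission field: %r" % perms)
        op, bits = m.group(1), "".join(b for b in BITS if b in m.group(2))
    # p/o let the grantee rewrite the ACL or take ownership; '-' removes bits.
    risky = access == "allowed" and op != "-" and any(b in bits for b in "po")
    return {"type": acl_type, "name": name, "op": op, "bits": bits,
            "access": access, "grants_acl_control": risky}


if __name__ == "__main__":
    # Constructed sample entries; the names are placeholders.
    for ace in ("user:alice:read", "group:ops:all:allowed",
                "user:bob:+rwp", "user:mallory:noaccess:denied"):
        print(ace, "->", parse_nt_ace(ace))
```

Note that the `all` keyword is flagged because it expands to `rwxdpo`, which includes the rights to change permissions and take ownership.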