The article in question is entitled “Understanding Windows NTFS Permissions” and covers the basics of permissions for NTFS. It covers the fact you have read which is really made up of List Folder/Read Data, Read Attributes, Read Extended Attributes and Read Permissions. It also covers that NTFS permits permissions to be inherited but appears to miss the distinction of “This folder, subfolders and files”, “This folder only”, “Subfolders and files only”, “This folder only” when applied to permissions. Each of these actually impacts how permissions are inherited and applied, surely if you’re trying to understand this then explaining the distinctions here would be great and how they apply. He finishes with an interesting observation on the “precedence” of permissions. Now I find this curious because this is something I’ve been looking at late and I’ve been trying to find something that adequately explains it. Perhaps the author of the particular article is dumbing it down for his readers but it just strikes me as wrong. The author comments the following:

The scenario proves that there is a hierarchy of permissions for NTFS 5.0 resources. The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

Explicit Deny
Explicit Allow
Inherited Deny
Inherited Allow

Ok, so its an interesting way of explaining it, but to mimic an annoying kid: why? Microsoft says in a dialog just previous that deny overrules allow so why would they so blatantly change the mind? To do so would mean that you would have to understand how NTFS evaluates permissions and calculates the permissions – but weren’t we reading an article about understanding?

This is the core of my gripe, the article doesn’t particularly give you a depth of insight or understanding in permissions that you couldn’t get by clicking things on and off to observe their behaviour. It treats one mildly non-obvious behaviour but doesn’t explain why NTFS would do this. To be honest I stumbled across this behaviour on another web site which had run into the pitfall of believing that deny overruled everything and was trying to understand why his security model was broken. His article hypothesised something much simpler: the algorithm finds the first explicit permission and uses it, if both are set then use the deny. No complex precedence model, something quite simple. And as Ockham’s Razor goes “the simplest answer is often the best”. But interestingly this also fits into the way NTFS appears to have been designed. For container objects, a permission can be set at a level and it can be determined just how deep it should apply: should it apply to just this container, just to subfolders or just to files? Or should it apply to a combination of those?

Interestingly I’m on the hunt for something that formally explains how NTFS permission inheritance works, I had thought this article would tell me but it doesn’t. It tells me a lot of what I know already but doesn’t actually enhance my understanding. I had read an article a while back that informed me of this ‘quirk’ in the behaviour but at the time didn’t think much of bookmarking it – and it is in fact this article that I’m looking for, and thankfully I just found it.

The article in question is “How IT works: NTFS Permissions” from the November/December 2005 issue of TechNet Magazine. It introduces the concept of “discretionary access control lists” (DACL) and also explains how they work. It explains that the DACL is checked in order until a match is found with the DACL created with denies first, then allows starting with the object and then incrementally for each item it looks for a match until it gets to the end at which point it denies. The single article just cleared up exactly how it worked, why it works and how it behaves explaining the behaviour. At this point I understand how and why it works, not just know that it works in a particular way – this is the difference between understanding and knowing.

First up for today is a personal thing, I completed a rather largish Uni assignment today which reminded me of all of the pains that come with C++, but to follow that I returned to working on my filesystem in C, which is just more pain. I got a quick response back, and almost full marks (96%) so I’m happy for all of the time I put in to get it done and how its probably far more complicated than anything else that will be submitted (it used Boost Signals and a whole heap of other things that I don’t think will ever be taught in the subject for a long time). But hey, thats just Uni!

Today I finally managed to get Pentaho, some business intelligence (BI) software, to play nicely with Novell eDirectory’s LDAP interface. I must have missed the option, but Pentaho doesn’t seem to accept anonymous binding to the LDAP server, which means I need to bind as a user. By default our users funnily enough have less access than the anonymous account (which is actually a proxy account with full browse permissions). The solution was simple enough: we shunted our dummy Pentaho user into the same group as the anonymous proxy account and everything worked. So I’ve now got Pentaho using LDAP for authentication (yay!) and a MySQL database to get its role/group permissions. Funnily enough when its all said and done the documentation is pretty close to the mark.

But once I had that I don’t have an ability to manage the groups/roles within Pentaho, so I end up having to write some small PHP to manage that. Luckily I worked on a project a while back that I called “Joomla! Central Management for Users” which basically connected directly to MySQL databases of Joomla! installs and altered the users. I had originally built it with a plugin infrastructure in mind so that I could plug other stuff into it later. Starting this morning it only had a ‘connector’ for Joomla! 1.0 via MySQL and LDAP, now it has one for the Pentaho security tables. This means I can easily copy users from LDAP or Joomla! into Pentaho without too much issues and has a debugged user interface already. But wait theres more!

When I was originally developing the tool I wrote a query language for it. See, SQL is a great language for databases, but its a bit hard to apply in situations where you don’t quite need all of that power. So I wrote my own query language. Its quite simple it can validate simple attributes and allows for set operations within “Sites” (a site is a container for users and groups). So for example I want to see all of the users who are on our web site but not in our LDAP directory:
existsin “Web Sites” and not existsin “LDAP”

Primitive sure, but it because writing a large SQL expression for something simple. I hope to expand on it, but it already does what it needs to do for the time being.

So I’ve covered query languages, LDAP and BI! All I need now is the filesystem news. Today there was a whole heap of fan fare on Slashdot about the ZFS news from Apple, whilst thats cool and all (especially since I don’t mind Apple’s UI), I personally have my own filesystem that I’ve gotten back into to do some work on. It also happens to be a Uni assignment due on Friday! So I’ll be back to working on that and hopefully I’ll have it to a nice stage that I can do some lightening talks at linux.conf.au!