[Python-Dev] Re: rexec.py unuseable

Luke Kenneth Casson Leighton lkcl at lkcl.net
Wed Dec 17 15:34:43 EST 2003


> What appears to be missing here is the ability for a piece of code to take
> the existing permissions which it does possess and create new permissions
> within them.
> 
> With the system you propose, if a function `foo' has permission to call
> function `bar', how does foo delegate that permission to `foobar'?  If it
> cannot, then it becomes very difficult to write well factored code which can
> also exist within the security framework.

jp,

i briefly touched on this in earlier messages, but have not expanded
on it since.  your question is therefore very useful.

there should exist a permission called
"sub-objects-get-a-copy-of-parent-permissions-at-sub-object-create-time"

and i believe there also exists (in NT 5.0) _yet another_ permission
that says "sub-objects-inherits-parent-permissions"

to be honest, i don't know _all_ of the internal details of the NT 5.0
enhancements to security descriptors.

if i recall correctly, the "gets-copy-of-permissions-on-create" isn't
actually a separate permission but an ACE qualifier bit - a bit like
the DENY and GRANT qualifications.

in this way, permissions can be considered to be recursive (both at
create time and at access-for-purpose-X time).

with the _old_ style of permissions, NT 4.0 and below, you had to MANUALLY
add the permissions, recursively, to all sub-objects.


and incidentally, that's one reason why you can only upgrade from an
NT 4.0 NTFS to an NT 5.0 NTFS and not the other way round, because the
security descriptors are jigged around and irreversibly converted.

in that earlier message, i made a recommendation that the concept
of "recursive" application of permissions NOT be considered for
implementation (until at least the old nt4.0 style was implemented
and well understood).

but it _is_ important that the
"sub-objects-get-a-copy-of-parent-permissions-at-sub-object-create-time"
concept be implemented.

otherwise, as you say, there's no way to delegate permissions.

i'm assuming in the above description, perhaps incorrectly, that 
function 'foobar' is a member attribute of the function 'foo'?

please clarify!

l.
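
The following is an added example, not part of the original message and not NT's or Python's actual implementation: a toy model of the "copy of parent permissions at sub-object create time" qualifier bit next to the old manual recursive style. The `ACE` and `Obj` classes, the principal name "caller", the rights "call" and "modify", and the rule that a matching DENY beats any GRANT are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

GRANT, DENY = "GRANT", "DENY"

@dataclass(frozen=True)
class ACE:
    kind: str                     # GRANT or DENY qualifier
    principal: str                # who the entry applies to (constructed name)
    right: str                    # e.g. "call"
    copy_on_create: bool = False  # qualifier bit: copied to sub-objects at create time

@dataclass
class Obj:
    name: str
    acl: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def create_child(self, name):
        # Snapshot: only ACEs carrying the bit are copied, and only at this moment.
        child = Obj(name, [a for a in self.acl if a.copy_on_create])
        self.children.append(child)
        return child

    def add_recursively(self, ace):
        # Old style: the entry has to be pushed by hand onto every existing sub-object.
        self.acl.append(ace)
        for c in self.children:
            c.add_recursively(ace)

    def allowed(self, principal, right):
        # Assumption of this model: any matching DENY beats any GRANT,
        # and no matching entry means no access.
        hits = [a.kind for a in self.acl
                if a.principal == principal and a.right == right]
        return DENY not in hits and GRANT in hits

def demo():
    foo = Obj("foo", [ACE(GRANT, "caller", "call", copy_on_create=True),
                      ACE(GRANT, "caller", "modify")])  # no bit: stays on foo only
    foobar = foo.create_child("foobar")
    at_create = (foobar.allowed("caller", "call"), foobar.allowed("caller", "modify"))
    # Added to the parent after the child exists: the child's snapshot does not see it.
    foo.acl.append(ACE(DENY, "caller", "call", copy_on_create=True))
    after_parent_change = (foo.allowed("caller", "call"), foobar.allowed("caller", "call"))
    # Manual recursive application does reach the already-created child.
    foo.add_recursively(ACE(DENY, "caller", "call"))
    after_manual = foobar.allowed("caller", "call")
    return at_create, after_parent_change, after_manual
```

In this model a revocation on the parent leaves already-created sub-objects untouched until someone walks the tree, which is the gap between create-time copying and recursive application.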



