\nthere’s a master list<\/A>\nthat somebody can make that lists them all,\nbecause I can make up a new one right here.\nWatch me:\n<\/P>\n\n#define GIZMO_QUERY_STATUS 0x0001\n#define GIZMO_QUERY_MEMBERS 0x0002\n#define GIZMO_START 0x0004\n#define GIZMO_STOP 0x0008\n#define GIZMO_ADD_CLIENT 0x0010\n#define GIZMO_REMOVE_CLIENT 0x0020<\/p>\n#define GIZMO_GENERIC_READ (STANDARD_RIGHTS_READ | \\\n GIZMO_QUERY_STATUS | \\\n GIZMO_QUERY_MEMBERS)\n#define GIZMO_GENERIC_READ (STANDARD_RIGHTS_READ | GIZMO_QUERY_STATUS)\n#define GIZMO_GENERIC_WRITE (STANDARD_RIGHTS_WRITE | \\\n GIZMO_ADD_CLIENT | \\\n GIZMO_REMOVE_CLIENT)\n#define GIZMO_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE | \\\n GIZMO_START | \\\n GIZMO_STOP)\n#define GIZMO_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \\\n GIZMO_QUERY_STATUS | \\\n GIZMO_QUERY_MEMBERS | \\\n GIZMO_START | \\\n GIZMO_STOP | \\\n GIZMO_ADD_CLIENT | \\\n GIZMO_REMOVE_CLIENT)<\/p>\n
GENERIC_MAPPING GizmoGenericMapping = {\n GIZMO_GENERIC_READ,\n GIZMO_GENERIC_WRITE,\n GIZMO_GENERIC_EXECUTE,\n GIZMO_ALL_ACCESS,\n};\n<\/PRE>\n
\nIt’s not just kernel objects that use ACLs.\nAnybody who wants to set up permissions can use ACLs\nto control access.\nFor example,\nthe file server service uses ACLs to control which users\ncan create new file shares,\nwhich users can view printer properties,\nwhich users can connect to administrative shares,\nall that stuff.\nThere is no kernel object that these access masks apply to;\nthey merely control who can do what with the service.\n<\/P>\n
\nIn that example above,\na “gizmo” might be some sort of chat room with a member list.\nSome users may have permission to add and remove other members\nfrom the chat room;\nothers have permission to open the chat room or shut it down.\nWhen a client wants to perform an operation on the chat room,\nthe program obtains the security descriptor for the chat room and calls\nAccessCheck<\/CODE> to see whether the caller has permission to\nperform the operation.\n<\/P>\n\nThis is a totally artificial example.\nMy point is that anybody can make up\naccess bits and use them to control access to some sort of\nshared resource.\nThat shared resource might be something you think of as a\n“real object” like a file or a process,\nbut it could be some sort of purely virtual construction like\na chat room or a file share.\nEven if some sort of “complete list” were developed,\nanybody working in a basement can add a new one,\nand then your complete list is incomplete.\n<\/P>\n
\nBonus chatter<\/B>:\nOne of my colleagues points out that the mandatory integrity mechanism\ndoes have implications for generic mappings.\nI don’t even understand that sentence, but there it is for you to\nponder.\n<\/P>\n
\n[Raymond is currently away; this message was pre-recorded.]\n<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Each component that uses ACLs to control access has its own idea of what GENERIC_READ, GENERIC_WRITE, and GENERIC_EXECUTE mean. It’s not like there’s a master list that somebody can make that lists them all, because I can make up a new one right here. Watch me: #define GIZMO_QUERY_STATUS 0x0001 #define GIZMO_QUERY_MEMBERS 0x0002 #define GIZMO_START 0x0004 […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-20733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Each component that uses ACLs to control access has its own idea of what GENERIC_READ, GENERIC_WRITE, and GENERIC_EXECUTE mean. It’s not like there’s a master list that somebody can make that lists them all, because I can make up a new one right here. Watch me: #define GIZMO_QUERY_STATUS 0x0001 #define GIZMO_QUERY_MEMBERS 0x0002 #define GIZMO_START 0x0004 […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/20733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=20733"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/20733\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=20733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=20733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=20733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}