Do you have an example of doing the same thing via "smbcacls" (from Linux) or "icacls" (or cacls.exe) from Windows?

On Thu, Sep 23, 2021 at 11:14 AM Bruno Wolff III <bruno@xxxxxxxx> wrote:
>
> I was looking at using S-1-2-3-4 to take away rights via ownership and
> granting no access (but not denying it either) makes sense as access
> is granted via group membership. Microsoft's documentation seems to
> suggest that a 0x0 mask is valid.
> Quote from
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd125370(v=ws.10)?redirectedfrom=MSDN
> "When you add the Owner Rights security principal to objects, you can
> specify what permissions are given to the owner of an object. For example
> you can specify in the access control entry (ACE) of an object that the
> owner of a particular object is given Read permissions or you can specify
> NULL permissions to an object, which grants the owner of the object no
> permissions."
>
> Here is example output:
> # setcifsacl -a "ACL:S-1-2-3-4:0x0/0x0/0x0" bruno-test
> verify_ace_mask: Invalid mask 0x0 (value 0x0)
>
> Besides the owner rights case, I think this might also make sense in an ACL
> to break inheritance, though in that case there might be other ways to
> do that.
>
> Unless having a 0x0 mask actually breaks things, it doesn't seem that
> it is a good idea to prohibit it.

--
Thanks,

Steve