Ref: 08720029
Title: How LAN Manager 1.x and 2.0 Determine Access Rights
Date: 12/13/90

Copyright 3Com Corporation, 1991.  All rights reserved.

Whenever a workstation attempts to access remote files, spooled print
queues, character devices, or named pipes on a server running User-level
security, the server must determine whether the user logged on
to that workstation has permission to do the requested operation.  The
server uses the Access Control Lists (ACLs) and the User Account
database (UAD) to make that determination.  Both the ACLs and the UAD
are stored in the NET.ACC file in LAN Manager 1.x servers.  When LAN
Manager 2.0 is configured to use HPFS386, only the UAD is stored in
the NET.ACC file; the ACLs are maintained by the file system itself
(HPFS386).

An Access Control List contains the name of a resource, an audit
attribute field, and a list of access control entries.  An access
control entry (ACE) is a username or groupname and its corresponding
access permissions.

There is no restriction on the number of ACLs for servers running LAN
Manager 2.0 and HPFS386.  LAN Manager 2.0 servers not running HPFS386
and LAN Manager 1.x servers can have as many as 8192 ACLs defined.  Each
ACL can have as many as 64 ACEs.

By default, non-Admin class users have no access permissions.  For a
non-Admin class user to access a resource on a server, there must be
an ACL for this resource and there must be an ACE for this user.  A
user with Admin privilege can access all resources; LAN Manager does
not check ACLs for this class of user.

Access permissions can be determined according to the following rules:

*  File permissions override directory permissions.  If a user is
assigned specific permissions for a file, directory level
permissions no longer apply to that file.

*  Individual permissions override group permissions.  If a user is
assigned specific individual permissions, group permissions no
longer apply.

*  Group permissions are combined.  If a user belongs to more than one
group, the permissions are all of the permissions for the groups to
which the user belongs.

*  Access is checked for the GUEST user when there is no ACE for the
user or for any groups to which that user belongs.  If the GUEST
account exists and has access to that resource, the user is granted
the same level of access.

Access permission is checked on three levels for file-system resources:
first, the resource itself, then the parent of the resource, and finally
the drive on which the resource is located.  For example, in checking
permission for the resource C:\APPS\DOSAPPS\REMSERV.BAT, an ACL for
C:\APPS\DOSAPPS\REMSERV.BAT is first checked; if it does not exist, then
an ACL for C:\APPS\DOSAPPS is checked; if it does not exist, then an ACL
for C: is checked.  Note that the DRIVE is checked last, not the root
directory of that drive.

Access permissions are also checked on three levels for logical
resources such as spooled print queues, character devices, and named
pipes.  Again, the sequence is to first check the resource itself, then
the parent of the resource, and finally the root of the resource (such
as \PRINT, \COMM, and \PIPE, respectively).  For example, in checking
the permissions for \PIPE\DIRNAME\NMPIPE, first an ACL for
\PIPE\DIRNAME\NMPIPE is checked, then an ACL for \PIPE\DIRNAME is
checked, and finally an ACL for \PIPE is checked.

The actual algorithm used by LAN Manager in determining access rights is
as follows:

If there is an ACL for this resource
    If there is an ACE for this user
        Return these permissions
    Else if the user is in any groups that have ACEs in this ACL
        Accumulate permissions from all groups in this ACL that contain
            this user
        Return these permissions
    Else
        Fail
Else if there is a parent ACL for this resource
    If there is an ACE for this user
        Return these permissions
    Else if the user is in any groups that have ACEs in this ACL
        Accumulate permissions from all groups in this ACL that contain
            this user
        Return these permissions
    Else
        Fail
Else if there is a drive-level ACL for this resource
    If there is an ACE for this user
        Return these permissions
    Else if the user is in any groups that have ACEs in this ACL
        Accumulate permissions from all groups in this ACL that contain
            this user
        Return these permissions
    Else
        Fail
Else
    Fail
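
The rules and algorithm above, written out as a runnable Python sketch (an added example, not 3Com or LAN Manager code). The accounts, groups, ACL entries, and permission letters are constructed sample values. Applying the GUEST rule at the point where the pseudocode says "Fail" is an assumption. The function also returns which ACL decided the result, which makes it visible that the first ACL found is authoritative and that broader ACLs are not consulted after it.

```python
ALL = frozenset("*")      # sentinel: Admin class, ACLs are not consulted
ADMINS = {"ADMIN"}        # constructed sample accounts and groups
GROUPS = {"ALICE": {"USERS", "DEVS"}, "BOB": {"USERS"},
          "DAVE": {"USERS", "DEVS"}, "CAROL": set()}
# Constructed sample ACLs: resource -> {user or group name: permission letters}
ACLS = {
    r"C:\APPS\DOSAPPS\REMSERV.BAT": {"BOB": "R"},
    r"C:\APPS\DOSAPPS": {"USERS": "R", "DEVS": "WC", "ALICE": "X"},
    "C:": {"USERS": "RWCD", "GUEST": "R"},
    "\\PIPE": {"GUEST": "RW"},
}

def candidates(resource):
    """The three levels checked: resource, its parent, then drive or root."""
    res = resource.upper().rstrip("\\")
    parts = res.split("\\")
    top = parts[0] if parts[0] else "\\" + parts[1]   # drive, or root of a logical resource
    parent = res.rsplit("\\", 1)[0] or top
    chain = []
    for level in (res, parent, top):
        if level not in chain:       # short paths: collapse repeated levels
            chain.append(level)
    return chain

def effective_permissions(user, resource):
    """Return (ACL that decided, set of permission letters)."""
    user = user.upper()
    if user in ADMINS:
        return None, ALL
    for level in candidates(resource):
        acl = ACLS.get(level)
        if acl is None:
            continue                 # no ACL at this level: try the next one
        if user in acl:              # individual ACE overrides group ACEs
            return level, set(acl[user])
        groups = [g for g in GROUPS.get(user, ()) if g in acl]
        if groups:                   # permissions of all matching groups combine
            return level, set().union(*(acl[g] for g in groups))
        # Assumption: the GUEST rule is applied here, where the pseudocode fails
        return level, set(acl.get("GUEST", ""))
    return None, set()               # no ACL at any level: no access

if __name__ == "__main__":
    for who in ("ALICE", "BOB", "DAVE", "CAROL", "ADMIN"):
        for res in (r"C:\APPS\DOSAPPS\REMSERV.BAT", r"C:\APPS\DOSAPPS\OTHER.EXE",
                    r"\PIPE\DIRNAME\NMPIPE"):
            print(who, res, effective_permissions(who, res))
```

In the sample data ALICE gets nothing on REMSERV.BAT even though the directory ACL names her, because the file's own ACL exists and has no entry that applies to her.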

