From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin-developers@cygwin.com
Subject: Re: Cygwin 3.5 mapping uid/gid on NFSv4 filesystem to unexpected IDs ...
Date: Wed, 15 Nov 2023 15:40:28 +0100 [thread overview]
Message-ID: <ZVTYXJyrY5dsBoml@calimero.vinschen.de> (raw)
In-Reply-To: <ZVTARV6LZiTxfA+3@calimero.vinschen.de>
On Nov 15 13:57, Corinna Vinschen wrote:
> In other words, you could add code to fs_info::update() which
> recognizes the NFS4 string and sets another filesystem bit in the
> fs_info class. Then you create the matching methods in path_conv,
> i. e., fs_is_nfs4() and a combining operator like fs_is_any_nfs().
While at it, the existing operator fs_is_nfs() shoulds be renamed to
fs_is_nfs3(). That makes sure that all occurences of fs_is_nfs() will
have to be scrutinized and changed accordingly.
> - Now Cygwin is free to behave differently. In particular there's no
> reason left to use the Nfsv3Attr API. Cygwin can decide to fetch
> Windows standard security information via NtQuerySecurityObject if
> path_conv::is_is_nfs4() is true.
>
> - As a result, the mapping from Unix ids to Cygwin ids doesn't
> require to call a name service anymore, because the NFS4 client
..., aka NFS4 driver, if that was unclear, ...
> can decide what SID to return on its own. These SIDs can be valid
> Windows SIDs known to the local SAM or the responsible AD service,
> i. e., existing Windows user or group SIDs. As long as followup
> calls to LookupAccountSidW/ LookupAccountNameW return with valid
> information, you're done.
That should go without saying, but it's better talking about apparent
self-evidence than just implying it:
The id mapping should refrain from doing a fully automatic translation
along the lines of:
UID --> S-1-5-21-<COMPUTER SID>-<UID-as-RID>
GID --> S-1-5-21-<COMPUTER SID>-<GID-as-RID>
and vice versa.
Not only will that lead to collisions, it would also be dangerous,
especially if you're not using AD, but stand-alone Windows machines.
Assuming this scenario:
WindowsMachine1
<---> NFSServer
WindowsMachine2
The SIDs on the two machines are different, and the RIDs on both
machines are not necessarily the same for the same physical user,
even if the username is the same. And even *iff* the RIDs for
an account of the same name is the same on both machines, the iron
rule is: if the SID is different, it's another user.
So whatever you do, you need some kind of mapping instance.
Corinna
next prev parent reply other threads:[~2023-11-15 14:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-31 16:20 Roland Mainz
2023-11-10 12:22 ` Roland Mainz
2023-11-13 19:39 ` Corinna Vinschen
2023-11-13 20:41 ` Roland Mainz
2023-11-15 12:57 ` Corinna Vinschen
2023-11-15 14:40 ` Corinna Vinschen [this message]
2023-11-13 22:52 ` Cedric Blancher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZVTYXJyrY5dsBoml@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin-developers@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).