From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 61490 invoked by alias); 24 Jun 2016 19:51:58 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 61477 invoked by uid 89); 24 Jun 2016 19:51:57 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-95.4 required=5.0 tests=AWL,BAYES_20,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=ham version=3.3.2 spammy=MASK, ACLs, acls, communicating X-HELO: calimero.vinschen.de Received: from ipbcc0227e.dynamic.kabel-deutschland.de (HELO calimero.vinschen.de) (188.192.34.126) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 24 Jun 2016 19:51:47 +0000 Received: by calimero.vinschen.de (Postfix, from userid 500) id A29DAA80921; Fri, 24 Jun 2016 21:51:44 +0200 (CEST) Date: Fri, 24 Jun 2016 21:37:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: POSIX permission mapping and NULL SIDs Message-ID: <20160624195144.GB27089@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) X-SW-Source: 2016-06/txt/msg00352.txt.bz2 --W/nzBZO5zC0uMSeA Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 2681 On Jun 24 18:07, Bill Zissimopoulos wrote: > Could my mapping of the NULL SID somehow interfere with Cygwin=E2=80=99s = ACL > mapping? No way right? Turns out that: yes! File:winsup/cygwin/sec_acl.cc, > line:787 Read the comment at the beginning of the file explaining how new-style ACLs look like. > Allow me to say that I find this a *gross* hack. You are subverting the > Windows ACL mechanism to store information that it was not designed to > store. I would love to hear a good rationale for this decision. The usage of NULL SID ACEs to store special POSIX permission bits is long-standing behaviour, first implemented by U/Win and later adopted by Cygwin. That older version is using Access-allowed NULL SID ACEs for *ages* to store ISVTX, ISGID and ISUID bits. The new implementation uses access-denied NULL SID ACEs to store the same bits, plus the POSIX MASK bits. Another access-denied NULL SID ACEs with the "Inherit Only" bit set is used to specify the same info for the POSIX default ACL. > BTW, this also appears to break BashOnWindows: see [BASHW] I'm not overly sympathetic. Cygwin's implementation is older. If Microsoft provides full support for POSIX permission bits plus POSIX ACLs including useful documentation, I'm willing to reconsider. And matching patches are welcome of course. What strikes me as weird is that nobody from the UoW side is trying to work with Cygwin ACLs or even trying to communicate with us to define and implement POSIX ACLs in a documented, generic way for both systems. > In any case I am seeking more information regarding Cygwin=E2=80=99s use = of NULL > SID=E2=80=99s. I have found an old post that sheds some light [OPOST]. That's old. See the comment at the beginning of sec_acl.cc, as well as the comments in set_posix_access() in the same file. > I am also seeking an alternative to using the NULL SID for > =E2=80=9Cnobody=E2=80=9D/=E2=80=9Cnogroup=E2=80=9D. Is there a Cygwin sug= gested one? Not yet. We're coming from the other side. We always have *some* SID. pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID to a passwd or group entry. If everything fails, the SID is used in this passwd/group entry verbatim, but mapped to uid/gid -1. If you want some specific mapping we can arrange that, but it must not be the NULL SID. If you know you're communicating with a Cygwin process, what about using an arbitrary, unused SID like S-1-0-42? How do you differ nobody from nogroup if you use the same SID for both, btw.? Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --W/nzBZO5zC0uMSeA Content-Type: application/pgp-signature; name="signature.asc" Content-length: 819 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXbY9QAAoJEPU2Bp2uRE+gAjsQAKMBD/Vha9Y9ebXKV9i4QufX aGqSW6AcRnx2ylozJcEhysm6RA3UO9etm3dPdZLKewqW3Tom44BOY3uBCqZSkL9g FC1Uqtc7njfIDV2xgIcl+8gUZ2WbPeP2pkew1r/gkIYksaFnCfmi59aRXZsgREgi pLkkCrGMyELUcnB8G7WGkUihA7rmLJkHUUNF8iqO78vWr/C5mkxqv/FftBNAvzyh 6OmwdLWQg8gvZTVtDaEgZZp3hG+nULbTMCfDSCeUbzETmTcum/EtzAjFJ/jFaqge WYJFNpgFic2NhiZnQhgFrn+AE1sG72i3rdDE9PXpyz+nTfKBEDAoJNsggThfU+kA lkzuI9iYVtArUqGvfR7P22pidNB3sNvZb9JEAUX5JA0oTJrLYM+In6U1disiQrjI dx0nPHAiVu0DCyQWawcKfCiKAaeL0B71Cz9DbdrUb/5EanMPFwHC0jmtU9Mc9jpc 89XdHY8HyejExWk5nzY8fTKIXXKmnf4EhGqlhJ6PWbE/In7JBRujb5IHMjnvc3UM w3doxqhUnyqkVy7YMA1ZAOli9Z1rquSfjO6bJySvn3Lr4dPhK3PokgbaZjeDr2rF zIv7Xs66C2ajd/kcG/4pahdWqLRXnCtLSmkcEoRAtSWlyF0LDxi9hVamIE6XXG5C bdpyxx5OqKJNKMESauDF =jDjN -----END PGP SIGNATURE----- --W/nzBZO5zC0uMSeA--