From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 115359 invoked by alias); 28 Jun 2016 10:27:20 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 115342 invoked by uid 89); 28 Jun 2016 10:27:19 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-96.3 required=5.0 tests=AWL,BAYES_00,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=ham version=3.3.2 spammy=Hx-languages-length:3048, H*MI:D396C16E.9770, H*i:D396C16E.9770, H*f:D396C16E.9770 X-HELO: calimero.vinschen.de Received: from ipbcc0227e.dynamic.kabel-deutschland.de (HELO calimero.vinschen.de) (188.192.34.126) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 28 Jun 2016 10:27:09 +0000 Received: by calimero.vinschen.de (Postfix, from userid 500) id CEACBA807D3; Tue, 28 Jun 2016 12:27:05 +0200 (CEST) Date: Tue, 28 Jun 2016 11:08:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: POSIX permission mapping and NULL SIDs Message-ID: <20160628102705.GA22797@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20160624195144.GB27089@calimero.vinschen.de> <20160624215948.GD27089@calimero.vinschen.de> <1945820393.20160627122324@yandex.ru> <20160627102614.GA8258@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) X-SW-Source: 2016-06/txt/msg00394.txt.bz2 --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 3296 On Jun 27 19:01, Bill Zissimopoulos wrote: >=20 > >Why don't we just follow Fedora Linux here and use a mapping to either > >99 (nobody) or 65534 (nfsnobody)? Both uid values are ununsed in the > >mapping and 65534 aka 0xfffe has the additional advantage that it's not > >mapped at all (all values between 0x1000 and 0xffff are invalid). > > > >Also, since 65534 is -2 in a 16 bit uid it seems like a natural choice > >to me. > > > >So, what about S-1-0-65534 <-> 65534, name of "{nfs}nobody"? >=20 > I am happy with the S-1-0-65534 *SID*, but I note that the 65534 *UID* is > perhaps *not* a good choice. It is actually already mapped to > S-1-5-15-4095, according to your own [IDMAP] document: >=20 > S-1-5-X-RID <=3D> uid/gid: 0x1000 * X + RID >=20 > With X=3D15 and RID=3D4095, we get uid=3D=3D65534. This doesn't make any sense. This is an entirely artificial example of how one can construct arbitrary SIDs. > Unfortunately S-1-5-15 is the > SID for "This Organization=E2=80=9D according to the =E2=80=9CWell-known = security > identifiers in Windows operating systems=E2=80=9D document [WKSID]. OTOH,= because > S-1-5-15 is a =E2=80=9Cleaf=E2=80=9D SID and not a =E2=80=9Cnamespace=E2= =80=9D it may be possible to > assume that the S-1-5-15-4095 SID cannot appear (I am not sure about that= ). There is no such SID and there never will be. Ok. Please keep in mind that a) there can't be a bijective mapping between arbitrary length SIDs and a 32 bit uid/gid. b) The mapping used in Cygwin is not self-created but (mostly, except for a single deviation) identical to the Interix mapping. The code basically follows how this mapping has been defined by Microsoft. > BTW, I have here a partitioning of the UID namespace that may help choose > the right mapping: >=20 > /* > * UID namespace partitioning (from [IDMAP] rules): > * > * 0x000000 + RID S-1-5-RID,S-1-5-32-RID > * 0x000ffe OtherSession > * 0x000fff CurrentSession > * 0x001000 * X + RID S-1-5-X-RID ([WKSID]: > X=3D1-15,17-21,32,64,80,83) > * 0x010000 + 0x100 * X + Y S-1-X-Y ([WKSID]: X=3D1,2,3,4,5,9,16) > * 0x030000 + RID S-1-5-21-X-Y-Z-RID > * 0x060000 + RID S-1-16-RID > * 0x100000 + RID S-1-5-21-X-Y-Z-RID > */ You're aware that I wrote the code for this mapping as well as its documentation? :) > Clearly the namespace is very busy with multiple overlapping ranges. The overlapping is much alleviated by the fact that only certain SIDs can exist, plus the fact that AD admins can choose an offset value for AD accounts of various domains. Search for "trustPosixOffset" in https://cygwin.com/cygwin-ug-net/ntsec.html. > With all that and to help conclude this thread I gather here all the > proposed mappings. Corinna, I will use the one which you prefer the most: >=20 > S-1-0-65534 <-> 65534 This one is still my favorite. Again, the range from 0x1000 up to 0xffff is unused. Right now any incoming uid/gid value in this range for a reverse SID lookup is treated as invalid SID. Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature; name="signature.asc" Content-length: 819 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXclD5AAoJEPU2Bp2uRE+g2KcP+wd98vGFmM2j3QQ3Vzd1fnQM s4cEWH7pxJAsLeL3TlaKIEf/OHHKf67ZAitmGH5eZil1cpuIi2iAPxQ6q9jKKQ92 +gbQbE/KUR58mgy8Ljm/86hBZEnGQogRkecr9raZ2k/WIiNVUdNxAjrrCdq/8Xxj 8Bbkn7s11H7rq9vHM96Z9UOBgN8289Z4PleuGi9X4rTBclgvSb8dYZnEpw0P9CCG Jyi19W8LPBxUAkQywmmuGgDjHq5lL9FdnAtUwRLqP7wqqoTfY2XZ2yoBPuFCbV4K M6O3tWv32gqBZN0Mb7vhvimjJwdFh+Rv9q/G0bc6lNlx8WKU64spuugpnoVT+PDp IszmbLjr3dipgCk7QcikpBk8lWgvLnOWs97ThNeoHPlfzGL13A2q9eI48SnVLCOC tgGWFo38x4g2X+97E2costdiN5ZsRQxmK2xEWBVn2fE6mOatzw0CbGBjqAe90bQq 5qB+1/GWDS9g9IQix/x3tdD6UaEtZNGft9GfbRsA/aDVIfd7eBrB2zVfoo7ZEHOG +V6/IAlVc49bLNUEJpxy8msWqQPrKE2Ue44sMj7j/znU4sHwO3T8mdDxx64liG0s GjaQxlL2SXQgMTTxFP4c1BsKT2FSxPf+A+N85QKeV6Wsrf69+bV6aN/CiOuK3ibL uJ/sr/S56oWrrLVi3sNF =C27t -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1--