From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: POSIX permission mapping and NULL SIDs
Date: Wed, 29 Jun 2016 08:43:00 -0000 [thread overview]
Message-ID: <20160629082129.GC981@calimero.vinschen.de> (raw)
In-Reply-To: <D3980824.9862%billziss@navimatics.com>
[-- Attachment #1: Type: text/plain, Size: 3553 bytes --]
On Jun 28 18:06, Bill Zissimopoulos wrote:
> On 6/28/16, 3:27 AM, "Corinna Vinschen" <cygwin-owner@cygwin.com on behalf
> of corinna-cygwin@cygwin.com> wrote:
>
>
> >>Ok. Please keep in mind that
> >
> >a) there can't be a bijective mapping between arbitrary length SIDs
> > and a 32 bit uid/gid.
> >
> >b) The mapping used in Cygwin is not self-created but (mostly, except
> > for a single deviation) identical to the Interix mapping. The code
> > basically follows how this mapping has been defined by Microsoft.
>
> Corinna, please stop explaining things to me that I already know.
Sorry but I don't grok this. During this discussion you were explaining
things to me which I obviously had to know. If I'm explainig things to
you you already know, well, sorry about that. Your attempt at creating
an artificial SID just to prove that a collision could be constructed
looked like you didn't understand how well-known Windows SIDs work and
are constructed, and that there's no way for a collision from a valid
Windows SID here.
> >> BTW, I have here a partitioning of the UID namespace that may help
> >>choose
> >> the right mapping:
> >>
> >> /*
> >> * UID namespace partitioning (from [IDMAP] rules):
> >> *
> >> * 0x000000 + RID S-1-5-RID,S-1-5-32-RID
> >> * 0x000ffe OtherSession
> >> * 0x000fff CurrentSession
> >> * 0x001000 * X + RID S-1-5-X-RID ([WKSID]:
> >> X=1-15,17-21,32,64,80,83)
> >> * 0x010000 + 0x100 * X + Y S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
> >> * 0x030000 + RID S-1-5-21-X-Y-Z-RID
> >> * 0x060000 + RID S-1-16-RID
> >> * 0x100000 + RID S-1-5-21-X-Y-Z-RID
> >> */
> >
> >You're aware that I wrote the code for this mapping as well as its
> >documentation? :)
>
> Corinna, of course I am aware of that. I have found your original post to
> this list about it. Why would you think otherwise? And why would it change
> anything?
If that's the case, then why do you explain all these things to me? I'm
a bit at a loss to see the difference between me explaining things to
you you already know vs. you explaing things to me I already know.
Aren't we kind of on par here?
But, never mind.
> >>With all that and to help conclude this thread I gather here all the
> >> proposed mappings. Corinna, I will use the one which you prefer the
> >>most:
> >>
> >> S-1-0-65534 <-> 65534
> >
> >This one is still my favorite. Again, the range from 0x1000 up to
> >0xffff is unused. Right now any incoming uid/gid value in this range
> >for a reverse SID lookup is treated as invalid SID.
>
> I disagree. You are saying that it is unused, but a (perhaps erroneous)
> SID would map into that space.
Yes that's possible. However, where would this erroneous SID come from?
The chances that a SID comes in which gets converted to uid/gid 0xfffffffe
is actually higher. See UNIX_POSIX_OFFSET.
> In any case I will use your mapping of S-1-0-65534 <-> 65534.
Thanks. Do you want to add handling for this mapping to
pwdgrp::fetch_account_from_windows yourself or shall I do it? I could
come up with a patch in the next couple of days. I will prepare a
developer's snapshot then, so you can immediately test if it works as
desired.
Thanks again,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2016-06-29 8:21 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-24 19:02 Bill Zissimopoulos
2016-06-24 21:37 ` Corinna Vinschen
2016-06-24 22:00 ` Corinna Vinschen
2016-06-24 22:06 ` Bill Zissimopoulos
2016-06-24 22:31 ` Corinna Vinschen
2016-06-24 22:36 ` Erik Soderquist
2016-06-24 23:03 ` Bill Zissimopoulos
2016-06-24 23:51 ` Bill Zissimopoulos
2016-06-27 13:20 ` Corinna Vinschen
2016-06-24 22:53 ` Bill Zissimopoulos
2016-06-25 17:10 ` Brian Inglis
2016-06-27 10:26 ` Bill Zissimopoulos
2016-06-27 10:29 ` Andrey Repin
2016-06-27 12:06 ` Corinna Vinschen
2016-06-27 20:31 ` Bill Zissimopoulos
2016-06-28 11:08 ` Corinna Vinschen
2016-06-28 19:17 ` Bill Zissimopoulos
2016-06-28 19:17 ` John Ruckstuhl
2016-06-29 8:43 ` Corinna Vinschen [this message]
2016-06-29 15:14 ` Corinna Vinschen
2016-06-29 16:06 ` Corinna Vinschen
2016-06-30 9:26 ` Bill Zissimopoulos
2016-06-30 14:15 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160629082129.GC981@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).