Re: POSIX permission mapping and NULL SIDs

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

[-- Attachment #1: Type: text/plain, Size: 3553 bytes --]

On Jun 28 18:06, Bill Zissimopoulos wrote:
> On 6/28/16, 3:27 AM, "Corinna Vinschen" <cygwin-owner@cygwin.com on behalf
> of corinna-cygwin@cygwin.com> wrote:
> 
> 
> >>Ok.  Please keep in mind that
> >
> >a) there can't be a bijective mapping between arbitrary length SIDs
> >   and a 32 bit uid/gid.
> >
> >b) The mapping used in Cygwin is not self-created but (mostly, except
> >   for a single deviation) identical to the Interix mapping.  The code
> >   basically follows how this mapping has been defined by Microsoft.
> 
> Corinna, please stop explaining things to me that I already know.

Sorry but I don't grok this.  During this discussion you were explaining
things to me which I obviously had to know.  If I'm explainig things to
you you already know, well, sorry about that.  Your attempt at creating
an artificial SID just to prove that a collision could be constructed
looked like you didn't understand how well-known Windows SIDs work and
are constructed, and that there's no way for a collision from a valid
Windows SID here.

> >> BTW, I have here a partitioning of the UID namespace that may help
> >>choose
> >> the right mapping:
> >> 
> >> /*
> >>  * UID namespace partitioning (from [IDMAP] rules):
> >>  *
> >>  * 0x000000 + RID              S-1-5-RID,S-1-5-32-RID
> >>  * 0x000ffe                    OtherSession
> >>  * 0x000fff                    CurrentSession
> >>  * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]:
> >> X=1-15,17-21,32,64,80,83)
> >>  * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
> >>  * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
> >>  * 0x060000 + RID              S-1-16-RID
> >>  * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
> >>  */
> >
> >You're aware that I wrote the code for this mapping as well as its
> >documentation? :)
> 
> Corinna, of course I am aware of that. I have found your original post to
> this list about it. Why would you think otherwise? And why would it change
> anything?

If that's the case, then why do you explain all these things to me?  I'm
a bit at a loss to see the difference between me explaining things to
you you already know vs. you explaing things to me I already know.
Aren't we kind of on par here?

But, never mind.

> >>With all that and to help conclude this thread I gather here all the
> >> proposed mappings. Corinna, I will use the one which you prefer the
> >>most:
> >> 
> >> S-1-0-65534                    <-> 65534
> >
> >This one is still my favorite.  Again, the range from 0x1000 up to
> >0xffff is unused.  Right now any incoming uid/gid value in this range
> >for a reverse SID lookup is treated as invalid SID.
> 
> I disagree. You are saying that it is unused, but a (perhaps erroneous)
> SID would map into that space.

Yes that's possible.  However, where would this erroneous SID come from?

The chances that a SID comes in which gets converted to uid/gid 0xfffffffe
is actually higher.  See UNIX_POSIX_OFFSET.

> In any case I will use your mapping of S-1-0-65534 <-> 65534.

Thanks.  Do you want to add handling for this mapping to
pwdgrp::fetch_account_from_windows yourself or shall I do it?  I could
come up with a patch in the next couple of days.  I will prepare a
developer's snapshot then, so you can immediately test if it works as
desired.


Thanks again,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]