From: Bill Zissimopoulos <billziss@navimatics.com>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Re: POSIX permission mapping and NULL SIDs
Date: Fri, 24 Jun 2016 22:06:00 -0000 [thread overview]
Message-ID: <D392F074.962E%billziss@navimatics.com> (raw)
In-Reply-To: <20160624195144.GB27089@calimero.vinschen.de>
On 6/24/16, 12:51 PM, "Corinna Vinschen" <cygwin-owner@cygwin.com on
behalf of corinna-cygwin@cygwin.com> wrote:
>>Could my mapping of the NULL SID somehow interfere with Cygwin’s ACL
>> mapping? No way right? Turns out that: yes!
>>File:winsup/cygwin/sec_acl.cc,
>> line:787
>
>Read the comment at the beginning of the file explaining how new-style
>ACLs look like.
Thank you for the pointers and the historical information.
>>I am also seeking an alternative to using the NULL SID for
>> “nobody”/“nogroup”. Is there a Cygwin suggested one?
>
>Not yet. We're coming from the other side. We always have *some* SID.
>pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID
>to a passwd or group entry. If everything fails, the SID is used in this
>passwd/group entry verbatim, but mapped to uid/gid -1.
I also noticed that there is no uid mapping for nobody. On my OSX box it
is -2. On many other POSIX systems it appears to be the 32-bit or 16-bit
equivalent of -2.
For the time being I am mapping unknown SID’s to -1 as per Cygwin.
>If you want some specific mapping we can arrange that, but it must not
>be the NULL SID. If you know you're communicating with a Cygwin process,
>what about using an arbitrary, unused SID like S-1-0-42?
I am inclined to try S-1-5-7 (Anonymous). But I do not know if that is a
bad choice for some reason or other.
The main reason that I am weary of using an unused SID is that Microsoft
may decide to assign some special powers to it in a future release (e.g.
GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
namespace.
>How do you differ nobody from nogroup if you use the same SID for both,
>btw.?
I use the same SID for both nobody and nogroup. This should work as long
as you use the permission mapping from the [PERMS] document.
Bill
next prev parent reply other threads:[~2016-06-24 21:37 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-24 19:02 Bill Zissimopoulos
2016-06-24 21:37 ` Corinna Vinschen
2016-06-24 22:00 ` Corinna Vinschen
2016-06-24 22:06 ` Bill Zissimopoulos [this message]
2016-06-24 22:31 ` Corinna Vinschen
2016-06-24 22:36 ` Erik Soderquist
2016-06-24 23:03 ` Bill Zissimopoulos
2016-06-24 23:51 ` Bill Zissimopoulos
2016-06-27 13:20 ` Corinna Vinschen
2016-06-24 22:53 ` Bill Zissimopoulos
2016-06-25 17:10 ` Brian Inglis
2016-06-27 10:26 ` Bill Zissimopoulos
2016-06-27 10:29 ` Andrey Repin
2016-06-27 12:06 ` Corinna Vinschen
2016-06-27 20:31 ` Bill Zissimopoulos
2016-06-28 11:08 ` Corinna Vinschen
2016-06-28 19:17 ` Bill Zissimopoulos
2016-06-28 19:17 ` John Ruckstuhl
2016-06-29 8:43 ` Corinna Vinschen
2016-06-29 15:14 ` Corinna Vinschen
2016-06-29 16:06 ` Corinna Vinschen
2016-06-30 9:26 ` Bill Zissimopoulos
2016-06-30 14:15 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D392F074.962E%billziss@navimatics.com \
--to=billziss@navimatics.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).