From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=x9P6=KD=gluelogic.com=gs-cygwin.com@sourceware.org>
Received: from smtp1.atof.net (smtp1.atof.net [52.86.233.228])
	by sourceware.org (Postfix) with ESMTPS id D09083858D1E
	for <cygwin@cygwin.com>; Mon, 26 Feb 2024 04:17:36 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D09083858D1E
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gluelogic.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gluelogic.com
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org D09083858D1E
Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=52.86.233.228
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1708921060; cv=none;
	b=LcnLvFSx1Q17oBBvc8d9eZeubyrs1LPIZld/HYqOmc/T/RhTtryOO/fbPO5CCD9jMrLalkqDYk6Vwd1bQNSlPBPRXWh8Hpq68jxTfZwqnDUIf52nMlG3C5a86m6jPZHtQg0N9jWNtZsMhkTV5BJMXihDWr2f1T5kOfWEsp5sk1E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1708921060; c=relaxed/simple;
	bh=8X4YFfmbIbrqlKL0IJfoIgBJ8jPAyOm6zym+M+W1ZT4=;
	h=Date:From:To:Subject:Message-ID:MIME-Version; b=fbpWjtOkdUErZSrwD2DaEPd55urPsWNCwd2IB6Cs1H/ch5VHN+t9GGlxk18En1W8iH4ywsOn4zL7ziU/4SzHqxOiEglK3sz7X1mO9k1r647wyAkaMhzfr83u59BS94vZdXDfr5ijJ+v5quQ8WHOTZ182T+wOPYNRTpZL0gENm80=
ARC-Authentication-Results: i=1; server2.sourceware.org
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
X-Spam-Language: en
X-Spam-Relay-Country: 
X-Spam-DCC: B=www.nova53.net; R=smtp1.atof.net 1206; Body=1 Fuz1=1 Fuz2=1
X-Spam-RBL: 
X-Spam-PYZOR: Reported 0 times.
Date: Sun, 25 Feb 2024 23:17:27 -0500
From: gs-cygwin.com@gluelogic.com
To: Roland Mainz <roland.mainz@nrubsig.org>
Cc: cygwin@cygwin.com
Subject: Re: Will all SIDs fit into |SECURITY_MAX_SID_SIZE| bytes ? / was:
 Re: Switching groups with newgrp - how to get the new group with
 |GetTokenInformation()| ?
Message-ID: <ZdwQ1-p7JHF4GtD_@xps13>
References: <CAKAoaQnFxij4Np-jg+bOLEpiSziCfamFrJ2FR_JeO+Sv_Td2Kg@mail.gmail.com>
 <ZdecXZNUgQ3i0hYN@calimero.vinschen.de>
 <CAKAoaQk39bKbG0a_sZAR2KKz5f4U04xc=499YibfbdLesxC4Vg@mail.gmail.com>
 <Zdo8B-IhG_dYAjGo@calimero.vinschen.de>
 <CAKAoaQmL4wQ526dQ_-ASHCMum8L2sKiR_LnP-ba+R+39ZCMKVw@mail.gmail.com>
 <Zdu_9j2OplMcA5ki@xps13>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <Zdu_9j2OplMcA5ki@xps13>
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,KAM_DMARC_STATUS,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
List-Id: <cygwin.cygwin.com>

On Sun, Feb 25, 2024 at 05:32:32PM -0500, Glenn Strauss via Cygwin wrote:
> On Sun, Feb 25, 2024 at 10:04:29PM +0100, Roland Mainz via Cygwin wrote:
> > On Sat, Feb 24, 2024 at 7:57 PM Corinna Vinschen via Cygwin
> > <cygwin@cygwin.com> wrote:
> > >
> > > On Feb 24 15:38, Roland Mainz via Cygwin wrote:
> > > > On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin
> > > > <cygwin@cygwin.com> wrote:
> > > > > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > > > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > > > > (native) Win32 process use
> > > > > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > > > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > > > > should I use) ?
> > > > >
> > > > >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> > > > [snip]
> > > >
> > > > Win32/NT API question: All known SIDs will fit into
> > > > |SECURITY_MAX_SID_SIZE| bytes, right ? I'm asking because right now
> > > > the ms-nfs41-client code assumes that all SIDs use a variable amount
> > > > of memory, and we always have to ask the Win32/NT API about the number
> > > > of bytes to allocate. If |SECURITY_MAX_SID_SIZE| is the global maximum
> > > > limit for all Windows versions, then we could simplify the code a
> > > > lot...
> > >
> > > Yes.  ACLs are size restricted to 64K, though, but that shouldn't be
> > > much of a problem usally.
> > 
> > Erm... why ACLs? I was asking about the memory allocation size for an SID.
> > 
> > Example:
> > Right now our code uses two calls to |LookupAccountNameA()| for the
> > conversion from a Windows account name to Windows SID.
> > The first call gets the allocation size for a SID, our code then
> > allocates that memory, and then does a second call to
> > |LookupAccountNameA()| to fill that memory with that SID.
> > 
> > If |SECURITY_MAX_SID_SIZE| (currently 68 bytes) is the maximum memory
> > size a Windows syscall can return for a SID, then the code above could
> > be simplified to a |sidmem =
> > malloc(SECURITY_MAX_SID_SIZE)|+|LookupAccountNameA(..., sidmem, ...)|.
> > 
> > The same could be done in many many other places, leading to a
> > considerable reduction of Win32 system library calls.
> > 
> > Question is whether the assumption about |SECURITY_MAX_SID_SIZE| is correct...
> 
> A robust solution which also reduces syscalls does not necessarily
> require a precise answer here.
> 
> I suggest writing a wrapper function which has on the stack
>   CSTR sidbuf[SECURITY_MAX_SID_SIZE];
> and calls LookupAccountNameA() passing sidbuf as Sid.
> If it succeeds, then malloc() returned cbSid value and copy sidbuf[].
> If it fails because the buffer is too small, then malloc() the returned
> cbSid value and call LookupAccountNameA() again.
> 
> Doing the above will keep memory use to a minimum, and will generally
> call LookupAccountNameA() once per wrapper func invocation rather than
> twice.
> 
> Cheers, Glenn

Commenters on stackoverflow provide data calculating the answer as
68 bytes for SID as binary [1]

[1] https://stackoverflow.com/questions/1140528/what-is-the-maximum-length-of-a-sid-in-sddl-format