This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: POSIX permission mapping and NULL SIDs
- From: Bill Zissimopoulos <billziss at navimatics dot com>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Fri, 24 Jun 2016 21:37:08 +0000
- Subject: Re: POSIX permission mapping and NULL SIDs
- Authentication-results: sourceware.org; auth=none
- Authentication-results: spf=none (sender IP is ) smtp dot mailfrom=billziss at navimatics dot com;
- References: <D392BA70 dot 95D4%billziss at navimatics dot com> <20160624195144 dot GB27089 at calimero dot vinschen dot de>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On 6/24/16, 12:51 PM, "Corinna Vinschen" <cygwin-owner@cygwin.com on
behalf of corinna-cygwin@cygwin.com> wrote:
>>Could my mapping of the NULL SID somehow interfere with Cygwinâs ACL
>> mapping? No way right? Turns out that: yes!
>>File:winsup/cygwin/sec_acl.cc,
>> line:787
>
>Read the comment at the beginning of the file explaining how new-style
>ACLs look like.
Thank you for the pointers and the historical information.
>>I am also seeking an alternative to using the NULL SID for
>> ânobodyâ/ânogroupâ. Is there a Cygwin suggested one?
>
>Not yet. We're coming from the other side. We always have *some* SID.
>pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID
>to a passwd or group entry. If everything fails, the SID is used in this
>passwd/group entry verbatim, but mapped to uid/gid -1.
I also noticed that there is no uid mapping for nobody. On my OSX box it
is -2. On many other POSIX systems it appears to be the 32-bit or 16-bit
equivalent of -2.
For the time being I am mapping unknown SIDâs to -1 as per Cygwin.
>If you want some specific mapping we can arrange that, but it must not
>be the NULL SID. If you know you're communicating with a Cygwin process,
>what about using an arbitrary, unused SID like S-1-0-42?
I am inclined to try S-1-5-7 (Anonymous). But I do not know if that is a
bad choice for some reason or other.
The main reason that I am weary of using an unused SID is that Microsoft
may decide to assign some special powers to it in a future release (e.g.
GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
namespace.
>How do you differ nobody from nogroup if you use the same SID for both,
>btw.?
I use the same SID for both nobody and nogroup. This should work as long
as you use the permission mapping from the [PERMS] document.
Bill