This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: POSIX permission mapping and NULL SIDs
- From: Bill Zissimopoulos <billziss at navimatics dot com>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Mon, 27 Jun 2016 19:01:20 +0000
- Subject: Re: POSIX permission mapping and NULL SIDs
- References: <D392BA70 dot 95D4%billziss at navimatics dot com> <20160624195144 dot GB27089 at calimero dot vinschen dot de> <D392F074 dot 962E%billziss at navimatics dot com> <20160624215948 dot GD27089 at calimero dot vinschen dot de> <D39583E5 dot 96E3%billziss at navimatics dot com> <1945820393 dot 20160627122324 at yandex dot ru> <20160627102614 dot GA8258 at calimero dot vinschen dot de>
>Why don't we just follow Fedora Linux here and use a mapping to either
>99 (nobody) or 65534 (nfsnobody)? Both uid values are unused in the
>mapping and 65534 aka 0xfffe has the additional advantage that it's not
>mapped at all (all values between 0x1000 and 0xffff are invalid).
>
>Also, since 65534 is -2 in a 16 bit uid it seems like a natural choice
>to me.
>
>So, what about S-1-0-65534 <-> 65534, name of "{nfs}nobody"?
I am happy with the S-1-0-65534 *SID*, but I note that the 65534 *UID* is
perhaps *not* a good choice. It is actually already mapped to
S-1-5-15-4095, according to your own [IDMAP] document:
S-1-5-X-RID <=> uid/gid: 0x1000 * X + RID
With X=15 and RID=4095, we get uid==65534. Unfortunately S-1-5-15 is the
SID for "This Organization" according to the "Well-known security
identifiers in Windows operating systems" document [WKSID]. OTOH, because
S-1-5-15 is a "leaf" SID and not a "namespace" it may be possible to
assume that the S-1-5-15-4095 SID cannot appear (I am not sure about that).
BTW, I have here a partitioning of the UID namespace that may help choose
the right mapping:
/*
 * UID namespace partitioning (from [IDMAP] rules):
 *
 * 0x000000 + RID              S-1-5-RID, S-1-5-32-RID
 * 0x000ffe                    OtherSession
 * 0x000fff                    CurrentSession
 * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]: X=1-15,17-21,32,64,80,83)
 * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
 * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
 * 0x060000 + RID              S-1-16-RID
 * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
 */
Clearly the namespace is very busy with multiple overlapping ranges.
With all that and to help conclude this thread I gather here all the
proposed mappings. Corinna, I will use the one which you prefer the most:
S-1-0-65534 <-> 65534
S-1-0-65534 <-> -1==0xffffffff
S-1-0-65534 <-> -2==0xfffffffe
S-1-0-99 <-> -1==0xffffffff
S-1-0-99 <-> -2==0xfffffffe
Bill
[IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html
[WKSID] https://support.microsoft.com/en-us/kb/243330