Mail Archives: cygwin/2016/06/24/15:52:16

Date: Fri, 24 Jun 2016 21:51:44 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: POSIX permission mapping and NULL SIDs

On Jun 24 18:07, Bill Zissimopoulos wrote:
> Could my mapping of the NULL SID somehow interfere with Cygwin’s ACL
> mapping? No way right? Turns out that: yes! File:winsup/cygwin/sec_acl.cc,
> line:787

Read the comment at the beginning of the file explaining what new-style
ACLs look like.

> Allow me to say that I find this a *gross* hack. You are subverting the
> Windows ACL mechanism to store information that it was not designed to
> store. I would love to hear a good rationale for this decision.

The usage of NULL SID ACEs to store special POSIX permission bits is
long-standing behaviour, first implemented by U/Win and later adopted by
Cygwin.  That older version has been using access-allowed NULL SID ACEs for
*ages* to store ISVTX, ISGID and ISUID bits.  The new implementation
uses access-denied NULL SID ACEs to store the same bits, plus the POSIX
MASK bits.  Another access-denied NULL SID ACE with the "Inherit Only"
bit set is used to specify the same info for the POSIX default ACL.

> BTW, this also appears to break BashOnWindows: see [BASHW]

I'm not overly sympathetic.  Cygwin's implementation is older.  If
Microsoft provides full support for POSIX permission bits plus POSIX
ACLs including useful documentation, I'm willing to reconsider.  And
matching patches are welcome of course.

What strikes me as weird is that nobody from the UoW side is trying
to work with Cygwin ACLs or even trying to communicate with us to
define and implement POSIX ACLs in a documented, generic way for both
systems.

> In any case I am seeking more information regarding Cygwin’s use of NULL
> SID’s. I have found an old post that sheds some light [OPOST].

That's old.  See the comment at the beginning of sec_acl.cc, as well as
the comments in set_posix_access() in the same file.

> I am also seeking an alternative to using the NULL SID for
> “nobody”/“nogroup”. Is there a Cygwin suggested one?

Not yet.  We're coming from the other side.  We always have *some* SID.
pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID
to a passwd or group entry.  If everything fails, the SID is used in this
passwd/group entry verbatim, but mapped to uid/gid -1.

If you want some specific mapping we can arrange that, but it must not
be the NULL SID.  If you know you're communicating with a Cygwin process,
what about using an arbitrary, unused SID like S-1-0-42?

How do you differentiate nobody from nogroup if you use the same SID for
both, btw?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
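
An added example, not part of the original message and not Cygwin code: a small Python check that a tool sharing files with Cygwin could run over an SDDL string to see which NULL SID (S-1-0-0) ACEs would be read as the POSIX metadata ACEs described above. It classifies only by ACE type and the Inherit Only flag, as the message describes; the function name, the sample SDDL and its rights values are constructed for illustration.

```python
import re

NULL_SID = "S-1-0-0"  # the well-known Null SID

# Constructed sample SDDL (not from a real file); rights values are arbitrary.
SAMPLE_SDDL = (
    "O:S-1-5-21-1-2-3-1001G:S-1-5-21-1-2-3-513"
    "D:P(D;;0x20048;;;S-1-0-0)(A;;FA;;;S-1-5-21-1-2-3-1001)"
    "(A;;FR;;;WD)(D;OICIIO;0x20040;;;S-1-0-0)"
)

def classify_null_sid_aces(sddl):
    """Return [(kind, rights), ...] for each NULL SID ACE in the DACL.

    Handles plain ACEs only; conditional ACEs with nested parentheses
    are not parsed.
    """
    # DACL section: "D:", optional control flags, then "(...)" ACE strings.
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not dacl:
        return []
    found = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        # type;flags;rights;object_guid;inherit_object_guid;account_sid
        fields = body.split(";")
        if len(fields) < 6 or fields[5] != NULL_SID:
            continue
        ace_type, flags, rights = fields[0], fields[1], fields[2]
        # ACE flags are concatenated two-letter codes, e.g. "OICIIO".
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if ace_type == "A":
            kind = "old-style special bits"
        elif ace_type == "D" and "IO" in flag_set:
            kind = "new-style default ACL info"
        elif ace_type == "D":
            kind = "new-style special bits and MASK"
        else:
            kind = "other NULL SID ACE"
        found.append((kind, rights))
    return found

if __name__ == "__main__":
    for kind, rights in classify_null_sid_aces(SAMPLE_SDDL):
        print(f"{kind}: rights field {rights}")
```

An access-allowed ACE that a file system grants to a NULL SID "nobody" owner lands in the first category, which is the collision the quoted question ran into.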

