Mail Archives: cygwin/2016/06/27/05:35:43

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2016/06/27/05:35:43

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:date:from:reply-to:message-id:to:subject

:in-reply-to:references:mime-version:content-type

:content-transfer-encoding; q=dns; s=default; b=d4oMq9NdQB0X7sfp

GZ5HMJL2RmUwKzeD0Vk8OFydu5K1NQU3lAWU7jLgdy17Z+ZfhWfp494IDy2v9Inz

gPsslf0CCZxo086+Wr+wpegVvLzDqbBPFukHUfi3Tb6JW8E2YjgSeN+eBdICTMgE

OtUU2/reYuY1403AqP81tnA4JMM=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:date:from:reply-to:message-id:to:subject

:in-reply-to:references:mime-version:content-type

:content-transfer-encoding; s=default; bh=vg9DHk2GbWe+AXWg3Drg/b

nj4Nk=; b=Yx1bmaAzj6QcZMYgBJ2ojSy6h5qDPxbil5FhANUA+3zYg58lF8gOUa

wpa6wahjWkV7f+tCsIHpt3vxpAmviooTX7mG18fSoDqGQ8hqoolxp1aaGlcL5teI

AdfUUyo74W6NFAuHBD9vzDjP4mn3AuvoKNexBQGBzfZXLbBoAIeKY=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=2.0 required=5.0 tests=BAYES_50,FREEMAIL_FROM,KAM_THEBAT,MIME_BASE64_BLANKS,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.2 spammy=H*UA:Bat!, H*x:Bat!, H*UA:Home, H*x:Home

X-HELO: forward3o.cmail.yandex.net

Authentication-Results: smtp4o.mail.yandex.net; dkim=pass header.i=@yandex.ru

X-Yandex-Suid-Status: 1 0,1 0

Date: Mon, 27 Jun 2016 12:23:24 +0300

From: Andrey Repin <anrdaemon AT yandex DOT ru>

Reply-To: cygwin AT cygwin DOT com

Message-ID: <1945820393.20160627122324@yandex.ru>

To: Bill Zissimopoulos <billziss AT navimatics DOT com>, cygwin AT cygwin DOT com

Subject: Re: POSIX permission mapping and NULL SIDs

In-Reply-To: <D39583E5.96E3%billziss@navimatics.com>

References: <D392BA70.95D4%billziss AT navimatics DOT com> <20160624195144 DOT GB27089 AT calimero DOT vinschen DOT de> <D392F074.962E%billziss AT navimatics DOT com> <20160624215948 DOT GD27089 AT calimero DOT vinschen DOT de> <D39583E5.96E3%billziss AT navimatics DOT com>

MIME-Version: 1.0

X-IsSubscribed: yes

X-MIME-Autoconverted: from base64 to 8bit by delorie.com id u5R9Zdt3024488

Greetings, Bill Zissimopoulos!

>>> The main reason that I am weary of using an unused SID is that Microsoft
>>> may decide to assign some special powers to it in a future release (e.g.
>>> GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
>>> namespace.
>>
>>I think it's very unlikely.  We could chose any RID value we like and
>>the chance for collision is nil.  When I created the new implementation
>>for POSIX ACLs, I toyed around with this already and used a special
>>Cygwin SID within the NULL SID AUTHORITY.  I'm not entirely sure why I
>>changed this to the NULL SID deny ACE.  I think I disliked the fact that
>>almost every Cygwin ACL would contain a mysterious "unknown SID".

> Ideally we should choose a SID that:

> (1) Is very unlikely to be used by Microsoft at any point in the future.
> (2) Cannot be associated to a user logon for any reason (see problem with
> Anonymous SID) above.
> (3) Maps to a reasonable UID in Cygwin.

> I propose the following SID/UID mapping:

>     S-1-0-99 <=> UID 0xffffffff (32-bit -1)

Why not S-1-0-65535 ? It'll map to 0x1FFFF then without any special rules.

> This is a SID in the S-1-0 (Null Authority) namespace (same one that
> contains the NULL SID), which is unlikely to be used by Microsoft. So it
> likely satisfies (1).

> For the same reason (that it is a new/unused SID in the S-1-0) namespace,
> I think it also satisfies (2).

> If we follow the rules from Cygwinā€™s "POSIX accounts, permission, and
> securityā€¯ document [IDMAP], the SID S-1-0-99 maps to 0x10063. But we can
> make a special rule for this SID to map it to a different UID. Mapping it
> to -1 may be the easiest option, but perhaps we can also consider mapping
> it to 0xfffffffe (-2).

> Bill

> [IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html



-- 
With best regards,
Andrey Repin
Monday, June 27, 2016 12:08:13

Sorry for my terrible english...

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; q=dns; s=default; b=d4oMq9NdQB0X7sfp
	GZ5HMJL2RmUwKzeD0Vk8OFydu5K1NQU3lAWU7jLgdy17Z+ZfhWfp494IDy2v9Inz
	gPsslf0CCZxo086+Wr+wpegVvLzDqbBPFukHUfi3Tb6JW8E2YjgSeN+eBdICTMgE
	OtUU2/reYuY1403AqP81tnA4JMM=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; s=default; bh=vg9DHk2GbWe+AXWg3Drg/b
	nj4Nk=; b=Yx1bmaAzj6QcZMYgBJ2ojSy6h5qDPxbil5FhANUA+3zYg58lF8gOUa
	wpa6wahjWkV7f+tCsIHpt3vxpAmviooTX7mG18fSoDqGQ8hqoolxp1aaGlcL5teI
	AdfUUyo74W6NFAuHBD9vzDjP4mn3AuvoKNexBQGBzfZXLbBoAIeKY=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=2.0 required=5.0 tests=BAYES_50,FREEMAIL_FROM,KAM_THEBAT,MIME_BASE64_BLANKS,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.2 spammy=HUA:Bat!, Hx:Bat!, HUA:Home, Hx:Home
X-HELO:	forward3o.cmail.yandex.net
Authentication-Results:	smtp4o.mail.yandex.net; dkim=pass header.i=@yandex.ru
X-Yandex-Suid-Status:	1 0,1 0
Date:	Mon, 27 Jun 2016 12:23:24 +0300
From:	Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To:	cygwin AT cygwin DOT com
Message-ID:	<1945820393.20160627122324@yandex.ru>
To:	Bill Zissimopoulos <billziss AT navimatics DOT com>, cygwin AT cygwin DOT com
Subject:	Re: POSIX permission mapping and NULL SIDs
In-Reply-To:	<D39583E5.96E3%billziss@navimatics.com>
References:	<D392BA70.95D4%billziss AT navimatics DOT com> <20160624195144 DOT GB27089 AT calimero DOT vinschen DOT de> <D392F074.962E%billziss AT navimatics DOT com> <20160624215948 DOT GD27089 AT calimero DOT vinschen DOT de> <D39583E5.96E3%billziss AT navimatics DOT com>
MIME-Version:	1.0
X-IsSubscribed:	yes
X-MIME-Autoconverted:	from base64 to 8bit by delorie.com id u5R9Zdt3024488