From: Bill Zissimopoulos
To: "cygwin AT cygwin DOT com"
Subject: Re: POSIX permission mapping and NULL SIDs
Date: Fri, 24 Jun 2016 21:37:08 +0000
References: <20160624195144 DOT GB27089 AT calimero DOT vinschen DOT de>

On 6/24/16, 12:51 PM, "Corinna Vinschen" wrote:

>>Could my mapping of the NULL SID somehow interfere with Cygwin’s ACL
>> mapping? No way right? Turns out that: yes!
>>File:winsup/cygwin/sec_acl.cc,
>> line:787
>
>Read the comment at the beginning of the file explaining how new-style
>ACLs look like.

Thank you for the pointers and the historical information.

>>I am also seeking an alternative to using the NULL SID for
>> “nobody”/“nogroup”. Is there a Cygwin suggested one?
>
>Not yet. We're coming from the other side.
>We always have *some* SID.
>pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID
>to a passwd or group entry. If everything fails, the SID is used in this
>passwd/group entry verbatim, but mapped to uid/gid -1.

I also noticed that there is no uid mapping for nobody. On my OSX box it is -2. On many other POSIX systems it appears to be the 32-bit or 16-bit equivalent of -2. For the time being I am mapping unknown SIDs to -1 as per Cygwin.

>If you want some specific mapping we can arrange that, but it must not
>be the NULL SID. If you know you're communicating with a Cygwin process,
>what about using an arbitrary, unused SID like S-1-0-42?

I am inclined to try S-1-5-7 (Anonymous). But I do not know if that is a bad choice for some reason or other.

The main reason that I am wary of using an unused SID is that Microsoft may decide to assign some special powers to it in a future release (e.g. GodMode SID). But I agree that this is rather unlikely in the S-1-0-X namespace.

>How do you differ nobody from nogroup if you use the same SID for both,
>btw.?

I use the same SID for both nobody and nogroup. This should work as long as you use the permission mapping from the [PERMS] document.

Bill