X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=LWyDing5vZfiCMU+dOX45vzFVHCH3K9Rj2EZ22ufP9fEpFDOUEriw FDXvIBn/SAR3xPI6Qklu+pcjCAJr7HOGBV8gAHkhldG8SxygwlJPqfiP28swtZXG KpXUMGCUownMvlSEoOWTuQQDh7lHJIS3Z1K7n8jwhIaBZe2hPvdoYM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=hoBTJ2ddcpjeTcom6bHWXSKLj8k=; b=FCyG4cchL4WlmMDaEqCzF9nZnvt3 7yUnu1vaKb7Kti6znahZpOXLN6I92Q37iotbuojQBme1DFDlad8XAU9qOPx9VsYa jmn0bIBi0mnTgGKE2RVMWBd/s9ompiFOZ0qdAlNGhCUaSrNFHxVIfVZtUImJn7L8 P9Wks/LmxciqzLs= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-93.0 required=5.0 tests=AWL,BAYES_50,CYGWIN_OWNER_BODY,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=ham version=3.3.2 spammy=extensive, inclined, powers, osx X-HELO: calimero.vinschen.de Date: Fri, 24 Jun 2016 23:59:48 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: POSIX permission mapping and NULL SIDs Message-ID: <20160624215948.GD27089@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <20160624195144 DOT GB27089 AT calimero DOT vinschen DOT de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="kfjH4zxOES6UT95V" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) --kfjH4zxOES6UT95V Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Jun 24 21:37, Bill Zissimopoulos wrote: > On 6/24/16, 12:51 PM, "Corinna Vinschen" behalf of corinna-cygwin AT cygwin DOT com> wrote: > >Not yet. We're coming from the other side. We always have *some* SID. > >pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID > >to a passwd or group entry. If everything fails, the SID is used in this > >passwd/group entry verbatim, but mapped to uid/gid -1. >=20 > I also noticed that there is no uid mapping for nobody. On my OSX box it > is -2. On many other POSIX systems it appears to be the 32-bit or 16-bit > equivalent of -2. In fact it's an entirely arbitrary choice. On Fedora Linux, for instance, there is no "nogroup", but there is: /etc/passwd: nobody:x:99:99:Nobody:/:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin /etc/group: nobody:x:99: nfsnobody:x:65534: Note the 65534 here. This is -2 *if* the remote system uses 16 bit signed uid/gid values. However, these days uid/gid values are at least 32 bit, so -2 kind of lost its meaning. > For the time being I am mapping unknown SID=E2=80=99s to -1 as per Cygwin. We could kick this around a bit and maybe reserve -2, 99 or 65534 for an arbitrary "nobody" account. But since we're on Windows the SID value is important, not so much the uid/gid values. > >If you want some specific mapping we can arrange that, but it must not > >be the NULL SID. If you know you're communicating with a Cygwin process, > >what about using an arbitrary, unused SID like S-1-0-42? >=20 > I am inclined to try S-1-5-7 (Anonymous). But I do not know if that is a > bad choice for some reason or other. I thought about Anonymous myself when I wrote my reply to your OP. I refrained from mentioning it because it might have some unexpected side effect we're not aware about. > The main reason that I am weary of using an unused SID is that Microsoft > may decide to assign some special powers to it in a future release (e.g. > GodMode SID). But I agree that this is rather unlikely in the S-1-0-X > namespace. I think it's very unlikely. We could chose any RID value we like and the chance for collision is nil. When I created the new implementation for POSIX ACLs, I toyed around with this already and used a special Cygwin SID within the NULL SID AUTHORITY. I'm not entirely sure why I changed this to the NULL SID deny ACE. I think I disliked the fact that almost every Cygwin ACL would contain a mysterious "unknown SID". On second thought, maybe that would have avoided the UoW problem?!? Well, how should I have known about UoW when I implemanted this, right? > >How do you differ nobody from nogroup if you use the same SID for both, > >btw.? >=20 > I use the same SID for both nobody and nogroup. This should work as long > as you use the permission mapping from the [PERMS] document. Keep in mind that Interix only supported standard POSIX permission bits. Cygwin strives to support POSIX ACLs per POSIX 1003.1e draft 17. That's a bit more extensive. Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --kfjH4zxOES6UT95V Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXba1TAAoJEPU2Bp2uRE+gWv0QAILCI9o+fEf9CQd8lzaCvc1w 38MGwOalqMTlfPhO+hZqahBXn5EsmnhFq7MUALjh5V0xa0rBKXcyErBdmghn6ROP 5pQnjpz8aE7R9kJvgQlwG5VmRfKQxLhgt8JuI/FHS3qt2+DfPW90HKO2NSi5lr/J hcLdXdg6J0rb83tWR3F5MlWbZ9/tZXCSYtKDwj66T2MR9hSXpMxoIIwyQGW0CZic usIaCb0khg+yYxMeRptLlElzzc1FPMAH1rLTdk1WPmS46NiTk6uVYFzZkDQuCZ3J Dz4gGAr+o5/iboyLNYahNnlAFh2jeRQKrkFPEh5AJYp2/KP+WJPrWqN1VDTWWaqq wCh1C2g0HFnUDxQPQWPWbNr54qgOUuTFnWtQ7wMNVg5VmOFDUfNny5r8YMZ5WCLg D69phXLN8Td1NVX3yoQZBf6UiFltYY84TSnACR5ELWllQSOvZrP+s39ETMSBssPz UAj/kcqrbb+ddTRX/Zt6Ijdyztp1gIZZnJEBVwM1WgCksPjCrlIKjG7t9P6zZgDv PGNYunkeW65ScU0oWDFHjcWZ0gxpKGcn//Lb7Y4revhBrNtxuDuFfmRXYB4djPR1 7ihvt6q4UhXbNjEh4fqxV4rcNt4HKpzQlcf3EVQEGXrLSMqDpjUQy40TkTMNJQ4J Czu2plO3giu5jUnZuP7C =RBe6 -----END PGP SIGNATURE----- --kfjH4zxOES6UT95V--