From: Bill Zissimopoulos
To: "cygwin AT cygwin DOT com"
Subject: Re: POSIX permission mapping and NULL SIDs
Date: Mon, 27 Jun 2016 19:01:20 +0000
References: <20160624195144 DOT GB27089 AT calimero DOT vinschen DOT de> <20160624215948 DOT GD27089 AT calimero DOT vinschen DOT de> <1945820393 DOT 20160627122324 AT yandex DOT ru> <20160627102614 DOT GA8258 AT calimero DOT vinschen DOT de>
In-Reply-To: <20160627102614.GA8258@calimero.vinschen.de>

>Why don't we just follow Fedora Linux here and use a mapping to either
>99 (nobody) or 65534 (nfsnobody)? Both uid values are unused in the
>mapping and 65534 aka 0xfffe has the additional advantage that it's not
>mapped at all (all values between 0x1000 and 0xffff are invalid).
>
>Also, since 65534 is -2 in a 16 bit uid it seems like a natural choice
>to me.
>
>So, what about S-1-0-65534 <-> 65534, name of "{nfs}nobody"?

I am happy with the S-1-0-65534 *SID*, but I note that the 65534 *UID* is perhaps *not* a good choice.
It is actually already mapped to S-1-5-15-4095, according to your own [IDMAP] document:

    S-1-5-X-RID <=> uid/gid: 0x1000 * X + RID

With X=15 and RID=4095, we get uid==65534.

Unfortunately S-1-5-15 is the SID for "This Organization" according to the "Well-known security identifiers in Windows operating systems" document [WKSID]. OTOH, because S-1-5-15 is a "leaf" SID and not a "namespace" it may be possible to assume that the S-1-5-15-4095 SID cannot appear (I am not sure about that).

BTW, I have here a partitioning of the UID namespace that may help choose the right mapping:

/*
 * UID namespace partitioning (from [IDMAP] rules):
 *
 * 0x000000 + RID              S-1-5-RID, S-1-5-32-RID
 * 0x000ffe                    OtherSession
 * 0x000fff                    CurrentSession
 * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]: X=1-15,17-21,32,64,80,83)
 * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
 * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
 * 0x060000 + RID              S-1-16-RID
 * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
 */

Clearly the namespace is very busy with multiple overlapping ranges.

With all that and to help conclude this thread I gather here all the proposed mappings. Corinna, I will use the one which you prefer the most:

    S-1-0-65534 <-> 65534
    S-1-0-65534 <-> -1==0xffffffff
    S-1-0-65534 <-> -2==0xfffffffe
    S-1-0-99 <-> -1==0xffffffff
    S-1-0-99 <-> -2==0xfffffffe

Bill

[IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html
[WKSID] https://support.microsoft.com/en-us/kb/243330