X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=QafJpXpRr/KfouwEyQtv3vXf2n+OvwIWsz7mzxd62/XR3rId1WaZe
	YIR8TTBEn7MbHKqS8LOq1T30k1LuxEzcrG97F9zvnylS+jxgE/7Jz67dm0F4HcCF
	g/dCy1JsfEBE9LI2bdJ4bOWUou3hLJM9PWfXZhKpx0TONfaeEv272Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=mf/f0Gw9Gq/gPZBiHg8MbibpLvc=; b=YItZaCoXjipksoNJHn3SRKoeXn0D
	7YV2FaJkl8bev/ZjrTSK34oxAxZYneq8v9BhQDNtsmcrEjbfi9K/xgOVw0n2h0ln
	l3/W9hjixmtOaT43r2vhK7K1uK+KriuNVRwdP3c8kKcJlT2joAAiRGucl46tpHAD
	LQdUmZ7lsZZwNvg=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-94.3 required=5.0 tests=AWL,BAYES_00,CYGWIN_OWNER_BODY,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC autolearn=ham version=3.3.2 spammy=erroneous, explaining, H*f:D3980824.9862, H*MI:D3980824.9862
X-HELO: calimero.vinschen.de
Date: Wed, 29 Jun 2016 10:21:29 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: POSIX permission mapping and NULL SIDs
Message-ID: <20160629082129.GC981@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <D392BA70.95D4%billziss AT navimatics DOT com> <20160624195144 DOT GB27089 AT calimero DOT vinschen DOT de> <D392F074.962E%billziss AT navimatics DOT com> <20160624215948 DOT GD27089 AT calimero DOT vinschen DOT de> <D39583E5.96E3%billziss AT navimatics DOT com> <1945820393 DOT 20160627122324 AT yandex DOT ru> <20160627102614 DOT GA8258 AT calimero DOT vinschen DOT de> <D396C16E.9770%billziss AT navimatics DOT com> <20160628102705 DOT GA22797 AT calimero DOT vinschen DOT de> <D3980824.9862%billziss AT navimatics DOT com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="uQr8t48UFsdbeI+V"
Content-Disposition: inline
In-Reply-To: <D3980824.9862%billziss@navimatics.com>
User-Agent: Mutt/1.6.1 (2016-04-27)

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Jun 28 18:06, Bill Zissimopoulos wrote:
> On 6/28/16, 3:27 AM, "Corinna Vinschen" <cygwin-owner AT cygwin DOT com on behalf
> of corinna-cygwin AT cygwin DOT com> wrote:
>=20
>=20
> >>Ok.  Please keep in mind that
> >
> >a) there can't be a bijective mapping between arbitrary length SIDs
> >   and a 32 bit uid/gid.
> >
> >b) The mapping used in Cygwin is not self-created but (mostly, except
> >   for a single deviation) identical to the Interix mapping.  The code
> >   basically follows how this mapping has been defined by Microsoft.
>=20
> Corinna, please stop explaining things to me that I already know.

Sorry but I don't grok this.  During this discussion you were explaining
things to me which I obviously had to know.  If I'm explainig things to
you you already know, well, sorry about that.  Your attempt at creating
an artificial SID just to prove that a collision could be constructed
looked like you didn't understand how well-known Windows SIDs work and
are constructed, and that there's no way for a collision from a valid
Windows SID here.

> >> BTW, I have here a partitioning of the UID namespace that may help
> >>choose
> >> the right mapping:
> >>=20
> >> /*
> >>  * UID namespace partitioning (from [IDMAP] rules):
> >>  *
> >>  * 0x000000 + RID              S-1-5-RID,S-1-5-32-RID
> >>  * 0x000ffe                    OtherSession
> >>  * 0x000fff                    CurrentSession
> >>  * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]:
> >> X=3D1-15,17-21,32,64,80,83)
> >>  * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=3D1,2,3,4,5,9,16)
> >>  * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
> >>  * 0x060000 + RID              S-1-16-RID
> >>  * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
> >>  */
> >
> >You're aware that I wrote the code for this mapping as well as its
> >documentation? :)
>=20
> Corinna, of course I am aware of that. I have found your original post to
> this list about it. Why would you think otherwise? And why would it change
> anything?

If that's the case, then why do you explain all these things to me?  I'm
a bit at a loss to see the difference between me explaining things to
you you already know vs. you explaing things to me I already know.
Aren't we kind of on par here?

But, never mind.

> >>With all that and to help conclude this thread I gather here all the
> >> proposed mappings. Corinna, I will use the one which you prefer the
> >>most:
> >>=20
> >> S-1-0-65534                    <-> 65534
> >
> >This one is still my favorite.  Again, the range from 0x1000 up to
> >0xffff is unused.  Right now any incoming uid/gid value in this range
> >for a reverse SID lookup is treated as invalid SID.
>=20
> I disagree. You are saying that it is unused, but a (perhaps erroneous)
> SID would map into that space.

Yes that's possible.  However, where would this erroneous SID come from?

The chances that a SID comes in which gets converted to uid/gid 0xfffffffe
is actually higher.  See UNIX_POSIX_OFFSET.

> In any case I will use your mapping of S-1-0-65534 <-> 65534.

Thanks.  Do you want to add handling for this mapping to
pwdgrp::fetch_account_from_windows yourself or shall I do it?  I could
come up with a patch in the next couple of days.  I will prepare a
developer's snapshot then, so you can immediately test if it works as
desired.


Thanks again,
Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--uQr8t48UFsdbeI+V
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXc4UJAAoJEPU2Bp2uRE+gaAgP/1KCH7t3xfGufMAv6X3ypkQD
XM2kZqn19Ny8OgtuM/E4LULqYVZdX+9spYPwbJC9ox1WTBU4SlKDYVGpqhugRhyk
xGUxmDDsHp1DoAf2STbSEp82y2yYW4qRv++ZPlEohu+vY2xN/W47dcXNa1bKo0sQ
aJD8CXq3aivX5tGsyDfr3lEoXn4s2ZiPj1B++F8TuFqeuCCUXjCkaDaCXrj47rsX
tPKxWwPLVCArFqn+zpap3keLR5RKTIQXX0Mloo01s1c5Sv8rlybYr7cHRuOEuG0I
Ov14DiFGGDko95J+6tRzzESXXqRrci7eg+QoY8Pett0xBCtGSuqH0gxOCFOhAzwS
Mi6HK89Rg4S3m1j8NSSvYHWbHevdYAcbyQFqUogbFIDTiR+szwbEfIZwO0h7zizs
0YgvPt73jxxSFLGCr0ehaF5UlJ0ywusTRpEbGJhwDt4PC7MZO6N+RQD1o/wp0mqS
xv/AZzp2dv/xyjAOrpTTHGYCwQ+TJSkMv5XplqBO/O/HbHYJSurFhyPMw4HCWa35
7JOszQEgT0vsG01QlItwmYkTB7u/38FyaDpBi+KB4eeGw++an8o1kXcwcjbWDCNM
W1KSVoyXUrUVWSVYD6rrTp+0YtHJWbBnhTzBuZCLFlJ7GQY7QO+r7NY52iB4EBFU
9I95zB+kB41LHEddtsUr
=DV0a
-----END PGP SIGNATURE-----

--uQr8t48UFsdbeI+V--