Date: Wed, 29 Jun 2016 10:21:29 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: POSIX permission mapping and NULL SIDs
Message-ID: <20160629082129.GC981@calimero.vinschen.de>

On Jun 28 18:06, Bill Zissimopoulos wrote:
> On 6/28/16, 3:27 AM, "Corinna Vinschen" of corinna-cygwin AT cygwin DOT com> wrote:
>
>
> >>Ok. Please keep in mind that
> >
> >a) there can't be a bijective mapping between arbitrary length SIDs
> >   and a 32 bit uid/gid.
> >
> >b) The mapping used in Cygwin is not self-created but (mostly, except
> >   for a single deviation) identical to the Interix mapping. The code
> >   basically follows how this mapping has been defined by Microsoft.
>
> Corinna, please stop explaining things to me that I already know.

Sorry but I don't grok this. During this discussion you were explaining
things to me which I obviously had to know. If I'm explaining things to
you you already know, well, sorry about that.

Your attempt at creating an artificial SID just to prove that a
collision could be constructed looked like you didn't understand how
well-known Windows SIDs work and are constructed, and that there's no
way for a collision from a valid Windows SID here.

> >> BTW, I have here a partitioning of the UID namespace that may help choose
> >> the right mapping:
> >>
> >>     /*
> >>      * UID namespace partitioning (from [IDMAP] rules):
> >>      *
> >>      * 0x000000 + RID              S-1-5-RID,S-1-5-32-RID
> >>      * 0x000ffe                    OtherSession
> >>      * 0x000fff                    CurrentSession
> >>      * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]: X=1-15,17-21,32,64,80,83)
> >>      * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
> >>      * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
> >>      * 0x060000 + RID              S-1-16-RID
> >>      * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
> >>      */
> >
> >You're aware that I wrote the code for this mapping as well as its
> >documentation? :)
>
> Corinna, of course I am aware of that. I have found your original post to
> this list about it. Why would you think otherwise? And why would it change
> anything?

If that's the case, then why do you explain all these things to me?
I'm a bit at a loss to see the difference between me explaining things
to you you already know vs. you explaining things to me I already know.
Aren't we kind of on par here? But, never mind.

> >>With all that and to help conclude this thread I gather here all the
> >> proposed mappings. Corinna, I will use the one which you prefer the most:
> >>
> >> S-1-0-65534 <-> 65534
> >
> >This one is still my favorite. Again, the range from 0x1000 up to
> >0xffff is unused. Right now any incoming uid/gid value in this range
> >for a reverse SID lookup is treated as invalid SID.
>
> I disagree. You are saying that it is unused, but a (perhaps erroneous)
> SID would map into that space.

Yes that's possible. However, where would this erroneous SID come from?
The chances that a SID comes in which gets converted to uid/gid
0xfffffffe is actually higher. See UNIX_POSIX_OFFSET.

> In any case I will use your mapping of S-1-0-65534 <-> 65534.

Thanks. Do you want to add handling for this mapping to
pwdgrp::fetch_account_from_windows yourself or shall I do it?
I could come up with a patch in the next couple of days. I will prepare
a developer's snapshot then, so you can immediately test if it works as
desired.

Thanks again,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
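
The partitioning table quoted in this message and the agreed S-1-0-65534 <-> 65534 mapping, worked through in C as an added example (not part of the original mail and not Cygwin's code). `sid_to_uid`, `in_unused_range` and `UID_INVALID` are hypothetical names; where two table rows match, the more specific row is applied first, which is an assumption, and the S-1-5-21-... rows are left unmapped because they depend on the domain.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define UID_INVALID 0xffffffffu   /* hypothetical "no mapping" marker */

/* Parse "S-1-<auth>-<sub>-..." (decimal fields, at most 8 sub-authorities).
   Returns the number of sub-authorities, or -1 if malformed. */
static int parse_sid(const char *s, uint32_t *auth, uint32_t sub[8])
{
    char *end;
    int n = -1;                       /* -1: the next field is the authority */
    if (s[0] != 'S' || s[1] != '-' || s[2] != '1')
        return -1;
    for (end = (char *)s + 3; *end == '-' && n < 8; n++) {
        const char *p = end + 1;
        if (*p < '0' || *p > '9')     /* reject signs, blanks, empty fields */
            return -1;
        *(n < 0 ? auth : &sub[n]) = (uint32_t)strtoul(p, &end, 10);
    }
    return *end == '\0' ? n : -1;
}

/* Forward mapping for the well-known rows of the quoted table. */
uint32_t sid_to_uid(const char *s)
{
    uint32_t a = 0, sub[8] = {0};
    int n = parse_sid(s, &a, sub);
    if (n == 1 && a == 0 && sub[0] == 65534) return 65534;  /* new mapping */
    if (n == 1 && a == 5) return sub[0];                     /* S-1-5-RID */
    if (n == 2 && a == 5 && sub[0] == 32) return sub[1];     /* S-1-5-32-RID */
    if (n == 2 && a == 5) return 0x1000 * sub[0] + sub[1];   /* S-1-5-X-RID */
    if (n == 1 && a == 16) return 0x60000 + sub[0];          /* S-1-16-RID */
    if (n == 1) return 0x10000 + 0x100 * a + sub[0];         /* S-1-X-Y */
    return UID_INVALID;   /* S-1-5-21-... needs the domain; not modelled */
}

/* The range the message describes as unused: 0x1000 up to 0xffff. */
int in_unused_range(uint32_t uid) { return uid >= 0x1000 && uid <= 0xffff; }

int main(void)
{
    /* Last entry is constructed for illustration, not a well-known SID. */
    const char *t[] = { "S-1-5-18", "S-1-5-32-544", "S-1-1-0", "S-1-16-8192",
                        "S-1-0-65534", "S-1-5-15-4094" };
    for (int i = 0; i < 6; i++)
        printf("%-14s -> %u\n", t[i], (unsigned)sid_to_uid(t[i]));
    return 0;
}
```

Under the table's S-1-5-X-RID row the constructed S-1-5-15-4094 evaluates to 0xfffe, the same value as the new mapping, which is the kind of erroneous SID the quoted objection refers to.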