From: Corinna Vinschen via Cygwin
Date: Mon, 19 Feb 2024 11:09:44 +0100
To: cygwin AT cygwin DOT com
Subject: Re: Group name madness: "CurrentSession" vs. "LogonSessionId_0_111590" vs. "NT AUTHORITY\LogonSessionId_0_111590" ...

On Feb 19 08:11, Roland Mainz via Cygwin wrote:
> Hi!
>
> ----
>
> While implementing chown/chgrp support in the ms-nfs41-client (Windows
> NFSv4.1 client filesystem driver) I encountered an issue with group
> names.
>
> I tried a simple $ chgrp CurrentSession myfile #, which returned
> "Permission denied".

Works for me:

  $ chgrp CurrentSession x.c
  $ ls -l x.c
  -rw-r--r-- 1 corinna CurrentSession 906 Jan 23 21:40 x.c
  $ icacls x.c
  x.c VINSCHEN\corinna:(R,W,D,WDAC,WO)
      NT AUTHORITY\LogonSessionId_0_2027255:(R)
      Everyone:(R)

  Successfully processed 1 files; Failed processing 0 files
  $

> OK, /usr/bin/id -a shows that the current user is a member of this
> group, so I added a new group called "CurrentSession" to the NFSv4.1
> server side ([1]).

Just don't do that.  This group is a *temporary* group which is created
from your login session ID.  Your login session is basically a pair of
two 32 bit values, generated via NtAllocateLocallyUniqueId().  From
there, Windows creates a SID

  S-1-5-5--

These days, when you call LookupAccountSidW() on this SID, you get the
info

  Domain: NT AUTHORITY
  Name:   LogonSessionId_0_2027255

This SID is used inside your user token to connect your token with
the login session for which this token has been created.  It can be
used for authorization purposes, but it's not meant to be used as a SID
in file ownership, even though it's possible (basically any SID can be
added to files).

So, what's that about "CurrentSession" in Cygwin?

The reason is that this is historically what Interix did.  Keep in mind
that Interix (as well as Cygwin, but that doesn't matter here) have
existed since Windows NT 3.5 times.  The above naming mechanism didn't
exist at the time.  If you fetched the Logon SID from the token and
called LookupAccountSidW() on it, the call failed, i.e., there was no
name attached to the SID.

So... given that a Logon SID is unique to the logon session, given that
the SID has no unambiguous name attached, and given that the Logon SID
makes *no sense at all* outside its session, the Interix guys decided to
solve this little problem like this:

- If the inspected token contains the Logon SID equivalent to the
  current user session, call it "CurrentSession" with unique gid 4095.

- If the inspected token contains a Logon SID which is not attached to
  the current Logon Session we're running in, call it "OtherSession"
  with the non-unique gid 4094.

This is the model Cygwin follows as well.

The Logon SIDs shouldn't really concern you in terms of file access.
From the user perspective they are barely informative at all.  They
*could* make sense in terms of temporary files, but I don't know of
any useful example.

> But that did not work either, /usr/bin/chgrp # still failed.

I can't tell you why it didn't work for you while it works out of the
box for me.  However, there isn't much sense in there to attach these
SIDs to a file.  Logout, login again, and you will have a new Logon SID
anyway ¯\_(ツ)_/¯

Corinna
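
The CurrentSession/OtherSession mapping described in the message, as an added sketch that is not part of the original mail and not Cygwin's source. The function names are hypothetical, the SIDs are constructed sample values, and the code assumes a Logon SID is written as S-1-5-5-<hi>-<lo> with both session values in decimal.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GID_CURRENT_SESSION 4095 /* unique gid, per the message */
#define GID_OTHER_SESSION   4094 /* shared by every other session */
struct logon_sid { uint32_t hi, lo; }; /* the two 32-bit session values */

/* Strictly parse one decimal 32-bit sub-authority; advances *p past it. */
static int parse_u32(const char **p, uint32_t *v)
{
    const char *s = *p;
    uint64_t acc = 0;
    if (*s < '0' || *s > '9') return 0;
    for (; *s >= '0' && *s <= '9'; s++) {
        acc = acc * 10 + (uint64_t)(*s - '0');
        if (acc > UINT32_MAX) return 0;
    }
    *p = s; *v = (uint32_t)acc;
    return 1;
}

/* Accept only "S-1-5-5-<hi>-<lo>"; anything else is not a Logon SID. */
static int parse_logon_sid(const char *sid, struct logon_sid *out)
{
    static const char prefix[] = "S-1-5-5-";
    if (strncmp(sid, prefix, sizeof prefix - 1) != 0) return 0;
    sid += sizeof prefix - 1;
    if (!parse_u32(&sid, &out->hi) || *sid++ != '-') return 0;
    return parse_u32(&sid, &out->lo) && *sid == '\0';
}

/* Map a SID to the described group; returns gid, or -1 if not a Logon SID. */
static int logon_sid_to_group(const char *sid, const char *session, const char **name)
{
    struct logon_sid s, cur;
    if (!parse_logon_sid(sid, &s) || !parse_logon_sid(session, &cur)) return -1;
    int same = (s.hi == cur.hi && s.lo == cur.lo);
    *name = same ? "CurrentSession" : "OtherSession";
    return same ? GID_CURRENT_SESSION : GID_OTHER_SESSION;
}

int main(void)
{
    const char *owner = "S-1-5-5-0-2027255", *name = ""; /* constructed SID */
    int gid = logon_sid_to_group(owner, owner, &name);
    printf("%d %s\n", gid, name); /* same session */
    gid = logon_sid_to_group(owner, "S-1-5-5-0-2031001", &name);
    printf("%d %s\n", gid, name); /* after re-login (constructed SID) */
    return 0;
}
```

Because every non-matching Logon SID collapses to gid 4094, "OtherSession" cannot be mapped back to one SID, and a file whose group is the Logon SID shows up as OtherSession after the next login.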