POSIX permission mapping and NULL SIDs

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Jun 29 08:43:00 GMT 2016


On Jun 28 18:06, Bill Zissimopoulos wrote:
> On 6/28/16, 3:27 AM, "Corinna Vinschen" <cygwin-owner@cygwin.com on behalf
> of corinna-cygwin@cygwin.com> wrote:
> >Ok. Please keep in mind that
> >
> >a) there can't be a bijective mapping between arbitrary length SIDs
> > and a 32 bit uid/gid.
> >
> >b) The mapping used in Cygwin is not self-created but (mostly, except
> > for a single deviation) identical to the Interix mapping. The code
> > basically follows how this mapping has been defined by Microsoft.
>
> Corinna, please stop explaining things to me that I already know.

Sorry but I don't grok this. During this discussion you were explaining
things to me which I obviously had to know. If I'm explaining things to
you you already know, well, sorry about that. Your attempt at creating
an artificial SID just to prove that a collision could be constructed
looked like you didn't understand how well-known Windows SIDs work and
are constructed, and that there's no way for a collision from a valid
Windows SID here.

> >> BTW, I have here a partitioning of the UID namespace that may help choose
> >> the right mapping:
> >> 
> >> /*
> >> * UID namespace partitioning (from [IDMAP] rules):
> >> *
> >> * 0x000000 + RID S-1-5-RID,S-1-5-32-RID
> >> * 0x000ffe OtherSession
> >> * 0x000fff CurrentSession
> >> * 0x001000 * X + RID S-1-5-X-RID ([WKSID]: X=1-15,17-21,32,64,80,83)
> >> * 0x010000 + 0x100 * X + Y S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
> >> * 0x030000 + RID S-1-5-21-X-Y-Z-RID
> >> * 0x060000 + RID S-1-16-RID
> >> * 0x100000 + RID S-1-5-21-X-Y-Z-RID
> >> */
> >
> >You're aware that I wrote the code for this mapping as well as its
> >documentation? :)
>
> Corinna, of course I am aware of that. I have found your original post to
> this list about it. Why would you think otherwise? And why would it change
> anything?

If that's the case, then why do you explain all these things to me? I'm
a bit at a loss to see the difference between me explaining things to
you you already know vs. you explaining things to me I already know.
Aren't we kind of on par here?
But, never mind.

> >> With all that and to help conclude this thread I gather here all the
> >> proposed mappings. Corinna, I will use the one which you prefer the most:
> >> 
> >> S-1-0-65534 <-> 65534
> >
> >This one is still my favorite. Again, the range from 0x1000 up to
> >0xffff is unused. Right now any incoming uid/gid value in this range
> >for a reverse SID lookup is treated as invalid SID.
>
> I disagree. You are saying that it is unused, but a (perhaps erroneous)
> SID would map into that space.

Yes that's possible. However, where would this erroneous SID come from?
The chances that a SID comes in which gets converted to uid/gid 0xfffffffe
is actually higher. See UNIX_POSIX_OFFSET.

> In any case I will use your mapping of S-1-0-65534 <-> 65534.

Thanks. Do you want to add handling for this mapping to
pwdgrp::fetch_account_from_windows yourself or shall I do it? I could
come up with a patch in the next couple of days. I will prepare a
developer's snapshot then, so you can immediately test if it works as
desired.
Thanks again,
Corinna
-- 
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
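
The UID namespace partitioning quoted in this message, written out as a forward SID-to-uid/gid mapping with the S-1-0-65534 <-> 65534 special case placed first. This is an added example, not Cygwin's code and not part of the original mail; `parse_sid`, `sid_to_id` and `ID_INVALID` are hypothetical names, the S-1-16 row is assumed to take precedence over the generic S-1-X-Y row, and the session and S-1-5-21 rows are left out because they need logon, machine or domain context.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ID_INVALID 0xffffffffu  /* hypothetical "no mapping" marker */

/* Parse "S-1-<auth>-<sub>-..." (at most 8 subauthorities).
   Returns the subauthority count, or -1 if the string is malformed. */
static int parse_sid(const char *s, uint32_t *auth, uint32_t sub[8])
{
    char *end;
    int n = 0;
    if (strncmp(s, "S-1-", 4) != 0 || s[4] < '0' || s[4] > '9')
        return -1;
    *auth = (uint32_t)strtoul(s + 4, &end, 10);
    while (*end == '-') {
        const char *p = end + 1;
        if (n == 8 || *p < '0' || *p > '9')
            return -1;
        sub[n++] = (uint32_t)strtoul(p, &end, 10);
    }
    return *end == '\0' ? n : -1;
}

/* Forward mapping SID -> uid/gid for the context-free rows of the table. */
uint32_t sid_to_id(const char *sid)
{
    uint32_t auth, sub[8];
    int n = parse_sid(sid, &auth, sub);
    if (n < 1) return ID_INVALID;
    if (auth == 0 && n == 1 && sub[0] == 65534) return 65534;  /* mapping agreed in this thread */
    if (auth == 5 && n == 1) return sub[0];                    /* S-1-5-RID */
    if (auth == 5 && n == 2 && sub[0] == 32) return sub[1];    /* S-1-5-32-RID */
    if (auth == 5 && n == 2) return 0x1000 * sub[0] + sub[1];  /* S-1-5-X-RID, X not range-checked */
    if (auth == 16 && n == 1) return 0x60000 + sub[0];         /* S-1-16-RID */
    if (n == 1 && ((auth >= 1 && auth <= 4) || auth == 9))
        return 0x10000 + 0x100 * auth + sub[0];                /* S-1-X-Y */
    return ID_INVALID;  /* S-1-5-21-... rows need machine/domain SIDs */
}

int main(void)
{
    const char *samples[] = { "S-1-0-65534", "S-1-5-18", "S-1-5-32-544",
                              "S-1-2-0", "S-1-5-21-1-2-3-1001" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-22s -> 0x%x\n", samples[i], (unsigned)sid_to_id(samples[i]));
    return 0;
}
```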