This is the mail archive of the
mailing list for the Cygwin project.
Re: POSIX permission mapping and NULL SIDs
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Bill Zissimopoulos <billziss at navimatics dot com>, cygwin at cygwin dot com
- Date: Mon, 27 Jun 2016 12:23:24 +0300
- Subject: Re: POSIX permission mapping and NULL SIDs
- Authentication-results: sourceware.org; auth=none
- Authentication-results: smtp4o.mail.yandex.net; dkim=pass header dot i= at yandex dot ru
- References: <D392BA70 dot 95D4%billziss at navimatics dot com> <20160624195144 dot GB27089 at calimero dot vinschen dot de> <D392F074 dot 962E%billziss at navimatics dot com> <20160624215948 dot GD27089 at calimero dot vinschen dot de> <D39583E5 dot 96E3%billziss at navimatics dot com>
- Reply-to: cygwin at cygwin dot com
Greetings, Bill Zissimopoulos!
>>> The main reason that I am weary of using an unused SID is that Microsoft
>>> may decide to assign some special powers to it in a future release (e.g.
>>> GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
>>I think it's very unlikely. We could chose any RID value we like and
>>the chance for collision is nil. When I created the new implementation
>>for POSIX ACLs, I toyed around with this already and used a special
>>Cygwin SID within the NULL SID AUTHORITY. I'm not entirely sure why I
>>changed this to the NULL SID deny ACE. I think I disliked the fact that
>>almost every Cygwin ACL would contain a mysterious "unknown SID".
> Ideally we should choose a SID that:
> (1) Is very unlikely to be used by Microsoft at any point in the future.
> (2) Cannot be associated to a user logon for any reason (see problem with
> Anonymous SID) above.
> (3) Maps to a reasonable UID in Cygwin.
> I propose the following SID/UID mapping:
> S-1-0-99 <=> UID 0xffffffff (32-bit -1)
Why not S-1-0-65535 ? It'll map to 0x1FFFF then without any special rules.
> This is a SID in the S-1-0 (Null Authority) namespace (same one that
> contains the NULL SID), which is unlikely to be used by Microsoft. So it
> likely satisfies (1).
> For the same reason (that it is a new/unused SID in the S-1-0) namespace,
> I think it also satisfies (2).
> If we follow the rules from Cygwinâs "POSIX accounts, permission, and
> securityâ document [IDMAP], the SID S-1-0-99 maps to 0x10063. But we can
> make a special rule for this SID to map it to a different UID. Mapping it
> to -1 may be the easiest option, but perhaps we can also consider mapping
> it to 0xfffffffe (-2).
> [IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html
With best regards,
Monday, June 27, 2016 12:08:13
Sorry for my terrible english...