ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member
Thu Nov 14 01:57:00 GMT 2002
On Wed, Nov 13, 2002 at 12:32:31PM -0500, Pierre A. Humblet wrote:
> Corinna Vinschen wrote:
> > It doesn't add any overhead which isn't already there.
> If "already" is before the patch, it scans the group file instead of scanning
> the token groups. If "already" is after the patch, it scans the group file
> instead of scanning the token groups or doing nothing, depending on whether the uid
> of the file owner differs from the uid of the process.
So what? It just uses /etc/group to determine the group membership
of user "username". What's wrong with that? "username" is !=
current user so it reflects the default circumstances for that user.
I don't think we can get it better due to Win/POSIX divergence.
> The fundamental problem is that there is not enough information to know
> the "real permissions" of the owner. Is User_foo a member of Admins or not,
> at the time she accesses the file ?
Sure. We can't know that. We're reflecting the default.
> You make a lot of assumptions in your example. A more detailed description of
> the way the code works today (before patch) is this:
> If the process running ls -l is a member of Admins:
> If the process running ls -l is not a member of Admins:
> and that's the case *whether or not* User_foo is *nominally* a member of Admins.
Wait, I'm assuming that we have a corrected version of is_grp_member().
We already know that is_grp_member() isn't quite right, currently.
Let's assume is_grp_member() works as expected which means, including
my small patch plus a patch to take all groups in the ACL into account.
Then the most ugly problem - using the access token of another user -
is dropped from our analysis.
Back to the example. Assume that user_foo is a member of Admins in
the SAM. The default case is that access tokens are created with
Admin being one of the token groups.
> With the current patch, the output of ls -l would be
> if ls -l is run by somebody else than User_foo
> It would be
> if ls -l is run by User_foo if User_foo is *currently* a member of Admins, and
> if ls -l is run by User_foo if User_foo is NOT *currently* a member of Admins
> To me, that's slightly better than currently.
I'm sorry if I'm missing something here, but with my patch it would be
if ls -l is run by somebody else than User_foo.
> Note also that your example assumes implicitly that the ACL was not created
> by Cygwin.
Sure. That's the whole point in this discussion, isn't it? Pure Cygwin
ACLs are created according to POSIX rules so that's a non-issue.
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:email@example.com
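The membership question argued in this thread, as an added illustration that is not Cygwin's code: is_grp_member() is modelled as a lookup in /etc/group (the "default" Corinna refers to), and owner_mode() shows how the owner's rwx bits come out differently when membership is instead read from the token of whoever runs ls -l. All names, gids, the group file and the ACL are constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed /etc/group excerpt in Cygwin's "name:SID:gid:members" layout
# (hypothetical names and gids, not taken from any real system).
GROUP_FILE = """\
Admins:S-1-5-32-544:544:User_foo,User_bar
Users:S-1-5-32-545:545:User_foo,User_bar,User_baz
"""

def parse_group_file(text: str) -> Dict[int, Set[str]]:
    """Map gid -> member names; blank or malformed lines are skipped."""
    groups: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[int(fields[2])] = {m for m in fields[3].split(",") if m}
    return groups

def is_grp_member(username: str, gid: int, groups: Dict[int, Set[str]]) -> bool:
    """Static membership from the group file: the 'default' the thread refers to."""
    return username in groups.get(gid, set())

def owner_mode(owner: str, aces: List[Tuple[str, object, int]],
               groups: Dict[int, Set[str]],
               token_groups: Optional[Set[int]] = None) -> int:
    """rwx bits (0-7) the owner gets from aces of the form ("user", name, rwx)
    or ("group", gid, rwx). With token_groups, membership is decided by the
    running process's token (only right when the owner is the running user);
    otherwise by the group file."""
    mode = 0
    for kind, ident, bits in aces:
        if kind == "user" and ident == owner:
            mode |= bits
        elif kind == "group":
            if token_groups is not None:
                member = ident in token_groups
            else:
                member = is_grp_member(owner, ident, groups)
            if member:
                mode |= bits
    return mode

def demo() -> Dict[str, int]:
    """File owned by User_foo, ACL: User_foo r--, Admins rwx; ls -l run by
    User_baz, whose token carries only gid 545 (constructed scenario)."""
    groups = parse_group_file(GROUP_FILE)
    aces = [("user", "User_foo", 4), ("group", 544, 7)]
    return {"from_User_baz_token": owner_mode("User_foo", aces, groups, {545}),
            "from_group_file": owner_mode("User_foo", aces, groups)}
```

Reading User_baz's token yields r-- for the owner column (Admins is not in that token), while the group-file lookup yields rwx, which is the "default circumstances" for User_foo that the reply argues ls -l should reflect.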