ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member

Corinna Vinschen cygwin-patches@cygwin.com
Thu Nov 14 01:57:00 GMT 2002

On Wed, Nov 13, 2002 at 12:32:31PM -0500, Pierre A. Humblet wrote:
> Corinna Vinschen wrote:
> > It doesn't add any overhead which isn't already there.
> > 
> If "already" is before the patch, it scans the group file instead of scanning
> the token groups. If "already" is after the patch, it scans the group file
> instead of scanning the token groups or doing nothing, depending on whether the uid
> of the file owner differs from the uid of the process.

So what?  It just uses /etc/group to determine the group membership
of user "username".  What's wrong with that?  "username" is !=
current user so it reflects the default circumstances for that user.
I don't think we can get it better due to Win/POSIX divergence.

> The fundamental problem is that there is not enough information to know
> the "real permissions" of the owner. Is User_foo a member of Admins or not,
> at the time she accesses the file ?

Sure.  We can't know that.  We're reflecting the default.

> You make a lot of assumptions in your example. A more detailed description of
> the way the code works today (before patch) is this:
> If the process running ls -l is a member of Admins:
>  rwxrwxr--
> If the process running ls -l in not a member of Admins:
>  ---rwxr--
> and that's the case *whether or not* User_foo is *nominally* a member of Admins.

Wait, I'm assuming that we have a corrected version of is_grp_member().
We already know that is_grp_member() isn't quite right, currently.
Let's assume is_grp_member() works as expected which means, including
my small patch plus a patch to take all groups in the ACL into account.
Then the most ugly problem - using the access token of another user -
is dropped from our analysis.

Back to the example.  Assume that user_foo is a member of Admins in
the SAM.  The default case is that access tokens are created with
Admin being one of the token groups.

> With the current patch, the output of ls -l would be
>  ---rwxr--
> if ls -l is run by somebody else than User_foo
> It would be 
>  rwxrwxr--
> if ls -l is run by User_foo if User_foo is *currently* a member of Admins, and
>  ---rwxr-- 
> if ls -l is run by User_foo if User_foo is NOT *currently* a member of Admins 
> To me, that's slightly better than currently.

I'm sorry if I miss something here but with my patch it would be


if ls -l is run by somebody else than User_foo.  

> Note also that your example assumes implicitly that the ACL was not created 
> by Cygwin.

Sure.  That's the whole point in this discussion, isn't it?  Pure Cygwin
ACLs are created according to POSIX rules so that's a non-issue.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
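As an added illustration of the membership question argued above (this is not Cygwin's alloc_sd()/is_grp_member() code and comes from neither poster): a simplified Python model that maps an ACL to POSIX mode bits, where the owner's bits depend on whether the owner is found in a group either through an /etc/group-style lookup or through the running process's token groups. The group names, SIDs, members, the ACL and the membership rules are constructed assumptions; the model also does not merge Everyone's permissions into the owner and group bits, which a real implementation may do.

```python
# Added illustration: a simplified model of turning a Windows-style ACL into
# POSIX mode bits. This is NOT Cygwin's alloc_sd()/is_grp_member() code; all
# names, SIDs and ACL entries below are constructed for the example.
from dataclasses import dataclass

R, W, X = 4, 2, 1

# Constructed /etc/group-style lines (name:passwd-or-SID:gid:members).
GROUP_FILE = """\
Admins:S-1-5-32-544:544:User_foo
Users:S-1-5-32-545:545:User_foo,User_bar
Everyone:S-1-1-0:0:
"""


def parse_group_file(text):
    """Return {group_name: (gid, set(members))} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def is_grp_member(groups, user, group):
    """Membership as recorded in the group file: the 'default' view, which
    can be answered for any user, not only the one running the process."""
    return user in groups.get(group, (None, set()))[1]


def token_membership(token_groups):
    """Membership as seen in the running process's access token. Only
    meaningful when the user asked about is the process's own user; for any
    other owner the group-file lookup is the only information available."""
    return lambda _user, group: group in token_groups


@dataclass(frozen=True)
class Ace:
    trustee: str  # user or group name the entry applies to
    perms: int    # bitmask of R | W | X


def acl_to_mode(groups, owner, file_group, aces, membership=None):
    """Compute (owner_bits, group_bits, other_bits) from the ACL.

    Owner bits come from ACEs naming the owner plus ACEs naming groups the
    owner belongs to (this is where the membership source matters); group
    bits from ACEs naming the file's group; other bits from Everyone.
    Simplification: Everyone's bits are not merged into owner/group.
    """
    if membership is None:
        membership = lambda user, group: is_grp_member(groups, user, group)
    owner_bits = group_bits = other_bits = 0
    for ace in aces:
        if ace.trustee == owner:
            owner_bits |= ace.perms
        elif ace.trustee in groups and membership(owner, ace.trustee):
            owner_bits |= ace.perms
        if ace.trustee == file_group:
            group_bits |= ace.perms
        if ace.trustee == "Everyone":
            other_bits |= ace.perms
    return owner_bits, group_bits, other_bits


def mode_string(bits):
    """Render (owner, group, other) bitmasks in ls -l style, e.g. 'rwxr-x---'."""
    out = []
    for b in bits:
        out.append("r" if b & R else "-")
        out.append("w" if b & W else "-")
        out.append("x" if b & X else "-")
    return "".join(out)


if __name__ == "__main__":
    groups = parse_group_file(GROUP_FILE)
    # Constructed ACL: Admins get full access, Everyone may read; the file is
    # owned by the user named below (no explicit ACE) with Admins as its group.
    acl = [Ace("Admins", R | W | X), Ace("Everyone", R)]
    for owner in ("User_foo", "User_bar"):
        print(owner, mode_string(acl_to_mode(groups, owner, "Admins", acl)))
    # Same file, but membership taken from a token that lacks Admins
    # (the owner running without the Admins group present in the token).
    tok = token_membership({"Users"})
    print("User_foo (token)",
          mode_string(acl_to_mode(groups, "User_foo", "Admins", acl, tok)))
```

With the group-file lookup, User_foo (listed under Admins) shows rwxrwxr-- while User_bar shows ---rwxr--; with a token that does not carry Admins, the same User_foo-owned file shows ---rwxr--, which is the "currently a member or not" difference discussed in the thread.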