ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member
Pierre A. Humblet
Fri Nov 15 09:29:00 GMT 2002
Corinna Vinschen wrote:
> Yep. But as far as I'm concerned we should drop that part of your
> patch until I could update ssh.
What about putting it in with #if 0 ?
It will then be easier to turn it on when ssh is ready.
Alternatively I could add it, but add a check for group
sid is SYSTEM, and then skip the step. That would be very easy
to do, and to remove later when ssh is ready.
I like this best actually.
> > It's not a group_deny, it's an owner deny (which would go on top, so canonical
> > order is OK here).
> Oops, thick fingers...
> > Also if the owner is not in the group when alloc_sd is called, and is placed
> > in the group later, then the owner access mode of the file would change, which
> > isn't POSIX.
> > Let's look at it from another angle: what is gained by going through the trouble
> > of calling is_grp_member and possibly omitting the owner_deny?
> Since is_grp_member() isn't that slow anymore, what does it hurt to
> get the situation right in the first place? I'm somehow more and more
> convinced that this is just a matter of taste.
As far as I can see there is absolutely no advantage to calling
is_grp_member() in alloc_sd() and by potentially omitting the owner_deny
we are making the situation worse! So here I am insistent!
> > The non canonical order is produced when the group has less permission
> > than everyone, which I agree is unlikely.
> Yeah, my mind was on another issue. Time for weekend.
> > It's 100% OK with me to give preference to being nice!
> Ok. I'm really sorry that I'm making your live that hard but I assume
> you know that I'm just trying to find something as a best solution (if
> that's at all possible).
Sure, and it's reciprocal.
By the way could you ask your friend if large organizations really
use deny ACEs? Are there tools that insert them in ACLs?
Have a relaxing weekend!
More information about the Cygwin-patches