POSIX permission mapping and NULL SIDs

[Bill Zissimopoulos]

On 6/24/16, 12:51 PM, "Corinna Vinschen" <cygwin-owner@cygwin.com on
behalf of corinna-cygwin@cygwin.com> wrote:


>>Could my mapping of the NULL SID somehow interfere with Cygwin’s ACL
>> mapping? No way right? Turns out that: yes!
>>File:winsup/cygwin/sec_acl.cc,
>> line:787
>
>Read the comment at the beginning of the file explaining how new-style
>ACLs look like.

Thank you for the pointers and the historical information.

>>I am also seeking an alternative to using the NULL SID for
>> “nobody”/“nogroup”. Is there a Cygwin suggested one?
>
>Not yet.  We're coming from the other side.  We always have *some* SID.
>pwdgrp::fetch_account_from_windows() in uinfo.cc tries to convert the SID
>to a passwd or group entry.  If everything fails, the SID is used in this
>passwd/group entry verbatim, but mapped to uid/gid -1.

I also noticed that there is no uid mapping for nobody. On my OSX box it
is -2. On many other POSIX systems it appears to be the 32-bit or 16-bit
equivalent of -2.

For the time being I am mapping unknown SID’s to -1 as per Cygwin.

>If you want some specific mapping we can arrange that, but it must not
>be the NULL SID.  If you know you're communicating with a Cygwin process,
>what about using an arbitrary, unused SID like S-1-0-42?

I am inclined to try S-1-5-7 (Anonymous). But I do not know if that is a
bad choice for some reason or other.

The main reason that I am weary of using an unused SID is that Microsoft
may decide to assign some special powers to it in a future release (e.g.
GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
namespace.

>How do you differ nobody from nogroup if you use the same SID for both,
>btw.?

I use the same SID for both nobody and nogroup. This should work as long
as you use the permission mapping from the [PERMS] document.

Bill