POSIX permission mapping and NULL SIDs

Corinna Vinschen corinna-cygwin@cygwin.com
Tue Jun 28 11:08:00 GMT 2016 

On Jun 27 19:01, Bill Zissimopoulos wrote:
> 
> >Why don't we just follow Fedora Linux here and use a mapping to either
> >99 (nobody) or 65534 (nfsnobody)?  Both uid values are ununsed in the
> >mapping and 65534 aka 0xfffe has the additional advantage that it's not
> >mapped at all (all values between 0x1000 and 0xffff are invalid).
> >
> >Also, since 65534 is -2 in a 16 bit uid it seems like a natural choice
> >to me.
> >
> >So, what about S-1-0-65534 <-> 65534, name of "{nfs}nobody"?
> 
> I am happy with the S-1-0-65534 *SID*, but I note that the 65534 *UID* is
> perhaps *not* a good choice. It is actually already mapped to
> S-1-5-15-4095, according to your own [IDMAP] document:
> 
> S-1-5-X-RID                          <=> uid/gid: 0x1000 * X + RID
> 
> With X=15 and RID=4095, we get uid==65534.

This doesn't make any sense.  This is an entirely artificial example of
how one can construct arbitrary SIDs.

> Unfortunately S-1-5-15 is the
> SID for "This Organization” according to the “Well-known security
> identifiers in Windows operating systems” document [WKSID]. OTOH, because
> S-1-5-15 is a “leaf” SID and not a “namespace” it may be possible to
> assume that the S-1-5-15-4095 SID cannot appear (I am not sure about that).

There is no such SID and there never will be.

Ok.  Please keep in mind that

a) there can't be a bijective mapping between arbitrary length SIDs
   and a 32 bit uid/gid.

b) The mapping used in Cygwin is not self-created but (mostly, except
   for a single deviation) identical to the Interix mapping.  The code
   basically follows how this mapping has been defined by Microsoft.

> BTW, I have here a partitioning of the UID namespace that may help choose
> the right mapping:
> 
> /*
>  * UID namespace partitioning (from [IDMAP] rules):
>  *
>  * 0x000000 + RID              S-1-5-RID,S-1-5-32-RID
>  * 0x000ffe                    OtherSession
>  * 0x000fff                    CurrentSession
>  * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]:
> X=1-15,17-21,32,64,80,83)
>  * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
>  * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
>  * 0x060000 + RID              S-1-16-RID
>  * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
>  */

You're aware that I wrote the code for this mapping as well as its
documentation? :)

> Clearly the namespace is very busy with multiple overlapping ranges.

The overlapping is much alleviated by the fact that only certain SIDs
can exist, plus the fact that AD admins can choose an offset value for
AD accounts of various domains.  Search for "trustPosixOffset" in
https://cygwin.com/cygwin-ug-net/ntsec.html.

> With all that and to help conclude this thread I gather here all the
> proposed mappings. Corinna, I will use the one which you prefer the most:
> 
> S-1-0-65534                    <-> 65534

This one is still my favorite.  Again, the range from 0x1000 up to
0xffff is unused.  Right now any incoming uid/gid value in this range
for a reverse SID lookup is treated as invalid SID.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20160628/c6370200/attachment.sig>

More information about the Cygwin mailing list