Security Identifier (SID) to User Identifier (uid) Resolution System

Steve Langasek vorlon at netexpress.net
Thu Dec 30 21:24:24 GMT 1999


On Fri, 31 Dec 1999, Leslie M. Barstow III wrote:

> > A getXXXbyYYY() interface is needed that does not hide SIDs.

> We could put the SID in the GECOS field...

This would mean appropriating an existing structure with an established
purpose, and storing *critical* information in it for which it was never
intended.
Hmm. Sounds kinda like what MS did with Kerberos. ;)

This is a very bad hack.  It's fine if individual sites choose to use
something like this, but it's not the sort of thing that should be
*recommended* by the Samba team.  There could be all kinds of information that
the existing Unix infrastructure *requires* be stored in the GECOS field,
making this a non-option for them (or at least a very painful option).

And then, imagine what happens if an admin forgets to lock down 'chfn', or any
of a handful of other utilities that let a user change his/her own GECOS
entry.  Whoops..


> > Actually, a generic interface to user credentials (POSIX, NT, whatever)
> > is needed. This might then generate interest in kernels supporting more
> > than one type of credential for processes and, eventually, for files.
> 
> > After all, the use of cred structs in many *nix kernels was done to make
> > credentials more opaque to various areas of kernel code. Let's further
> > this trend.

> This is beyond my time abilities.  If someone wants to champion this, I
> would welcome it.  The Linux community would either think (a) this is a
> good hack, or (b) it will slow down the system substantially (arbitrary
> credentials being looked up almost constantly will not be quick...)

An interface for returning arbitrary credentials wouldn't necessarily be
slower than the existing getpwnam().  In fact, the code could be almost
identical to getpwnam(), as could the structure returned, except that the
pw_passwd field would be replaced with something more complex.  The only time
I see a real slow-down occurring is if you start having to look in lots of
different places to collect all the credentials...

-Steve Langasek
postmodern programmer
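An added sketch, not code from this thread or from Samba, of the interface described above: a getpwnam()-shaped lookup whose returned entry carries the NT SID as a proper field rather than hiding it in GECOS. The names nt_sid, cred_entry and getcredbynam and the two-account directory are hypothetical and constructed for this example; the "S-1-<authority>-<sub-authorities>" string form is the standard NT textual SID.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define DIGIT(c) ((c) >= '0' && (c) <= '9')
struct nt_sid {                          /* binary form of "S-<rev>-<authority>-<subauth>..." */
    uint8_t  revision, num_auths;
    uint64_t authority;                  /* 48-bit identifier authority */
    uint32_t sub_auths[15];              /* NT allows at most 15; the last one is the RID */
};
struct cred_entry {                      /* getpwnam()-shaped; the pw_passwd slot holds the SID */
    const char *cr_name; uid_t cr_uid; gid_t cr_gid;
    struct nt_sid cr_sid;                /* a real field, not smuggled through GECOS */
};

/* Parse "S-1-5-21-...-RID" into binary form. Returns 0 on success, -1 if malformed. */
int sid_parse(const char *s, struct nt_sid *out)
{
    char *end; unsigned long v;
    if (!s || (s[0] != 'S' && s[0] != 's') || s[1] != '-' || !DIGIT(s[2])) return -1;
    memset(out, 0, sizeof *out);
    if ((v = strtoul(s + 2, &end, 10)) != 1 || *end != '-' || !DIGIT(end[1])) return -1;
    out->revision = (uint8_t)v;
    out->authority = strtoull(end + 1, &end, 10);
    while (*end == '-') {                /* each remaining "-N" is one sub-authority */
        if (!DIGIT(end[1]) || out->num_auths >= 15) return -1;
        if ((v = strtoul(end + 1, &end, 10)) > UINT32_MAX) return -1;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return (*end == '\0' && out->num_auths > 0 && out->authority <= 0xFFFFFFFFFFFFULL) ? 0 : -1;
}

static const struct { const char *name; uid_t uid; gid_t gid; const char *sid; } directory[] = {
    { "alice", 1001, 1001, "S-1-5-21-1111111111-2222222222-3333333333-1103" },
    { "bob",   1002, 1001, "S-1-5-21-1111111111-2222222222-3333333333-1104" },
};  /* constructed sample data: hypothetical accounts with placeholder SIDs */

/* getcredbynam(): same call shape as getpwnam(), but the entry carries the SID too. */
struct cred_entry *getcredbynam(const char *name)
{
    static struct cred_entry ent;        /* static result buffer, as getpwnam() uses */
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].name, name) != 0) continue;
        if (sid_parse(directory[i].sid, &ent.cr_sid) != 0) return NULL;
        ent.cr_name = directory[i].name; ent.cr_uid = directory[i].uid; ent.cr_gid = directory[i].gid;
        return &ent;
    }
    return NULL;                         /* unknown name, like getpwnam() */
}
```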


