Security Identifier (SID) to User Identifier (uid) Resolution System
Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Tue Jan 4 21:30:50 GMT 2000
> -----Original Message-----
> From: Steve Langasek [SMTP:vorlon at netexpress.net]
> Sent: Tuesday, January 04, 2000 15:04
> To: Cole, Timothy D.
> Cc: Multiple recipients of list SAMBA-TECHNICAL
> Subject: RE: Security Identifier (SID) to User Identifier (uid)
> Resolution System
>
> On Wed, 5 Jan 2000, Cole, Timothy D. wrote:
>
> > On another note, although it's not really relevant to Samba, over
> > the holiday I was actually pondering sticking a SURS-like table in a
> > hidden inode on an ext2/3 filesystem, mapping between uids/gids on the
> > disk and SIDs. The kernel patch would also include a SURS-like mapping
> > table in-kernel, which would map between SIDs and "system" uids/gids
> > (which might well be different from those on disk).
>
> > The kernel table would be filled out from userspace, having a few
> > initial entries for root and the like hard-coded. SIDs with no kernel
> > entry would map to uid/gid -2 (nobody), until such time as a mapping
> > were added from userspace. Mapping between fs uids/gids and "system"
> > uids/gids would be done by the filesystem driver, so none of the
> > existing interfaces would really have to change -- no hits from
> > comparing SIDs everywhere, it's still all word-size integers.
>
> Intriguing. It's probably not that important for a first implementation,
> but would it be possible to make the default 'nobody' SID mapping
> configurable via a mount option?
>
Hmm, that's a good idea. Yes, I would think it'd be trivial to do.
The actual kernel table lookup (which would be independent of the
filesystems) would still return -2, but since the fs driver would be the one
doing the lookup, it could return whatever uid/gid it wanted in that case.
Or, better, the lookup function could take a parameter for the
uid/gid to fall back on, which would of course be supplied by the caller,
normally the fs driver. Yes, that seems like a better design to me.
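
The lookup-with-fallback design discussed in this message, sketched in userspace C as an added example; it is not part of the original post and is not Samba or kernel code. All names (`surs_add`, `surs_sid_to_uid`, `fs_owner_uid`), the table size and the SID strings are hypothetical or constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define SURS_MAX    64             /* hypothetical fixed table size */
#define SURS_NOBODY ((uid_t)-2)    /* default from the post: -2 (nobody) */

struct surs_entry { char sid[64]; uid_t uid; };

/* Hard-coded initial entry for root; the SID string is constructed. */
static struct surs_entry surs_table[SURS_MAX] = {
    { "S-1-5-21-1111-2222-3333-500", 0 },
};
static size_t surs_count = 1;

/* Insert or update a mapping on behalf of userspace; -1 on bad input or full table. */
int surs_add(const char *sid, uid_t uid)
{
    size_t i, len;
    if (sid == NULL || (len = strlen(sid)) >= sizeof(surs_table[0].sid))
        return -1;
    for (i = 0; i < surs_count; i++)
        if (strcmp(surs_table[i].sid, sid) == 0) {
            surs_table[i].uid = uid;
            return 0;
        }
    if (surs_count == SURS_MAX)
        return -1;
    memcpy(surs_table[surs_count].sid, sid, len + 1);
    surs_table[surs_count++].uid = uid;
    return 0;
}

/* Filesystem-independent lookup: the caller names the uid to fall back on,
 * so the table itself never decides what an unmapped SID resolves to. */
uid_t surs_sid_to_uid(const char *sid, uid_t fallback)
{
    size_t i;
    if (sid != NULL)
        for (i = 0; i < surs_count; i++)
            if (strcmp(surs_table[i].sid, sid) == 0)
                return surs_table[i].uid;
    return fallback;
}
/* fs-driver side: pass the (hypothetical) per-mount "nobody" option as the fallback. */
uid_t fs_owner_uid(const char *sid, uid_t mount_nobody_uid)
{
    return surs_sid_to_uid(sid, mount_nobody_uid);
}
```

An unmapped SID resolves to whatever the caller supplies, so a driver using this shape should only ever pass an unprivileged id as the fallback.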