Security Identifier (SID) to User Identifier (uid) Resolution System
Luke Kenneth Casson Leighton
lkcl at samba.org
Wed Jan 5 01:20:08 GMT 2000
> > > From: Steve Langasek [SMTP:vorlon at netexpress.net]
> > > Sent: Tuesday, January 04, 2000 15:04
> > > To: Cole, Timothy D.
> > > Cc: Multiple recipients of list SAMBA-TECHNICAL
> > > Subject: RE: Security Identifier (SID) to User Identifier (uid)
> > > Resolution System
> > >
> > > On Wed, 5 Jan 2000, Cole, Timothy D. wrote:
> > >
> > > > On another note, although it's not really relevant to Samba, over
> > > > the holiday I was actually pondering sticking a SURS-like table in a
> > > > hidden inode on an ext2/3 filesystem, mapping between uids/gids on
> > > > the disk and SIDs. The kernel patch would also include a SURS-like
> > > > mapping table in-kernel, which would map between SIDs and "system"
> > > > uids/gids (which might well be different from those on disk).
> > >
> > > > The kernel table would be filled out from userspace, having a few
> > > > initial entries for root and the like hard-coded. SIDs with no
> > > > kernel entry would map to uid/gid -2 (nobody), until such time as a
> > > > mapping were added from userspace. Mapping between fs uids/gids and
> > > > "system" uids/gids would be done by the filesystem driver, so none
> > > > of the existing interfaces would really have to change -- no hits
> > > > from comparing SIDs everywhere, it's still all word-size integers.
> > >
> > > Intriguing. It's probably not that important for a first
> > > implementation, but would it be possible to make the default 'nobody'
> > > SID mapping configurable via a mount option?
> > >
> > Hmm, that's a good idea. Yes, I would think it'd be trivial to do.
> >
> > The actual kernel table lookup (which would be independent of the
> > filesystems) would still return -2, but since the fs driver would be the
> > one doing the lookup, it could return whatever uid/gid it wanted in that
> > case.
> >
> > Or, better, the lookup function could take a parameter for the
> > uid/gid to fall back on, which would of course be supplied by the caller,
> > normally the fs driver. Yes, that seems like a better design to me.
> >
> Luke has a point though (I just read and responded to his message);
> you don't really want to squash a bunch of SIDs into the same user.
>
> -2/nobody isn't really a user, so that's not quite the same thing.
samba uses nobody, by default, as the guest user.
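The lookup-with-fallback design sketched in the quoted text, written out as a small user-space C model. This is an added example, not Samba code and not any kernel patch from the thread: a table of SID-to-id entries, a parser for textual SIDs, and a lookup that returns whatever fallback id the caller passes when no entry exists, so a filesystem driver can hand in the value from a mount option instead of the table's hard-coded -2. The domain SID S-1-5-21-1111-2222-3333, the two mapped accounts, the 65534 alternative nobody value and the `nobody=` mount option name are all constructed for the example.

```c
/* Model of a SURS-style SID -> uid/gid lookup with a caller-supplied
 * fallback. Added example, not Samba or kernel code; the SIDs and ids in
 * demo_table() are constructed for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTH 15
#define TABLE_MAX   64
#define NOBODY_ID   (-2)   /* the in-kernel default from the thread */

typedef struct {
    uint8_t  revision;
    uint64_t authority;            /* 48-bit identifier authority */
    uint8_t  num_subauth;
    uint32_t subauth[MAX_SUBAUTH];
} sid_t;

typedef struct {
    sid_t   sid;
    int32_t id;                    /* uid or gid this SID maps to */
} surs_entry_t;

typedef struct {
    surs_entry_t entries[TABLE_MAX];
    size_t       count;
} surs_table_t;

/* Parse one decimal field; rejects signs, blanks and values above max. */
static bool parse_field(const char **s, unsigned long long max, unsigned long long *v)
{
    char *end;
    if (!isdigit((unsigned char)**s))
        return false;
    *v = strtoull(*s, &end, 10);   /* overflow yields ULLONG_MAX, caught below */
    if (*v > max)
        return false;
    *s = end;
    return true;
}

/* Parse textual "S-R-A-X-Y-..." into a sid_t (decimal authority only). */
bool sid_parse(const char *s, sid_t *out)
{
    unsigned long long v;

    if (s == NULL || out == NULL || s[0] != 'S' || s[1] != '-')
        return false;
    s += 2;
    if (!parse_field(&s, 255, &v) || *s != '-')
        return false;
    out->revision = (uint8_t)v;
    s++;
    if (!parse_field(&s, 0xFFFFFFFFFFFFULL, &v))
        return false;
    out->authority = v;
    out->num_subauth = 0;
    while (*s == '-') {
        if (out->num_subauth >= MAX_SUBAUTH)
            return false;
        s++;
        if (!parse_field(&s, 0xFFFFFFFFULL, &v))
            return false;
        out->subauth[out->num_subauth++] = (uint32_t)v;
    }
    return *s == '\0' && out->num_subauth > 0;
}

bool sid_equal(const sid_t *a, const sid_t *b)
{
    return a->revision == b->revision && a->authority == b->authority &&
           a->num_subauth == b->num_subauth &&
           memcmp(a->subauth, b->subauth, a->num_subauth * sizeof(uint32_t)) == 0;
}

/* Add a mapping; false on a malformed SID or a full table. */
bool surs_add(surs_table_t *t, const char *sidstr, int32_t id)
{
    if (t->count >= TABLE_MAX || !sid_parse(sidstr, &t->entries[t->count].sid))
        return false;
    t->entries[t->count].id = id;
    t->count++;
    return true;
}

/* The table never decides what an unknown SID becomes: the caller
 * (normally the fs driver) passes the id to fall back on. */
int32_t surs_lookup(const surs_table_t *t, const sid_t *sid, int32_t fallback)
{
    for (size_t i = 0; i < t->count; i++)
        if (sid_equal(&t->entries[i].sid, sid))
            return t->entries[i].id;
    return fallback;
}

int32_t surs_lookup_str(const surs_table_t *t, const char *sidstr, int32_t fallback)
{
    sid_t sid;
    if (!sid_parse(sidstr, &sid))
        return fallback;   /* an unparseable SID is treated like an unknown one */
    return surs_lookup(t, &sid, fallback);
}

/* Constructed table: a made-up domain SID with two accounts mapped. */
void demo_table(surs_table_t *t)
{
    t->count = 0;
    surs_add(t, "S-1-5-21-1111-2222-3333-500", 0);     /* domain admin -> root */
    surs_add(t, "S-1-5-21-1111-2222-3333-1001", 1000); /* a user -> uid 1000 */
}

int main(void)
{
    surs_table_t t;
    demo_table(&t);
    /* Mapped SID: the table answers. Unmapped: whatever the caller chose;
     * a driver mounted with a hypothetical nobody=65534 option passes 65534. */
    printf("%d\n", surs_lookup_str(&t, "S-1-5-21-1111-2222-3333-500", NOBODY_ID));
    printf("%d\n", surs_lookup_str(&t, "S-1-5-21-1111-2222-3333-9999", NOBODY_ID));
    printf("%d\n", surs_lookup_str(&t, "S-1-5-21-1111-2222-3333-9999", 65534));
    return 0;
}
```

The fallback is a parameter rather than a table-wide constant so that two filesystems mounted with different options can get different answers from the same in-kernel table; a malformed SID string is deliberately routed to the same fallback as an unknown SID, since a parser error should never produce a stronger identity than "unmapped".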