Security Identifier (SID) to User Identifier (uid) Resolution System

Steve Langasek vorlon at netexpress.net
Wed Jan 5 02:10:19 GMT 2000


On Wed, 5 Jan 2000, Luke Kenneth Casson Leighton wrote:

> hum, don't know exactly what's going on, here.  like i keep mentioning,
> i'm not a unix expert.

> as long as you're not telling me that you want to use nobody(-2) as an NT
> user, i think that's ok, but i don't quite get why.

> ... how does not mapping to a uid make a user "appear" to have rwx/
> access?  what kind of access?  and are you referring to "user "appearing""
> as an nt user or a unix user?

A Unix user.  So far, we're talking about stuff that's internal to the Linux
kernel, so NT users don't enter into the equation.

Timothy could probably explain better, since he's the one talking about
writing this driver, but if I understand correctly, ACLs based on SIDs would
be stored on the ext2/3 filesystem, and the kernel would have an internal
table for mapping these SIDs to uids or gids.  An application making calls
to the Linux kernel via the POSIX API would be given the uid/gid in response
to a query about a file, and this uid/gid would be nobody(-2) if the SID can't
be mapped to any other user/group.  /However/, there would be no inverse
mapping of the POSIX nobody, so a setuid() call to 'nobody' would not suddenly
grant the application access to these unclaimed resources.


-Steve Langasek
postmodern programmer
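The one-way mapping Steve describes, written out as a small added example (this is not code from the thread or from any Samba or kernel driver): unknown SIDs resolve to nobody(-2) on the forward lookup, and the access check treats that sentinel as matching no caller, so a process that has done setuid() to nobody gains nothing from unclaimed ACL entries. The SID strings, the table contents, the `sid_to_uid`, `acl_check` and `acl_check_naive` functions and the sample ACL are all assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Unmapped SIDs resolve to nobody(-2), as in the post. */
#define UID_NOBODY ((uid_t)-2)

#define PERM_R 4
#define PERM_W 2
#define PERM_X 1

/* One row of the kernel's (hypothetical) SID -> uid table. */
typedef struct {
    const char *sid;
    uid_t uid;
} sid_map_entry;

/* Constructed sample table; the SIDs are made up for this example. */
static const sid_map_entry sid_table[] = {
    { "S-1-5-21-1000-2000-3000-1001", 1001 },
    { "S-1-5-21-1000-2000-3000-1002", 1002 },
};

/* Forward lookup only: a SID with no table row comes back as nobody.
 * There is deliberately no uid -> SID function in this file. */
uid_t sid_to_uid(const char *sid)
{
    size_t i;
    for (i = 0; i < sizeof sid_table / sizeof sid_table[0]; i++)
        if (strcmp(sid_table[i].sid, sid) == 0)
            return sid_table[i].uid;
    return UID_NOBODY;
}

/* An access-control entry as it would sit on disk: a SID plus rwx bits. */
typedef struct {
    const char *sid;
    int perms;
} sid_acl_entry;

/* Constructed ACL for a sample file: one entry for a known user and one
 * whose SID is not in the table (an "unclaimed" entry). */
static const sid_acl_entry sample_acl[] = {
    { "S-1-5-21-1000-2000-3000-1001", PERM_R | PERM_W },
    { "S-1-5-21-4444-5555-6666-7777", PERM_R | PERM_W | PERM_X },
};
#define SAMPLE_ACL_LEN (sizeof sample_acl / sizeof sample_acl[0])

/* Naive check: compares the caller's uid with whatever the SID mapped to,
 * nobody included. This is the behaviour the post wants to avoid: a process
 * that has done setuid() to nobody would match every unclaimed entry. */
int acl_check_naive(const sid_acl_entry *acl, size_t n, uid_t caller, int want)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (sid_to_uid(acl[i].sid) == caller && (acl[i].perms & want) == want)
            return 1;
    return 0;
}

/* Check matching the post's design: nobody is a one-way sentinel, so an
 * entry that resolves to it matches no caller, not even a caller whose
 * uid is nobody. */
int acl_check(const sid_acl_entry *acl, size_t n, uid_t caller, int want)
{
    size_t i;
    for (i = 0; i < n; i++) {
        uid_t owner = sid_to_uid(acl[i].sid);
        if (owner == UID_NOBODY)
            continue;               /* unclaimed: never grants anything */
        if (owner == caller && (acl[i].perms & want) == want)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("uid 1001 read:        %d\n",
           acl_check(sample_acl, SAMPLE_ACL_LEN, 1001, PERM_R));
    printf("nobody read (naive):  %d\n",
           acl_check_naive(sample_acl, SAMPLE_ACL_LEN, UID_NOBODY, PERM_R));
    printf("nobody read (fixed):  %d\n",
           acl_check(sample_acl, SAMPLE_ACL_LEN, UID_NOBODY, PERM_R));
    return 0;
}
```

The difference between the two check functions is the whole point of the design: the sentinel is a valid answer to "what uid does this SID map to", but it is never a valid answer to "which SID does this uid correspond to", so the unclaimed entries stay unreachable from the POSIX side.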



More information about the samba-technical mailing list