Security Identifier (SID) to User Identifier (uid) Resolution System

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Wed Jan 5 15:54:01 GMT 2000


> -----Original Message-----
> From:	Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org]
> Sent:	Tuesday, January 04, 2000 20:20
> To:	Cole, Timothy D.
> Cc:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	RE: Security Identifier (SID) to User Identifier (uid) Resolution System
> 
> > > > From:	Steve Langasek [SMTP:vorlon at netexpress.net]
> > > > Sent:	Tuesday, January 04, 2000 15:04
> > > > To:	Cole, Timothy D.
> > > > Cc:	Multiple recipients of list SAMBA-TECHNICAL
> > > > Subject:	RE: Security Identifier (SID) to User Identifier (uid) Resolution System
> > > > 
> > > > On Wed, 5 Jan 2000, Cole, Timothy D. wrote:
> > > > 
> > > > > 	On another note, although it's not really relevant to Samba, over
> > > > > the holiday I was actually pondering sticking a SURS-like table in a
> > > > > hidden inode on an ext2/3 filesystem, mapping between uids/gids on the
> > > > > disk and SIDs.  The kernel patch would also include a SURS-like mapping
> > > > > table in-kernel, which would map between SIDs and "system" uids/gids
> > > > > (which might well be different from those on disk).
> > > > 
> > > > > 	The kernel table would be filled out from userspace, having a few
> > > > > initial entries for root and the like hard-coded.   SIDs with no kernel
> > > > > entry would map to uid/gid -2 (nobody), until such time as a mapping
> > > > > were added from userspace.  Mapping between fs uids/gids and "system"
> > > > > uids/gids would be done by the filesystem driver, so none of the existing
> > > > > interfaces would really have to change -- no hits from comparing SIDs
> > > > > everywhere, it's still all word-size integers.
> > > > 
> > > > Intriguing.  It's probably not that important for a first implementation,
> > > > but would it be possible to make the default 'nobody' SID mapping
> > > > configurable via a mount option?
> > > > 
> > > 	Hmm, that's a good idea.  Yes, I would think it'd be trivial to do.
> > > 
> > > 	The actual kernel table lookup (which would be independent of the
> > > filesystems) would still return -2, but since the fs driver would be the
> > > one doing the lookup, it could return whatever uid/gid it wanted in that
> > > case.
> > > 
> > > 	Or, better, the lookup function could take a parameter for the
> > > uid/gid to fall back on, which would of course be supplied by the caller,
> > > normally fs driver.  Yes, that seems like a better design to me.
> > > 
> > 	Luke has a point though (I just read and responded to his message);
> > you don't really want to squash a bunch of SIDs into the same user.
> > 
> > 	-2/nobody isn't really a user, so that's not quite the same thing.
> 
> 
> samba uses nobody, by default, as the guest user.
> 
	Doh, you're right.  Yes, that wouldn't do at all then.  I'm too used
to the specific configuration here -- HP-UX doesn't ALLOW anything to become
uid -2 (we had to create a separate guest account for samba).
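The design sketched in the quoted discussion, as an added illustration that is not code from the thread, from Samba, or from any kernel: a small SID-to-uid table with a few hard-coded entries, a lookup that takes a caller-supplied fallback uid (the variant Cole ends up preferring), a per-mount fallback standing in for Steve's mount-option idea, and a check that makes Luke's objection concrete, namely that every unmapped SID collapses onto the one fallback uid. All SID strings, uids and the `sid_table_*` / `fs_mount` names are constructed for the example; gids would be handled identically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOBODY_UID   (-2)   /* the thread's default for SIDs with no kernel entry */
#define MAX_MAPPINGS 64

/* One SID -> uid mapping, SID kept in its textual form (constructed sample values). */
struct sid_map_entry {
    char    sid[64];
    int32_t uid;
};

static struct sid_map_entry sid_table[MAX_MAPPINGS];
static size_t               sid_table_len = 0;

/* Add or replace a mapping, as userspace would fill the in-kernel table.
 * Returns 0 on success, -1 when the table is full. */
static int sid_table_add(const char *sid, int32_t uid)
{
    for (size_t i = 0; i < sid_table_len; i++) {
        if (strcmp(sid_table[i].sid, sid) == 0) {
            sid_table[i].uid = uid;          /* update an existing entry */
            return 0;
        }
    }
    if (sid_table_len == MAX_MAPPINGS)
        return -1;
    strncpy(sid_table[sid_table_len].sid, sid, sizeof sid_table[0].sid - 1);
    sid_table[sid_table_len].sid[sizeof sid_table[0].sid - 1] = '\0';
    sid_table[sid_table_len].uid = uid;
    sid_table_len++;
    return 0;
}

/* Hard-coded initial entries "for root and the like"; the SID is a placeholder. */
static void sid_table_init(void)
{
    sid_table_len = 0;
    sid_table_add("S-1-5-21-EXAMPLE-500", 0);   /* constructed: admin SID -> root */
}

/* The lookup with a caller-supplied fallback: the table itself stays
 * filesystem-independent, and the caller decides what an unknown SID becomes. */
static int32_t sid_to_uid(const char *sid, int32_t fallback_uid)
{
    for (size_t i = 0; i < sid_table_len; i++)
        if (strcmp(sid_table[i].sid, sid) == 0)
            return sid_table[i].uid;
    return fallback_uid;
}

/* Per-mount state standing in for a mount option that picks the fallback. */
struct fs_mount {
    int32_t unknown_sid_uid;
};

/* What a filesystem driver would call when resolving an on-disk SID to a "system" uid. */
static int32_t fs_resolve_owner(const struct fs_mount *mnt, const char *sid)
{
    return sid_to_uid(sid, mnt->unknown_sid_uid);
}

/* Luke's objection made testable: with a single fallback, two distinct SIDs that
 * have no mapping yet resolve to the same uid, so their files become
 * indistinguishable (and, where that uid is Samba's guest, guest-owned).
 * Returns 1 when the two SIDs collide, 0 otherwise. */
static int unmapped_sids_collide(const struct fs_mount *mnt, const char *sid_a, const char *sid_b)
{
    return fs_resolve_owner(mnt, sid_a) == fs_resolve_owner(mnt, sid_b);
}

int main(void)
{
    struct fs_mount default_mnt = { NOBODY_UID };   /* the thread's default */
    struct fs_mount custom_mnt  = { 65534 };        /* constructed: fallback chosen at mount time */

    sid_table_init();
    sid_table_add("S-1-5-21-EXAMPLE-1001", 1001);  /* constructed: a mapped user */

    printf("mapped user  -> %d\n", fs_resolve_owner(&default_mnt, "S-1-5-21-EXAMPLE-1001"));
    printf("admin        -> %d\n", fs_resolve_owner(&default_mnt, "S-1-5-21-EXAMPLE-500"));
    printf("unknown      -> %d (default mount)\n", fs_resolve_owner(&default_mnt, "S-1-5-21-EXAMPLE-1002"));
    printf("unknown      -> %d (custom mount)\n",  fs_resolve_owner(&custom_mnt,  "S-1-5-21-EXAMPLE-1002"));
    printf("two unmapped SIDs collide: %s\n",
           unmapped_sids_collide(&default_mnt, "S-1-5-21-EXAMPLE-1002", "S-1-5-21-EXAMPLE-1003") ? "yes" : "no");
    return 0;
}
```

The collision check is the point of the example: the fallback parameter keeps the table generic and lets each mount choose its own default, but it does not by itself avoid merging unrelated SIDs, which is why the thread backs away from using the guest uid for that purpose.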

