Security Identifier (SID) to User Identifier (uid) Resolution System

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Wed Jan 5 16:10:10 GMT 2000


> -----Original Message-----
> From:	Steve Langasek [SMTP:vorlon at netexpress.net]
> Sent:	Tuesday, January 04, 2000 20:40
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	RE: Security Identifier (SID) to User Identifier (uid) Resolution System
> 
> On Wed, 5 Jan 2000, Luke Kenneth Casson Leighton wrote:
> 
> > > 	Well, I said what I did under the assumption that there would be no
> > > mapping from -2 back to any SID (i.e. the mapping function would fail).
> 
> > the mapping from SID to unknown uid MUST fail.  the mapping from uid to
> > unknown SID MUST fail.
> 
> Wouldn't this be a cosmetic issue?  If the driver only allows access to the
> resource if it can successfully map a uid/gid to an SID, and it's explicit
> that the 'nobody' uid will *not* map to an SID, then it will only *appear*
> that user 'nobody' has read/write/whatever access.  That, IMHO, is a lot
> better than returning -1 from stat() and having to invent a new errno for the
> occasion.  Returning a uid that no one on the system is supposed to be
> using should be relatively harmless, as long as it doesn't mean that POSIX uid
> isn't *really* granted illegitimate access to the file.
> 
	Well, that's a good point; I hadn't actually realized that it's not
really a problem _as long as the mapping is one-way_.

	We can't really just allow stat() to fail, either -- imagine what
would happen if the root of the filesystem had a primary group with an
unknown SID.  That shouldn't actually affect anyone else's access to
anything one way or another (and doesn't in similar situations under NT), but
if stat() just failed, it'd really screw all kinds of things up very very
badly.

	So, I'm kind of back to my original position on this -- "cosmetic"
(one-way) mappings for unknown SIDs are probably desirable.  Samba does
normally use uid -2/nobody for guest users, but thinking about it now, are
there any circumstances under which it would ... hmm, yes, there probably is
an SID nobody should map to.  So that's out on most Samba systems.

	Yeah, it looks like probably the best way to do this is to make the
"fallback" uid a parameter to the SID lookup function, and have the
filesystem get that via a mount option.  It then falls to the administrator
to make sure it's a uid without an SID mapping, but that's really a policy
decision anyway -- there are SOME circumstances (i.e. data recovery), where
it might actually be desirable to "squash-map" the thing to a valid SID.
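
The one-way fallback mapping discussed in this message, as an added sketch in C that is not part of the original post or of Samba's code. The table, the function names (`sid_to_uid`, `uid_to_sid`, `sid_to_display_uid`, `may_access`, `check_fallback_uid`) and the sample SIDs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
/* Constructed sample table: these SIDs and uids are illustrative only. */
static const struct sid_map { const char *sid; uid_t uid; } table[] = {
    { "S-1-5-21-1111-2222-3333-1001", 1001 },
    { "S-1-5-21-1111-2222-3333-1002", 1002 },
};
#define NMAP (sizeof table / sizeof table[0])

/* Strict lookups used for access decisions: an unknown SID or uid fails. */
int sid_to_uid(const char *sid, uid_t *out) {
    for (size_t i = 0; i < NMAP; i++)
        if (strcmp(table[i].sid, sid) == 0) { *out = table[i].uid; return 0; }
    return -1;
}
int uid_to_sid(uid_t uid, const char **out) {
    for (size_t i = 0; i < NMAP; i++)
        if (table[i].uid == uid) { *out = table[i].sid; return 0; }
    return -1;
}

/* Cosmetic lookup for stat(): never fails, shows the fallback uid instead. */
uid_t sid_to_display_uid(const char *sid, uid_t fallback) {
    uid_t uid;
    return sid_to_uid(sid, &uid) == 0 ? uid : fallback;
}

/* Access is granted only when the caller's uid maps to the owning SID. */
int may_access(uid_t caller, const char *owner_sid) {
    const char *caller_sid;
    if (uid_to_sid(caller, &caller_sid) != 0) return 0;
    return strcmp(caller_sid, owner_sid) == 0;
}

/* Mount-time check: 0 if the fallback uid has no SID mapping (one-way). */
int check_fallback_uid(uid_t fallback) {
    const char *sid;
    return uid_to_sid(fallback, &sid) == 0 ? -1 : 0;
}

int main(void) {
    uid_t nobody = (uid_t)-2;  /* fallback uid, as a mount option would supply */
    const char *unknown = "S-1-5-21-9999-8888-7777-500";  /* constructed SID */
    printf("fallback ok: %d\n", check_fallback_uid(nobody) == 0);
    printf("stat shows uid %lu\n", (unsigned long)sid_to_display_uid(unknown, nobody));
    printf("nobody may access: %d\n", may_access(nobody, unknown));
    return 0;
}
```

A file owned by an unknown SID is displayed with the fallback uid, yet a process running as that uid is still denied because the reverse lookup fails.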



