Security Identifier (SID) to User Identifier (uid) Resolution System

Cole, Timothy D. timothy_d_cole at
Wed Jan 5 16:21:45 GMT 2000

> -----Original Message-----
> From:	Luke Kenneth Casson Leighton [SMTP:lkcl at]
> Sent:	Tuesday, January 04, 2000 20:49
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	RE: Security Identifier (SID) to User Identifier (uid)
> Resolution  System
> On Tue, 4 Jan 2000, Steve Langasek wrote:
> > On Wed, 5 Jan 2000, Luke Kenneth Casson Leighton wrote:
> > 
> > > > 	Well, I said what I did under the assumption that there
> would be no
> > > > mapping from -2 back to any SID (i.e. the mapping function would
> fail).
> > 
> > > the mapping from SID to unknowwn uid MUST fail.  the mapping from uid
> to
> > > unknown SID MUST fail.
> > 
> > Wouldn't this be a cosmetic issue?  If the driver only allows access to
> the
> > resource if it can successfully map a uid/gid to an SID, and it's
> explicit
> > that the 'nobody' uid will *not* map to an SID, then it will only
> *appear*
> > that user 'nobody' has read/write/whatever access.  That, IMHO, is a lot
> > better than returning -1 from stat() and having to invent a new errno
> for the
> > occasion.  Returning a uid that no one on the system is supposed to be
> > using should be relatively harmless, as long as it doesn't mean that
> POSIX uid
> > isn't *really* granted illegitimate access to the file.
> hum, don't know exactly what's going on, here.  like i keep mentioning,
> i'm not a unix expert.
> as long as you're not telling me that you want to use nobody(-2) as an NT
> user, i think that's ok, but i don't quite get why.
> .. how does not mapping to a uid make a user "appear" to have rwx/
> acccess?  what kind of acess?  and are you referring to "user "appearing""
> as an nt user or a unix user?
	this is basically about stat() -- it's a single system call used to
fill out a structure with all the following information about a given file,
and is the only POSIX way to get the following information about a file:

	 - block device the filesystem is on
	 - the file's inode number
	 - the filesystem type (not in all Unices)
	 - the file's permissions set (rwx) and type
	 - number of links (directory entries referencing the file)
	 - the uid of the file's owner
	 - the gid of the file's owning group
	 - device id (for char and block devices only)
	 - the file size
	 - last access time
	 - last modification time
	 - last attribute change time

	If stat() fails, then it is impossible to determine any of this
information.  Many, many things rely on being able to stat() a file (under
normal circumstances, assuming the object exists, the only reason stat()
would fail is if the user did not have search(execute) permission on the
object's container).

	Consequently, we need SOMETHING to put in the st_uid and st_gid
fields if the SID is unknown.

More information about the samba-technical mailing list