Security Identifier (SID) to User Identifier (uid) Resolution System

John E. Malmberg wb8tyw at qsl.net
Thu Jan 6 05:05:50 GMT 2000


From: Steve Langasek <vorlon at netexpress.net>

> On Wed, 5 Jan 2000, John E. Malmberg wrote:
>
> > From: Luke Kenneth Casson Leighton <lkcl at samba.org>
>
> > > > Actually, there's another rationale at work here, too... regardless
> > > > of how the actual table is stored (I imagine in practice it'd be one, or at
> > > > most two, tables), there are really three "logical" tables:
>
> > > > 1. sid -> posix uid/gid
> > > > 2. uid -> sid
> > > > 3. gid -> sid
>
> Any 32-bit integer is a valid UID or GID under POSIX (well, assuming a 32-bit
> or greater size for uid_t).
>
> It's an interesting idea.  The same result could also be achieved using a
> uid_t/gid_t and a flag to tell which it is.  You still only need one database,
> your POSIX key just has to include the id and the flag.  I don't see any clear
> advantage to one method over the other.
>
It has to do with the keys of the database.  The SID must be unique, and so
must the uid/gid that matches it.

By having a flag of value 1 for UIDs, and 2 for GIDs, and higher for any
host-specific special routines, you guarantee that each has its own number
space.

Thus the "key" for looking up a SID from a uid or gid must also include the
flag.

The downside of this is for GIDs or UIDs that match the natural integer size
for the host, two unsigned integer compares must be done for each key value.

So in theory for searching for data, the database appears to have two
fields.  For extracting the data, it would be treated as having three
fields.

The other issue is that the size of the uid/gid field varies with the host
operating system, but that is minor, since the binary tables would not be
passed between machines.

> > Using a structure of a {uid_t low; gid_t high} to store the mappings, could
> > it work out that a specific NT SID would map to a specific GID/UID pair.
>
> > For those host operating systems that support ACLs, then an NT SID could map
> > to a specific UID, or a specific UID/GID pair, or a specific GID.  I do not
> > know if any UNIX operating system has the concept of a RIGHTS identifier
> > separate from a GID.
>
> But an SID under NT always represents a single user OR a single group.  It
> never represents both at the same time.  I think it would unnecessarily
> complicate matters to try to map SIDs to more than one POSIX entity.

A bit of cross-platform confusion.  Under OpenVMS (POSIX compliant) a UID
always contains a GID.  So a map of a SID to an OpenVMS USER would always be
a UID/GID pair match.  Because of the way the numbers work out, that can
also be ignored.

In OpenVMS, the users [200,200] and [300,200] are two different users.  Does
anything like this occur in UNIX?  I will confess ignorance on that or its
implication for security mapping.  [gid,uid] notation.

-John
WB8TYW at QSL.NET
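An added illustration of the key scheme discussed in this message (it is example code written for this page, not Samba's idmap code, and not John's or Steve's): the POSIX-side key is {flag, id} with flag 1 for uids and 2 for gids as proposed above, so uid 200 and gid 200 are distinct keys; key comparison is the two unsigned compares the message describes; and inserts enforce that both the SID and the {flag, id} side are unique.  Ids are assumed to fit in 32 bits, SIDs are kept in textual form, the table is a small linear-scan array, and the SIDs used as sample data are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values taken from the message: 1 = the id is a uid, 2 = the id is a
 * gid; higher values are left free for host-specific id kinds. */
#define ID_FLAG_UID 1u
#define ID_FLAG_GID 2u

/* The POSIX-side key: flag plus id, both widened to unsigned 32 bits
 * (assumption: uid_t/gid_t fit in 32 bits on the host). */
typedef struct {
    uint32_t flag;
    uint32_t id;
} posix_key;

typedef struct {
    posix_key key;
    char sid[64];   /* textual SID, e.g. "S-1-5-21-11-22-33-1000" */
} idmap_entry;

#define IDMAP_MAX 64
static idmap_entry idmap_table[IDMAP_MAX];
static size_t idmap_len = 0;

/* Key comparison: two unsigned compares per key, flag first, then id.
 * (1, 200) and (2, 200) are therefore distinct keys. */
static int posix_key_cmp(const posix_key *a, const posix_key *b)
{
    if (a->flag != b->flag) return a->flag < b->flag ? -1 : 1;
    if (a->id != b->id) return a->id < b->id ? -1 : 1;
    return 0;
}

void idmap_reset(void) { idmap_len = 0; }

/* Insert a mapping.  Both sides must be unique: a {flag,id} that is already
 * mapped, or a SID that is already mapped, is rejected.  Returns 1 on
 * success, 0 on conflict or when the table is full. */
int idmap_add(uint32_t flag, uint32_t id, const char *sid)
{
    posix_key k = { flag, id };
    size_t i;

    if (idmap_len >= IDMAP_MAX || strlen(sid) >= sizeof idmap_table[0].sid)
        return 0;
    for (i = 0; i < idmap_len; i++) {
        if (posix_key_cmp(&idmap_table[i].key, &k) == 0) return 0;
        if (strcmp(idmap_table[i].sid, sid) == 0) return 0;
    }
    idmap_table[idmap_len].key = k;
    strcpy(idmap_table[idmap_len].sid, sid);
    idmap_len++;
    return 1;
}

/* Logical tables 2 and 3: uid -> SID or gid -> SID, selected by the flag.
 * Returns the SID string, or NULL when unmapped. */
const char *idmap_sid_from_posix(uint32_t flag, uint32_t id)
{
    posix_key k = { flag, id };
    size_t i;
    for (i = 0; i < idmap_len; i++)
        if (posix_key_cmp(&idmap_table[i].key, &k) == 0)
            return idmap_table[i].sid;
    return NULL;
}

/* Logical table 1: SID -> {flag, id}.  The flag tells the caller whether the
 * id is a uid or a gid.  Returns 1 if found, 0 otherwise. */
int idmap_posix_from_sid(const char *sid, uint32_t *flag, uint32_t *id)
{
    size_t i;
    for (i = 0; i < idmap_len; i++) {
        if (strcmp(idmap_table[i].sid, sid) == 0) {
            *flag = idmap_table[i].key.flag;
            *id = idmap_table[i].key.id;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    uint32_t flag, id;
    /* Constructed sample data: one user and one group sharing the number 200. */
    idmap_add(ID_FLAG_UID, 200, "S-1-5-21-11-22-33-1000");
    idmap_add(ID_FLAG_GID, 200, "S-1-5-21-11-22-33-513");

    printf("uid 200 -> %s\n", idmap_sid_from_posix(ID_FLAG_UID, 200));
    printf("gid 200 -> %s\n", idmap_sid_from_posix(ID_FLAG_GID, 200));
    /* Both rejected: uid 200 is already mapped, and the group SID is in use. */
    printf("duplicate uid add: %d\n", idmap_add(ID_FLAG_UID, 200, "S-1-5-21-11-22-33-1001"));
    printf("duplicate sid add: %d\n", idmap_add(ID_FLAG_GID, 300, "S-1-5-21-11-22-33-513"));
    if (idmap_posix_from_sid("S-1-5-21-11-22-33-513", &flag, &id))
        printf("S-1-5-21-11-22-33-513 -> flag %u id %u\n", flag, id);
    return 0;
}
```

The flag is deliberately part of the key rather than stored only as a payload field: with the flag in the key, the same 32-bit number can be mapped once as a uid and once as a gid without either entry colliding, which is exactly the separate number spaces the message argues for.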




More information about the samba-technical mailing list