Generic cred APIs (RE: Security Identifier (SID) ...)
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Jan 6 12:33:00 GMT 2000
does anyone know anyone who wants to host a web site for linuxnt.com? i
think it's time i started this up.
On Wed, 5 Jan 2000, Nicolas Williams wrote:
> On Thu Jan 06 2000, Cole, Timothy D. (timothy_d_cole at md.northgrum.com) wrote:
> > > -----Original Message-----
> > > From: Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org]
> > > Sent: Wednesday, January 05, 2000 11:59
> > > To: Multiple recipients of list SAMBA-TECHNICAL
> > > Subject: RE: Security Identifier (SID) to User Identifier (uid)
> > > Resolution System
> > >
> > > On Wed, 5 Jan 2000, Cole, Timothy D. wrote:
> > >
> > > AH! you're talking about a _kernel_ level implementation that uses this
> > > stuff, not samba.
> > >
> > Yes; that's what I meant when I said I was getting off on a tangent
> > :)
> > > ok... having created a uid / gid, it's permanent, so it's ok. other
> > > representations are then nothing to do with this. it's _external_
> > > representations that, say, samba or winbind use, that sid/uid conversion
> > > becomes important.
> > >
> > Pretty much. The kernel table would more likely be (indirectly)
> > updated from winbind or whatnot, rather than the other way around. The main
> > clever thing that would allow would be using uids and gids even with a
> > mounted NTFS filesystem, and everything still working as expected.
> There was a thread before this one in the XAD list which started when
> Luke Howard asked whether Luke Leighton really did want "SIDs in the
> kernel". Out of that thread came Luke's SURS proposal and then the
> thread moved here.
> What we really need is generic credential-type neutral APIs for:
> - getting/setting process credentials (think effective vs. real
> - getting/setting a file's credentials (think stat/chown/chgrp/chmod)
> - NSS APIs for resolving user/groupnames and credentials to each other
> - Kernel APIs for filesystem drivers to compare process credentials to
> file credentials; to copy process credentials to a file; etc...
> This means that kernels should support more than one type of credential
> per-process and, therefore, that they should store those credentials.
> This is motivated by the superiority of SIDs to POSIX UIDs/GIDs.