Generic cred APIs (RE: Security Identifier (SID) ...)

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Jan 6 12:33:00 GMT 2000


does anyone know anyone who wants to host a web site for linuxnt.com?  i
think it's time i started this up.

On Wed, 5 Jan 2000, Nicolas Williams wrote:

> On Thu Jan 06 2000, Cole, Timothy D. (timothy_d_cole at md.northgrum.com) wrote:
> > > -----Original Message----- 
> > > From: Luke Kenneth Casson Leighton [SMTP:lkcl at samba.org] 
> > > Sent: Wednesday, January 05, 2000 11:59 
> > > To: Multiple recipients of list SAMBA-TECHNICAL 
> > > Subject: RE: Security Identifier (SID) to User Identifier (uid) 
> > > Resolution System 
> > > 
> > > On Wed, 5 Jan 2000, Cole, Timothy D. wrote: 
> > > 
> > > AH! you're talking about a _kernel_ level implementation that uses this 
> > > stuff, not samba. 
> > > 
> >         Yes; that's what I meant when I said I was getting off on a tangent 
> > :) 
> > 
> > > ok... having created a uid / gid, it's permanent, so it's ok. other 
> > > representations are then nothing to do with this. it's _external_ 
> > > representations that, say, samba or winbind use, that sid/uid conversion 
> > > becomes important. 
> > > 
> >         Pretty much. The kernel table would more likely be (indirectly) 
> > updated from winbind or whatnot, rather than the other way around. The main 
> > clever thing that would allow would be using uids and gids even with a 
> > mounted NTFS filesystem, and everything still working as expected. 
> 
> There was a thread before this one in the XAD list which started when
> Luke Howard asked whether Luke Leighton really did want "SIDs in the
> kernel". Out of that thread came Luke's SURS proposal and then the
> thread moved here.
> 
> What we really need is generic credential-type neutral APIs for:
> 
>  - getting/setting process credentials (think effective vs. real
>    credentials)
> 
>  - getting/setting a file's credentials (think stat/chown/chgrp/chmod)
> 
>  - NSS APIs for resolving user/groupnames and credentials to each other
> 
>  - Kernel APIs for filesystem drivers to compare process credentials to
>    file credentials; to copy process credentials to a file; etc...
> 
> This means that kernels should support more than one type of credential
> per-process and, therefore, that they should store those credentials.
> 
> This is motivated by the superiority of SIDs to POSIX UIDs/GIDs.
> 
> Nico
> -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> -to a public e-mail mailing list I hereby grant permission to distribute-
> -and copy this message.-
> 
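
The credential-type-neutral comparison that Nico's list asks filesystem drivers to have, sketched as an added example that is not code from this thread or from Samba. All type and function names are hypothetical, and the uid and SID values are constructed sample data.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical type-neutral credential; every name here is illustrative. */
enum cred_type { CRED_POSIX_UID, CRED_NT_SID };
struct nt_sid {                    /* fields of the binary SID format */
    uint8_t  revision, num_auths;  /* at most 15 sub-authorities */
    uint8_t  id_auth[6];
    uint32_t sub_auths[15];
};
struct cred { enum cred_type type; union { uint32_t uid; struct nt_sid sid; } u; };
struct proc_creds { size_t count; struct cred creds[4]; };  /* mixed types */

/* Credentials of different types never match implicitly. */
int cred_equal(const struct cred *a, const struct cred *b)
{
    if (a->type != b->type)
        return 0;
    if (a->type == CRED_POSIX_UID)
        return a->u.uid == b->u.uid;
    const struct nt_sid *x = &a->u.sid, *y = &b->u.sid;
    return x->num_auths <= 15 && x->num_auths == y->num_auths &&
           x->revision == y->revision &&
           memcmp(x->id_auth, y->id_auth, sizeof x->id_auth) == 0 &&
           memcmp(x->sub_auths, y->sub_auths,
                  x->num_auths * sizeof x->sub_auths[0]) == 0;
}

/* The check a filesystem driver would make against a file's owner. */
int proc_owns_file(const struct proc_creds *p, const struct cred *owner)
{
    for (size_t i = 0; i < p->count && i < 4; i++)
        if (cred_equal(&p->creds[i], owner))
            return 1;
    return 0;
}

/* Constructed sample data: SID S-1-5-21-1-2-3-<rid>; demo process below. */
struct cred sample_sid(uint32_t rid)
{
    return (struct cred){ .type = CRED_NT_SID,
        .u.sid = { 1, 5, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3, rid} } };
}
int demo_owns(struct cred owner)   /* process: uid 1000 + SID ...-1001 */
{
    struct proc_creds p = { .count = 2 };
    p.creds[0] = (struct cred){ .type = CRED_POSIX_UID, .u.uid = 1000 };
    p.creds[1] = sample_sid(1001);
    return proc_owns_file(&p, &owner);
}
int main(void) { return demo_owns(sample_sid(1001)) ? 0 : 1; }
```

A file owned by uid 1001 does not match the process SID whose last sub-authority is 1001: relating the two types is left to an explicit mapping layer, which this sketch does not implement.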
