FW: Speed comp. TNG & 2.2.alpha (fwd)

Steve Langasek vorlon at netexpress.net
Wed Feb 28 16:49:44 GMT 2001


On Tue, 27 Feb 2001, Peter Samuelson wrote:

> [Steve Langasek]
> > Just a thought (one with no experimental backing), but would it be
> > possible by default to find namespace collisions (resolve the rid to
> > a gid, getgrgid(gid), get the name, getpwnam(group_name), tag as a
> > collision)

> This whole thing needs caching -- the above sounds like a lot of
> overhead.

That sounds like over-engineering to me.  This is little more than the work
done on a Unix system for every file you look at with ls -l, or when you
extract it from a tarball.  There are already quite good systems available to
speed up the getpwnam(), getgrgid(), etc. calls.  So I can see benefits to
caching these results internally, but I don't think the system would be
unusable without it.

Still, the fact that Luke thinks it would be necessary to be able to type in
the names of groups that are the same as users makes the whole idea rather
untenable.

> > and mangle them by appending a non-printable character to the group
> > name returned?

> Hmmm, interesting thought.  The above is a way of "tricking" the NT
> end-user into thinking the user and group are equivalent, while not
> tricking the system -- and as such its efficacy depends on the
> like-named user and group actually being semantically equivalent, for
> human purposes.

I don't think it really tricks the end-user; for the most part in NT, aren't
the user and group names displayed with icons next to them that indicate the
type of RID they represent?  So if I pull up the 'file permissions' dialog box
and see that FOO\vorlon (with a single face next to it) has Full Control (All)
over the file, and FOO\vorlon (with a globe and two faces) only has Read (RX)
access to it, no information has been lost in the translation.  The only place
we have difficulty is if we need to textually disambiguate between the group
FOO\vorlon and the user FOO\vorlon.

> I think I sort of like Andrew's proposal better -- ignore the duplicate
> group names entirely w/r/t sending and receiving security descriptor
> information.  (NT doesn't require it, since unlike Unix it doesn't
> assume that every file has a group.)  If the client wants to change the
> ACL of a file to have no groups in it, you can use the default
> nobody-group ('nogroup' on my Linux box).

How do you decide generally which group names should be ignored?  I can
certainly think of cases where I might have a file whose gid maps to a group
that conflicts with a username and I /do/ want to show the group in the file
permissions...

Steve Langasek
postmodern programmer
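
An added example, not code from this thread or from Samba: a sketch of the collision check discussed above (gid, getgrgid(), group name, getpwnam(), tag as a collision) with the result cached per gid. It starts from a gid rather than a RID, and the names make_resolver and sample_resolver and the sample tables are hypothetical, constructed for illustration.

```python
import grp
import pwd
from functools import lru_cache

# Constructed sample databases (not from the thread).
SAMPLE_GROUPS = {100: "users", 1000: "vorlon", 65534: "nogroup"}  # gid -> name
SAMPLE_USERS = {"vorlon": 1000, "peter": 1001}                    # name -> uid


def make_resolver(getgrgid=None, getpwnam=None):
    """Return a cached gid -> (group_name, collides_with_user) resolver.

    getgrgid(gid) returns a group name and getpwnam(name) returns a uid;
    both raise KeyError when there is no entry, as the grp/pwd modules do.
    """
    if getgrgid is None:
        getgrgid = lambda gid: grp.getgrgid(gid).gr_name
    if getpwnam is None:
        getpwnam = lambda name: pwd.getpwnam(name).pw_uid

    @lru_cache(maxsize=1024)
    def resolve(gid):
        try:
            name = getgrgid(gid)
        except KeyError:
            return None, False      # gid has no group entry
        try:
            getpwnam(name)
        except KeyError:
            return name, False      # no user shares this group name
        return name, True           # a user has the same name: collision

    return resolve


def sample_resolver():
    """Resolver over the constructed tables, counting backend lookups."""
    calls = {"n": 0}

    def getgrgid(gid):
        calls["n"] += 1
        return SAMPLE_GROUPS[gid]

    def getpwnam(name):
        calls["n"] += 1
        return SAMPLE_USERS[name]

    return make_resolver(getgrgid, getpwnam), calls


if __name__ == "__main__":
    resolve, calls = sample_resolver()
    print({gid: resolve(gid) for gid in (100, 1000, 1000, 65534, 4242)}, calls)
```

Calling make_resolver() with no arguments uses the host's own group and passwd databases instead of the sample tables.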




