generic ACL interface (RFC)

Jeremy Allison jallison at cthulhu.engr.sgi.com
Thu Jul 29 18:24:28 GMT 1999


Luke Kenneth Casson Leighton wrote:

> how can group "y" be "associated" with a process [owned by user x]?

Group 'y' is in the current list of groups attached to the
process data structure in the kernel. That's how.

> *sigh*...  ok.... hmmm... it's different in nt: processes inherit security
> contexts, but the security context contains a single SID (methinks...)
> which can represent SYSTEM, user, group, alias etc.

Nope. The security context of a process (known as the
'token' in NT) contains a *list* of SIDs. One is the
process primary SID (user SID), one is a process group-primary
SID (treated no differently than any other group SID in NT, but
treated as the primary group SID by the NT POSIX subsystem) and
the rest are the list of group-SIDs that the user is in.

This is exactly the security context info that a Win2K
kerberos5 ticket-granting-ticket will contain encrypted
in a format that Microsoft have so far refused to document
(and is what all the fuss over "extending" the krb5 standard
is about).

These are stored in the WinNT kernel as an "access token"
which is *exactly* the same conceptually as the uid_t owner
and list of associated groups stored in the process data
structure in the UNIX kernel.

There are even functions to change the group list of
a process access token (AdjustTokenGroups() ) that is
similar to the setgroups() call in UNIX.

The two security models are quite similar, except that
(as usual) NT makes it *much* more complicated by adding
things like "impersonation tokens", which are really just
ways of associating more than one uid/group[array] structure
with a process and allowing the process to swap between them
at will (but only if the secondary structure was given to the
process by a 'valid' method, i.e. via the kernel or from some
other process).

This is why I don't want to duplicate this dogs-dinner
on UNIX in Samba :-).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
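The UNIX side of the comparison above, as an added example that is not part of the original message or of Samba's code: a process credential modelled as the uid_t owner, primary gid and the supplementary group list the kernel keeps (what setgroups() fills in), a helper that answers "is group y attached to this process?", and the classic POSIX owner/group/other mode-bit check that consults that list. The `struct cred`, `cred_in_group` and `cred_check_access` names are this example's own, the root override is deliberately left out to keep the class selection visible, and `main` only reads the calling process's real group list via getgroups() to show where the kernel keeps it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Simplified process credential (hypothetical struct for this example):
 * the uid_t owner plus the group list stored in the process structure,
 * the UNIX counterpart of the SID list in an NT access token. */
struct cred {
    uid_t uid;
    gid_t gid;            /* primary group */
    const gid_t *groups;  /* supplementary groups, as installed by setgroups() */
    int ngroups;
};

/* Is group g attached to the process, as primary or supplementary group? */
int cred_in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return 0;
}

/* POSIX mode-bit check: exactly one class applies. Owner class if the uid
 * matches, else group class if any group in the credential matches the
 * object's group, else 'other'. A denied group class does not fall through
 * to 'other'. want is a mask of R_OK/W_OK/X_OK. No root (uid 0) override
 * here, on purpose, so the class selection stays visible. */
int cred_check_access(const struct cred *c, uid_t obj_uid, gid_t obj_gid,
                      mode_t mode, int want)
{
    unsigned bits;
    if (c->uid == obj_uid)
        bits = (mode >> 6) & 7;
    else if (cred_in_group(c, obj_gid))
        bits = (mode >> 3) & 7;
    else
        bits = mode & 7;

    unsigned need = 0;
    if (want & R_OK) need |= 4;
    if (want & W_OK) need |= 2;
    if (want & X_OK) need |= 1;
    return (bits & need) == need;
}

/* Show the real group list the kernel has attached to this process. */
int main(void)
{
    int n = getgroups(0, NULL);
    if (n < 0) {
        perror("getgroups");
        return 1;
    }
    gid_t *groups = calloc((size_t)n, sizeof *groups);
    if (groups == NULL)
        return 1;
    n = getgroups(n, groups);

    struct cred me = { getuid(), getgid(), groups, n };
    printf("uid=%u primary gid=%u supplementary groups:", (unsigned)me.uid,
           (unsigned)me.gid);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)groups[i]);
    printf("\n");

    /* Constructed object: owned by uid 0, group = our primary group, mode 0640. */
    printf("read access to a root-owned 0640 file in our primary group: %s\n",
           cred_check_access(&me, 0, me.gid, 0640, R_OK) ? "granted" : "denied");
    free(groups);
    return 0;
}
```

The point this makes concrete is the one in the message: a process "has" group y not because the user's identity contains it, but because y sits in the kernel-side group list consulted at check time, which is also why changing that list (setgroups() here, AdjustTokenGroups() on NT) is a privileged operation worth auditing.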

