This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: POSIX permission mapping and NULL SIDs
- From: Bill Zissimopoulos <billziss at navimatics dot com>
- To: "cygwin at cygwin dot com" <cygwin at cygwin dot com>
- Date: Sun, 26 Jun 2016 20:46:58 +0000
- Subject: Re: POSIX permission mapping and NULL SIDs
- Authentication-results: sourceware.org; auth=none
- Authentication-results: spf=none (sender IP is ) smtp dot mailfrom=billziss at navimatics dot com;
- References: <D392BA70 dot 95D4%billziss at navimatics dot com> <20160624195144 dot GB27089 at calimero dot vinschen dot de> <D392F074 dot 962E%billziss at navimatics dot com> <20160624215948 dot GD27089 at calimero dot vinschen dot de>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On 6/24/16, 2:59 PM, "Corinna Vinschen" <cygwin-owner@cygwin.com on behalf
of corinna-cygwin@cygwin.com> wrote:
>>>If you want some specific mapping we can arrange that, but it must not
>> >be the NULL SID. If you know you're communicating with a Cygwin
>>process,
>> >what about using an arbitrary, unused SID like S-1-0-42?
>>
>> I am inclined to try S-1-5-7 (Anonymous). But I do not know if that is a
>> bad choice for some reason or other.
>
>I thought about Anonymous myself when I wrote my reply to your OP. I
>refrained from mentioning it because it might have some unexpected side
>effect we're not aware about.
I ended up implementing this a couple of days ago. I was just spending a
lazy Sunday morning and then it hit me: this is an exceptionally bad idea.
The problem is that Windows uses the Anonymous identity for accounts who
have not logged in using a password (as per Erik Soderquistâs email
regarding IIS behavior). Files in FUSE file systems that have a UID that
cannot be mapped to a SID, will suddenly be owned by that Anonymous user!
Obviously this is a huge security hole. I intend to fix this ASAP, but I
am now back to where we started. The obvious SID to use is the NULL SID,
but that is already used by Cygwin for other purposes.
>> The main reason that I am weary of using an unused SID is that Microsoft
>> may decide to assign some special powers to it in a future release (e.g.
>> GodMode SID). But I agree that this is rather unlikely in the S-1-0-X
>> namespace.
>
>I think it's very unlikely. We could chose any RID value we like and
>the chance for collision is nil. When I created the new implementation
>for POSIX ACLs, I toyed around with this already and used a special
>Cygwin SID within the NULL SID AUTHORITY. I'm not entirely sure why I
>changed this to the NULL SID deny ACE. I think I disliked the fact that
>almost every Cygwin ACL would contain a mysterious "unknown SID".
Ideally we should choose a SID that:
(1) Is very unlikely to be used by Microsoft at any point in the future.
(2) Cannot be associated to a user logon for any reason (see problem with
Anonymous SID) above.
(3) Maps to a reasonable UID in Cygwin.
I propose the following SID/UID mapping:
S-1-0-99 <=> UID 0xffffffff (32-bit -1)
This is a SID in the S-1-0 (Null Authority) namespace (same one that
contains the NULL SID), which is unlikely to be used by Microsoft. So it
likely satisfies (1).
For the same reason (that it is a new/unused SID in the S-1-0) namespace,
I think it also satisfies (2).
If we follow the rules from Cygwinâs "POSIX accounts, permission, and
securityâ document [IDMAP], the SID S-1-0-99 maps to 0x10063. But we can
make a special rule for this SID to map it to a different UID. Mapping it
to -1 may be the easiest option, but perhaps we can also consider mapping
it to 0xfffffffe (-2).
Bill
[IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html