This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
Re: ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member
On Wed, Nov 13, 2002 at 12:32:31PM -0500, Pierre A. Humblet wrote:
> Corinna Vinschen wrote:
> > It doesn't add any overhead which isn't already there.
> >
> If "already" is before the patch, it scans the group file instead of scanning
> the token groups. If "already" is after the patch, it scans the group file
> instead of scanning the token groups or doing nothing, depending if the uid
> of the file owner differs from the uid of the process.
So what? It just uses /etc/group to determine the group membership
of user "username". What's wrong with that? "username" is !=
current user so it reflects the default circumstances for that user.
I don't think we can get it better due to Win/POSIX divergence.
> The fundamental problem is that there is not enough information to know
> the "real permissions" of the owner. Is User_foo a member of Admins or not,
> at the time she accesses the file ?
Sure. We can't know that. We're reflecting the default.
> You make a lot of assumptions in your example. A more detailed description of
> the way the code works today (before patch) is this:
>
> If the process running ls -l is a member of Admins:
> rwxrwxr--
> If the process running ls -l is not a member of Admins:
> ---rwxr--
> and that's the case *whether or not* User_foo is *nominally* a member of Admins.
Wait, I'm assuming that we have a corrected version of is_grp_member().
We already know that is_grp_member() isn't quite right, currently.
Let's assume is_grp_member() works as expected which means, including
my small patch plus a patch to take all groups in the ACL into account.
Then the most ugly problem - using the access token of another user -
is dropped from our analysis.
Back to the example. Assume that user_foo is a member of Admins in
the SAM. The default case is that access tokens are created with
Admin being one of the token groups.
> With the current patch, the output of ls -l would be
> ---rwxr--
> if ls -l is run by somebody else than User_foo
> It would be
> rwxrwxr--
> if ls -l is run by User_foo if User_foo is *currently* a member of Admins, and
> ---rwxr--
> if ls -l is run by User_foo if User_foo is NOT *currently* a member of Admins
> To me, that's slightly better than currently.
I'm sorry if I miss something here but with my patch it would be
rwxrwxr--
if ls -l is run by somebody else than User_foo.
> Note also that your example assumes implicitly that the ACL was not created
> by Cygwin.
Sure. That's the whole point in this discussion, isn't it? Pure Cygwin
ACLs are created according to POSIX rules so that's a non-issue.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.