This is the mail archive of the mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member

On Fri, Nov 15, 2002 at 12:29:44PM -0500, Pierre A. Humblet wrote:
> Corinna Vinschen wrote:
> > Yep.  But as far as I'm concerned we should drop that part of your
> > patch until I could update ssh.
> What about putting it in with #if 0 ?
> It will then be easier to turn it on when ssh is ready.
> Alternatively I could add it, but add a check for group 
> sid is SYSTEM, and then skip the step. That would be very easy
> to do, and to remove later when ssh is ready.
> I like this best actually.

Good idea!  Me too.  But that must go into both functions,
get_attribute_from_acl() and alloc_sd().

> > Since is_grp_member() isn't that slow anymore, what does it hurt to
> > get the situation right in the first place?  I'm somehow more and more
> > convinced that this is just a matter of taste.
> As far as I can see there is absolutely no advantage to calling  
> is_grp_member() in alloc_sd() and by potentially omitting the owner_deny
> we are making the situation worse! So here I am insistent!


> By the way could you ask your friend if large organizations really
> use deny ACEs? Are there tools that insert them in ACLs? 

Historically they are currently not using deny ACEs since they were
more or less unknown under NT4.  In the next months, they will
upgrade to 2K and the usage of deny ACEs is officially projected.

Greetings from him (Michael Hirmke), btw.!

> Have a relaxing weekend!

Thanks, you too,

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                      
Red Hat, Inc.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]