ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member

Pierre A. Humblet Pierre.Humblet@ieee.org
Fri Nov 15 09:29:00 GMT 2002


Corinna Vinschen wrote:

> Yep.  But as far as I'm concerned we should drop that part of your
> patch until I could update ssh.

What about putting it in with #if 0 ?
It will then be easier to turn it on when ssh is ready.

Alternatively I could add it, but add a check for group
sid is SYSTEM, and then skip the step. That would be very easy
to do, and to remove later when ssh is ready.
I like this best actually.

> > It's not a group_deny, it's an owner deny (which would go on top, so canonical
> > order is OK here).
> 
> Oops, thick fingers...
> 
> > Also if the owner is not in the group when alloc_sd is called, and is placed
> > in the group later, then the owner access mode of the file would change, which
> > isn't POSIX.
> > Let's look at it from another angle: what is gained by going through the trouble
> > of calling is_grp_member and possibly omitting the owner_deny?
> 
> Since is_grp_member() isn't that slow anymore, what does it hurt to
> get the situation right in the first place?  I'm somehow more and more
> convinced that this is just a matter of taste.

As far as I can see there is absolutely no advantage to calling
is_grp_member() in alloc_sd() and by potentially omitting the owner_deny
we are making the situation worse! So here I am insistent!

> > The non canonical order is produced when the group has less permission
> > than everyone, which I agree is unlikely.
> 
> Yeah, my mind was on another issue.  Time for weekend.
> 
> > It's 100% OK with me to give preference to being nice!
> 
> Ok.  I'm really sorry that I'm making your life that hard but I assume
> you know that I'm just trying to find something as a best solution (if
> that's at all possible).

Sure, and it's reciprocal.

By the way could you ask your friend if large organizations really
use deny ACEs? Are there tools that insert them in ACLs?

Have a relaxing weekend!

Pierre
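The disagreement above is about whether alloc_sd may skip the owner-deny ACE when the owner is a member of the file's group. The following is an added illustration, not Cygwin's alloc_sd and not code from either author: it models an NT DACL as an ordered list of deny/allow ACEs, maps a POSIX mode to such a list with a deliberately simplified scheme (denies first, then one allow per class), and computes the owner's effective rwx bits with and without the owner-deny ACE. The trustee names "owner", "group" and "everyone" stand in for SIDs and are assumptions of this model, as is the exact mode-to-ACE mapping.

```python
from dataclasses import dataclass

# POSIX permission bits used throughout this constructed model.
READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class Ace:
    kind: str     # "deny" or "allow"
    trustee: str  # "owner", "group" or "everyone" (stand-ins for SIDs; assumption)
    mask: int     # rwx bits this ACE denies or allows


def check_access(dacl, principals, requested):
    """NT-style DACL walk: ACEs are taken in order; a matching deny ACE that
    covers any still-ungranted requested bit fails the check, while matching
    allow ACEs accumulate granted bits until every requested bit is granted."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in principals:
            continue
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested  # no matching ACE means no access


def mode_to_dacl(mode, owner_deny=True):
    """Build an ordered DACL from a POSIX mode (simplified mapping, assumption).
    Deny ACEs come first (canonical order): the owner is denied bits it lacks
    but group or other have; the group is denied bits it lacks but everyone
    has.  Then one allow ACE per class.  owner_deny=False drops the owner deny,
    which is the variant debated on the list."""
    o, g, e = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    dacl = []
    if owner_deny and ((g | e) & ~o):
        dacl.append(Ace("deny", "owner", (g | e) & ~o))
    if e & ~g:
        dacl.append(Ace("deny", "group", e & ~g))
    dacl.append(Ace("allow", "owner", o))
    dacl.append(Ace("allow", "group", g))
    dacl.append(Ace("allow", "everyone", e))
    return dacl


def effective_bits(dacl, principals):
    """Effective rwx for a caller holding the given principals, testing each
    bit on its own the way a POSIX access(2)-style check would."""
    bits = 0
    for bit in (READ, WRITE, EXEC):
        if check_access(dacl, principals, bit):
            bits |= bit
    return bits


def owner_modes_for(mode, owner_deny=True):
    """Return (owner not in group, owner in group) effective bits for the owner.
    Under POSIX semantics both must equal the owner triplet of the mode."""
    dacl = mode_to_dacl(mode, owner_deny)
    outside = effective_bits(dacl, {"owner", "everyone"})
    inside = effective_bits(dacl, {"owner", "group", "everyone"})
    return outside, inside


if __name__ == "__main__":
    # Mode 0575: the owner lacks write, the group has it.
    for deny in (True, False):
        outside, inside = owner_modes_for(0o575, owner_deny=deny)
        print(f"mode 0575, owner_deny={deny}: "
              f"owner outside group -> {outside:o}, inside group -> {inside:o}")
```

With the owner-deny ACE on top, the owner of a 0575 file keeps r-x whether or not it is later added to the group. Without it, the owner's effective access silently becomes rwx the moment it joins the group, because the group allow ACE now matches the owner too; that is the non-POSIX drift the message objects to. The same walk also shows the group-deny case mentioned in the thread: for a mode such as 0705, where the group has less than everyone, the group-deny ACE must precede the everyone-allow ACE for group members to end up with nothing.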
