Group name madness: "CurrentSession" vs. "LogonSessionId_0_111590" vs. "NT AUTHORITY\LogonSessionId_0_111590" ...

Corinna Vinschen
Mon Feb 19 10:09:44 GMT 2024

On Feb 19 08:11, Roland Mainz via Cygwin wrote:
> Hi!
> ----
> While implementing chown/chgrp support in the ms-nfs41-client (Windows
> NFSv4.1 client filesystem driver) I encountered an issue with group
> names.
> I tried a simple $ chgrp CurrentSession myfile #, which returned
> "Permission denied".

Works for me:

  $ chgrp CurrentSession x.c
  $ ls -l x.c
  -rw-r--r-- 1 corinna CurrentSession 906 Jan 23 21:40 x.c
  $ icacls x.c
  x.c VINSCHEN\corinna:(R,W,D,WDAC,WO)
      NT AUTHORITY\LogonSessionId_0_2027255:(R)

  Successfully processed 1 files; Failed processing 0 files

> OK, /usr/bin/id -a shows that the current user is a member of this
> group, so I added a new group called "CurrentSession" to the NFSv4.1
> server side ([1]).

Just don't do that.  This group is a *temporary* group which is created
from your login session ID.  Your login session is basically a pair of
two 32 bit values, generated via NtAllocateLocallyUniqueId().  From
there, Windows creates a SID


These days, when you call LookupAccountSidW() on this SID, you get the

  Name:  LogonSessionId_0_2027255

This SID is used inside your user token to connect your token with the
login session for which this token has been created.  It can be used for
authorization purposes, but it's not meant to be used as a SID in file
ownership, even though it's possible (basically any SID can be added
to files).

So, what's that about "CurrentSession" in Cygwin?

The reason is that this is historically what Interix did.  Keep in
mind that Interix (as well as Cygwin, but that doesn't matter here)
exist since Windows NT 3.5 times.

The above naming mechanism didn't exist at the time.  If you fetched the
Logon SID from the token and called LookupAccountSidW() on it, the call
failed, i. e., there was no name attached to the SID.

So... given that a Logon SID is unique to the logon session, given that
the SID has no unambiguous name attached, and given that the Logon SID
makes *no sense at all* outside its session, the Interix guys decided to
solve this little problem like this:

- If the inspected token contains the Logon SID equivalent to the
  current user session, call it "CurrentSession" with unique gid 4095.

- If the inspected token contains a Logon SID which is not attached
  to the current Logon Session we're running in, call it "OtherSession"
  with the non-unique gid 4094.

This is the model Cygwin follows as well.  The Logon SIDs shouldn't
really concern you in terms of file access.  From the user perspective
they are barely informative at all.  They *could* make sense in terms
of temporary files, but I don't know of any useful example.

> But that did not work either, /usr/bin/chgrp # still failed.

I can't tell you why it didn't work for you while it works out of the
box for me.  However, there isn't much sense in there to attach these
SIDs to a file.  Logout, login again, and you will have a new Logon SID
anyway ¯\_(ツ)_/¯
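The naming rule Corinna describes (current session's Logon SID becomes "CurrentSession" with gid 4095, any other Logon SID becomes "OtherSession" with gid 4094, and the modern `LogonSessionId_<hi>_<lo>` name reported by LookupAccountSidW()) can be modelled in a few lines. The following is an added illustration written for this page; it is not code from Cygwin, Interix or the ms-nfs41-client, and it does no Windows API calls. It assumes the documented Windows layout of a Logon SID, `S-1-5-5-<hi>-<lo>` (the two 32-bit halves of the session LUID), which the post does not spell out; the function names and the sample SIDs built from the session IDs mentioned in the thread are constructed for the example.

```python
"""Model of the Interix/Cygwin Logon SID naming rule (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption (documented Windows SID layout, not quoted in the post): a Logon
# SID is S-1-5-5-<hi>-<lo>, i.e. the two 32-bit halves of the logon session
# LUID that NtAllocateLocallyUniqueId() handed out.
LOGON_SID_RE = re.compile(r"^S-1-5-5-(\d+)-(\d+)$")

# Fixed names/gids from the post: the current session's Logon SID gets the
# unique gid 4095, any other session's Logon SID the non-unique gid 4094.
CURRENT_SESSION = ("CurrentSession", 4095)
OTHER_SESSION = ("OtherSession", 4094)


def parse_logon_sid(sid: str) -> Optional[Tuple[int, int]]:
    """Return the (hi, lo) LUID halves if `sid` is a Logon SID, else None."""
    m = LOGON_SID_RE.match(sid)
    if m is None:
        return None
    hi, lo = int(m.group(1)), int(m.group(2))
    if hi > 0xFFFFFFFF or lo > 0xFFFFFFFF:  # each half is a 32-bit value
        return None
    return hi, lo


def logon_sid_display_name(sid: str) -> Optional[str]:
    """Name that modern LookupAccountSidW() reports for a Logon SID:
    LogonSessionId_<hi>_<lo> (e.g. LogonSessionId_0_2027255 in the post)."""
    luid = parse_logon_sid(sid)
    if luid is None:
        return None
    return f"LogonSessionId_{luid[0]}_{luid[1]}"


def cygwin_group_for_sid(sid: str, current_logon_sid: str) -> Optional[Tuple[str, int]]:
    """Apply the Interix/Cygwin rule to one group SID taken from a token or ACL.

    Logon SID equal to the session we run in -> ("CurrentSession", 4095);
    any other Logon SID -> ("OtherSession", 4094); non-Logon SIDs -> None
    (those go through the normal account lookup instead).
    """
    luid = parse_logon_sid(sid)
    if luid is None:
        return None
    if luid == parse_logon_sid(current_logon_sid):
        return CURRENT_SESSION
    return OTHER_SESSION


def classify_token_groups(token_sids: List[str], current_logon_sid: str) -> Dict[str, Tuple[str, int]]:
    """Map every Logon SID in a token's group list to its Cygwin name and gid."""
    result: Dict[str, Tuple[str, int]] = {}
    for sid in token_sids:
        mapped = cygwin_group_for_sid(sid, current_logon_sid)
        if mapped is not None:
            result[sid] = mapped
    return result


def file_group_after_relogin(file_group_sid: str, new_logon_sid: str) -> Tuple[str, int]:
    """Why storing a Logon SID as a file's group is pointless: after logout and
    login the session LUID differs, so the ACE on the file no longer matches the
    caller's session and degrades to OtherSession."""
    mapped = cygwin_group_for_sid(file_group_sid, new_logon_sid)
    if mapped is None:
        raise ValueError(f"{file_group_sid} is not a Logon SID")
    return mapped


if __name__ == "__main__":
    # Constructed sample values built from the session IDs seen in the thread.
    current = "S-1-5-5-0-2027255"   # this shell's session (icacls output in the post)
    other = "S-1-5-5-0-111590"      # a different session (subject line)
    token = ["S-1-5-32-545", current, other]  # BUILTIN\Users plus two Logon SIDs
    for sid, (name, gid) in classify_token_groups(token, current).items():
        print(f"{sid:24} {logon_sid_display_name(sid):26} -> {name} (gid {gid})")
    # Same file group seen from a fresh login with a new LUID:
    print(file_group_after_relogin(current, "S-1-5-5-0-3000001"))
```

The last function is the practical point of the reply: a Logon SID chgrp'd onto a file (or mirrored into a group table on an NFS server) only ever matches the one session that created it, so there is nothing durable to synchronise.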

