[OpenIndiana-discuss] Solaris privileges and seteuid()

alka alka at hfg-gmuend.de
Thu Aug 16 23:28:01 UTC 2012


addition:

I think you do not really need this API during normal use.
If you set ACLs via chmod, you use the current ephemeral UID
and it seems to be translated automatically to the corresponding SID.

(I am not an OS developer but am trying to understand whether my "best of all" is reachable)



On 17.08.2012 at 00:55, alka wrote:

> Thank you, Gordon.
> 
> This API call is the missing link.
> With the help of this it is possible to use the ephemeral UID of an AD user from the idmap cache
> to request the corresponding SID and write it together with the file to be compatible with CIFS.
> 
> Question:
> Is the "real" Unix UID of a file, written with CIFS together with a Windows SID, nobody?
> 
> The idmap ephemeral mapping cache is generated on a CIFS user login.
> How can this be initiated from another process?
> 
> 
> 
> 
> 
> On 17.08.2012 at 00:22, Gordon Ross wrote:
> 
>> On Thu, Aug 16, 2012 at 2:01 PM, James Relph <james at themacplace.co.uk> wrote:
>> [...]
>>> That's interesting, although it'll give me a headache trying to work out which method would be best (definitely pluses and minuses to the built-in method, and to SAMBA).  The ephemeral mappings are the bit that is somewhat confusing.  From what I've been reading, it sounded like what it does is to actually store the SID on-disk and convert that on the fly to an ephemeral UID.  That might mean that the non-persistence of the ephemeral IDs across reboots doesn't matter (as the SID itself is still stored), but it's hard working out from the documentation exactly what's going on.
>>> 
>>> James.
>> 
>> Yes, ephemeral IDs are temporary representations of Security
>> Identifiers (SIDs).  The idmapd(1m) daemon maintains these in a cache,
>> with time-to-live (TTL) based expiration.  There's a library API for
>> turning an ephemeral ID back into a SID - see: idmap_get_sidbyuid
>> http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libidmap/common/idmap_api.c
>> 
>> 
>> -- 
>> Gordon Ross <gwr at nexenta.com>
>> Nexenta Systems, Inc.  www.nexenta.com
>> Enterprise class storage for everyone
>> 
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss