[OpenIndiana-discuss] Solaris privileges and seteuid()

Frank Lahm franklahm at gmail.com
Fri Aug 17 09:44:40 UTC 2012


2012/8/17 James Relph <james at themacplace.co.uk>:
> Yes, ephemeral IDs are temporary representations of Security
>   Identifiers (SIDs).  The idmapd(1m) daemon maintains these in a cache,
>   with time-to-live (TTL) based expiration.  There's a library API for
>   turning an ephemeral ID back into a SID - see: idmap_get_sidbyuid
>   http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libidmap/common/idmap_api.c
>
>
> Thanks very much for that confirmation, really doesn't seem obvious in a lot of the documentation!  I don't have a system handy to test today (will do over the weekend) but I'll try and get a better idea of how that works over the weekend (in particular after a reboot, what UID/GID will a file/folder show (ie. with ls) until the same user logs in again and the new ephemeral mapping is created?).

ephemeral ids break setuid/seteuid because they are not static on a
_running_ system. They may change anytime. Thus any POSIX compliant
application relying on these functions for privileges can not use
them.

Essentially you sacrifice UNIX for Windows.

-f



More information about the OpenIndiana-discuss mailing list