This is the mail archive of the cygwin-developers@sourceware.cygnus.com mailing list for the Cygwin project.



Re: Alternate symlink usage


Chris Faylor wrote:
> 
> Corinna,
> Is it possible that we could use the NTSEC stuff to store information
> about whether a file is a symbolic link?  I talked to Jeremy Allison
> at Linux Expo and he said that he was doing lots of stuff with security
> type information for samba so if we could do this we might be able to
> have symbolic links on UNIX network drives.
> 
> Is this possible?
> 
> cgf

Hi Jeremy,

my name is Corinna, I have designed the usage of NT security
in cygwin, called NTSEC. If you are interested, I would like to
discuss the possibilities to support NTSEC with samba drives.
The additional ability to support symbolic links would be very
interesting, too.

To give a short introduction (and to start the discussion) I
will describe the used methods of NTSEC in short:

- On each file related function, the full windows path is
  determined and used for calling GetVolumeInformation().
  Only files on file systems which have the FS_PERSISTENT_ACLS
  flag set are possible in NTSEC calls.

- To read security descriptors, the following functions are used:

    CreateFile(..., FILE_FLAG_BACKUP_SEMANTICS, ...);
    BackupRead();

- To write security descriptors:

    CreateFile(..., FILE_FLAG_BACKUP_SEMANTICS, ...);
    BackupWrite();
    
My latest checks with samba (version 2.0.6-16) have
given the following results in a domainless environment:

- GetVolumeInformation results in FS_PERSISTENT_ACLS == TRUE.

- BackupRead returns ACLs.

- The RIDs of user and group are not corresponding to the Linux
  uid/gid. Unfortunately, samba doesn't submit user and group
  names to the reading PC. I'm using W2K and typically the
  ACL content is shown like:
    COMPUTERNAME\USERNAME    permissions
  or
    DOMAINNAME\GROUPNAME     permissions

  If this information can't be determined by the reading
  PC, the security info is shown as
    S-1-5-21-1234455-23232232-4434343-2000      permissions

  This is the case with samba on my Linux box. Maybe, my
  configuration is not correct?!?

- The returned permissions are sometimes not correct when the
  Linux permission bits are uncommon (e.g. r-x-wxr-- or something like
  that).

- BackupWrite fails with WinAPI error 1337 (security ID structure
  is invalid). This seems to be related to the missing user/group
  information.

I haven't checked it out in detail yet. I'm not blessed with
much time this month. Nevertheless I'm very interested in
a good solution.

What would you think is a good method to get information
about symbolic links via NTSEC? I had the idea to use
a self-defined SID for submitting different information
between samba and NT/W2K but unfortunately, BackupWrite()
checks SIDs. If it doesn't know a SID, the above 1337
error is generated. Maybe we could use an already defined
well-known ID...

Ok, stop here. I would like to hear your opinion first.

Looking forward to your answer,
Corinna
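
The SID string quoted in the message has a fixed layout, and the RID that the message compares with the Linux uid/gid is its last sub-authority. The following C sketch is an added illustration, not part of the original message and not Cygwin or Samba code; `struct sid`, `sid_parse` and `account_rid` are hypothetical names, and only the decimal string form is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUBAUTH 15   /* most sub-authorities a SID can carry */
/* authority is 48 bits wide; sub[count-1] is the RID */
struct sid { uint64_t authority; unsigned count; uint32_t sub[SID_MAX_SUBAUTH]; };

/* One unsigned decimal field; strtoull saturates on overflow, so the bound check catches it. */
static int field(const char **p, unsigned long long max, unsigned long long *v)
{
    char *end;
    if (**p < '0' || **p > '9') return -1;   /* reject sign, blanks, empty field */
    *v = strtoull(*p, &end, 10);
    *p = end;
    return *v > max ? -1 : 0;
}

/* Parse "S-1-<authority>-<sub>-...". Returns 0 if well formed, else -1. */
int sid_parse(const char *s, struct sid *out)
{
    unsigned long long v;
    out->count = 0;
    if (strncmp(s, "S-1-", 4) != 0) return -1;      /* revision must be 1 */
    s += 4;
    if (field(&s, 0xFFFFFFFFFFFFULL, &v)) return -1;
    out->authority = v;
    while (*s == '-') {
        s++;
        if (out->count == SID_MAX_SUBAUTH || field(&s, UINT32_MAX, &v)) return -1;
        out->sub[out->count++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1;
}

/* RID of an account SID S-1-5-21-<a>-<b>-<c>-<RID>; -1 malformed, -2 other SID. */
long long account_rid(const char *text)
{
    struct sid s;
    if (sid_parse(text, &s)) return -1;
    if (s.authority != 5 || s.count != 5 || s.sub[0] != 21) return -2;
    return s.sub[4];
}

int main(void)
{
    printf("%lld\n", account_rid("S-1-5-21-1234455-23232232-4434343-2000")); /* SID from the mail */
    return 0;
}
```

A well-known SID such as `S-1-1-0` (Everyone) parses correctly but has no account RID, which is why `account_rid` reports it separately from a malformed string.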
