Cygwin 3.5 mapping uid/gid on NFSv4 filesystem to unexpected IDs ...

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Nov 15 14:40:28 GMT 2023 

On Nov 15 13:57, Corinna Vinschen wrote:
>     In other words, you could add code to fs_info::update() which
>     recognizes the NFS4 string and sets another filesystem bit in the
>     fs_info class.  Then you create the matching methods in path_conv,
>     i. e., fs_is_nfs4() and a combining operator like fs_is_any_nfs().

While at it, the existing operator fs_is_nfs() shoulds be renamed to
fs_is_nfs3().  That makes sure that all occurences of fs_is_nfs() will
have to be scrutinized and changed accordingly.

>   - Now Cygwin is free to behave differently.  In particular there's no
>     reason left to use the Nfsv3Attr API.  Cygwin can decide to fetch
>     Windows standard security information via NtQuerySecurityObject if
>     path_conv::is_is_nfs4() is true.
> 
>   - As a result, the mapping from Unix ids to Cygwin ids doesn't
>     require to call a name service anymore, because the NFS4 client

..., aka NFS4 driver, if that was unclear, ...

>     can decide what SID to return on its own. These SIDs can be valid
>     Windows SIDs known to the local SAM or the responsible AD service,
>     i. e., existing Windows user or group SIDs.  As long as followup
>     calls to LookupAccountSidW/ LookupAccountNameW return with valid
>     information, you're done.

That should go without saying, but it's better talking about apparent
self-evidence than just implying it:

The id mapping should refrain from doing a fully automatic translation
along the lines of:

  UID --> S-1-5-21-<COMPUTER SID>-<UID-as-RID>
  GID --> S-1-5-21-<COMPUTER SID>-<GID-as-RID>

and vice versa.

Not only will that lead to collisions, it would also be dangerous,
especially if you're not using AD, but stand-alone Windows machines.
Assuming this scenario:

  WindowsMachine1
                   <---> NFSServer
  WindowsMachine2

The SIDs on the two machines are different, and the RIDs on both
machines are not necessarily the same for the same physical user,
even if the username is the same.  And even *iff* the RIDs for
an account of the same name is the same on both machines, the iron
rule is: if the SID is different, it's another user.

So whatever you do, you need some kind of mapping instance.


Corinna

More information about the Cygwin-developers mailing list