[OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-15 Thread Frank Lahm
Hi all, I'm having difficulties with Solaris privileges and seteuid(). I have a forking daemon process running as root. The process is afpd from the Netatalk (OS AFP fileserver). The main afpd process accepts network connections, authenticates users (through PAM) and forks and runs seteuid(USER)

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-15 Thread Mohamed Khalfella
First of all, I am not an expert in OpenIndiana but if I were you I would try using dtrace to show which functions get called in response to the fchown syscall (I assume you are not running a highly loaded production system yet so we can enable fbt safely) #!/usr/sbin/dtrace -s #pragma D option flowin

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread Frank Lahm
2012/8/16 Mohamed Khalfella : > First of all, I am not expert in Openindiana but if I were you I would try > using dtrace to show which function get called in response to fchown > syscall (I assume you are not running a highly loaded production system yet > so we can enable fbt safely) > > #!/u

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread James Relph
Hi Frank, > ... > To prevent aliasing problems, all file systems, archive and > backup formats, and protocols must store SIDs or map all > UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody > user and group. > ... > I guess my question from that after seeing wh

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread Frank Lahm
Hi James, 2012/8/16 James Relph : >> ... >> To prevent aliasing problems, all file systems, archive and >> backup formats, and protocols must store SIDs or map all >> UIDs and GIDs in the 2^31 to 2^32 - 2 range to the nobody >> user and group. >> ... >> > > I guess my q

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread James Relph
>> > I haven't wrapped my head around what Gea tried to describe, so I > can't really comment on that but afaict it's woolly thinking (tm). > Shoop! > However, I think I was able to solve the problem described here (it > seems seteuid(0) is not enough if your effective gid is an ephemeral > one,

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread Gordon Ross
On Thu, Aug 16, 2012 at 2:01 PM, James Relph wrote: [...] > That's interesting, although it'll give me a headache trying to work out > which method would be best (definitely pluses and minuses to the built-in > method, and to SAMBA). The ephemeral mappings are the bit that is somewhat > confus

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread alka
thank you Gordon This API call is the missing link. With the help of this it is possible to use the ephemeral UID of an AD user from the idmap cache to request the according SID and write it together with file to be compatible with CIFS. Question: The "real" Unix UID of a file, written with CI

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-16 Thread alka
addition: I think, you do not these this API really during normal use. If you set ACLs via chmod, you use the current ephemeral UID and it seems to be translated automatically to the according SID. (I am not an OS developer but try to understand if my "best of all" is reachable) Am 17.08.2012 u

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-17 Thread James Relph
Yes, ephemeral IDs are temporary representations of Security Identifiers (SIDs). The idmapd(1m) daemon maintains these in a cache, with time-to-live (TTL) based expiration. There's a library API for turning an ephemeral ID back into a SID - see: idmap_get_sidbyuid http://src.illumos.org/

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-17 Thread Frank Lahm
2012/8/17 James Relph : > Yes, ephemeral IDs are temporary representations of Security > Identifiers (SIDs). The idmapd(1m) daemon maintains these in a cache, > with time-to-live (TTL) based expiration. There's a library API for > turning an ephemeral ID back into a SID - see: idmap_get_sid

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-20 Thread Gordon Ross
On Fri, Aug 17, 2012 at 5:44 AM, Frank Lahm wrote: > 2012/8/17 James Relph : [...] >> >> Thanks very much for that confirmation, really doesn't seem obvious in a lot >> of the documentation! I don't have a system handy to test today (will do >> over the weekend) but I'll try and get a better id

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-21 Thread Jim Klimov
2012-08-21 2:18, Gordon Ross writes: On Fri, Aug 17, 2012 at 5:44 AM, Frank Lahm wrote: 2012/8/17 James Relph : [...] Thanks very much for that confirmation, really doesn't seem obvious in a lot of the documentation! I don't have a system handy to test today (will do over the weekend) but

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-21 Thread Frank Lahm
2012/8/21 Gordon Ross : > On Fri, Aug 17, 2012 at 5:44 AM, Frank Lahm wrote: >> 2012/8/17 James Relph : > [...] >>> >>> Thanks very much for that confirmation, really doesn't seem obvious in a >>> lot of the documentation! I don't have a system handy to test today (will >>> do over the weekend)

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-22 Thread James Relph
> Really? Where is your evidence? I don't think I've ever seen one > change except after a reboot. > The cache TTL for idmap is only 10 minutes from what I've seen ( http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ). I read somewhere (sorry, can't find the source a

Re: [OpenIndiana-discuss] Solaris privileges and seteuid()

2012-08-29 Thread James Relph
> The cache TTL for idmap is only 10 minutes from what I've seen ( > http://fxr.watson.org/fxr/source/common/idmap/idmap_cache.c?v=OPENSOLARIS ). > I read somewhere (sorry, can't find the source at the moment) that while a > user is logged in their ephemeral UID won't change, but that may only
