Delivered-To: darwin-kernel@lists.apple.com

On Thu, 20 Nov 2008, Terry Lambert wrote:

[good stuff snipped]

> So if I have an ACE I am trying to set, since the storage format *happens* to be GUID, then we translate the integer for the gid and uid of the current credential into a GUID for the purposes of storage.
>
> For the purposes of comparison on lookup, we then convert the current credential into a GUID (in general, the uid, since that is the primary identity in a credential), and compare the GUID to the GUID in the ACE. This is handled in xnu in bsd/kern/kern_authorization.c:kauth_acl_evaluate().
>
> Although there are support functions for translating the other direction, e.g. kauth_cred_guid2uid() and kauth_cred_guid2gid(), no one uses them, and I would, in fact, like to keep things that way. The only exception to this is that kauth_cred_guid2gid() is used by kauth_cred_ismember_guid() when attempting to set a group owner on a file. This use is poorly supported by the rest of the code and should be avoided.

Ok, thanks to the help you guys have provided, I've been able to code most of it. I have run into one more glitch w.r.t. handling ace_applicable when setting an ACL.

If kauth_wellknown_guid() returns KAUTH_WKG_NOT, I have an ace_applicable that I need to turn into:

    name@dns.domain

and to do that, I need to know:

- is it a user or group?

Once I know that, I can use kauth_cred_guid2uid() or kauth_cred_guid2gid(). (I know you say you'd rather they not be used, but I don't see another way.)

From looking at kern_credential.c, all I can think of is doing kauth_cred_guid2gid() first and assuming it is a group if it succeeds. (Which won't work if a given guid_t represents both a gid and uid.)

Any suggestions on how to handle this?

Thanks in advance for any help, rick

_______________________________________________
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a...
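The two translation directions discussed above, modelled in user space as an added example (this is not xnu code and not code from either poster). The identity table, the names and the GUID byte values are constructed for illustration; `guid2uid()`/`guid2gid()` follow the return contract of `kauth_cred_guid2uid()`/`kauth_cred_guid2gid()` (0 on success, an errno otherwise) but are not those functions. The third table row has one GUID bound to both a uid and a gid, the case rick's "try guid2gid() first" strategy cannot distinguish; the forward direction that `kauth_acl_evaluate()` uses never has to ask the question.

```c
/* Added example, not xnu code: a user-space model of the GUID <-> uid/gid
 * translations discussed in the thread. The table, names and GUID bytes
 * are constructed for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef struct { uint8_t g_guid[16]; } guid_t;   /* same shape as kauth's guid_t */

enum id_type { ID_NONE = 0, ID_UID = 1, ID_GID = 2, ID_BOTH = ID_UID | ID_GID };

struct ident {
    guid_t       guid;
    enum id_type type;   /* which kinds of id the resolver bound this GUID to */
    uid_t        uid;    /* valid when (type & ID_UID) */
    gid_t        gid;    /* valid when (type & ID_GID) */
    const char  *name;   /* the name@dns.domain form an NFSv4 ACE carries */
};

/* Constructed identity table. The last row models a resolver that hands out
 * one GUID for both a user and that user's personal group. */
static const struct ident table[] = {
    { {{0xA1}}, ID_UID,  501,   0, "alice@example.com" },
    { {{0xB2}}, ID_GID,    0,  20, "staff@example.com" },
    { {{0xC3}}, ID_BOTH, 502, 502, "bob@example.com"   },
};
#define NIDENT (sizeof table / sizeof table[0])

static int guid_equal(const guid_t *a, const guid_t *b)
{
    return memcmp(a->g_guid, b->g_guid, sizeof a->g_guid) == 0;
}

static const struct ident *lookup_guid(const guid_t *g)
{
    for (size_t i = 0; i < NIDENT; i++)
        if (guid_equal(&table[i].guid, g)) return &table[i];
    return NULL;
}

/* Reverse direction, same contract as kauth_cred_guid2uid()/guid2gid():
 * 0 on success, ENOENT when the GUID is not bound to that kind of id. */
int guid2uid(const guid_t *g, uid_t *uidp)
{
    const struct ident *id = lookup_guid(g);
    if (id == NULL || !(id->type & ID_UID)) return ENOENT;
    *uidp = id->uid;
    return 0;
}

int guid2gid(const guid_t *g, gid_t *gidp)
{
    const struct ident *id = lookup_guid(g);
    if (id == NULL || !(id->type & ID_GID)) return ENOENT;
    *gidp = id->gid;
    return 0;
}

/* The strategy rick proposes: call guid2gid() first and treat success as
 * "group". Right for GUIDs bound to one kind of id; silently drops the uid
 * binding of a GUID that is bound to both. */
enum id_type classify_gid_first(const guid_t *g)
{
    gid_t gid; uid_t uid;
    if (guid2gid(g, &gid) == 0) return ID_GID;
    if (guid2uid(g, &uid) == 0) return ID_UID;
    return ID_NONE;
}

/* What the question actually needs: the resolver's own record of what the
 * GUID is, returned alongside the id(s). */
enum id_type classify_resolver(const guid_t *g, uid_t *uidp, gid_t *gidp)
{
    const struct ident *id = lookup_guid(g);
    if (id == NULL) return ID_NONE;
    if (id->type & ID_UID) *uidp = id->uid;
    if (id->type & ID_GID) *gidp = id->gid;
    return id->type;
}

/* Forward direction, as kauth_acl_evaluate() does it: map the credential's
 * ids to GUIDs and compare with the GUID stored in the ACE. No "user or
 * group?" question arises, even for the ambiguous GUID. */
static int id2guid(enum id_type kind, uid_t id, guid_t *out)
{
    for (size_t i = 0; i < NIDENT; i++) {
        if (!(table[i].type & kind)) continue;
        if ((kind == ID_UID ? table[i].uid : table[i].gid) != id) continue;
        *out = table[i].guid;
        return 0;
    }
    return ENOENT;
}

int ace_applies_to_cred(const guid_t *ace_guid, uid_t cr_uid,
                        const gid_t *groups, size_t ngroups)
{
    guid_t g;
    if (id2guid(ID_UID, cr_uid, &g) == 0 && guid_equal(&g, ace_guid)) return 1;
    for (size_t i = 0; i < ngroups; i++)
        if (id2guid(ID_GID, groups[i], &g) == 0 && guid_equal(&g, ace_guid)) return 1;
    return 0;
}

int main(void)
{
    static const char *names[] = { "none", "uid", "gid", "uid+gid" };
    const gid_t staff[] = { 20 }, bobgrp[] = { 502 };
    for (size_t i = 0; i < NIDENT; i++) {
        uid_t u = 0; gid_t gd = 0;
        printf("%-18s gid-first: %-8s resolver: %s\n", table[i].name,
               names[classify_gid_first(&table[i].guid)],
               names[classify_resolver(&table[i].guid, &u, &gd)]);
    }
    printf("bob's ACE applies to uid 502: %d, to a member of gid 502: %d\n",
           ace_applies_to_cred(&table[2].guid, 502, staff, 1),
           ace_applies_to_cred(&table[2].guid, 501, bobgrp, 1));
    return 0;
}
```

The point the model makes is that a bare guid_t carries no type; the only reliable answer comes from whatever resolved it, which is why the reverse-direction helpers are awkward in the kernel. In user space on macOS the resolver does report this: `mbr_uuid_to_id()` in `<membership.h>` returns the id together with an `id_type` out-parameter (`ID_TYPE_UID` or `ID_TYPE_GID`), which is the shape `classify_resolver()` above imitates.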