Sun Microsystems
Systems Architecture Committee
_________________________________________________________________

Subject:       Unified POSIX and Windows Credentials for Solaris
Submitted by:  Mike Shapiro
File:          PSARC/2007/064/opinion.ms
Date:          March 14th, 2007
Committee:     Gary Winiger, Kais Belgaied, James Carlson,
               Glenn Skinner, Bill Sommerfeld.
Product Approval Committee:
               Solaris PAC
               solaris-pac-opinion@sun.com

1. Summary

This project is an overview of and proposal for accommodating
non-POSIX identities in Solaris with minimum disruption to all
existing interfaces. It provides a baseline upon which to evaluate
other projects including those in [1] section 19.

2. Decision & Precedence Information

This project is approved as specified in references [1], [2] and [3],
but as modified by the required technical changes listed in
Appendix A below.

By itself, this project defines no concrete deliverables. Subprojects
in [1] section 19 are expected to modify types uid_t and gid_t to
allow for use of values in the range [0x80000000:0xfffffffe]. Such
modification may be delivered in a minor release of Solaris.

PSARC/2007/064        Copyright 2007 Sun Microsystems

3. Interfaces

The project exports the following interfaces.

 _______________________________________________________
|                  Interfaces Exported                  |
|___________|________________|__________________________|
| Interface | Classification | Comments                 |
|___________|________________|__________________________|
| uid_t     | Committed      | type change to unsigned  |
| gid_t     | Committed      | type change to unsigned  |
|___________|________________|__________________________|

4. Opinion

The majority of the discussion involved the impact on the Solaris
Community with respect to "negative" User and Group identifiers. The
materials [1] and [3] provide an analysis of the impact. That analysis
led the committee to accept that it is unlikely that existing Sun and
third party executables will experience a change in behavior.

4.1. Standards

The project team has documented in [1] section 10 how the relevant
programming interface (API) standards provide vendor latitude in
values used for user and group identifier types uid_t and gid_t. The
API standards require these be integral types. Analysis the project
team provided shows that existing programs written to conform to the
POSIX, Single UNIX* Specification, System V Interface Definition,
Third Edition and X/Open Portability Guide standards are expected to
continue to run correctly.

However, relevant Application Binary Interface (ABI) standards such as
the System V ABI for Intel386(TM) and SPARC(TM) as well as the SPARC
Compliance Definition, require that uid_t and gid_t types be signed
long.

Binary compatibility is preserved for existing application binaries.
The project team cannot know the complete set of Solaris applications
that may be affected by recompilation. Incompatibilities may occur
either due to the type change or assumptions about the nature of uid_t
or gid_t values. The business plan required by the project that
integrates the type change is intended to mitigate the impact on third
party applications. See 6. Advisory Information below.

* UNIX is a registered trademark of The Open Group in the U.S. and
  other countries.

4.2. Ephemeral User and Group IDs

This project proposes two ranges for user and group IDs. The legacy
POSIX range is defined in Solaris as the "positive" 32 bit integers
[0x0:0x7fffffff] and -1, and an ephemeral range is defined as the
"negative" 32 bit integers [0x80000000:0xfffffffe].

The ephemeral range is intended to be used to map Microsoft Security
Identifiers (SIDs) [4] to 32 bit integers for use in Solaris uid_t and
gid_t fields. Mappings are intended to be performed by the Winchester:
Schema Mapping and ID Mapping for AD Interoperability (PSARC/2006/315)
project.

4.3. Updated 20 Questions

To assist project teams and the ARC in understanding and assessing the
impact of changing user and group ID types, this project will update
the PSARC 20 questions.

4.4. Sentinel User and Group IDs

Standard interfaces setreuid(2) and setregid(2) specify -1 as a
sentinel value. The value -1 is not included in the set of ephemeral
identifiers. Additionally, some Solaris components have internally
used other sentinel user and/or group identifiers. Until the impact on
these components is verified, any implementation of ephemeral
identifiers will reserve the -2 and -3 ephemeral values. In
particular, the NFS subsystem defines NFS_UID_NOBODY and
NFS_GID_NOBODY as -2 in versions 2 and 3; the Solaris Audit subsystem
uses (uid_t)-1, (uid_t)-2 and (uid_t)-3 as sentinel values.

5. Minority Opinion(s)

None.

6. Advisory Information

6.1. Advice for Subprojects

During the discussion a number of points of advice for the proposed
subprojects were identified:

o  The CIFS Service (PSARC/2006/715) project will need to modify PAX.

o  The project that integrates the type change to uid_t and gid_t will
   need to provide developer documentation for how to deal with the
   type change. Furthermore, a business plan for how to handle ISVs
   who may have problems with their code must be presented.

o  The project that integrates the type change must audit the use of
   uid_t and gid_t over as broad a code base as possible to ensure
   that ephemeral IDs do not cause a change in existing binary
   behavior.

6.2. Risks to Existing Code

The Product Approval Committee is advised that acceptance of this
project and its subprojects may pose unforeseen binary
incompatibilities. Appropriate business plans need to be in place to
mitigate any incompatibility.

6.3. ABI Standards

The Product Approval Committee is advised that acceptance of this
project and its subprojects places Solaris in violation of ABI
standards. See 4.1. Standards above. Revision of the relevant
standards may be desirable. 7.1. Technical Changes Required below and
the business plan above are intended as mitigation.

7. Appendices

7.1. Appendix A: Technical Changes Required

1. Type changes for uid_t and gid_t may not be integrated unless all
   of the official generic and processor specific SPARC ABI
   conformance tests for the System V ABI pass. Equivalent tests are
   not defined for x86 and x64 systems [5]. The list of tests is:

   o  SCD version 2.4.1.

   o  gABI version 2.1.

   o  psABI version 2.1.

   If the tests all pass successfully or all pass after any newly
   discovered bugs are fixed, then the type changes are accepted and
   may be integrated. If an unresolvable test issue is discovered, the
   project team must return to ARC to discuss an appropriate
   resolution, including discussing the relative merits of leaving the
   types alone (i.e., "negative" values for ephemeral IDs) versus
   documenting a difference with respect to the ABI document (and thus
   conforming to the language of POSIX with respect to non-negative
   values).

7.2. Appendix B: Technical Changes Advised

None.

7.3. Appendix C: Reference Material

Unless stated otherwise, path names are relative to the case directory
PSARC/2007/064.

1. Project Specification
   File: commit.materials/spec.txt

2. Update to PSARC 20 Questions
   File: commit.materials/20questions.new

3. Answers to issues
   File: issues

4. Microsoft Security Identifiers
   http://technet2.microsoft.com/WindowsServer/en/library/86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx?mfr=true

5. Discussion of ABI conformance tests
   File: x86x64-ABI
   File: mail
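
Added example (not part of the opinion, and not Solaris or project code): the ranges of section 4.2 and the sentinels of section 4.4 expressed as a classifier, next to the "negative means invalid" idiom that the audit advised in section 6.1 would need to find. The names xid_t, id_class, classify_id, legacy_is_valid and checked_is_valid are hypothetical, and xid_t is only a stand-in for the unsigned 32-bit type.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for uid_t/gid_t after the change to unsigned 32 bits
 * (an assumption of this example, not the Solaris definition). */
typedef uint32_t xid_t;

enum id_class { ID_POSIX, ID_EPHEMERAL, ID_RESERVED, ID_SENTINEL };

/* Classify a value using the ranges in 4.2 and the sentinels in 4.4. */
static enum id_class classify_id(xid_t id)
{
    if (id == (xid_t)-1)                     /* setreuid(2)/setregid(2) sentinel */
        return ID_SENTINEL;
    if (id == (xid_t)-2 || id == (xid_t)-3)  /* NFS nobody, audit sentinels */
        return ID_RESERVED;
    if (id <= 0x7fffffffu)                   /* legacy POSIX range */
        return ID_POSIX;
    return ID_EPHEMERAL;                     /* rest of 0x80000000..0xfffffffe */
}

/* Idiom written against a signed 32-bit uid_t: negative means invalid.
 * It rejects every ephemeral ID; recompiled against an unsigned type the
 * same test (id >= 0) is always true and would accept the -1 sentinel. */
static int legacy_is_valid(int32_t id) { return id >= 0; }

/* Check that does not depend on signedness: only POSIX and unreserved
 * ephemeral values name an identity. */
static int checked_is_valid(xid_t id)
{
    enum id_class c = classify_id(id);
    return c == ID_POSIX || c == ID_EPHEMERAL;
}

int main(void)
{
    /* Constructed sample values, not taken from any real system. */
    const xid_t samples[] = { 0u, 0x7fffffffu, 0x80000000u, 0xfffffffcu,
                              0xfffffffdu, 0xfffffffeu, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x class=%d legacy=%d checked=%d\n", (unsigned)samples[i],
               (int)classify_id(samples[i]),
               legacy_is_valid((int32_t)samples[i]),
               checked_is_valid(samples[i]));
    return 0;
}
```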