authorGordon Ross <gwr@racktopsystems.com>2016-07-11 13:28:40 -0700
committerToomas Soome <tsoome@me.com>2022-10-13 18:47:01 +0300
commitfab57d1b740f6df905ebda23c9345ef88a7a046a (patch)
treefbac1e573035126dcb1ce6cb438ab311e04cf25f /usr/src
parent3cdfcc971afcfbc67664057ef3e59e02fb78871d (diff)
15027 The ls command should show SIDs instead of ephemeral IDs
Reviewed by: Matt Barden <mbarden@tintri.com> Reviewed by: Sam Zaydel <szaydel@racktopsystems.com> Reviewed-by: Jerry Jelinek <gjelinek@racktopsystems.com> Portions contributed by: Rick Mesta <rick.mesta@nexenta.com> Reviewed by: Evan Layton <evan.layton@nexenta.com> Approved by: Dan McDonald <danmcd@mnx.io>
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/ls/ls.c129
-rw-r--r--usr/src/lib/libsec/common/acltext.c49
-rw-r--r--usr/src/lib/libsec/common/aclutils.h3
-rw-r--r--usr/src/lib/libsec/common/mapfile-vers3
-rw-r--r--usr/src/man/man1/ls.115
5 files changed, 168 insertions, 31 deletions
diff --git a/usr/src/cmd/ls/ls.c b/usr/src/cmd/ls/ls.c
index 0479e6a46c..bdcf162522 100644
--- a/usr/src/cmd/ls/ls.c
+++ b/usr/src/cmd/ls/ls.c
@@ -23,6 +23,7 @@
* Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, Joyent, Inc. All rights reserved.
* Copyright 2015 Gary Mills
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
* Copyright 2020 Peter Tribble
*/
@@ -233,6 +234,8 @@ static struct lbuf **flist; /* ptr to list of lbuf pointers */
static struct lbuf *gstat(char *, int, struct ditem *);
static char *getname(uid_t);
static char *getgroup(gid_t);
+static char *getusid(uid_t);
+static char *getgsid(gid_t);
static char *makename(char *, char *);
static void pentry(struct lbuf *);
static void column(void);
@@ -1279,20 +1282,36 @@ pentry(struct lbuf *ap)
(void) putchar(p->acl);
curcol++;
+ /*
+ * When handling owner/group options (-o -g) note -n:
+ * With no -n options, getname/getroup converts any
+ * ephemeral IDs to a winname (if possible) or a SID.
+ * With just one -n option, convert ephemeral IDs to SIDs
+ * With two or more -n options, show the ephemeral ID
+ * (which is a lot less helpful than the SID).
+ */
curcol += printf("%3lu ", (ulong_t)p->lnl);
if (oflg) {
- if (!nflg) {
+ if (nflg == 0) {
cp = getname(p->luid);
curcol += printf("%-8s ", cp);
- } else
+ } else if (nflg == 1 && p->luid > MAXUID) {
+ cp = getusid(p->luid);
+ curcol += printf("%-8s ", cp);
+ } else {
curcol += printf("%-8lu ", (ulong_t)p->luid);
+ }
}
if (gflg) {
- if (!nflg) {
+ if (nflg == 0) {
cp = getgroup(p->lgid);
curcol += printf("%-8s ", cp);
- } else
+ } else if (nflg == 1 && p->lgid > MAXUID) {
+ cp = getgsid(p->lgid);
+ curcol += printf("%-8s ", cp);
+ } else {
curcol += printf("%-8lu ", (ulong_t)p->lgid);
+ }
}
if (p->ltype == 'b' || p->ltype == 'c') {
curcol += printf("%3u, %2u",
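Review bot: The new block comment misspells the helper as `getroup` (it should read `getname/getgroup`) and sits above the link-count `printf` rather than above the `if (oflg)` it describes; moving it down one statement keeps it next to the owner/group logic. With a single `-n`, SIDs go through `%-8s `, and a SID string is well over eight characters, so owner and group columns will not line up for ephemeral IDs (`curcol` stays correct because it adds printf's return value). The branches also depend on `nflg` being a count rather than a flag; the option parsing is outside this hunk, so confirm it increments. pentry's body starts and ends outside the hunk.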
@@ -1427,7 +1446,16 @@ pentry(struct lbuf *ap)
if (vflg) {
new_line();
if (p->aclp) {
- acl_printacl(p->aclp, num_cols, Vflg);
+ int pa_flags = 0;
+
+ if (Vflg)
+ pa_flags |= ACL_COMPACT_FMT;
+ if (nflg)
+ pa_flags |= ACL_NORESOLVE;
+ if (nflg < 2)
+ pa_flags |= ACL_SID_FMT;
+
+ acl_printacl2(p->aclp, num_cols, pa_flags);
}
}
/* Free extended system attribute lists */
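Review bot: The three flag tests carry no comment, and `if (nflg < 2)` sets `ACL_SID_FMT` even when `-n` is not given at all, which is easy to misread as a mistake. A one-line comment would tie it to the -n rules stated earlier in pentry, for example `/* no -n: names or SIDs; -n: SIDs only; -nn: raw ephemeral IDs */`. The ACL_* flags are defined outside this hunk, so the wording should be checked against libsec before it goes in.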
@@ -2162,25 +2190,18 @@ makename(char *dir, char *file)
return (dfile);
}
-
-#include <pwd.h>
-#include <grp.h>
-#include <utmpx.h>
-
-struct utmpx utmp;
-
-#define NMAX (sizeof (utmp.ut_name))
-#define SCPYN(a, b) (void) strncpy(a, b, NMAX)
-
+#define NMAX 256 /* The maximum size of a SID in string format */
+#define SCPYN(a, b) (void) strlcpy(a, b, NMAX)
struct cachenode { /* this struct must be zeroed before using */
struct cachenode *lesschild; /* subtree whose entries < val */
struct cachenode *grtrchild; /* subtree whose entries > val */
long val; /* the uid or gid of this entry */
int initted; /* name has been filled in */
- char name[NMAX+1]; /* the string that val maps to */
+ char name[NMAX]; /* the string that val maps to */
};
static struct cachenode *names, *groups;
+static struct cachenode *user_sids, *group_sids;
static struct cachenode *
findincache(struct cachenode **head, long val)
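Review bot: `SCPYN` now truncates silently: `strlcpy` guarantees termination, but the `(void)` cast discards the return value that reports truncation. The same 256-byte `name` field is filled from `pw_name`, `gr_name` and, in getname/getgroup, whatever `sid_string_by_id` returns with resolution enabled, which per the pentry comment may be a Windows name rather than a SID, so the `NMAX` comment understates what the buffer holds. A truncated owner string is indistinguishable from a complete one in the listing; consider testing `strlcpy(a, b, NMAX) >= NMAX` and falling back to the numeric form, or at least rewording the comment. The removed `#include` lines are presumably supplied at the top of the file, outside this hunk.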
@@ -2215,19 +2236,28 @@ findincache(struct cachenode **head, long val)
/*
* get name from cache, or passwd file for a given uid;
* lastuid is set to uid.
+ *
+ * If an ephemeral UID (> MAXUID) try to convert to either a
+ * name or a sid.
*/
static char *
getname(uid_t uid)
{
struct passwd *pwent;
struct cachenode *c;
+ char *sid;
if ((uid == lastuid) && lastuname)
return (lastuname);
c = findincache(&names, uid);
if (c->initted == 0) {
- if ((pwent = getpwuid(uid)) != NULL) {
+ sid = NULL;
+ if (uid > MAXUID &&
+ sid_string_by_id(uid, B_TRUE, &sid, 0) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else if ((pwent = getpwuid(uid)) != NULL) {
SCPYN(&c->name[0], pwent->pw_name);
} else {
(void) sprintf(&c->name[0], "%-8u", (int)uid);
@@ -2242,19 +2272,28 @@ getname(uid_t uid)
/*
* get name from cache, or group file for a given gid;
* lastgid is set to gid.
+ *
+ * If an ephemeral GID (> MAXUID) try to convert to either a
+ * name or a sid.
*/
static char *
getgroup(gid_t gid)
{
struct group *grent;
struct cachenode *c;
+ char *sid;
if ((gid == lastgid) && lastgname)
return (lastgname);
c = findincache(&groups, gid);
if (c->initted == 0) {
- if ((grent = getgrgid(gid)) != NULL) {
+ sid = NULL;
+ if (gid > MAXUID &&
+ sid_string_by_id(gid, B_FALSE, &sid, 0) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else if ((grent = getgrgid(gid)) != NULL) {
SCPYN(&c->name[0], grent->gr_name);
} else {
(void) sprintf(&c->name[0], "%-8u", (int)gid);
@@ -2266,6 +2305,60 @@ getgroup(gid_t gid)
return (lastgname);
}
+/*
+ * get SID from cache, or from idmap for a given (ephemeral) uid;
+ *
+ * Always an ephemeral UID (> MAXUID) here.
+ * Just convert to a SID (no winname lookup)
+ */
+static char *
+getusid(uid_t uid)
+{
+ struct cachenode *c;
+ char *sid;
+
+ c = findincache(&user_sids, uid);
+ if (c->initted == 0) {
+ sid = NULL;
+ if (sid_string_by_id(uid, B_TRUE, &sid, ACL_NORESOLVE) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else {
+ (void) sprintf(&c->name[0], "%-8u", (int)uid);
+ }
+ c->initted = 1;
+ }
+
+ return (&c->name[0]);
+}
+
+/*
+ * get SID from cache, or from idmap for a given (ephemeral) gid;
+ *
+ * If an ephemeral UID (> MAXUID) try to convert to a SID
+ * (no winname lookup here)
+ */
+static char *
+getgsid(gid_t gid)
+{
+ struct cachenode *c;
+ char *sid;
+
+ c = findincache(&group_sids, gid);
+ if (c->initted == 0) {
+ sid = NULL;
+ if (sid_string_by_id(gid, B_FALSE, &sid, ACL_NORESOLVE) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else {
+ (void) sprintf(&c->name[0], "%-8u", (int)gid);
+ }
+ c->initted = 1;
+ }
+
+ return (&c->name[0]);
+}
+
/* return >0 if item pointed by pp2 should appear first */
static int
compar(struct lbuf **pp1, struct lbuf **pp2)
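Review bot: getusid() and getgsid() pass `ACL_NORESOLVE` as the fourth argument of `sid_string_by_id`, which is declared with `boolean_t noresolve`; a flag bit only works there while the callee tests for non-zero instead of comparing with `B_TRUE`. Prefer `sid_string_by_id(uid, B_TRUE, &sid, B_TRUE)` here, and `B_FALSE` in place of the bare `0` that getname/getgroup pass in the earlier hunks. The header comment on getgsid still says "If an ephemeral UID (> MAXUID) try to convert"; it should mirror getusid with `Always an ephemeral GID (> MAXUID) here.` The trailing `compar` definition continues outside the hunk.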
diff --git a/usr/src/lib/libsec/common/acltext.c b/usr/src/lib/libsec/common/acltext.c
index 42a31ad995..9c9953c896 100644
--- a/usr/src/lib/libsec/common/acltext.c
+++ b/usr/src/lib/libsec/common/acltext.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 1993, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
*/
/*LINTLIBRARY*/
@@ -172,6 +172,15 @@ getsidname(uid_t who, boolean_t user, char **sidp, boolean_t noresolve)
return (*sidp ? 0 : 1);
}
+/*
+ * sid_string_by_id() is an exposed interface via -lsec
+ */
+int
+sid_string_by_id(uid_t who, boolean_t user, char **sidp, boolean_t noresolve)
+{
+ return (getsidname(who, user, sidp, noresolve));
+}
+
static void
aclent_printacl(acl_t *aclp)
{
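Review bot: The comment on `sid_string_by_id` says only that it is exported, but a library entry point needs its contract written down. From the context line `return (*sidp ? 0 : 1);` it returns 0 on success and 1 on failure, and the ls.c callers `free()` the returned string, so ownership passes to the caller. I would expand the comment to state the return values, that `*sidp` must be freed by the caller, and what `user` and `noresolve` select. getsidname's body is outside the hunk, so the allocation details should be confirmed there.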
@@ -729,10 +738,10 @@ ace_inherit_txt(dynaclstr_t *dstr, uint32_t iflags, int flags)
char *
aclent_acltotext(aclent_t *aclp, int aclcnt, int flags)
{
- dynaclstr_t *dstr;
+ dynaclstr_t *dstr;
char *aclexport = NULL;
int i;
- int error = 0;
+ int error = 0;
if (aclp == NULL)
return (NULL);
@@ -884,7 +893,7 @@ ace_acltotext(acl_t *aceaclp, int flags)
int i;
int error = 0;
int isdir = (aceaclp->acl_flags & ACL_IS_DIR);
- dynaclstr_t *dstr;
+ dynaclstr_t *dstr;
char *aclexport = NULL;
char *rawsidp = NULL;
@@ -1028,7 +1037,7 @@ acl_parse(const char *acltextp, acl_t **aclp)
}
static void
-ace_compact_printacl(acl_t *aclp)
+ace_compact_printacl(acl_t *aclp, int flgs)
{
int cnt;
ace_t *acep;
@@ -1050,7 +1059,7 @@ ace_compact_printacl(acl_t *aclp)
dstr->d_aclexport[0] = '\0';
dstr->d_pos = 0;
- if (ace_type_txt(dstr, acep, 0))
+ if (ace_type_txt(dstr, acep, flgs))
break;
len = strlen(&dstr->d_aclexport[0]);
if (ace_perm_txt(dstr, acep->a_access_mask, acep->a_flags,
@@ -1070,18 +1079,18 @@ ace_compact_printacl(acl_t *aclp)
}
static void
-ace_printacl(acl_t *aclp, int cols, int compact)
+ace_printacl(acl_t *aclp, int cols, int flgs)
{
int slot = 0;
char *token;
char *acltext;
- if (compact) {
- ace_compact_printacl(aclp);
+ if (flgs & ACL_COMPACT_FMT) {
+ ace_compact_printacl(aclp, flgs);
return;
}
- acltext = acl_totext(aclp, 0);
+ acltext = acl_totext(aclp, flgs);
if (acltext == NULL)
return;
@@ -1111,15 +1120,33 @@ ace_printacl(acl_t *aclp, int cols, int compact)
* print a "slot" number.
*/
void
+acl_printacl2(acl_t *aclp, int cols, int flgs)
+{
+
+ switch (aclp->acl_type) {
+ case ACLENT_T:
+ aclent_printacl(aclp);
+ break;
+ case ACE_T:
+ ace_printacl(aclp, cols, flgs);
+ break;
+ }
+}
+
+/*
+ * Historical, compatibility version of the above.
+ */
+void
acl_printacl(acl_t *aclp, int cols, int compact)
{
+ int flgs = compact ? ACL_COMPACT_FMT : 0;
switch (aclp->acl_type) {
case ACLENT_T:
aclent_printacl(aclp);
break;
case ACE_T:
- ace_printacl(aclp, cols, compact);
+ ace_printacl(aclp, cols, flgs);
break;
}
}
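Review bot: `acl_printacl` and the new `acl_printacl2` now have identical switch bodies; the compatibility function can shrink to `acl_printacl2(aclp, cols, compact ? ACL_COMPACT_FMT : 0);` so the two cannot drift apart. `acl_printacl2` also forwards `flgs` unfiltered to `ace_printacl` and from there to `acl_totext`, so its comment should list which ACL_* flags callers may pass. The blank line after the opening brace of `acl_printacl2` can be dropped.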
diff --git a/usr/src/lib/libsec/common/aclutils.h b/usr/src/lib/libsec/common/aclutils.h
index e3e6d130f6..706d880e4b 100644
--- a/usr/src/lib/libsec/common/aclutils.h
+++ b/usr/src/lib/libsec/common/aclutils.h
@@ -22,6 +22,7 @@
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
* Copyright 2022 RackTop Systems, Inc.
*/
@@ -130,6 +131,7 @@ extern int acl_addentries(acl_t *, acl_t *, int);
extern int acl_removeentries(acl_t *, acl_t *, int, int);
extern int acl_modifyentries(acl_t *, acl_t *, int);
extern void acl_printacl(acl_t *, int, int);
+extern void acl_printacl2(acl_t *, int, int);
extern char *acl_strerror(int);
extern acl_t *acl_dup(acl_t *);
extern int acl_type(acl_t *);
@@ -142,6 +144,7 @@ extern int yyparse(void);
extern void yyreset(void);
extern void yycleanup(void);
extern acl_t *acl_to_aclp(enum acl_type, void *, int);
+extern int sid_string_by_id(uid_t, boolean_t, char **, boolean_t);
extern int sid_to_id(char *, boolean_t, uid_t *);
extern int sid_to_xid(char *, int *, uid_t *);
diff --git a/usr/src/lib/libsec/common/mapfile-vers b/usr/src/lib/libsec/common/mapfile-vers
index 87e9ea6019..3fb8b52e25 100644
--- a/usr/src/lib/libsec/common/mapfile-vers
+++ b/usr/src/lib/libsec/common/mapfile-vers
@@ -20,6 +20,7 @@
#
#
# Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2016 Nexenta Systems, Inc. All rights reserved.
#
#
@@ -83,10 +84,12 @@ SYMBOL_VERSION SUNWprivate_1.1 {
acl_modifyentries;
acl_parse;
acl_printacl;
+ acl_printacl2;
acl_removeentries;
acl_strerror;
acl_to_aclp;
acl_type;
+ sid_string_by_id;
sid_to_id;
local:
*;
diff --git a/usr/src/man/man1/ls.1 b/usr/src/man/man1/ls.1
index 952b65c845..bbd98e7556 100644
--- a/usr/src/man/man1/ls.1
+++ b/usr/src/man/man1/ls.1
@@ -43,7 +43,7 @@
.\" Copyright 1989 AT&T
.\" Portions Copyright (c) 1992, X/Open Company Limited All Rights Reserved
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
-.\" Copyright 2014 Nexenta Systems, Inc. All Rights Reserved.
+.\" Copyright 2016 Nexenta Systems, Inc. All Rights Reserved.
.\"
.TH LS 1 "Apr 25, 2020"
.SH NAME
@@ -1183,7 +1183,12 @@ Streams output format. Files are listed across the page, separated by commas.
.sp .6
.RS 4n
The same as \fB-l\fR, except that the owner's \fBUID\fR and group's \fBGID\fR
-numbers are printed, rather than the associated character strings.
+numbers are printed, rather than the associated character strings. For files
+which owner and/or group is a Windows Security Identifier (\fBSID\fR), \fB-n\fR
+suppresses any lookups for the Windows Name string and prints only the raw SID.
+Moreover, a second instance of this flag (\fB-nn\fR) can be used to further
+suppress \fBidmapd\fR(1M) lookups of the file's owner and/or group SID, thus
+forcing \fBls\fR into printing the raw ephemeral numeric identifiers.
.RE
.sp
@@ -2829,3 +2834,9 @@ overridden by the \fBLC_COLLATE\fR environment variable. For example, if
beginning with upper-case letters, then followed by names beginning with
lower-case letters. But if \fBLC_COLLATE\fR equals \fBen_US.ISO8859-1\fR, then
leading dots as well as case are ignored in determining the sort order.
+.sp
+.LP
+For additional information regarding Windows Security Identifiers, consult
+Microsoft support document, \fIWell-known security identifiers in Windows
+operating systems\fR, which can be found at Microsoft's support site:
+https://support.microsoft.com/en-us/kb/243330/.