Aegis 4.25
Windows NT

Aegis depends on the underlying security provided by the operating system (rather than re-inventing yet another security mechanism). However, in order to do this, Aegis uses the POSIX seteuid system call, which has no direct equivalent on Windows NT. This makes porting difficult. Single-user ports are possible (e.g. using Cygwin), but are not usually what folks want.

Compounding this is the fact that many sites want to develop their software for both Unix and Windows NT simultaneously. This means that the security of the repository needs to be guaranteed to be handled in the same way by both operating systems, otherwise one can act as a “back door” into the repository. Many sites do not have the same users and permissions (sourced from the same network register of users) on both Unix and Windows NT, making the mapping almost impossible even if the security models did actually correspond.

Most sites using Aegis and Windows NT together do so by running Aegis on the Unix systems, but building and testing on the NT systems. The work areas and repository are accessed via Samba or NFS.
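To make the seteuid dependency above concrete, here is an added illustration (not Aegis's own code) of the privilege-bracketing pattern a set-uid Unix program uses: the effective uid is raised to the repository owner only around repository access and dropped back to the invoking user otherwise. The helper names with_repo_privs and record_euid are assumed for this example.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Privilege bracketing for a binary installed set-uid to the repository
 * owner: the real uid is the invoking user's, the saved uid is the owner's.
 * The effective uid is switched to repo_uid only for the duration of fn()
 * and restored afterwards.  Returns fn()'s result, or -1 if the effective
 * uid could not be raised.  Hypothetical helper, not Aegis code.
 */
int with_repo_privs(uid_t repo_uid, int (*fn)(void *), void *arg)
{
    uid_t caller = getuid();            /* real uid: who ran the command */
    int rc;

    if (seteuid(repo_uid) != 0)
        return -1;                      /* fail closed, no silent fallback */

    rc = fn(arg);

    /* The restore must be checked as well: if it failed and the program
     * carried on, everything after this point would run as the owner. */
    if (seteuid(caller) != 0) {
        perror("seteuid(restore)");
        _exit(1);
    }
    return rc;
}

/* Sample callback: records which effective uid the bracketed code saw. */
int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    /* Stand-alone demo: bracket with our own uid, which always succeeds. */
    if (with_repo_privs(getuid(), record_euid, &seen) != 0)
        return 1;
    printf("inside: euid=%lu, after: euid=%lu\n",
           (unsigned long)seen, (unsigned long)geteuid());
    return 0;
}
```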


Native Port Considerations

Caveat: I am not an NT security expert and I have never written NT programs, except via Cygwin. If I'm talking rubbish, please let me know.

If you have expertise in this area, and can offer a solution please let me know. This is an open source project, code is always welcome.

Cygwin possibilities

One of the more tempting approaches is to use the seteuid support described in http://www.cygwin.com/cygwin-ug-net/ntsec.html

This approach has two problems:

1. The example prompts the user for a password. This is not acceptable, because they aren't supposed to know it! I hope there is another way.

2. It says "An important restriction is that the application using LogonUser must have special permissions: Act as part of the operating system, Replace process level token, Increase quotas" but it doesn't say how you grant these permissions specifically to an application without granting them to a user. (This is precisely what the UNIX set-uid bit does.) As far as I know, this is impossible on Windows NT.

Server possibilities

The best idea I've seen so far is that when the system starts, it starts Aegis as a server with the appropriate permissions (I'm told this is possible, I don't know how, myself) and then the "aegis" command simply contacts the server process and passes on the command line and executing user's security token. The server process can then impersonate any user required.

If you have the necessary expertise to make this work I would like to hear from you.

File share issue

There is a big problem with file shares, since the user password often has to be sent to the file server. Using the Cygwin possibility, the user doesn't know the password of any other user. Using the server possibility, the server doesn't know the password of any user.

You may have to integrate changes on the file server itself.


The beautiful graphics on this web site are by Grégory Delattre.