public inbox for cygwin-apps@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin-apps@cygwin.com
Subject: Re: HEADSUP: New getent tool to read passwd and group data
Date: Fri, 21 Feb 2014 21:42:00 -0000
Message-ID: <20140221214200.GH2246@calimero.vinschen.de>
In-Reply-To: <02cb01cf2f4a$cbc90cf0$635b26d0$@ieee.org>

On Feb 21 16:20, Pierre A. Humblet wrote:
> > From:  Corinna Vinschen
> > > Corinna,
> > >
> > > For packages such as exim we need to find the uid of System and of
> > > Administrator, which the user can set any which way in passwd.
> > > So we lookup the SID (not the username) to get the uid (or gid).
> > 
> > The SID of the administrator or the SID of the administrators group?
> > The SID of the local administrator makes only marginal sense to me.
> > What do you need it for?
> 
> I mean the administrators group.
> It's needed for example to set the ownership of the configuration file.
> The daemon checks that the file is owned/writable only by privileged users.
> Similarly in cron the crontab files need to be readable by admins. cronbug checks for that.
>  
> > > Is there an equivalent mechanism using getent ?
> > > Else, could Cygwin disregard the passwd entries for these 2 users and use
> > > only the fixed values determined by the mapping from Windows?
> > 
> > You should not have to expect a name change for the SYSTEM and the
> > Administrators account.  It should be entirely sufficient to check for the user
> > Administrator and the user SYSTEM or +SYSTEM.  
> 
> Is that independent of local language?

SYSTEM, yes, Administrators, no, unfortunately.

> > If you really want to check
> > by SID, feel free to enumerate all accounts by just omitting the username and
> > scan for the SID you're looking for:
> 
> >   $ getent passwd | grep ',S-1-5-32-544:'
> > 
> >   $ getent group | grep ':S-1-5-18:'
> 
> OK, thanks, that will work. 
> We have had cases of people in very large organizations trying to build the password with mkpasswd -d and that ended up taking hours. Won't the above run into the same issue? This needs to run in postinstall.

It depends on the "db_enum" nsswitch.conf settings.  Did you read my
text about the change by any chance?  If not, see my latest version
here: http://cygwin.com/ml/cygwin/2014-02/msg00585.html

Yes, it might take time, even though the LDAP queries should be slightly
faster than the NetUserEnum call before.  Therefore it would make more
sense to check for the uid/gid values 18 and 544, IMHO.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
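
Added example (not part of the thread, and not Cygwin or exim code): a postinstall-style sh helper that follows the suggestion above to look up uid 18 and gid 544 directly rather than enumerating all accounts, then confirms the returned entry really carries the expected SID. It assumes getent accepts a numeric id as the key and that entries have the field layout implied by the grep patterns quoted above; `name_for_id`, `GETENT` and the commented path are hypothetical names.

```shell
#!/bin/sh
# Added example: keyed lookup of the well-known ids 18 (SYSTEM) and 544
# (Administrators) instead of enumerating every account.

# Lookup command; overridable for testing. Assumption: it accepts a
# numeric uid/gid as the key, as glibc getent does.
GETENT=${GETENT:-getent}

# name_for_id DB ID SID
# Prints the account name if entry ID in DB (passwd|group) carries SID,
# returns non-zero otherwise (no entry, or the id maps to another SID).
# Field layout assumed from the grep patterns in the thread:
#   passwd: name:pw:uid:gid:gecos...,SID:home:shell
#   group:  name:SID:gid:members
name_for_id() {
    db=$1; id=$2; sid=$3
    entry=$($GETENT "$db" "$id") || return 1
    printf '%s\n' "$entry" | awk -F: -v db="$db" -v id="$id" -v sid="$sid" '
        db == "passwd" { n = split($5, g, ","); if ($3 == id && g[n] == sid) found = $1 }
        db == "group"  { if ($3 == id && $2 == sid) found = $1 }
        END { if (found == "") exit 1; print found }'
}

# Postinstall-style use (hypothetical path, left commented out):
#   grp=$(name_for_id group 544 S-1-5-32-544) && chgrp "$grp" /etc/example.conf
```

Because the name is taken from the entry that matched both id and SID, a localized Administrators group name is returned as-is, and an id that has been remapped to a different SID makes the function fail rather than return the wrong account.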
