public inbox for cygwin-apps@cygwin.com
* HEADSUP: New getent tool to read passwd and group data
From: Corinna Vinschen @ 2014-02-20 19:38 UTC (permalink / raw)
  To: cygwin-apps

Hi guys,


I just uploaded the new getent package and sent the announcement.

I'm repeating myself here because this is really important and I'm
not sure everybody on this list reads the cygwin and cygwin-announce
lists.

In short, we want to get rid of the requirement to maintain /etc/passwd
and /etc/group files, per
http://cygwin.com/ml/cygwin/2014-02/msg00306.html

In future, tools and scripts, especially service installation helper
scripts like my ssh-host-config, must not rely on being able to grep
user and group information from /etc/passwd and /etc/group.

Rather, the scripts should be changed to use the getent tool as soon
as possible.  Usage for checking passwd:

  $ getent passwd <username...>

I'd like to ask all maintainers providing such scripts, including
myself, to look into their packages and fix them to use the getent tool.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: HEADSUP: New getent tool to read passwd and group data
From: Corinna Vinschen @ 2014-02-21 20:27 UTC (permalink / raw)
  To: cygwin-apps

For some reason the original mail didn't make it to the list.

I assume this is because the mail body contains raw email addresses.
Can you please filter them out before sending?  Thanks!

On Feb 21 12:47, Pierre A. Humblet wrote:
> > -----Original Message-----
> > From: cygwin-apps-owner[...]
> >  On Behalf Of Corinna Vinschen
> > Sent: Thursday, February 20, 2014 14:38
> > To: cygwin-apps[...]
> > 
> > Hi guys,
> > 
> > 
> > I just uploaded the new getent package and sent the announcement,
> > 
> > I'm repeating myself here because this is really important and I'm not sure
> > everybody on this list reads the cygwin and cygwin-announce lists.
> > 
> > In short, we want to get rid of the requirement to maintain /etc/passwd and
> > /etc/group files, per http://cygwin.com/ml/cygwin/2014-02/msg00306.html
> > 
> > In future, tools and scripts, especially service installation helper scripts like
> > my ssh-host-config, must not rely on being able to grep user and group
> > information from /etc/passwd and /etc/group.
> > 
> > Rather, the scripts should be changed to use the getent tool as soon as
> > possible.  Usage for checking passwd:
> > 
> >   $ getent passwd <username...>
> > 
> > I'd like to ask all maintainers providing such scripts, including myself, to look
> > into their packages and fix them to use the getent tool.
> > 
> 
> Corinna,
> 
> For packages such as exim we need to find the uid of System and of Administrator, which the user can set any which way in passwd.
> So we lookup the SID (not the username) to get the uid (or gid).

The SID of the administrator or the SID of the administrators group?
The SID of the local administrator makes only marginal sense to me.
What do you need it for?

> Is there an equivalent mechanism using getent ?
> Else, could Cygwin disregard the passwd entries for these 2 users and use only the fixed values determined by the mapping from Windows? 

You should not have to expect a name change for the SYSTEM and the
Administrators account.  It should be entirely sufficient to check for
the user Administrator and the user SYSTEM or +SYSTEM.  If you really
want to check by SID, feel free to enumerate all accounts by just
omitting the username and scan for the SID you're looking for:

  $ getent passwd | grep ',S-1-5-32-544:'

  $ getent group | grep ':S-1-5-18:'


HTH,
Corinna


* Re: HEADSUP: New getent tool to read passwd and group data
From: Corinna Vinschen @ 2014-02-21 21:10 UTC (permalink / raw)
  To: cygwin-apps

On Feb 21 21:27, Corinna Vinschen wrote:
> For some reason the original mail didn't make it to the list.
> 
> I assume this is because the mail body contains raw email addresses.
> Can you please filter them out before sending?  Thanks!
> 
> On Feb 21 12:47, Pierre A. Humblet wrote:
> > > -----Original Message-----
> > > From: cygwin-apps-owner[...]
> > >  On Behalf Of Corinna Vinschen
> > > Sent: Thursday, February 20, 2014 14:38
> > > To: cygwin-apps[...]
> > > 
> > > Hi guys,
> > > 
> > > 
> > > I just uploaded the new getent package and sent the announcement,
> > > 
> > > I'm repeating myself here because this is really important and I'm not sure
> > > everybody on this list reads the cygwin and cygwin-announce lists.
> > > 
> > > In short, we want to get rid of the requirement to maintain /etc/passwd and
> > > /etc/group files, per http://cygwin.com/ml/cygwin/2014-02/msg00306.html
> > > 
> > > In future, tools and scripts, especially service installation helper scripts like
> > > my ssh-host-config, must not rely on being able to grep user and group
> > > information from /etc/passwd and /etc/group.
> > > 
> > > Rather, the scripts should be changed to use the getent tool as soon as
> > > possible.  Usage for checking passwd:
> > > 
> > >   $ getent passwd <username...>
> > > 
> > > I'd like to ask all maintainers providing such scripts, including myself, to look
> > > into their packages and fix them to use the getent tool.
> > > 
> > 
> > Corinna,
> > 
> > For packages such as exim we need to find the uid of System and of Administrator, which the user can set any which way in passwd.
> > So we lookup the SID (not the username) to get the uid (or gid).
> 
> The SID of the administrator or the SID of the administrators group?
> The SID of the local administrator makes only marginal sense to me.
> What do you need it for?
> 
> > Is there an equivalent mechanism using getent ?
> > Else, could Cygwin disregard the passwd entries for these 2 users and use only the fixed values determined by the mapping from Windows? 
> 
> You should not have to expect a name change for the SYSTEM and the
> Administrators account.  It should be entirely sufficient to check for
> the user Administrator and the user SYSTEM or +SYSTEM.  If you really
> want to check by SID, feel free to enumerate all accounts by just
> omitting the username and scan for the SID you're looking for:
> 
>   $ getent passwd | grep ',S-1-5-32-544:'
> 
>   $ getent group | grep ':S-1-5-18:'

Btw., the uids and gids are fixed values in the new model and they are
probably never changed by most users of /etc/passwd and /etc/group
either.  I think it's perfectly sensible to check for uid 18 when
looking for system, for instance:

  $ getent passwd 18
  +SYSTEM:*:18:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/home/SYSTEM:/bin/bash
  $ getent passwd 544
  +Administrators:*:544:513:U-BUILTIN\Administrators,S-1-5-32-544:/home/Administrators:/bin/bash


Corinna


* RE: HEADSUP: New getent tool to read passwd and group data
From: Pierre A. Humblet @ 2014-02-21 21:21 UTC (permalink / raw)
  To: cygwin-apps

> From:  Corinna Vinschen
> Sent: Friday, February 21, 2014 15:28
> On Feb 21 12:47, Pierre A. Humblet wrote:
> > > From: cygwin-apps-owner[...]
> > >  On Behalf Of Corinna Vinschen
> > > Sent: Thursday, February 20, 2014 14:38
> > > To: cygwin-apps[...]
> > >
> > > Hi guys,
> > >
> > >
> > > I just uploaded the new getent package and sent the announcement,
> > >
> > > I'm repeating myself here because this is really important and I'm
> > > not sure everybody on this list reads the cygwin and cygwin-announce
> lists.
> > >
> > > In short, we want to get rid of the requirement to maintain
> > > /etc/passwd and /etc/group files, per
> > > http://cygwin.com/ml/cygwin/2014-02/msg00306.html
> > >
> > > In future, tools and scripts, especially service installation helper
> > > scripts like my ssh-host-config, must not rely on being able to grep
> > > user and group information from /etc/passwd and /etc/group.
> > >
> > > Rather, the scripts should be changed to use the getent tool as soon
> > > as possible.  Usage for checking passwd:
> > >
> > >   $ getent passwd <username...>
> > >
> > > I'd like to ask all maintainers providing such scripts, including
> > > myself, to look into their packages and fix them to use the getent tool.
> > >
> >
> > Corinna,
> >
> > For packages such as exim we need to find the uid of System and of
> Administrator, which the user can set any which way in passwd.
> > So we lookup the SID (not the username) to get the uid (or gid).
> 
> The SID of the administrator or the SID of the administrators group?
> The SID of the local administrator makes only marginal sense to me.
> What do you need it for?

I mean the administrators group.
It's needed for example to set the ownership of the configuration file.
The daemon checks that the file is owned/writable only by privileged users.
Similarly in cron the crontab files need to be readable by admins. cronbug checks for that.
 
> > Is there an equivalent mechanism using getent ?
> > Else, could Cygwin disregard the passwd entries for these 2 users and use
> only the fixed values determined by the mapping from Windows?
> 
> You should not have to expect a name change for the SYSTEM and the
> Administrators account.  It should be entirely sufficient to check for the user
> Administrator and the user SYSTEM or +SYSTEM.  

Is that independent of local language?

> If you really want to check
> by SID, feel free to enumerate all accounts by just omitting the username and
> scan for the SID you're looking for:

>   $ getent passwd | grep ',S-1-5-32-544:'
> 
>   $ getent group | grep ':S-1-5-18:'

OK, thanks, that will work. 
We have had cases of people in very large organizations trying to build the password with mkpasswd -d and that ended up taking hours. Won't the above run into the same issue?  This needs to run in postinstall.

Pierre
 



* Re: HEADSUP: New getent tool to read passwd and group data
From: Corinna Vinschen @ 2014-02-21 21:37 UTC (permalink / raw)
  To: cygwin-apps

On Feb 21 22:10, Corinna Vinschen wrote:
> On Feb 21 21:27, Corinna Vinschen wrote:
> > On Feb 21 12:47, Pierre A. Humblet wrote:
> > > For packages such as exim we need to find the uid of System and of Administrator, which the user can set any which way in passwd.
> > > So we lookup the SID (not the username) to get the uid (or gid).
> > 
> > The SID of the administrator or the SID of the administrators group?
> > The SID of the local administrator makes only marginal sense to me.
> > What do you need it for?
> > 
> > > Is there an equivalent mechanism using getent ?
> > > Else, could Cygwin disregard the passwd entries for these 2 users and use only the fixed values determined by the mapping from Windows? 
> > 
> > You should not have to expect a name change for the SYSTEM and the
> > Administrators account.  It should be entirely sufficient to check for
> > the user Administrator and the user SYSTEM or +SYSTEM.  If you really
> > want to check by SID, feel free to enumerate all accounts by just
> > omitting the username and scan for the SID you're looking for:
> > 
> >   $ getent passwd | grep ',S-1-5-32-544:'
> > 
> >   $ getent group | grep ':S-1-5-18:'
> 
> Btw., the uids and gids are fixed values in the new model and they are
> probably never changed by most users of /etc/passwd and /etc/group
> either.  I think it's perfectly sensible to check for uid 18 when
> looking for system, for instance:
> 
>   $ getent passwd 18
>   +SYSTEM:*:18:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/home/SYSTEM:/bin/bash
>   $ getent passwd 544
>   +Administrators:*:544:513:U-BUILTIN\Administrators,S-1-5-32-544:/home/Administrators:/bin/bash

Btw., ssh-host-config is using the value 544 to chgrp /var/empty
for many years already.


Corinna


* Re: HEADSUP: New getent tool to read passwd and group data
From: Corinna Vinschen @ 2014-02-21 21:42 UTC (permalink / raw)
  To: cygwin-apps

On Feb 21 16:20, Pierre A. Humblet wrote:
> > From:  Corinna Vinschen
> > > Corinna,
> > >
> > > For packages such as exim we need to find the uid of System and of
> > Administrator, which the user can set any which way in passwd.
> > > So we lookup the SID (not the username) to get the uid (or gid).
> > 
> > The SID of the administrator or the SID of the administrators group?
> > The SID of the local administrator makes only marginal sense to me.
> > What do you need it for?
> 
> I mean the administrators group.
> It's needed for example to set the ownership of the configuration file.
> The daemon checks that the file is owned/writable only by privileged users.
> Similarly in cron the crontab files need to be readable by admins. cronbug checks for that.
>  
> > > Is there an equivalent mechanism using getent ?
> > > Else, could Cygwin disregard the passwd entries for these 2 users and use
> > only the fixed values determined by the mapping from Windows?
> > 
> > You should not have to expect a name change for the SYSTEM and the
> > Administrators account.  It should be entirely sufficient to check for the user
> > Administrator and the user SYSTEM or +SYSTEM.  
> 
> Is that independent of local language?

SYSTEM, yes, Administrators, no, unfortunately.

> > If you really want to check
> > by SID, feel free to enumerate all accounts by just omitting the username and
> > scan for the SID you're looking for:
> 
> >   $ getent passwd | grep ',S-1-5-32-544:'
> > 
> >   $ getent group | grep ':S-1-5-18:'
> 
> OK, thanks, that will work. 
> We have had cases of people in very large organizations trying to build the password with mkpasswd -d and that ended up taking hours. Won't the above run into the same issue?  This needs to run in postinstall.

It depends on the "db_enum" nsswitch.conf settings.  Did you read my
text about the change by any chance?  If not, see my latest version
here: http://cygwin.com/ml/cygwin/2014-02/msg00585.html

Yes, it might take time, even though the LDAP queries should be slightly
faster than the NetUserEnum call before.  Therefore it would make more
sense to check for the uid/gid values 18 and 544, IMHO.


Corinna


* Re: HEADSUP: New getent tool to read passwd and group data
From: Corinna Vinschen @ 2014-02-23 10:32 UTC (permalink / raw)
  To: cygwin-apps

On Feb 21 22:42, Corinna Vinschen wrote:
> On Feb 21 16:20, Pierre A. Humblet wrote:
> > > From:  Corinna Vinschen
> > > > Corinna,
> > > >
> > > > For packages such as exim we need to find the uid of System and of
> > > Administrator, which the user can set any which way in passwd.
> > > > So we lookup the SID (not the username) to get the uid (or gid).
> > > [...]
> > > > Is there an equivalent mechanism using getent ?
> > > > Else, could Cygwin disregard the passwd entries for these 2 users and use
> > > only the fixed values determined by the mapping from Windows?
> > > 
> > > You should not have to expect a name change for the SYSTEM and the
> > > Administrators account.  It should be entirely sufficient to check for the user
> > > Administrator and the user SYSTEM or +SYSTEM.  
> > 
> > Is that independent of local language?
> 
> SYSTEM, yes, Administrators, no, unfortunately.
> 
> > > If you really want to check
> > > by SID, feel free to enumerate all accounts by just omitting the username and
> > > scan for the SID you're looking for:
> > 
> > >   $ getent passwd | grep ',S-1-5-32-544:'
> > > 
> > >   $ getent group | grep ':S-1-5-18:'
> > 
> > OK, thanks, that will work. 
> > We have had cases of people in very large organizations trying to build the password with mkpasswd -d and that ended up taking hours. Won't the above run into the same issue?  This needs to run in postinstall.
> 
> It depends on the "db_enum" nsswitch.conf settings.  Did you read my
> text about the change by any chance?  If not, see my latest version
> here: http://cygwin.com/ml/cygwin/2014-02/msg00585.html
> 
> Yes, it might take time, even though the LDAP queries should be slightly
> faster than the NetUserEnum call before.  Therefore it would make more
> sense to check for the uid/gid values 18 and 544, IMHO.

For the records:

I prepared the Cygwin DLL to allow fetching passwd and group entries by
SID, and I have a new version of getent ready for upload which allows
to fetch passwd and group entries by SID:

  $ getent passwd S-1-5-32-544
  $ getent group S-1-5-18

This also works with the current file-only based passwd/group handling,
but the change requires at least the upcoming Cygwin 1.7.29.

So, if you want to use getent with SIDs, just wait a couple more days
until we have released 1.7.29.


Thanks,
Corinna

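The lookup order the thread converges on (fixed uid first, keyed SID lookup from 1.7.29, enumeration only as a last resort), written out as an added example that is not part of any message in the thread. The names `id_for_sid`, `uid_if_sid`, `entry_sid` and the `GETENT` override are hypothetical, the path in the usage comment is a placeholder, and the entry layout is taken from the `getent passwd 18` output quoted above.

```shell
#!/bin/sh
# Added example: map a well-known Windows SID to its Cygwin uid without
# grepping /etc/passwd. Function names and GETENT are hypothetical.

GETENT=${GETENT:-getent}    # overridable so the logic can be exercised offline

# entry_sid LINE: print the SID stored in the gecos field (field 5,
# "U-DOMAIN\name,S-1-...") of one passwd entry.
entry_sid() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, g, ",")
        for (i = 1; i <= n; i++) if (g[i] ~ /^S-1-/) { print g[i]; exit }
    }'
}

# uid_if_sid LINE SID: print the uid (field 3) only if LINE really belongs
# to SID; a locally edited /etc/passwd may have given that uid to someone else.
uid_if_sid() {
    [ -n "$1" ] && [ "$(entry_sid "$1")" = "$2" ] || return 1
    printf '%s\n' "$1" | cut -d: -f3
}

# id_for_sid SID FIXED_ID
#   1. keyed lookup by the fixed uid (18, 544): one query, no enumeration
#   2. keyed lookup by SID (the thread says this needs Cygwin 1.7.29)
#   3. full enumeration, which can be slow in large domains: last resort
id_for_sid() {
    sid=$1 fixed=$2
    for key in "$fixed" "$sid"; do
        line=$($GETENT passwd "$key" 2>/dev/null) || line=
        uid_if_sid "$line" "$sid" && return 0
    done
    line=$($GETENT passwd 2>/dev/null | grep -F ",$sid:" | head -n 1) || line=
    uid_if_sid "$line" "$sid"
}

# Typical postinstall use (not executed here; the path is a placeholder):
#   admins=$(id_for_sid S-1-5-32-544 544) && chgrp "$admins" /etc/myservice.conf
```

Checking the SID on the entry returned for uid 18 or 544 is what keeps the fast path safe when a local /etc/passwd has reassigned those ids.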
