public inbox for cygwin@cygwin.com
* "id -Gn" w/ username doesn't return all associated groups.  Issue with getgrent()?
From: Mark A. Ziesemer @ 2007-01-21 22:50 UTC (permalink / raw)
  To: cygwin

Cygwin doesn't appear to properly support returning multiple groups for a
specific user, other than the current user (and only when not specifying the
current user's username.)

When "id" is called without a username, it calls the getgroups(...) function
which appears to work as expected.  However, when a specific username is
passed, even the username of the current user, getugroups(...) is called,
and does _not_ appear to work as expected.

This makes it difficult to properly configure and manage security, for
example, with the OpenSSH daemon.

This is easily reproducible, and is not specific to any particular version
of Cygwin.

I've posted about this before, without any results.

I've set up a public wiki with all the details where I hope we can
collaborate to finally solve this issue:
http://cygwin-getugroups.pbwiki.com/. Included there are the requested
cygcheck and related files.

Thanks!

--
Mark A. Ziesemer
www.ziesemer.com


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue with getgrent()?
From: Corinna Vinschen @ 2007-01-22  9:34 UTC (permalink / raw)
  To: cygwin

On Jan 21 16:50, Mark A. Ziesemer wrote:
> Cygwin doesn't appear to properly support returning multiple groups for a
> specific user, other than the current user (and only when not specifying the
> current user's username.)
> 
> When "id" is called without a username, it calls the getgroups(...) function
> which appears to work as expected.  However, when a specific username is
> passed, even the username of the current user, getugroups(...) is called,
> and does _not_ appear to work as expected.

That's by design.  getgroups() has access to the user token of the
current process and returns every group which is in this token.
getgrent() is a function which enumerates /etc/groups.

> I've setup a public wiki with all the details where I hope we can
> collaborate to finally solve this issue:
> http://cygwin-getugroups.pbwiki.com/  Included there are the requested
> cygcheck and related files.

The place to discuss Cygwin stuff is this mailing list.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue  with getgrent()?
From: Eric Blake @ 2007-01-22 13:03 UTC (permalink / raw)
  To: cygwin, mark_z

According to Corinna Vinschen on 1/22/2007 2:34 AM:
>> When "id" is called without a username, it calls the getgroups(...) function
>> which appears to work as expected.  However, when a specific username is
>> passed, even the username of the current user, getugroups(...) is called,
>> and does _not_ appear to work as expected.
> 
> That's by design.  getgroups() has access to the user token of the
> current process and returns every group which is in this token.
> getgrent() is a function which enumerates /etc/groups.

So my translation of this would be that the bug is not in id, but in the
fact that your /etc/groups is out-of-date.  Use mkgroups to remedy the
situation.

- --
Don't work too hard, make some time for fun as well!

Eric Blake             ebb9@byu.net
volunteer cygwin coreutils maintainer

* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue  with getgrent()?
From: Corinna Vinschen @ 2007-01-22 13:29 UTC (permalink / raw)
  To: cygwin

On Jan 22 06:03, Eric Blake wrote:
> According to Corinna Vinschen on 1/22/2007 2:34 AM:
> >> When "id" is called without a username, it calls the getgroups(...) function
> >> which appears to work as expected.  However, when a specific username is
> >> passed, even the username of the current user, getugroups(...) is called,
> >> and does _not_ appear to work as expected.
> > 
> > That's by design.  getgroups() has access to the user token of the
> > current process and returns every group which is in this token.
> > getgrent() is a function which enumerates /etc/groups.
> 
> So my translation of this would be that the bug is not in id, but in the
> fact that your /etc/groups is out-of-date.  Use mkgroups to remedy the
> situation.

A little bit more specific:  Use the mkgroup -u flag.  By default,
mkgroup does not add the users to the gr_mem field since that's not
necessary for correct operation of setuid(2).  By adding the users
to the gr_mem field (the -u option), you probably get what you want.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re:
From: Mark A. Ziesemer @ 2007-01-22 15:23 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > >> When "id" is called without a username, it calls the getgroups(...)
> > >> function
> > >> which appears to work as expected.  However, when a specific username is
> > >> passed, even the username of the current user, getugroups(...) is called,
> > >> and does _not_ appear to work as expected.
> > > 
> > > That's by design.  getgroups() has access to the user token of the
> > > current process and returns every group which is in this token.
> > > getgrent() is a function which enumerates /etc/groups.
> > 
> > So my translation of this would be that the bug is not in id, but in the
> > fact that your /etc/groups is out-of-date.  Use mkgroups to remedy the
> > situation.
> 
> A little bit more specific:  Use the mkgroup -u flag.  By default,
> mkgroup does not add the users to the gr_mem field since that's not
> necessary for correct operation of setuid(2).  By adding the users
> to the gr_mem field (the -u option), you probably get what you want.

Better, but could still use improvement, IMO...

The documentation isn't very strong here, so I'm sorry I didn't find this
earlier.  From http://cygwin.com/cygwin-ug-net/using-utils.html#mkgroup:
"The -u option causes mkgroup to enumerate the users for each group, placing
the group members in the gr_mem (last) field. Note that this can greatly
increase the time for mkgroup to run in a large domain. Having gr_mem fields
is helpful when a domain user logs in remotely while the local machine is
disconnected from the Domain Controller"

This implies that "-u" is not required for proper groups functionality, but
is maybe just used as a backup when the DC is unavailable.  (And in my case,
there is no domain.)

Also, this means that "mkgroup -ul >/etc/group" will have to be re-run every
time there is a change in group membership - not the best option.

Since Cygwin already lets the underlying OS take care of much of the
security (handling passwords, etc.), can't Cygwin just ask Windows for the
user's groups when needed, too?

--
Mark A. Ziesemer



* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue with getgrent()?
From: Corinna Vinschen @ 2007-01-22 15:40 UTC (permalink / raw)
  To: cygwin

On Jan 22 15:18, Mark A. Ziesemer wrote:
> Since Cygwin already lets the underlying OS take care of much of the
> security (handling passwords, etc.), can't Cygwin just ask Windows for the
> user's groups when needed, too?

How?  Consider that getgrent just enumerates /etc/group.  It doesn't
know for what purpose the calling application does it.  I don't think it
makes a lot of sense to call an OS function for each getgrent call to
fill out the gr_mem field on the fly.

Having said that, I don't intend to change this behaviour myself.
However, I'm certainly not averse to patches to Cygwin which add this
behaviour, as long as it's not getting too slow by this.


Corinna


P.S.: How did the subject disappear?!?


-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue with getgrent()?
From: Mark A. Ziesemer @ 2007-01-23  1:15 UTC (permalink / raw)
  To: cygwin

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Since Cygwin already lets the underlying OS take care of much of the
> > security (handling passwords, etc.), can't Cygwin just ask Windows for the
> > user's groups when needed, too?
> 
> How?  Consider that getgrent just enumerates /etc/group.  It doesn't
> know for what purpose the calling application does it.  I don't think it
> makes a lot of sense to call an OS function for each getgrent call to
> fill out the gr_mem field on the fly.
> 
> Having said that, I don't intend to change this behaviour myself.
> However, I'm certainly not averse to patches to Cygwin which add this
> behaviour, as long as it's not getting too slow by this.
> 
> Corinna
> 
> P.S.: How did the subject disappear?!?

No clue about the subject - I'm using Gmane to reply, since I'm usually
without reliable SMTP access.

If group membership IS currently required to be listed in /etc/group for
these functions (groups, id, getugroups(), getgrent(), etc...), shouldn't
mkgroup -ul, with the "-u", be run by default at Cygwin first-run?  Also,
including this better in the documentation would be a plus.

Also, "mkgroup -u" has a bug, as far as I'm concerned.  It always includes the
Windows username, even if renamed in /etc/passwd for Cygwin purposes.  For
example, take a Windows username of "John Smith".  I renamed the first field
in /etc/passwd to "jsmith" to avoid the space.  "jsmith" should (and needs to)
be included in the gr_mem field, not "John Smith"; otherwise all of the above
functions fail to see that this user is a member of any groups...

I do see one issue with implementing the OS-group-calls into Cygwin - 
Win95/98 don't have any concept of user groups.  This would have to be
accounted for...  Maybe I'll convert the
http://http://cygwin-getugroups.pbwiki.com/ site to address the
possibility of adding this functionality...

Thanks for the replies!
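
The getgroups()-versus-getgrent() distinction Corinna describes above, and the gr_mem mismatch Mark reports between "John Smith" and "jsmith", as an added example that is not code from the thread, from Cygwin or from coreutils: it re-implements the gr_mem walk that "id <user>" relies on, over a constructed in-memory group table (user names and the 513/544/545 gids are sample values) instead of the real /etc/group.

```c
/* Added example (not Cygwin or coreutils code): a getugroups()-style walk
 * over a constructed in-memory /etc/group table.  "None" (513),
 * "Administrators" (544) and "Users" (545) are used as sample gids. */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Collect the gids for one user the way a getugroups()-style routine does:
 * the primary gid (from /etc/passwd) always counts, and a supplementary
 * group counts only if the user's name string is listed in its gr_mem.
 * Returns the number of gids written to out. */
size_t user_groups(const char *user, gid_t primary_gid,
                   const struct group *table, size_t ngroups,
                   gid_t *out, size_t max)
{
    size_t n = 0;
    if (max == 0) return 0;
    out[n++] = primary_gid;
    for (size_t i = 0; i < ngroups; i++) {
        char **mem = table[i].gr_mem;
        /* mkgroup without -u leaves gr_mem empty: nothing can match here */
        for (; mem != NULL && *mem != NULL; mem++) {
            if (strcmp(*mem, user) != 0)   /* exact, case-sensitive match */
                continue;
            int seen = 0;
            for (size_t j = 0; j < n && !seen; j++)
                seen = (out[j] == table[i].gr_gid);
            if (!seen && n < max)
                out[n++] = table[i].gr_gid;
            break;
        }
    }
    return n;
}

/* Constructed /etc/group as "mkgroup -u" writes it: the Windows account
 * name "John Smith" lands in gr_mem, although the first field of the
 * /etc/passwd entry was edited to "jsmith". */
static char *admins_as_written[] = { "John Smith", NULL };
static char *users_as_written[]  = { "John Smith", "alice", NULL };
static const struct group group_table_as_written[] = {
    { .gr_name = "Administrators", .gr_gid = 544, .gr_mem = admins_as_written },
    { .gr_name = "Users",          .gr_gid = 545, .gr_mem = users_as_written },
};

/* The same table with gr_mem edited to match the /etc/passwd name. */
static char *admins_fixed[] = { "jsmith", NULL };
static char *users_fixed[]  = { "jsmith", "alice", NULL };
static const struct group group_table_fixed[] = {
    { .gr_name = "Administrators", .gr_gid = 544, .gr_mem = admins_fixed },
    { .gr_name = "Users",          .gr_gid = 545, .gr_mem = users_fixed },
};

int main(void)
{
    gid_t g[16];
    size_t n = user_groups("jsmith", 513, group_table_as_written, 2, g, 16);
    printf("gr_mem holds \"John Smith\": jsmith is in %zu group(s)\n", n);
    n = user_groups("jsmith", 513, group_table_fixed, 2, g, 16);
    printf("gr_mem holds \"jsmith\":     jsmith is in %zu group(s)\n", n);
    return 0;
}
```

With the table as mkgroup -u wrote it, "jsmith" is seen only in the primary group, which is exactly the symptom the thread describes; the process token that getgroups() reads is unaffected, since it never consults gr_mem.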



* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue  with getgrent()?
From: Eric Blake @ 2007-01-23  3:21 UTC (permalink / raw)
  To: cygwin

According to Mark A. Ziesemer on 1/22/2007 6:11 PM:
> 
> I do see one issue with implementing the OS-group-calls into Cygwin - 
> Win95/98 don't have any concept of user groups.  This would have to be
> accounted for...  Maybe I'll convert the
> http://http://cygwin-getugroups.pbwiki.com/ site to address the
> possibility of adding this functionality...

Win9x support is dying.  Microsoft no longer supports those old systems.
And while we are not actively trying to break support for them, neither
are we actively trying to maintain them.  And Corinna meant what she said
that you will get more support by discussing your issues on this list than
you will by opening yet another wiki somewhere else.

- --
Don't work too hard, make some time for fun as well!

Eric Blake             ebb9@byu.net

* Re: "id -Gn" w/ username doesn't return all associated groups.  Issue  with getgrent()?
From: Mark A. Ziesemer @ 2007-01-23 23:35 UTC (permalink / raw)
  To: cygwin

Eric Blake <ebb9 <at> byu.net> writes:
> And Corinna meant what she said
> that you will get more support by discussing your issues on this list
> than you will by opening yet another wiki somewhere else.

I apologize for trying to be innovative.  Frankly, a mailing list such
as this does not work the best for me, and I'm sure I'm not the only one
with the same issues.  It's difficult to keep track of messages and issues.
There's no concept of "watching a thread", as far as I can tell.
A stand-alone client doesn't work the best when roaming from computer
to computer.  Gmane is the only method I've found to post by the web,
and it can't even automatically wrap long lines.  (I'd look forward to
your response, but I'm not sure when I'll be back to check this thread,
without getting any email notifications... :-)

(If anyone has any suggestions on how to handle any of this, please
reply!  I'm open to ideas.  And maybe such suggestions can be included
at http://cygwin.com/lists.html under notes...)

I commented about fixing the documentation regarding mkgroup.  At the
moment, I don't even know how to go about getting this fixed, other than
mentioning it here, which I already did, and that means it's left up
to one of the Cygwin maintainers to have to find and read that message,
and then go update the HTML.

With as many other open-source and other development sites that are
using Bugzilla, wikis, and related tools, they can't all be bad...

I realize that I'm still relatively new here.  I don't expect Cygwin to
just change because I asked.  I'm just feeling a bit turned away because
I'd like to help and contribute to this excellent project, but instead,
I usually feel turned away.

--
Mark A. Ziesemer



* Re: "id -Gn" w/ username doesn't return all associated groups. Issue with getgrent()?
From: dmccunney @ 2007-01-24  1:24 UTC (permalink / raw)
  To: cygwin; +Cc: mark_z

On 1/23/07, Mark A. Ziesemer <mark_z@charter.net> wrote:

> I apologize for trying to be innovative.  Frankly, a mailing list such
> as this does not work the best for me, and I'm sure I'm not the only one
> with the same issues.  It's difficult to keep track of messages and issues.
> There's no concept of "watching a thread", as far as I can tell.
> A stand-alone client doesn't work the best when roaming from computer
> to computer.  Gmane is the only method I've found to post by the web,
> and it can't even automatically wrap long lines.  (I'd look forward to
> your response, but I'm not sure when I'll be back to check this thread,
> without getting any email notifications... :-)
>
> (If anyone has any suggestions on how to handle any of this, please
> reply!  I'm open to ideas.  And maybe such suggestions can be included
> at http://cygwin.com/lists.html under notes...)

I'm not sure what imposes the limitations you are working under, but I
can make a suggestion or two.

First, Gmane.org gates mailing lists like this to nntp format, where
they can be read with a newsreader.  Gmane is not responsible for
wrapping lines.  Whatever you use to read Gmane traffic is.  Are you
reading it with a newsreader?  If so, which?  If you are reading it
via a web interface, which browser are you using?

Second, you might wish to look at a web based email solution.  These
days, I have Cygwin mail sent to my GMail account.  This offers
several advantages:

1) With 2.8GB of storage and counting, I don't have to worry about
Cygwin list traffic bouncing because my mailbox is full.

2) GMail's "Conversation View" is just *made* for traffic like this.
It provides the sort of threading you want.  (It's not perfect: a
Conversation is distinguished by Subject:, and then sorted by arrival
date.  Variances in subject can result in messages not being included
in the conversation.)

3) I can use Google search facilities to search the mail store for
specific things.

4) The mail is on Google's servers, not my machine.  (I used to use
Outlook for this.  Outlook has problems when the local mail database
file hits 2GB.  That happens sooner rather than later when subscribed
to high volume lists like this.)

5) I can read and reply to the mail from wherever I have a browser and
an internet connection.

6) Gmail is free. :-)

Incidentally, GMail offers an SMTP server.  Works fine.

I've sent you a GMail invitation under separate cover to your personal
email address.

> Mark A. Ziesemer
______
Dennis
