Re: get rid of getpwent? (Was: cygwin-1.7.28 getpwent header declaration changes ?)

[Christopher Faylor <cgf-use-the-mailinglist-please@cygwin.com>]

On Thu, Feb 13, 2014 at 03:44:19PM +0100, Corinna Vinschen wrote:
>On Feb 13 09:35, Christopher Faylor wrote:
>> On Thu, Feb 13, 2014 at 11:00:25AM +0100, Corinna Vinschen wrote:
>> >On Feb 12 16:37, Christopher Faylor wrote:
>> >> On Wed, Feb 12, 2014 at 08:59:31PM +0100, Corinna Vinschen wrote:
>> >> >There's only one tiny problem.  Whatever I think about the full
>> >> >enumerate being right or wrong, I have this vague feeling that I'd like
>> >> >to have this implemented fully at one point.  My cat disapproves, but we
>> >> >can't agree on everything, I guess.  Another configuration option in
>> >> >/etc/nsswitch.conf might comfort her.
>> >> 
>> >> I don't know if this has been mentioned but would a cache help here,
>> >> i.e., nscd?  I think that's how Linux deals with this type of situation.
>> >
>> >Caching is wonderful for the usual requests for single entries from the
>> >DB, and for this we have already two caches, the LSA cache and Cygwin's
>> >own cache.  But caching doesn't help at all when enumerating.
>> >
>> >There's also the problem to rely on an external program.
>> 
>> But that's no different than Linux.  I've never looked at the code but
>> apparently libc has hooks for talking to nscd.  We could do the same
>> with cygserver.
>> 
>> >If it turns out that the current implementation is too slow, I'm
>> >prepared to add caching to cygserver to have a system-wide caching
>> >server, but Cygwin shouldn't *require* that cygserver runs.  And either
>> >way, it still wouldn't help when enumerating all accounts.
>> 
>> nscd does more than just keep information around in memory.  As I said,
>> it's how Linux deals with this situation.  I know because I didn't install
>> nscd when setting up a minimal Fedora 20 server at work and was met with
>> awful lags and timeouts in services which tried to read from our nis.
>> So Fedora doesn't require nscd but it sure does help.
>> 
>> But, even after having set it up, I still have to remember not to do
>> ls ~cg<tab> because it just takes forever.  So, if it is possible to
>> enumerate users then I think you just do it and let people learn the
>> cost.
>
>Yes, I think so too.  I have some preliminary code (actually, just
>empty function shells right now) which are supposed to implement
>full enumerating.
>
>However, system admins might not exactly approve.  I discussed this
>with our Linux folks, and I learned that NSS backends like SSSD or
>winbind default to NOT allowing enumerating, but giving the admin a
>choice to enable it.
>
>So I think for our case a configuration option in /etc/nsswitch.conf
>to limit the scope of the enumeration might be feasible.

Or, nscd.conf which has stuff like:

    enable-cache            passwd          yes
    positive-time-to-live   passwd          600
    negative-time-to-live   passwd          20
    suggested-size          passwd          211
    check-files             passwd          yes
    persistent              passwd          yes
    shared                  passwd          yes
    max-db-size             passwd          33554432
    auto-propagate          passwd          yes

I understand why a sysadmin might not want you to be able to enumerate
user names but that really isn't, IMO, a reason not to implement the
functionality (not that you are proposing this).  You obviously can't
assume that people won't exercise the capability if it is available.

Security through obscurity...?  Nah.

cgf

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple