From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: incompat in cygwin choice of using '+' as domain and user separator.
Date: Mon, 27 Aug 2018 17:26:00 -0000
Message-ID: <20180827104152.GC4733@calimero.vinschen.de>
In-Reply-To: <20180827090909.GA4733@calimero.vinschen.de>

On Aug 27 11:09, Corinna Vinschen wrote:
> On Aug 26 20:32, L A Walsh wrote:
> > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > ...
> > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > acl_to_text is the binary form, so it doesn't contain user or group
> > > names, only uids and gids.  The usernames are only generated in the
> > > output.
> > ---
> > Rats.  Of course, you're right.  Then I nominate the problem being that it
> > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > can store in tar.
> 
> The problem with unknown SIDs is that there's no bijective
> transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> then... what?  How do you restore the information?  There's no SID for
> uid/gid -1.
> 
> > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > accounts on the linux-based PDC (samba 3.x).
> 
> What for?  This should work automatically and you would get rid of those
> dreaded backslashes in the account names.  Using passwd/group files also
> has a higher probability of account overlap with weird results.
> 
> Passwd and group files should only be used if you have very specific
> problems to solve (like offline usage or see below), otherwise just use
> the values you get from the account DBs.
> 
> > In this case, that user+group appear to correspond
> > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > The domain/system part appears to be from some previous
> > value for the machine's "sid"?  Not sure how to deliberately
> > reproduce that, but maybe you have a tool to create an
> > invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > in /etc/passwd.
> > and something similar in /etc/group?

Actually, I just did that.  I added a user and a group to the files with
weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
different ACLs (created by Cygwin, created by native Windows) there are
different results.  The problem is that uid/gid -1 can be created as a
file ACL entry *and* at the same time have the meaning of "don't look
for the uid/gid" when checking the ACL for validity.  To make matters
worse, if you have multiple ACEs of unknown users, the resulting ACL is
*always* invalid.

Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
into a fix.

> If you want to keep the old, unknown accounts, just add them to
> your passwd and group files (one of those special problems).
> Alternatively remove them from all ACLs.

For the time being, use the above workaround.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
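
Added example, not part of the message above and not Cygwin source code: a
simplified C model of the lossy SID <-> uid mapping discussed in the thread,
showing that two different unknown SIDs become indistinguishable once both map
to uid -1. The account table, the EXAMPLE SIDs, the function names and the
"named-user entries must have unique ids" validity rule are assumptions made
for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 4294967295: the uid/gid value in the passwd line quoted in the thread. */
#define ID_UNKNOWN ((uint32_t)-1)

/* Constructed account table standing in for the account DB lookup. */
struct account { const char *sid; uint32_t uid; };
static const struct account known[] = {
    { "S-1-5-21-EXAMPLE-1000", 1000 },   /* constructed SIDs */
    { "S-1-5-21-EXAMPLE-1002", 1002 },
};
#define NKNOWN (sizeof known / sizeof known[0])

/* Forward mapping: every SID missing from the table collapses to ID_UNKNOWN. */
uint32_t sid_to_uid(const char *sid)
{
    for (size_t i = 0; i < NKNOWN; i++)
        if (strcmp(known[i].sid, sid) == 0)
            return known[i].uid;
    return ID_UNKNOWN;
}

/* Reverse mapping: NULL for ID_UNKNOWN, since no single SID stands behind it. */
const char *uid_to_sid(uint32_t uid)
{
    for (size_t i = 0; i < NKNOWN; i++)
        if (known[i].uid == uid)
            return known[i].sid;
    return NULL;
}

/* Assumed rule: named-user entries need unique ids. 1 = valid, 0 = invalid. */
int user_entries_valid(const char *sids[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (sid_to_uid(sids[i]) == sid_to_uid(sids[j]))
                return 0;
    return 1;
}
```

Adding the old accounts to the lookup table, which is what the passwd/group
workaround amounts to in this model, gives each SID its own id again and the
collision disappears.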
