public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: incompat in cygwin choice of using '+' as domain and user separator.
Date: Mon, 27 Aug 2018 17:27:00 -0000
Message-ID: <20180827105031.GF4733@calimero.vinschen.de>
In-Reply-To: <20180827104152.GC4733@calimero.vinschen.de>


On Aug 27 12:41, Corinna Vinschen wrote:
> On Aug 27 11:09, Corinna Vinschen wrote:
> > On Aug 26 20:32, L A Walsh wrote:
> > > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > > ...
> > > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > > acl_to_text is the binary form, so it doesn't contain user or group
> > > > names, only uids and gids.  The usernames are only generated in the
> > > > output.
> > > ---
> > > Rats.  Of course, you're right.  Then I nominate the problem being that it
> > > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > > can store in tar.
> > 
> > The problem with unknown SIDs is that there's no bijective
> > transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> > then... what?  How do you restore the information?  There's no SID for
> > uid/gid -1.
> > 
> > > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > > accounts on the linux-based PDC (samba 3.x).
> > 
> > What for?  This should work automatically and you would get rid of those
> > dreaded backslashes in the account names.  Using passwd/group files also
> > has a higher probability of account overlap with weird results.
> > 
> > Passwd and group files should only be used if you have very specific
> > problems to solve (like offline usage or see below), otherwise just use
> > the values you get from the account DBs.
> > 
> > > In this case, that user+group appear to correspond
> > > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > > The domain/system part appears to be from some previous
> > > value for the machine's "sid"?  Not sure how to deliberately
> > > reproduce that, but maybe you have a tool to create an
> > > invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > > in /etc/passwd.
> > > and something similar in /etc/group?
> 
> Actually, I just did that.  I added a user and a group to the files with
> weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
> different ACLs (created by Cygwin, created by native Windows) there are
> different results.  The problem is that uid/gid -1 can be created as a
> file ACL entry *and* at the same time have the meaning of "don't look
> for the uid/gid" when checking the ACL for validity.  To make matters
> worse, if you have multiple ACEs of unknown users, the resulting ACL is
> *always* invalid.
> 
> Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
> into a fix.

The only sane way to handle unknown SIDs in file ACLs is to ignore them
entirely.  The result will be that you never see them in getfacl, nor
will they be stored by tar or rsync.  They are just not there from the
Cygwin perspective.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
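
The collapse discussed in this message, as an added example that is not part of the original mail and is not Cygwin's code: a small C model in which every unresolvable SID maps to uid -1, so the mapping cannot be reversed, and an ACL with two such entries fails a uniqueness check until unknown SIDs are skipped. The account table, SIDs and function names are hypothetical, and the duplicate-uid rule is the generic POSIX ACL rule, assumed here as a stand-in for Cygwin's validity check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_UNKNOWN ((uint32_t)-1) /* 4294967295: the uid/gid -1 from the thread */
/* Constructed account table standing in for the account DB (hypothetical). */
static const struct { const char *sid; uint32_t uid; } known[] = {
    { "S-1-5-21-1111-2222-3333-1001", 1001 },
};
/* Constructed file ACL: one known user plus two SIDs nobody can resolve. */
static const char *const sample_aces[] = {
    "S-1-5-21-1111-2222-3333-1001",
    "S-1-5-21-9999-8888-7777-1001",
    "S-1-5-21-9999-8888-7777-1005",
};

/* SID -> uid. Every unresolvable SID collapses to the same ID_UNKNOWN. */
uint32_t sid_to_uid(const char *sid) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i].sid, sid) == 0) return known[i].uid;
    return ID_UNKNOWN;
}

/* Generic POSIX ACL rule (assumed stand-in): user entries need unique uids. */
int acl_users_valid(const uint32_t *uids, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (uids[i] == uids[j]) return 0;
    return 1;
}

/* Map ACE SIDs to uids; with skip set, unresolved SIDs are left out. */
size_t aces_to_uids(const char *const *sids, size_t n, uint32_t *out, int skip) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t uid = sid_to_uid(sids[i]);
        if (!(skip && uid == ID_UNKNOWN)) out[k++] = uid;
    }
    return k;
}

int main(void) {
    uint32_t u[3];
    for (int skip = 0; skip <= 1; skip++) {
        size_t n = aces_to_uids(sample_aces, 3, u, skip);
        printf("skip=%d entries=%zu valid=%d\n", skip, n, acl_users_valid(u, n));
    }
    return 0;
}
```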
