rename a user using setfacl -- possible? how?

rename a user using setfacl -- possible? how?

[L A Walsh]

Have an acl on a file 'testfile' that appears to include a userid
with a GUID corresponding to some older value for the local system.

I'm gave the old guid a name in /etc/group different from its name,
say calling it 'oldname' (where current name, is say, 'curname').

I guess I don't know how to modify an entry to either 1-rename it, or
2 add the new entry.

I tried
setfacl -x group:oldname:rwx -m group:curname:rwx but got:

setfacl: illegal acl entries


will setfacl not work for this task?
How do you add a new user to the access list -- obviously -x removes
a user, but not sure if 'add' is covered by -m or whether or not you 'add'
by specifying the new entry.

BTW -- is there an easy way to see the numeric values it is using
for a given name?

Like:
group:Local account and member of Administrators group:rwx

I remember seeing that, but it isn't in my /etc/group file.

Tried getfacl with -n but that doesn't seem to be an option
to display a numeric GUID.

Thanks!
-Linda



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Brian Inglis]

On 2019-07-05 13:14, L A Walsh wrote:
> Have an acl on a file 'testfile' that appears to include a userid
> with a GUID corresponding to some older value for the local system.
> I'm gave the old guid a name in /etc/group different from its name,
> say calling it 'oldname' (where current name, is say, 'curname').
> I guess I don't know how to modify an entry to either 1-rename it, or
> 2 add the new entry.
> I tried
> setfacl -x group:oldname:rwx -m group:curname:rwx but got:
> setfacl: illegal acl entries
> will setfacl not work for this task?

Utilities like setfacl work with Windows ACLs, users, and groups defined and
displayed using net user|localgroup|group. You can't rename Windows users or
groups but you can add (or delete) them using the net commands and other
equivalent methods, and Windows will assign GUIDs, and Cygwin will show its
encoded RID/SID:
	/usr/share/doc/cygwin-doc/html/cygwin-ug-net/ntsec.html
	https://cygwin.com/cygwin-ug-net/ntsec.html

> How do you add a new user to the access list -- obviously -x removes
> a user, but not sure if 'add' is covered by -m or whether or not you 'add'
> by specifying the new entry.

Use -m to add or changes entries in [D]ACLs.

> BTW -- is there an easy way to see the numeric values it is using
> for a given name?
> Like:
> group:Local account and member of Administrators group:rwx
> I remember seeing that, but it isn't in my /etc/group file.
> Tried getfacl with -n but that doesn't seem to be an option
> to display a numeric GUID.

If they are Windows users or groups which can be displayed using net commands,
then you can use:
$ id [USER|GROUP]
e.g.
$ id Administrator
uid=197108(Administrator) gid=197121(None) groups=197121(None)
$ id Administrators
uid=544(Administrators) gid=544(Administrators) groups=544(Administrators)

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Andrey Repin]

Greetings, L A Walsh!

> Have an acl on a file 'testfile' that appears to include a userid
> with a GUID corresponding to some older value for the local system.

> I'm gave the old guid a name in /etc/group different from its name,
> say calling it 'oldname' (where current name, is say, 'curname').

> I guess I don't know how to modify an entry to either 1-rename it, or
> 2 add the new entry.

You don't.
If you want to change name for display purposes, look into nsswitch.conf and
associated documentation.
Cygwin do not invent its own users/groups/ids/guids. It maps Windows
permissions to some POSIX equivalent, but internally it still using native
permissions.

> I tried setfacl -x group:oldname:rwx -m group:curname:rwx but got:

> setfacl: illegal acl entries

Seems like it did not recognize the group name. At least that's how it react
here.

> will setfacl not work for this task?

It should, but I strongly suggest to avoid using it outside Cygwin directory
tree to maintain maximum interoperability with Windows programs.

> How do you add a new user to the access list -- obviously -x removes
> a user, but not sure if 'add' is covered by -m or whether or not you 'add'
> by specifying the new entry.

I just found out that if you configure cygdrive with noacl, getfacl tell
you to find better ways to express yourself. And setfacl will silently fail
(which is questionable behavior, TBH).

> BTW -- is there an easy way to see the numeric values it is using
> for a given name?

> Like:
> group:Local account and member of Administrators group:rwx

getent passwd
getent group

> I remember seeing that, but it isn't in my /etc/group file.

It should not.

> Tried getfacl with -n but that doesn't seem to be an option
> to display a numeric GUID.


-- 
With best regards,
Andrey Repin
Saturday, July 6, 2019 11:09:23

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[L A Walsh]

I don't think I explained things clearly.


On 2019/07/06 02:06, Andrey Repin wrote:
>> I guess I don't know how to modify an entry to either 1-rename it, or
>> 2 add the new entry.
> 
> You don't.
> If you want to change name for display purposes, look into nsswitch.conf and
> associated documentation.
---
	My machine's GUID changed.  This file has entry for userX
on the old machine-GUID.  UserX also exists on the new machine GUID.

So I renamed the old entry to UserXold so I could find all the places
where the old GUID is referenced then change it to the machine's new guid.

I'm not having cygwin create new groups or whatever, but trying to replace
references to this Userid in the machine's old GUID and replace them with
reference to the Uid with the machine's new GUID.

if it was the main group, I'd just use find to locate instances of old
and do chgrp to change ownership to new.  However, this is a group entry
in an acl list -- so I need to change the name of 1 entry in the acl list.


> 
> It should, but I strongly suggest to avoid using it outside Cygwin directory
> tree to maintain maximum interoperability with Windows programs.
---
	No problem.  my cygwin directory is at 'C:\', where it
has been since WinXP...  (:^|)

> 
> getent passwd
> getent group
---
	those don't display GUID/UUIDs, but *nix user+group ids.

I wanted to see the windows guid associated with an identity.

Since the one I was looking for was a well-known-id I found it, but
in non-well-known cases,...?  

Thanks and sorry my explanation was confusing -- 

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Sam Edge]

On 06/07/2019 10:39, L A Walsh wrote:
> My machine's GUID changed. This file has entry for userX
> on the old machine-GUID.  UserX also exists on the new machine GUID.
>
> So I renamed the old entry to UserXold so I could find all the places
> where the old GUID is referenced then change it to the machine's new guid.
>
> I'm not having cygwin create new groups or whatever, but trying to replace
> references to this Userid in the machine's old GUID and replace them with
> reference to the Uid with the machine's new GUID.
>
> if it was the main group, I'd just use find to locate instances of old
> and do chgrp to change ownership to new.  However, this is a group entry
> in an acl list -- so I need to change the name of 1 entry in the acl list.

This sounds like a Windows maintenance issue. While you can use Cygwin
tools to manipulate the NTFS ACLs I'd be inclined to look at native
tools, probably using a Powershell script if you need to automate it. If
you use setfacl on paths outside your 'Cygwin domain' it's going to mess
up the more normal Windows/NTFS ACL usage especially the inheritance and
ordering.


--
Sam Edge


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Andrey Repin]

Greetings, L A Walsh!

> I don't think I explained things clearly.


> On 2019/07/06 02:06, Andrey Repin wrote:
>>> I guess I don't know how to modify an entry to either 1-rename it, or
>>> 2 add the new entry.
>> 
>> You don't.
>> If you want to change name for display purposes, look into nsswitch.conf and
>> associated documentation.
> ---
>         My machine's GUID changed.  This file has entry for userX
> on the old machine-GUID.  UserX also exists on the new machine GUID.
> So I renamed the old entry to UserXold so I could find all the places
> where the old GUID is referenced then change it to the machine's new guid.


> I'm not having cygwin create new groups or whatever, but trying to replace
> references to this Userid in the machine's old GUID and replace them with
> reference to the Uid with the machine's new GUID.

> if it was the main group, I'd just use find to locate instances of old
> and do chgrp to change ownership to new.  However, this is a group entry
> in an acl list -- so I need to change the name of 1 entry in the acl list.


>> 
>> It should, but I strongly suggest to avoid using it outside Cygwin directory
>> tree to maintain maximum interoperability with Windows programs.
> ---
>         No problem.  my cygwin directory is at 'C:\', where it
> has been since WinXP...  (:^|)

THAT is a problem. A big problem.

>> 
>> getent passwd
>> getent group
> ---
>         those don't display GUID/UUIDs, but *nix user+group ids.

Try it sometime. They do.

> I wanted to see the windows guid associated with an identity.

> Since the one I was looking for was a well-known-id I found it, but
> in non-well-known cases,...?  

Set nsswitch.conf to:

passwd: db
group: db

db_enum: all

then check `getent passwd`


-- 
With best regards,
Andrey Repin
Saturday, July 6, 2019 17:11:57

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Brian Inglis]

On 2019-07-06 10:01, Andrey Repin wrote:
>> On 2019/07/06 02:06, Andrey Repin wrote:
>>>> I guess I don't know how to modify an entry to either 1-rename it, or
>>>> 2 add the new entry.
>>> You don't.
>>> If you want to change name for display purposes, look into nsswitch.conf and
>>> associated documentation.
>>         My machine's GUID changed.  This file has entry for userX
>> on the old machine-GUID.  UserX also exists on the new machine GUID.
>> So I renamed the old entry to UserXold so I could find all the places
>> where the old GUID is referenced then change it to the machine's new guid.
>> I'm not having cygwin create new groups or whatever, but trying to replace
>> references to this Userid in the machine's old GUID and replace them with
>> reference to the Uid with the machine's new GUID.
>> if it was the main group, I'd just use find to locate instances of old
>> and do chgrp to change ownership to new.  However, this is a group entry
>> in an acl list -- so I need to change the name of 1 entry in the acl list.
>>> It should, but I strongly suggest to avoid using it outside Cygwin directory
>>> tree to maintain maximum interoperability with Windows programs.
>>         No problem.  my cygwin directory is at 'C:\', where it
>> has been since WinXP...  (:^|)
> THAT is a problem. A big problem.
>>> getent passwd
>>> getent group
>>         those don't display GUID/UUIDs, but *nix user+group ids.
> Try it sometime. They do.

Try:

$ id user|group

and see below for getent nsswitch changes suggested.

>> I wanted to see the windows guid associated with an identity.
>> Since the one I was looking for was a well-known-id I found it, but
>> in non-well-known cases,...?  
> Set nsswitch.conf to:
> passwd: db
> group: db
> db_enum: all
> then check `getent passwd`

In your work environment, you might want to try:

# passwd:	files db
# group:	files db
db_enum:	cache files local builtin primary alltrusted

See docs in - paste into browser:
/usr/share/doc/cygwin-doc/html/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
or
$ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Achim Gratz]

L A Walsh writes:
> Have an acl on a file 'testfile' that appears to include a userid
> with a GUID corresponding to some older value for the local system.

That problem is surprisingly hard to tackle (even though it is quite
common when you need to move data disks between machines) unless you
want to completely nuke and rewrite the DACL or copy the whole data.
These days you're probably expected to use PowerShell, but you might
want to check out a program called subinacl that used to be part of the
Server Resource Toolkit for Windows and has since been made available
for download from the Windows support site.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[L A Walsh]

On 2019/07/06 10:01, Brian Inglis wrote:
> On 2019-07-06 10:01, Andrey Repin wrote:
>   
>>>
>>>> It should, but I strongly suggest to avoid using it outside Cygwin directory
>>>> tree to maintain maximum interoperability with Windows programs.
>>>>         
>>>         No problem.  my cygwin directory is at 'C:\', where it
>>> has been since WinXP...  (:^|)
>>>       
>> THAT is a problem. A big problem.
>>     
----
    Forgot to get back on this.  But why would the above be a problem. 
It never
used to be and I have found it to be very useful. 



>>>> getent passwd
>>>> getent group
>>>>         
>>>         those don't display GUID/UUIDs, but *nix user+group ids.
>>>       
>> Try it sometime. They do.
>>     
>
> Try:
> $ id user|group
> and see below for getent nsswitch changes suggested.
>   
----
    I tried the above, BTW, and was surprised at the changes!


    Had a related question.  I made changes to my /etc/password and
/etc/group
files.  I seem to remember how those files were read by cygwin when it
was first starting, but I don't remember how to propagate changes in
those files into
cygwin.  Is there a way to send a command to one of the demons to reread
those files?

Thanks!


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: rename a user using setfacl -- possible? how?

[Andrey Repin]

Greetings, L A Walsh!

> On 2019/07/06 10:01, Brian Inglis wrote:
>> On 2019-07-06 10:01, Andrey Repin wrote:
>>   
>>>>
>>>>> It should, but I strongly suggest to avoid using it outside Cygwin directory
>>>>> tree to maintain maximum interoperability with Windows programs.
>>>>>         
>>>>         No problem.  my cygwin directory is at 'C:\', where it
>>>> has been since WinXP...  (:^|)
>>>>       
>>> THAT is a problem. A big problem.
>>>     
> ----
>     Forgot to get back on this.  But why would the above be a problem. 
> It never
> used to be and I have found it to be very useful. 

I though so too, back when I was using Windows XP.
But since then, I'm content with "/" cygdrive prefix. It's all that is needed.

>>>>> getent passwd
>>>>> getent group
>>>>>         
>>>>         those don't display GUID/UUIDs, but *nix user+group ids.
>>>>       
>>> Try it sometime. They do.
>>>     
>>
>> Try:
>> $ id user|group
>> and see below for getent nsswitch changes suggested.
>>   
> ----
>     I tried the above, BTW, and was surprised at the changes!


>     Had a related question.  I made changes to my /etc/password and
> /etc/group
> files.  I seem to remember how those files were read by cygwin when it
> was first starting, but I don't remember how to propagate changes in
> those files into
> cygwin.  Is there a way to send a command to one of the demons to reread
> those files?

They are read by the leading process in the tree, or if you are using
cygserver, that one may also cache them.
So, restart cygserver and all cygwin processes you have running.


-- 
With best regards,
Andrey Repin
Wednesday, July 17, 2019 12:00:16

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple