From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.135]) by sourceware.org (Postfix) with ESMTPS id 040903858C39 for ; Wed, 6 Jul 2022 17:32:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 040903858C39 Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=cygwin.com Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=cygwin.com Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue009 [212.227.15.167]) with ESMTPSA (Nemesis) id 1N8XHV-1nV7Bi3YAL-014T2C for ; Wed, 06 Jul 2022 19:32:11 +0200 Received: by calimero.vinschen.de (Postfix, from userid 500) id E394FA80A3C; Wed, 6 Jul 2022 19:32:10 +0200 (CEST) Date: Wed, 6 Jul 2022 19:32:10 +0200 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: The "TrustedInstaller" user can not be found by ID Message-ID: Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <1558196978.20220706133209@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1558196978.20220706133209@yandex.ru> X-Provags-ID: V03:K1:xiVYx94sOpVTahqNb7x4mckAaO1LthSZ9zbueN7Zej7Aioy+EHv 9dTsUedQ7tadlAU0qlSHiEYxlbPzwmFpMh8vrxDhBOT4JfqT5/uYRtEubLPJ0r7nPAQAcRN RpX7rdqfm2JWEeElXT+cEUgmoR3tTPai4PfAY7rRTTPwRuNZLAOYbd2YZfJ5hEC6bE8Oe/w 3pgUCdpJ3pOwrB28hmnCw== X-UI-Out-Filterresults: notjunk:1;V03:K0:RsI4yCAHQUw=:jQKKD71ltSuSPfNx1BzWOP A6VwJilPtUnK3FZaO1vWYJGDSqX2X81bj42RWMFLHitidMMk9A83fYp4bg5vA8cjopcCRa3+K fN9JSXjjCcWNJR1KhGNTDGmvehDQHxzSZsvYxwBVGJMDTN2Stx1XuJHDR3vwDnEQT/7Adt3b9 M/XsB4GR+scgfAk6TT8+5pQQrsXounoU9lcxFr4yjvcsW7A7wyb28e2FPvCJU37tDanb2UFT5 uxr8jAKtaJyHyHIFkIe33qNdBSmXv4T/dT6Ku66u7x/GLJS0dYtAJdKqwx67cmfgm1G1+eEoJ UamZAHqDKJ+hjpmF1obADDd0Wk7bOOpWUk6mq+9fkkhUg6B9lP+KqLO0w2jUpr1rMSVRP1dv6 tXfYgOK8JQif9RkF2Sk2nKY5iiZ5YzoUX1GIyTJWohedRs/ye//6R+IeqAFSIaYXyeqoUZfqP VMRx2ZeAfdyK8SjWzvouiiSpP850w35Q2hJMvN+y5Kq1x+fGLy1ZNJEXEOZ+g1xu+92yYpluD 8q9J41E/pVdg9LB6+BDCgUEzLrOKPK3B84QMtAc8qZ9Ibm0Ipjq3fYCXV8rdcKfXhFQEFXr9y ToYEyblUSh/X4NPszO7jdGgb6KVGXSj5feov2tGlI3MV4awRnpNaeRP4htncpNBthJKyZFaJ8 BJ6toaKWOFszmj2hEd+rg/lozhgdxLU7uzJ3ewNdWtSOpZ2FI4n0ifJwkVWChuylvriaDfET+ pT47quSAx+1kCd1t1bIB0j3a98rOQgtqrGQt0WRckLKnPAIA15gQeTLTi+g= X-Spam-Status: No, score=-93.6 required=5.0 tests=BAYES_00, BODY_8BITS, GOOD_FROM_CORINNA_CYGWIN, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_FAIL, SPF_HELO_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jul 2022 17:32:15 -0000 On Jul 6 13:32, Andrey Repin wrote: > Greetings, All! > > Been doing some housekeeping in my Cygwin installation at work, and wanted to > change the owner of the files to something other than myself. > TrustedInstaller seemed like a good neutral target, but it took me a little > while to find out it is > > 1. …named "NT SERVICE+TrustedInstaller" actually (which is predictable > somewhat); > $ getent passwd | grep -i trust > NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin > > 2. …can not be accessed by any other name (unlike "NT AUTHORITY\SYSTEM"); > $ getent passwd System > system:*:18:18:U-NT AUTHORITY\system,S-1-5-18:/home/system:/bin/bash > $ getent passwd 18 > система:*:18:18:U-NT AUTHORITY\система,S-1-5-18:/home/система:/bin/bash This is by design. Only builtin stuff and the primary domain members can be accessed name-only. "NT SERVICE" is not builtin, but rather a kind of foreign domain identifier (but don't take this literally), so you have to use the full name "NT SERVICE+TrustedInstaller". Note that this is a restriction in the Windows function LookupAccountName, as documented in the source: https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=winsup/cygwin/uinfo.cc;hb=HEAD#l2032 > 3. …can not be accessed by ID! Which is rather surprising. > $ getent passwd 328384 > [2] <- user not found > > Is this some special case of some kind of Windows' kinks? This is impossible with the current code. Cygwin tries to perform bijective SID<->id mappings, if possible. "NT SERVICE" accounts are a bit of a problem and TrustedInstaller is no exception in that the SIDs don't follow the usual rules for BUILTIN / NT AUTHORITY / normal accounts. They are also not exactly predictable, even though TrustedInstaller always has the same SID on all systems. To handle 328384 as TrustedInstaller, it needs actual special casing. We can add that, but that would only allow the explicit mapping between "NT SERVICE+TrustedInstaller" and uid/gid 328384. This would not cover other NT SERVICE accounts. Given that TrustedInstaller is only used by the OS at installation time, I always looked at it as a kind of "read-only account". I'm really not sure if it's worth special casing this account just to allow id->SID mapping... Corinna