From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) by sourceware.org (Postfix) with ESMTPS id A74313858D32 for ; Thu, 7 Jul 2022 07:56:23 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A74313858D32 Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=cygwin.com Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=cygwin.com Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue109 [212.227.15.183]) with ESMTPSA (Nemesis) id 1Mg6mG-1neyJ12jSo-00hb5q for ; Thu, 07 Jul 2022 09:56:21 +0200 Received: by calimero.vinschen.de (Postfix, from userid 500) id 7D81AA807DB; Thu, 7 Jul 2022 09:56:20 +0200 (CEST) Date: Thu, 7 Jul 2022 09:56:20 +0200 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: The "TrustedInstaller" user can not be found by ID Message-ID: Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <1558196978.20220706133209@yandex.ru> <1282276604.20220706234513@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1282276604.20220706234513@yandex.ru> X-Provags-ID: V03:K1:82B/DQTNoj9FOPUrPQEbbOmDaVMDtUCtaZ72Qwky2LoMB7nxC0+ 09olSh1cnbl/gF2kHaCkhDfAWyKRtIGOimAtYzTLotS4qplXj8A4M+Cjcjn3jdwcAIK0XgJ VZggZsYwwlnYv3F/dfUCbFF00/6+S1yN6VXHfl4tiCBCeE9Nl9N0RwXgukHySjH0W/GzEAf j+u96CTHqB7olyRo8zVwg== X-UI-Out-Filterresults: notjunk:1;V03:K0:xZrKlYXYDGI=:KUKtavQ2Kc7WfeAgAZR5ML tGuehaxtkqq6//kemZigZN7ZzA9T1ZhSX8ukC6SUeOfUK6I4us+hI9tgie20IvGoJZJ6yZ9nS F1m2d6DyKcszwjewmbSDQ/ZwtcxTs6SI5Mkt3GU1wABdGhM3tdaV/BamQhp/XSp4vFZmP4Etg smP4wCLLoanp8sTH5VOcoa2bdawnLWiVhOpcpxIV9xtd7Lobqaz5aTACLBYS/INnjhOgrGZf7 egEVRvw/kp6j3hbDldfhIWfEAdwWvNCxGL6y/ANLzeg1mYljwAxrDfkJbeiuWqTQwh2WxtSsk cj+q/2sfvoye/lVp7xkIu8XB7jw42dUmNvYiSXTGOG/88VfSN9NSAiEKLXoan3isfw6fZ1o+I wlqe97YVd7Bewl8rR/mCwX+FDc2K9+VZwK/UIo+LXhnpqvMpqhWXSPH6Z7hyYfe5HND1wGeSe uocORsn8jKZlkZhu0bGEJL68+bKwsJyjTqT4frNkqpPOB3YKjmcMiEkZDlTeL2hbCjJdOmwgH e4se2wweBQiKdSpIFeLPBNi8ae0mtWIu1aXDPOvT188i1LEXSI4P8GnKBIwDyPOVjVNR+84I/ VMjPyEQBIMaaT5smzGIt4fQXO8ZKt5SKcH4MmtBW/0mBwkieyWeljIMmMIoty9/h7lioE9bMW sYwS7MN+9orcE1IjioPmY6sptyYh10Y0HelLWWXFudSlugNHdMJNdG0UJD8rqXAowJnzgCRTl 9nf/yHOQgiOXSKlPRcxpUrIUJp8gXPif/Rd2SCIO87uyU6HDedWL6SF5Kyo= X-Spam-Status: No, score=-93.6 required=5.0 tests=BAYES_00, BODY_8BITS, GOOD_FROM_CORINNA_CYGWIN, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_MSPIKE_H2, SPF_FAIL, SPF_HELO_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2022 07:56:25 -0000 On Jul 6 23:45, Andrey Repin wrote: > Greetings, Corinna Vinschen! > > > On Jul 6 13:32, Andrey Repin wrote: > >> Greetings, All! > >> > >> Been doing some housekeeping in my Cygwin installation at work, and wanted to > >> change the owner of the files to something other than myself. > >> TrustedInstaller seemed like a good neutral target, but it took me a little > >> while to find out it is > >> > >> 1. …named "NT SERVICE+TrustedInstaller" actually (which is predictable > >> somewhat); > >> $ getent passwd | grep -i trust > >> NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin > >> > >> 2. …can not be accessed by any other name (unlike "NT AUTHORITY\SYSTEM"); > >> $ getent passwd System > >> system:*:18:18:U-NT AUTHORITY\system,S-1-5-18:/home/system:/bin/bash > >> $ getent passwd 18 > >> система:*:18:18:U-NT AUTHORITY\система,S-1-5-18:/home/система:/bin/bash > > > This is by design. Only builtin stuff and the primary domain members > > can be accessed name-only. "NT SERVICE" is not builtin, but rather a > > kind of foreign domain identifier (but don't take this literally), so > > you have to use the full name "NT SERVICE+TrustedInstaller". Note > > that this is a restriction in the Windows function LookupAccountName, > > as documented in the source: > > > https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=winsup/cygwin/uinfo.cc;hb=HEAD#l2032 > > That explains it, thank you. > > >> 3. …can not be accessed by ID! Which is rather surprising. > >> $ getent passwd 328384 > >> [2] <- user not found > >> > >> Is this some special case of some kind of Windows' kinks? > > > This is impossible with the current code. Cygwin tries to perform > > bijective SID<->id mappings, if possible. "NT SERVICE" accounts are a > > bit of a problem and TrustedInstaller is no exception in that the SIDs > > don't follow the usual rules for BUILTIN / NT AUTHORITY / normal > > accounts. They are also not exactly predictable, even though > > TrustedInstaller always has the same SID on all systems. To handle > > 328384 as TrustedInstaller, it needs actual special casing. We can add > > that, but that would only allow the explicit mapping between "NT > > SERVICE+TrustedInstaller" and uid/gid 328384. This would not cover > > other NT SERVICE accounts. > > I was thinking cygserver could level such troubles. > Since name resolution coming through it more or less, it could maintain the > mappings of uid => SID of the accounts it had seen, and respond correctly if > `db_enum` contains "cache". Caching is just caching, not an entirely different algorithm. When you use cygserver, it just asks the Cygwin DLL on behalf of another process. The caching itself actually occurs inside the Cygwin DLL and is always present, even without cygserver: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-caching Having said that, in my case, starting tcsh via mintty with no cygserver running, I can request the info just fine: $ getent passwd 328384 NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin If I start tcsh inside a Windows console, the above command fails, so I guess mintty already requests the info under some circumstances so I can happily request the cached passwd entry. Having said that, caching doesn't help, if the info hasn't been requested before. You always need at least one request for "NT SERVICE+TrustedInstaller" inside your process tree to allow a subsequent successful reverse mapping. Caching is nice and all, but fact is, that I can't get the info from the OS, and that's the actual problem. > > Given that TrustedInstaller is only used by the OS at installation time, > > I always looked at it as a kind of "read-only account". I'm really not > > sure if it's worth special casing this account just to allow id->SID > > mapping... Corinna