This is the mail archive of the cygwin mailing list for the Cygwin project.



Re:


Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > >> When "id" is called without a username, it calls the getgroups(...)
> > >> function which appears to work as expected.  However, when a specific
> > >> username is passed, even the username of the current user,
> > >> getugroups(...) is called, and does _not_ appear to work as expected.
> > > 
> > > That's by design.  getgroups() has access to the user token of the
> > > current process and returns every group which is in this token.
> > > getgrent() is a function which enumerates /etc/groups.
> > 
> > So my translation of this would be that the bug is not in id, but in the
> > fact that your /etc/groups is out-of-date.  Use mkgroups to remedy the
> > situation.
> 
> A little bit more specific:  Use the mkgroup -u flag.  By default,
> mkgroup does not add the users to the gr_mem field since that's not
> necessary for correct operation of setuid(2).  By adding the users
> to the gr_mem field (the -u option), you probably get what you want.

Better, but could still use improvement, IMO...

The documentation isn't very strong here, so I'm sorry I didn't find this
earlier.  From http://cygwin.com/cygwin-ug-net/using-utils.html#mkgroup:
"The -u option causes mkgroup to enumerate the users for each group, placing
the group members in the gr_mem (last) field. Note that this can greatly
increase the time for mkgroup to run in a large domain. Having gr_mem fields
is helpful when a domain user logs in remotely while the local machine is
disconnected from the Domain Controller"

This implies that "-u" is not required for proper groups functionality, but
is maybe just used as a backup when the DC is unavailable.  (And in my case,
there is no domain.)

Also, this means that "mkgroup -ul >/etc/group" will have to be re-run every
time there is a change in group membership - not the best option.

Since Cygwin already lets the underlying OS take care of much of the
security (handling passwords, etc.), can't Cygwin just ask Windows for the
user's groups when needed, too?

--
Mark A. Ziesemer
