This is the mail archive of the cygwin mailing list for the Cygwin project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] | |
On Mar 11 15:07, Achim Gratz wrote: > Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes: > > You don't have to move them away. Just set nsswitch.conf. > > Did that and using the snapshot DLL from 2014-03-05 on top of a full > snapshot install from 2014-03-10. The ACL is this: > > # file: x86 > # owner: gratz > # group: Domain Users > user::--- > group::--- > group:admin-cygwinupload:rwx > group:user-cygwinupload:rwx > mask:rwx > other:--- > default:user::--- > default:group::--- > default:group:admin-cygwinupload:rwx > default:group:user-cygwinupload:rwx > default:mask:rwx > default:other:--- > > With the original passwd and group file in place and nsswitch.conf set to > either "files" or "files db" the test fails. With just "files" getfacl > doesn't show the group ACL at all, How does it look with any non-AD integrated Cygwin? > while with "files db" I see the ACL for > both the admin and the user group (both are not in the group file). Setting > to just "db" the ACL is shown as before and the test from Perl now succeeds! Ok. > In fact any combination that includes "files" fails. Hmm. So you're saying that the groups in question are not in /etc/groups, but it works with the non-AD Cygwin but not with the AD-Cygwin? A group which is not in /etc/groups is, in theory, just not in the ACL with the old Cygwin. What's not in Cygwin anymore is the mapping of a non-existing account to the uid/gid -1, what would have been printed as "????????" in ls output. This automatism would have collided with the DB stuff, but maybe I have to re-introduce it if only "files" is used. This could explain what happens in the "files"-only case... ...but that doesn't explain what happens with "files db". The uid/gid values may differ from the DB values, but only if the account actually exists in the file. And then the values in the files would have precedent over the db values. I'm really wondering what perl is checking there. > So, after some head > scratching I changed the uid and gid in the passwd and group files to match > the new mapping scheme and lo and behold the test is now working. The > getfacl command starts to show the group ACL when I add them to the group > file (with the correct gid mapping), but the test still fails with "files" > only. With the correct group entries and "files db", the test also works. Erm... > So, Perl somehow uses the gid/uid mapping and relies on those to be working, Whatever it's doing there. That doesn't make sense, unless it calls getgrent maybe?!? > while bash uses a code path that doesn't and probably just uses the uid/gid > directly. Much easier. bash just calls access(2). > I guess I could make the "files" only case work by adding some > more groups (no time for checking what that might be at the moment), again > changing the mapping (will mkpasswd do this at some point?). Do you still > need traces or does get you a test case that works in your environment? Yes, please. Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat
Attachment:
pgpukoLm81KXb.pgp
Description: PGP signature
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |