timeout in LDAP access

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jul 28 09:21:00 GMT 2014


Ping?

On Jul 18 21:18, Corinna Vinschen wrote:
> On Jul 17 08:33, Denis Excoffier wrote:
> > On 2014-07-16 15:51, Corinna Vinschen wrote:
> > > It occurred to me that there's another way to do that.  The problem
> > > you're mentioning above could be alleviated if the first Cygwin process
> > > in a process tree fetches all POSIX offsets of all trusted domains right
> > > at the start, rather than fetching the POSIX offsets only on demand by
> > > whatever process needs it.  This would slow down the startup of the
> > > first process slightly (one LDAP request per trusted domain, but only
> > > asking your primary DC), but this would have two advantages:
> > > 
> > > - After fetching all POSIX offsets, we could filter out all POSIX
> > >  offsets which don't make sense.  These would be set using the fake
> > >  offset setting mechanism.  "No sense" would include offsets < 0x110000
> > >  or offsets > 0xff000000.  If the first process in the tree 
> > > 
> > > - The UID/GID values would be stable throughout the process tree.
> > > 
> > > - The UID/GID values would be stable systemwide when utilizing cygserver.
> > > 
> > > That's a bit of work, but Cygwin 1.7.31 will still come without this
> > > AD integration code anyway, so we still have time to turn everything
> > > upside down.
> > I buy this of course, but I’m still not convinced that we have to
> > work around. After all, since I don’t care about the other domains in my daily
> > work, I’m not affected at all. Most of the users will never be affected
> > I suppose. And if Cygwin happens to circumvent a null posixOffset by
> > providing its own, there will be even fewer chances for collisions and
> > for collisions being reported.
> > 
> > But we can consider the other way and for that I will use a comparison:
> > using special characters (like ‘\n’) gratuitously in the middle of filenames
> > is usually considered as a bad practice, but always possible by
> > doing ‘char *filename = "a\nb"; fopen(filename, "w")’. Now, once this
> > file is created, you can use ‘ls’ in the folder. Do you think ‘ls’
> > should respect user decision and display the raw \n in its output or
> > try to work around by using some substitution character (like ‘?’) in order
> > not to wrap at unexpected locations? The answer is that ‘ls’ substitutes
> > by default, but also provides a full group of related options to change this
> > behavior (--quoting-style=WORD, --hide-control-chars).
> > 
> > Of course, adding options (eg in nsswitch.conf) to orientate the assignment
> > of posixOffsets to various substitutes would be useless. Even assigning
> > the null posixOffsets to non-null values, I’m not convinced of.
> 
> We really should do that to avoid collisions with system accounts, IMHO.
> 
> But maybe we should handle it as a border case of a border case, and
> reliably.  Rather than using the default fake mechanism, what if
> we use default offsets for the two cases:
> 
> Case 1: posix offset is < 0x100000  ==> Enforce posix offset 0xfe80000
> Case 2: posix offset can't be fetched (this points to a local user
>         having no access to this kind of domain information)
>         ==> Enforce posix offset 0xfe000000.
> 
> This would result in potential collisions in very rare border cases,
> but it would result in reliable mappings throughout all processes.
> And, the complexity would be quite small.

Any feedback on this one?  Shall I create a snapshot with a matching
patch?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
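
An added example, not part of the original message and not Cygwin code: the two default-offset cases proposed above, written as a pure function so that every process derives the same mapping, with a check for the collisions the message accepts as rare border cases. The struct, the function names and the domain data are hypothetical and constructed; the UID = offset + RID mapping is an assumption, and the constants are copied as written in the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Threshold and defaults exactly as written in the message (Case 1, Case 2). */
#define MIN_VALID_OFFSET   0x100000u
#define LOW_OFFSET_DEFAULT 0xfe80000u
#define NO_FETCH_DEFAULT   0xfe000000u

/* Hypothetical record of one trusted domain's LDAP lookup result. */
struct domain {
    const char *name;
    bool fetched;          /* false: offset could not be read (Case 2) */
    uint32_t posix_offset; /* value the DC returned, when fetched */
};

/* Constructed sample data, not taken from any real environment. */
struct domain sample[] = {
    {"CORP", true, 0x200000u}, {"LEGACY1", true, 0u},
    {"LEGACY2", true, 0u},     {"NOACCESS", false, 0u},
};

/* Depends only on the lookup result, so all processes agree on the answer. */
uint32_t effective_offset(const struct domain *d) {
    if (!d->fetched) return NO_FETCH_DEFAULT;                          /* Case 2 */
    if (d->posix_offset < MIN_VALID_OFFSET) return LOW_OFFSET_DEFAULT; /* Case 1 */
    return d->posix_offset;
}

/* Assumption: a domain account's UID is its domain offset plus its RID. */
uint32_t map_uid(const struct domain *d, uint32_t rid) {
    return effective_offset(d) + rid;
}

/* Number of domain pairs whose accounts would land in the same UID range. */
size_t count_offset_collisions(const struct domain *doms, size_t n) {
    size_t pairs = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (effective_offset(&doms[i]) == effective_offset(&doms[j])) pairs++;
    return pairs;
}

int main(void) {
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++)
        printf("%-9s offset 0x%08x\n", sample[i].name, (unsigned)effective_offset(&sample[i]));
    printf("colliding domain pairs: %zu\n", count_offset_collisions(sample, n));
    return 0;
}
```

With this sample, the two domains reporting a zero offset share one default, so the same RID in each yields the same UID, while the unreadable domain gets its own range.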