incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Aug 27 17:26:00 GMT 2018


On Aug 27 11:09, Corinna Vinschen wrote:
> On Aug 26 20:32, L A Walsh wrote:
> > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > ...
> > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > acl_to_text is the binary form, so it doesn't contain user or group
> > > names, only uids and gids.  The usernames are only generated in the
> > > output.
> > ---
> > 	Rats.  Of course, you're right.  	Then I nominate the problem being that it
> > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > can store in tar.
> 
> The problem with unknown SIDs is that there's no bijective
> transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> then... what?  How do you restore the information?  There's no SID for
> uid/gid -1.
> 
> > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > accounts on the linux-based PDC (samba 3.x).
> 
> What for?  This should work automatically and you would get rid of those
> dreaded backslashes in the account names.  Using passwd/group files also
> have a higher probability of account overlap with weird results.
> 
> Passwd and group files should only be used if you have very specific
> problems to solve (like offline usage or see below), otherwise just use
> the values you get from the account DBs.
> 
> > In this case, that user+group appear to correspond
> > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > The domain/system part appears to be from some previous
> > value for the machine's "sid"?  Not sure how to deliberately
> > reproduce that, but maybe you have a tool to create an
> > invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > in /etc/passwd.
> > and something similar in /etc/group?

Actually, I just did that.  I added a user and a group to the files with
weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
different ACLs (created by Cygwin, created by native Windows) there are
different results.  The problem is that uid/gid -1 can be created as a
file ACL entry *and* at the same time have the meaning of "don't look
for the uid/gid" when checking the ACL for validity.  To make matters
worse, if you have multiple ACEs of unknown users, the resulting ACL is
*always* invalid.

Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
into a fix.

> If you want to keep the old, unknown accounts, just add them to
> your passwd and group files (one of those special problems).
> Alternatively remove them from all ACLs.

For the time being, use the above workaround.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/20180827/4a6bbffe/attachment.sig>


More information about the Cygwin mailing list