Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?

Dan Shelton dan.f.shelton@gmail.com
Mon Mar 11 01:28:05 GMT 2024


On Wed, 6 Mar 2024 at 14:01, Corinna Vinschen via Cygwin
<cygwin@cygwin.com> wrote:
>
> On Mar  5 23:38, Dan Shelton via Cygwin wrote:
> > On Sat, 24 Feb 2024 at 14:11, Corinna Vinschen via Cygwin
> > <cygwin@cygwin.com> wrote:
> > >
> > > On Feb 23 22:15, Dan Shelton via Cygwin wrote:
> > > > HOWEVER, there is another Cygwin bug:
> > > > "getent group mywingrp1" does not list any group members, even after
> > > > "net localgroup mywingrp1 mywinuser44 /add", which is a POSIX
> > > > violation.
> > >
> > > Not a bug.  Two problems:
> > >
> > > - Getting members of a group can be an extremely costly operation
> > >   in a domain or, worse, a domain forest, or even worse, if the
> > >   domain or domain forest is remote.
> > >
> > > - Along the same lines, getting members of a group can be extremely
> > >   costly in big orgs with thousands of users.  Nobody wants to clutter
> > >   up space with the list of members in the "Domain Users" group.
> > >
> > > - Permissions to enumerate members of a group are restricted.
> > >   By default only admins and group members are allowed to enumerate
> > >   members and this can be restricted further by domain admins.
> > >
> > > Therefore we dropped even trying to populate gr_mem, considering
> > > that even in its original form on Unix systems, it's used only
> > > to add supplementary groups.  To do this right on Windows is even
> > > more costly than blindly enumerating.
> > >
> > > It's not a bug, it's a feature :)
> >
> > Could you add an option to getent so that the full lookup can be
> > requested via command line, pls?
>
> That's not possible.  getent just calls getpwent/getgrent.

What about environment variables? NSSWITCH_PATH=/etc/nsswitch.conf
would be the default, and then let scripts customise it.

>
> > Always editing /etc/nsswitch.conf
> > forth and back is not an elegant solution, aside from race conditions
> > with other users on a system
>
> So, here we go again.
>
> - What exactly are you trying to accomplish by enumerating the accounts?
>   Maybe you won't actually need it for your task at hand.

We're trying to do several things, including but not limited to:
- Finding which local groups exist. Part of our customer software
expects that certain groups exist. Unfortunately the group names vary
between installations, and sometimes names are prefixed with site
names. Trying to do all permutations with just getent passwd
$iteration means too many combinations (>= 4000000). So just
enumerating all local groups with getent group would be the way to go.
- Get the uid and gid used by Cygwin, so the scripts can use them
later for tar/pax and other scripts

Dan
-- 
Dan Shelton - Cluster Specialist Win/Lin/Bsd
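
Added example, not part of the original message and not Cygwin code: one pass over enumerated group lines resolves site-prefixed group names to their gids, instead of probing every name permutation with separate lookups. The function names, the sample group names and gids, and the convention that a site prefix is joined with `_`, `-` or `+` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the name:passwd:gid:members layout. The member field
# is empty, matching the thread's statement that gr_mem is not populated.
sample_groups() {
cat <<'EOF'
Administrators:x:544:
siteA_backupops:x:197121:
SITEB-dbadmins:x:197122:
reporting:x:197123:
siteA_reporting_archive:x:197124:
EOF
}

# resolve_groups BASE...
# Reads group lines on stdin and prints "BASE NAME GID" for every group whose
# name is BASE, or ends in <separator>BASE after a non-empty prefix.
# Matching is case-insensitive. A required BASE with no match is reported as
# "BASE MISSING -" and makes the function return 1.
resolve_groups() {
    awk -F: -v want="$*" '
        BEGIN { n = split(tolower(want), base, " ") }
        # Skip malformed lines: need at least name, passwd and a numeric gid.
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            name = tolower($1); ln = length(name)
            for (i = 1; i <= n; i++) {
                b = base[i]; lb = length(b); hit = 0
                if (name == b)
                    hit = 1
                else if (ln > lb + 1 && substr(name, ln - lb + 1) == b &&
                         index("_-+", substr(name, ln - lb, 1)) > 0)
                    hit = 1
                if (hit) { print b, $1, $3; found[i] = 1 }
            }
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++)
                if (!found[i]) { print base[i], "MISSING", "-"; rc = 1 }
            exit rc
        }'
}
```

On a live system the input would come from `getent group | resolve_groups backupops dbadmins`, subject to the enumeration settings in /etc/nsswitch.conf discussed in the thread.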

