Mail Archives: cygwin/2007/01/22/10:23:34

To: cygwin AT cygwin DOT com
From: "Mark A. Ziesemer" <mark_z AT charter DOT net>
Subject: Re:
Date: Mon, 22 Jan 2007 15:18:12 +0000 (UTC)
Message-ID: <loom.20070122T160919-481@post.gmane.org>
References: <001a01c73dae$7dec4af0$6152a8c0 AT ziesemermark> <20070122093419 DOT GR27843 AT calimero DOT vinschen DOT de> <45B4B622 DOT 9040406 AT byu DOT net> <20070122132934 DOT GU27843 AT calimero DOT vinschen DOT de>

Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > >> When "id" is called without a username, it calls the getgroups(...)
> > >> function
> > >> which appears to work as expected.  However, when a specific username is
> > >> passed, even the username of the current user, getugroups(...) is called,
> > >> and does _not_ appear to work as expected.
> > > 
> > > That's by design.  getgroups() has access to the user token of the
> > > current process and returns every group which is in this token.
> > > getgrent() is a function which enumerates /etc/groups.
> > 
> > So my translation of this would be that the bug is not in id, but in the
> > fact that your /etc/groups is out-of-date.  Use mkgroups to remedy the
> > situation.
> 
> A little bit more specific:  Use the mkgroup -u flag.  By default,
> mkgroup does not add the users to the gr_mem field since that's not
> necessary for correct operation of setuid(2).  By adding the users
> to the gr_mem field (the -u option), you probably get what you want.

Better, but could still use improvement, IMO...

The documentation isn't very strong here, so I'm sorry I didn't find this
earlier.  From http://cygwin.com/cygwin-ug-net/using-utils.html#mkgroup:
"The -u option causes mkgroup to enumerate the users for each group, placing
the group members in the gr_mem (last) field. Note that this can greatly
increase the time for mkgroup to run in a large domain. Having gr_mem fields
is helpful when a domain user logs in remotely while the local machine is
disconnected from the Domain Controller"

This implies that "-u" is not required for proper groups functionality, but
is maybe just used as a backup when the DC is unavailable.  (And in my case,
there is no domain.)

Also, this means that "mkgroup -ul >/etc/group" will have to be re-run every
time there is a change in group membership - not the best option.

Since Cygwin already lets the underlying OS take care of much of the
security (handling passwords, etc.), can't Cygwin just ask Windows for the
user's groups when needed, too?

--
Mark A. Ziesemer
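
Added example, not part of the original thread: a minimal enumeration-style lookup over group-file text, showing why a lookup that relies on gr_mem reports no groups when that field is empty and reports them once it is filled in. The sample files, the user names "mark" and "guest", and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed samples in group-file format: name:passwd:gid:gr_mem */
static const char GROUP_NO_MEMBERS[] =    /* gr_mem left empty */
    "Administrators:S-1-5-32-544:544:\n"
    "Users:S-1-5-32-545:545:\n";
static const char GROUP_WITH_MEMBERS[] =  /* gr_mem filled in */
    "Administrators:S-1-5-32-544:544:mark\n"
    "Users:S-1-5-32-545:545:mark,guest\n";

/* 1 if user is an exact entry of the comma-separated gr_mem list. */
static int listed(const char *mem, size_t len, const char *user)
{
    size_t ulen = strlen(user);
    while (len > 0) {
        const char *comma = memchr(mem, ',', len);
        size_t n = comma ? (size_t)(comma - mem) : len;
        if (n == ulen && memcmp(mem, user, n) == 0) return 1;
        if (!comma) break;
        len -= n + 1;
        mem = comma + 1;
    }
    return 0;
}

/* Enumeration lookup: collect the gid of every well-formed record
   (all four fields present) that names user in gr_mem. */
int groups_from_file(const char *text, const char *user, long *gids, int max)
{
    int found = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        const char *c1 = memchr(text, ':', len);
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - text)) : NULL;
        const char *c3 = c2 ? memchr(c2 + 1, ':', len - (size_t)(c2 + 1 - text)) : NULL;
        if (c3 && found < max && listed(c3 + 1, len - (size_t)(c3 + 1 - text), user))
            gids[found++] = strtol(c2 + 1, NULL, 10);
        text += len + (eol ? 1 : 0);
    }
    return found;
}
int main(void)
{
    long g[8];
    printf("file, empty gr_mem:  %d\n", groups_from_file(GROUP_NO_MEMBERS, "mark", g, 8));
    printf("file, filled gr_mem: %d\n", groups_from_file(GROUP_WITH_MEMBERS, "mark", g, 8));
    return 0;
}
```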
