Mail Archives: cygwin/2014/10/24/06:37:37
On Oct 24 17:35, Luke Kendall wrote:
> On 24/10/14 02:43, Corinna Vinschen wrote:
> > On Oct 22 20:57, Tom Schutter wrote:
> >> On Wed 2014-10-22 11:23, Corinna Vinschen wrote:
> >>> For your convenience I wrote new documentation. Since this is a TEST
> >>> prerelease, the new documentation is not part of the official docs yet.
> >>> Rather have a look at
> >>>
> >>> https://cygwin.com/preliminary-ntsec.html
> >> "machine is no domain member" -> "machine is not a domain member"
> > Thanks, I applied this as patch.
> >
> >
> > Corinna
> >
>
> Obviously, all the URLs for the section called “Mapping Windows accounts to
> POSIX accounts” will become correct when the file is renamed from
> preliminary-ntsec.html to ntsec.html. But in the section where you talk
> about the 'problem with the definition of a "correct" ACL which disallows
> mapping of certain POSIX permissions cleanly', previously the URL referenced
> immediately after that text appeared as 'the section called "The POSIX
> permission mapping leak" ', but now it's yet another reference to 'the
> section called “Mapping Windows accounts to POSIX accounts”'
>
> -- Is that a mistake?
Yes, it is. Thanks for catching. It should point to the chapter
"File permissions".
> Other suggestions/notes:
>
> 'One of them is that the idea to have always small files is flawed.'
> -->
> 'One of them is that the idea that these files will always be small, is
> flawed.'
>
> 'so we rely on some mechanism to convert SIDs to uid/gid values and vice
> versa'
> -->
> 'so we need a mechanism to convert SIDs to uid/gid values and vice versa'
>
> 'It allows [us] to generate uid/gid values '
>
> 'Read /etc/passwd and /etc/group files [if they exist], just as in the olden
> days'
>
> 'If [the passwd or group] files are present, they will be scanned on demand'
>
> 'Logon SIDs: The own[huh? owner's? user's?] LogonSid is converted'
The logon SID of the current session. I rephrased this now to:
"Logon SIDs: The LogonSid of the current user's session is converted ..."
> 'if the AD administrators chose an unreasonable[unreasonably] small'
>
> 'which keeps an analogue value of the trustPosixOffset'
> -->
> 'which keeps an analog of the trustPosixOffset'
British vs. American English... ;)
> 'how do we uniquely differ[distinguish] between them by name?'
>
> 'very costly (read: slow) sea[r]ch operations'
>
> (By the way, if you want to belong to multiple groups, is the only way to do
> this via an /etc/group file?
You mean via the gr_mem field? That's not evaluated anymore. Group
membership is stored in SAM or AD.
> Also, it occurs to me that another way to
> store the unix home dir, etc., would be a 'partial passwd' file that omitted
> the fields for the parts supplied easily by AD (SID, GID)? That's just an
> idle thought.)
But that means you have to read the files again. There's not much of an
advantage to having full passwd and group files then for the user, nor
for Cygwin itself. Plus, you have to implement two different reading
algos per file type.
> 'Cygwin process tree, which[ever?] first process'
Hmm. Sounds bad, right? What I'm trying to say is, if the first
process of a process tree found cygserver isn't started, it will not try
to ask cygserver again, and it will propagate the lack of cygserver to
the child processes, so they will not try to contact cygserver either. If
you have a catchy way to phrase this in fewer words, I'd be quite happy.
Btw.
In the document I'm talking of the "first process of a Cygwin process
tree" throughout. Is it clear at all what that means? For a Cygwin
Terminal session that would be the mintty process. If you have this:
Cygwin process 1 starts Cygwin process 2
Cygwin process 2 starts CMD.EXE
CMD.EXE starts Cygwin process 3
Cygwin process 3 starts Cygwin process 4
Then you have two Cygwin process trees with Cygwin process 1 and
Cygwin process 3 being the "first processes in a Cygwin process tree".
Is there a better way to phrase this in English? Would it make more
sense to use "parent" or "grandparent" for the first process? Or
any other expression?
> 'is not running a[t] the time'
>
> 'via an undocumented API[,] an applications[application] can fetch'
>
> 'When Cygwin stat's[stats, or: stat()s] files'
>
> 'If both[,] files and db are specified'
There is a comma already. Or am I looking into the wrong line?
> 'Cygwin will always try the files first, then the db. '
> -- is that because the db will always be more trustworthy than the files?
It's because it doesn't make sense the other way around. The DBs will
always have a valid reply for an existing account, thus there can't be
any fallback from db to files.
> BTW, the POSIX permission mapping leak used to have a section heading; it's
> now just unmarked, inside the File Permissions section. (I'm just pointing
> that out.)
That was deliberate. I was wondering if the lengthy description of a
border case in permission handling really deserved its own chapter and
came up with a "no".
> Hope this helps! You've obviously put a lot of thought and effort into all
> this: thanks.
This really helps a lot, thank you! I applied a patch in your name,
hope that's ok. I also uploaded this version to
https://cygwin.com/preliminary-ntsec.html
If you (or somebody else) have suggestions for the two problems outlined
above, I'd be really grateful.
Thanks,
Corinna
-- 
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat