delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2014/11/11/01:39:28

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:message-id:date:from:mime-version:to:subject
:references:in-reply-to:content-type:content-transfer-encoding;
q=dns; s=default; b=B4KKnOPmPyu7iOhBHCSuax0ocgW9IO1OTconD7nxJQZ
6+a1+DQeYHLA+9VMZ3FI6AdEw72/aRgq985o0jKnpKagvT6vzw82d4NZYVrpLPRD
aDwYyxFjgkIodMwRw01Nnsq1cXBEa+ikhy64DH14TYpPtMkAZpOOSSjvwL2HrqXc
=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:message-id:date:from:mime-version:to:subject
:references:in-reply-to:content-type:content-transfer-encoding;
s=default; bh=ccBJ74RH3IbQCbkt01duJg/F7vE=; b=ajtEvzmPdlxQWkcHf
eiu9IyA3gVIKoC+M9nZAjdufc2zGTEJJnkk2NaL5wInjfDelUPPidnpwPkShlrPv
Pd4jB4FnMjhGuXsT/4wOvdVjFbBb9+CgWPgXpysawIf0aliy+1eD0U6njR1L30Tg
pRNJSOSnYbzCaya0HNpbkSHWsY=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD autolearn=no version=3.3.2
X-HELO: mailout04.t-online.de
Message-ID: <5461AF09.5010809@t-online.de>
Date: Tue, 11 Nov 2014 07:39:05 +0100
From: Christian Franke <Christian DOT Franke AT t-online DOT de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 1.7.33-0.6
References: <545BBF4B DOT 4020400 AT t-online DOT de> <20141106185019 DOT GK28195 AT calimero DOT vinschen DOT de> <545BD14A DOT 8080803 AT t-online DOT de> <20141106200635 DOT GP28195 AT calimero DOT vinschen DOT de> <20141106204222 DOT GQ28195 AT calimero DOT vinschen DOT de> <545C68BA DOT 3050007 AT t-online DOT de> <20141107101659 DOT GU28195 AT calimero DOT vinschen DOT de> <545D30DA DOT 9040507 AT t-online DOT de> <20141110105151 DOT GB2782 AT calimero DOT vinschen DOT de> <54611048 DOT 4000404 AT t-online DOT de> <20141110204500 DOT GB13071 AT calimero DOT vinschen DOT de>
In-Reply-To: <20141110204500.GB13071@calimero.vinschen.de>
X-IsSubscribed: yes 

Corinna Vinschen wrote:
> On Nov 10 20:21, Christian Franke wrote:
>> Corinna Vinschen wrote:
>>> On Nov  7 21:51, Christian Franke wrote:
>>>> Corinna Vinschen wrote:
>>>>>>> In theory there should be only one option -l [machine], which prints the
>>>>>>> local accounts of the current machine unprefixed (standalone machine) or
>>>>>>> prefixed (domain machine), and always prefixed for a foreign machine.
>>>>>>> The -L option can just go away.
>>>>>> I disgree.
>>>>>>
>>>>>> Why not keep the old behavior of -l/-L for user names of current machine for
>>>>>> those uses cases which rely on it?
>>>>> You are always free to change the passwd/group files manually:
>>>>>
>>>>>    $ mkpasswd -l | sed -e 's/^[^:]*+//' > /etc/passwd
>>>> Of course, and it is good that this is still possible. But this would
>>>> require that all existing scripts relying on old behavior need to be
>>>> changed.
>>>>
>>>> I still don't understand why this backward compatibility break of "mkpasswd
>>>> -l" was mandatory.
>>>>
>>>> Most *-config scripts using "mkpasswd -l -u USER" may need to be changed.
>>> Definitely.  The change is inevitable since most scripts using mkpasswd
>>> or mkgroup do so to create entries in /etc/passwd and /etc/group.  But
>>> this doesn't make sense anymore, or if so, only marginally so.
>> OK.
>>
>> What will be the behavior of the predecessor of e.g. the csih function
>> csih_create_unprivileged_user if called with USER without HOST prefix,
>> machine is inside of domain and the user does not exist:
>> - create local windows USER and require the config script to retrieve the
>> actual Cygwin HOST+USER name,
>> - fail and tell the calling config script to retry with HOST+USER instead
>> (if possible),
>> - create local windows USER and create a /etc/passwd entry to support a
>> non-prefixed Cygwin USER in this case,
>> - one of the above, selected by a new option.
> I'm not exactly sure yet.  I'm working on it, and I ripped apart the
> functions dealing with this problem by handling the cygwin username and
> the windows username separately.  But it's not yet finished.  In theory
> you have two cases.
>
> Either the account already exists, then the user should (probably
> (grain/salt)) specify the Cygwin username, which is either prefixed or
> not prefixed, dependent on the DB it will get taken from.  The script
> fetches the Windows domain and username from the U-... entry in pw_gecos
> then.
>
> Or the account doesn't exist, then the username is just a name.  The
> user account will be created in the local SAM and dependent on the state
> of the machine, AD member or not, will be prefixed or not as Cygwin
> account.
>
> Something like that.

Possibly a two step process:

csih_check_unprivileged_user --allow-prefix $USER

if [ "$csih_unpriv_cygwin_username" != "$USER ]; then
   # Cygwin username has prefix
    .... inform user, patch configuration file, ...
fu

csih_create_unprivileged_user [ $PASSWORD ]


>
>>>> Local scripts from Cygwin users which use "mkpasswd -l" may need to be
>>>> changed.
>>> They are not supposed to use mkpasswd anymore since they don't need it,
>>> only in very special circumstances.
>> Wouldn't it be better to let mkpasswd -l simply fail with an explanatory
>> error message instead of producing non-backward compatible results? Or at
>> least print a warning to stderr?
> But there still are cases in which using mkpasswd -l may be used.  If
> somebody explicitely chooses to use "passwd: files"-only, then the
> mkpasswd tool needs to generate accounts.
>
> Is there any compromise possible which lets mkpasswd generate the
> forward compatible accounts by default?  I made the change to mkpasswd
> and mkgroup I outlined last week, but I deliberately didn't check it in
> because I'm still hoping we find a compromise going forward.  I
> understand that in your scenario you will have to use /etc/passwd for a
> while longer.
>
> But...  how many scripts would you really have to change if mkpasswd
> generates prefixed names?

We could add 'sed' to /etc/passwd generating script, no problem.

The actual test scripts & tools from this use case pass local usernames 
from/to non-Cygwin programs and rely on the fact that Cygwin and Windows 
username match.

For the long term, have some cyguser, cyggroup tools (similar to 
cygpath) which convert the names would be helpful.


>    Alternatively, is setting some environment
> variable feasible for tweaking the output of mkpasswd backward
> compatible?

Of course, yes.

Or mkpasswd -l behavior depends on nsswitch.conf setting:

passwd only: Old behavior
passwd, db: New behavior, print warning
db only: fail

Christian


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019