Date: Wed, 6 Jul 2022 23:45:13 +0300
From: Andrey Repin <anrdaemon AT yandex DOT ru>
Message-ID: <1282276604.20220706234513@yandex.ru>
To: Corinna Vinschen <cygwin AT cygwin DOT com>, cygwin AT cygwin DOT com
Subject: Re: The "TrustedInstaller" user can not be found by ID
In-Reply-To: <YsXHGlVpP4DeIWnW@calimero.vinschen.de>

Greetings, Corinna Vinschen!

> On Jul 6 13:32, Andrey Repin wrote:
>> Greetings, All!
>>
>> Been doing some housekeeping in my Cygwin installation at work, and wanted to
>> change the owner of the files to something other than myself.
>> TrustedInstaller seemed like a good neutral target, but it took me a little
>> while to find out it is
>>
>> 1. …named "NT SERVICE+TrustedInstaller" actually (which is predictable
>> somewhat);
>> $ getent passwd | grep -i trust
>> NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin
>>
>> 2. …can not be accessed by any other name (unlike "NT AUTHORITY\SYSTEM");
>> $ getent passwd System
>> system:*:18:18:U-NT AUTHORITY\system,S-1-5-18:/home/system:/bin/bash
>> $ getent passwd 18
>> система:*:18:18:U-NT AUTHORITY\система,S-1-5-18:/home/система:/bin/bash

> This is by design. Only builtin stuff and the primary domain members
> can be accessed name-only. "NT SERVICE" is not builtin, but rather a
> kind of foreign domain identifier (but don't take this literally), so
> you have to use the full name "NT SERVICE+TrustedInstaller". Note
> that this is a restriction in the Windows function LookupAccountName,
> as documented in the source:
> https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=winsup/cygwin/uinfo.cc;hb=HEAD#l2032

That explains it, thank you.

>> 3. …can not be accessed by ID! Which is rather surprising.
>> $ getent passwd 328384
>> [2] <- user not found
>>
>> Is this some special case of some kind of Windows' kinks?

> This is impossible with the current code. Cygwin tries to perform
> bijective SID<->id mappings, if possible. "NT SERVICE" accounts are a
> bit of a problem and TrustedInstaller is no exception in that the SIDs
> don't follow the usual rules for BUILTIN / NT AUTHORITY / normal
> accounts. They are also not exactly predictable, even though
> TrustedInstaller always has the same SID on all systems. To handle
> 328384 as TrustedInstaller, it needs actual special casing. We can add
> that, but that would only allow the explicit mapping between "NT
> SERVICE+TrustedInstaller" and uid/gid 328384. This would not cover
> other NT SERVICE accounts.

I was thinking cygserver could level such troubles.
Since name resolution is coming through it, more or less, it could maintain the
mappings of uid => SID of the accounts it had seen, and respond correctly if
`db_enum` contains "cache".

> Given that TrustedInstaller is only used by the OS at installation time,
> I always looked at it as a kind of "read-only account". I'm really not
> sure if it's worth special casing this account just to allow id->SID
> mapping...

-- 
With best regards,
Andrey Repin
Wednesday, July 6, 2022 22:35:01

Sorry for my terrible English...
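
Added example, not part of the original message and not Cygwin or cygserver code: a sketch of why a one-way SID-to-uid computation cannot be inverted without a table of accounts already seen, and where such a table becomes ambiguous. The uid formula is an assumption, picked only because it reproduces 328384 from the SID in the `getent` output above; `SeenCache` and the colliding SID are hypothetical.

```python
# Added illustration. ASSUMPTION: uid = 0x1000 * first sub-authority
# + low 12 bits of the last sub-authority. This is not taken from Cygwin
# source; it is used because it yields the uid shown in the thread.

# SID copied from the getent output quoted in the message.
TRUSTED_INSTALLER = ("S-1-5-80-956008885-3418522649-1831038044-"
                     "1853292631-2271478464")
# Constructed SID (not a real account) whose last RID shares the low 12 bits.
CONSTRUCTED_COLLIDER = "S-1-5-80-1-2-3-4-704"


def parse_sid(text):
    """Return (identifier_authority, [sub_authorities]) for an 'S-1-...' string."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % text)
    return int(parts[2]), [int(p) for p in parts[3:]]


def service_sid_to_uid(text):
    """Assumed forward mapping for S-1-5-80-* (NT SERVICE) SIDs; it is lossy."""
    authority, subs = parse_sid(text)
    if authority != 5 or subs[0] != 80:
        raise ValueError("not an NT SERVICE SID")
    return 0x1000 * subs[0] + (subs[-1] & 0xFFF)


class SeenCache:
    """Hypothetical uid -> SID table filled only by forward (name/SID) lookups."""

    def __init__(self):
        self._by_uid = {}

    def observe(self, sid):
        """Record a SID that was resolved by name and return its uid."""
        uid = service_sid_to_uid(sid)
        self._by_uid.setdefault(uid, set()).add(sid)
        return uid

    def lookup(self, uid):
        """Return the SID for uid, None if never seen, or raise if ambiguous."""
        sids = self._by_uid.get(uid, set())
        if len(sids) > 1:
            # Refuse to guess: a wrong answer would misattribute file ownership.
            raise LookupError("uid %d maps to %d SIDs" % (uid, len(sids)))
        return next(iter(sids), None)
```

A reverse lookup answers only for accounts that were resolved by name first, and it has to fail closed once two SIDs land on the same uid.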