From: "Lavrentiev, Anton (NIH/NLM/NCBI) [C]" <lavr@ncbi.nlm.nih.gov>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: RE: Cygrunsrv and special Windows virtual accounts "NT SERVICE"
Date: Fri, 14 Dec 2012 16:23:13 +0000
Message-ID: <5F8AAC04F9616747BC4CC0E803D5907D053F86BD@MLBXv04.nih.gov>
References: <5F8AAC04F9616747BC4CC0E803D5907D053F8671@MLBXv04.nih.gov> <20121214160616.GI6237@calimero.vinschen.de>
In-Reply-To: <20121214160616.GI6237@calimero.vinschen.de>

> http://cygwin.com/ml/cygwin/2012-12/msg00154.html

Thanks.

> I'm wondering if it's such a bright idea to use a NULL password based on
> a check for a certain domain.  That's practically guaranteed to break
> at one point again.

I don’t think Microsoft is going to drop "NT SERVICE\" in the near future
(they've just had the feature introduced!).  This is the only domain that
needs to be treated specially (for now).

> !pass || pass[0] == '\0'

MSDN says that password-less accounts must provide an empty string
(and it does not mention NULL).  More cumbersome logic can involve
checking for both the special domain and empty/NULL password (as above),
resulting in NULL lpPassword only when both checks have been met.

> what about something like `-w NULL'?

I would not vote for this.  This precludes that the string "NULL" cannot
be used as an otherwise regular password.

Anton Lavrentiev
Contractor NIH/NLM/NCBI	
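
The combined check discussed in the message above, written out as an added example (not part of the original message and not cygrunsrv's code). The helper name `effective_password` and the account names are hypothetical, and the rule that an "NT SERVICE\" account takes a NULL lpPassword is taken from this thread:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VIRTUAL_DOMAIN "NT SERVICE\\"

/* Case-insensitive prefix test; Windows account names are not case-sensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;   /* also covers s ending before prefix does */
    return 1;
}

/*
 * Hypothetical helper: choose the value to pass as lpPassword.
 * NULL is returned only when BOTH checks are met: the account is in the
 * special "NT SERVICE\" domain AND no password was supplied.  Any other
 * password-less account gets an empty string, as MSDN asks for.
 */
const char *effective_password(const char *account, const char *pass)
{
    int no_pass = !pass || pass[0] == '\0';
    int is_virtual = account
        && has_prefix_ci(account, VIRTUAL_DOMAIN)
        && account[strlen(VIRTUAL_DOMAIN)] != '\0';  /* need a name after the domain */

    if (is_virtual && no_pass)
        return NULL;
    return no_pass ? "" : pass;
}

int main(void)
{
    /* Constructed sample inputs; the literal string "NULL" stays a usable password. */
    const char *cases[][2] = {
        { "NT SERVICE\\sshd", NULL }, { "nt service\\sshd", "" },
        { "NT SERVICE\\sshd", "secret" }, { ".\\svcuser", NULL },
        { ".\\svcuser", "NULL" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *p = effective_password(cases[i][0], cases[i][1]);
        printf("%-18s -> %s\n", cases[i][0], p ? (*p ? p : "\"\"") : "(NULL pointer)");
    }
    return 0;
}
```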


