Date: Wed, 13 Aug 2008 10:14:45 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: /etc/group manual-edits-workaround still reqd in 1.7?
Message-ID: <20080813081445.GX5129@calimero.vinschen.de>

On Aug 12 14:26, Tom Rodman wrote:
> On Mon 7/28/08 10:18 +0200 Corinna Vinschen wrote:
> > On Jul 26 09:12, Tom Rodman wrote:
> > > I use cygwin in a large domain, from time to time my account is
> > > added or removed from domain groups without any warning (last
> > > time 'IT' added 'Domain Users' to some other domain group - so all
> > > domain users were impacted!). When this happens my credentials in
> > > a password-authenticated ssh session, get clobbered & I have
> > > to manually edit /etc/group, per:
> > >
> > > http://cygwin.com/ml/cygwin/2005-07/msg01287.html
> > >
> > > Does this issue "go away" under cygwin 1.7?
> >
> > I don't know but it's supposed to be better. I relaxed the rules which
> > result in a token created through password login being overridden with a
> > self-created token.
>
> Thanks Corinna/appreciate your help.
>
> When that self-created token is created (under 1.5.x) is that
> the point that cygwin looks for the user's group memberships
> as defined in /etc/group?

Yes.

> > You will still have to create a new /etc/group, though.
>
> Creating it daily (w/cron) is no problem, but, I'm still not
> clear.. in 1.7 do we still have to (in addition) update /etc/group
> so that domain users (that actually use ssh) have their comma
> delimited usernames in the last field on the respective lines in
> /etc/group, for all the domain groups they belong to?

That's hopefully not necessary anymore. In fact I even removed the
capability to add user names to groups from mkgroup in 1.7.

The problem is a function in Cygwin called "verify_token" which checks
whether the groups requested in a user context switch
(setgroups/setgid/setuid) match the groups in the currently stored user
token. This test can fail if the user token contains groups which are
not requested, if these groups are not present in /etc/groups either.
In 1.7, I relaxed the tests in verify_token so that the user token may
contain nuts^Wgroups not mentioned anywhere.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
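
The group check described in the message above, as an added example that is not part of the original mail and is not Cygwin's code: a simplified Python model of the strict (1.5.x) and relaxed (1.7) behaviour, run against a stale /etc/group. The function names, the user "tom", the gids and the file contents are constructed, and the rule that requested groups must be present in the token is an assumption drawn from the word "match".

```python
# Simplified model of the group check described in the mail; not Cygwin source.
# Constructed /etc/group snapshot taken before the domain change.
# Fields: name:unused:gid:comma-separated members.
STALE_ETC_GROUP = """\
Domain Users:unused:10513:
Engineers:unused:11001:tom
"""

def parse_group(text):
    """Return {gid: (name, set_of_members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _unused, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def requested_gids(user, primary_gid, groups):
    """Groups a context switch would request: primary plus listed memberships."""
    listed = {g for g, (_, members) in groups.items() if user in members}
    return {primary_gid} | listed

def model_verify_token(token_gids, requested, groups, relaxed):
    """True if the stored token is accepted for the requested groups."""
    if not requested <= token_gids:
        return False  # assumption: every requested group must be in the token
    if relaxed:
        return True   # 1.7 per the mail: extra token groups are tolerated
    extras = token_gids - requested
    # 1.5.x per the mail: an extra group fails unless /etc/group knows it
    return all(g in groups for g in extras)

def unknown_token_groups(token_gids, requested, groups):
    """Token groups that would trip the strict check (e.g. for a cron report)."""
    return sorted(g for g in token_gids - requested if g not in groups)

# Constructed scenario: the domain adds the user to gid 11999 without warning,
# so the token carries a group the stale /etc/group has never heard of.
TOKEN = {10513, 11001, 11999}

if __name__ == "__main__":
    groups = parse_group(STALE_ETC_GROUP)
    req = requested_gids("tom", 10513, groups)
    print("strict :", model_verify_token(TOKEN, req, groups, relaxed=False))
    print("relaxed:", model_verify_token(TOKEN, req, groups, relaxed=True))
    print("unknown:", unknown_token_groups(TOKEN, req, groups))
```
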