Date: Mon, 23 Mar 2009 15:59:58 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [1.7] passwd: useless if used with a logged on domain user
Message-ID: <20090323145958.GS9322@calimero.vinschen.de>
References: <20090321101004 DOT GU9322 AT calimero DOT vinschen DOT de> <20090322100907 DOT GA9322 AT calimero DOT vinschen DOT de> <20090322192205 DOT GH9322 AT calimero DOT vinschen DOT de>
User-Agent: Mutt/1.5.19 (2009-02-20)

On Mar 23 14:35, Júlio Costa wrote:
> On Sun, Mar 22, 2009 at 19:22, Corinna Vinschen wrote:
> > On Mar 22 17:34, Júlio Costa wrote:
> >> ~ $ # Just typed Ctrl-C. Not in the mood right now :)
> >> ~ $ # And now for the interesting part:
> >> ~ $ ./my_passwd.exe -S SYSTEM
> >> my_passwd: unknown user SYSTEM
> >
> > The SYSTEM user is not in the user database.  So that's an expected
> > result.
>
> It is in mine:
> ~ $ grep system /etc/passwd
> system:*:18:544:,S-1-5-18::

Let me rephrase: "The SYSTEM user is not in the *Windows* user database."

> I've come to some conclusions in this process. Here they are:
> #1 li -> usri3_priv (line 552, 587 and 594) will only tell you if the
> logged on user is (isn't) admin in his/her LOGON domain! But what is
> needed here is to know if the logged on user is (isn't) admin in the
> TARGET domain/server, where the TARGET account is!

So you mean we should rather check if the user is in the Administrators
group (S-1-5-32-544)?

> #2 Just querying (-S) the account characteristics does not need Admin
> privileges, so the test in 552 should be done instead inside the
> if @ 576; And should be a different test, from what is said in #1;
> #3 Generally, commands in Windows without providing additional
> information default to the local machine. So should passwd.
> Currently, I'm forced to say '-d $HOSTNAME' to ensure that the target
> user is really on the local machine. This is not coherent behaviour
> because it depends on whether the current logged on user comes from
> a domain or is local. Currently the csih script breaks in its call to
> passwd due to this. Which breaks sshd-host-config (and maybe others?)
> I think the most coherent behaviour should be: 'if '-d' is not
> supplied, the TARGET domain is always LOCAL; otherwise, follow the
> supplied domain'. It is precisely how NET USER and friends work, with
> the '/DOMAIN' parameter, with the added tweak that you don't even have
> to name the logon domain (although it could be done like this in
> passwd also, I think...)

That sounds about right.  I agree.  Except in the case I'm just calling
`passwd' without a user name, in which case I definitely want to change
my own password.

> But I'll keep trying to achieve a stable version. Unless, of course,
> you think that this is not "the way"(tm) to do it...

Using CheckTokenMembership isn't quite the way to go.  If I understand
you right that the idea is just checking if the token contains the
well-known Administrators group, I'll check in something equivalent.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
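The following is an added example, not code from Cygwin's passwd or from either participant in the thread. It models the two points the mail turns on: Cygwin keeps the Windows SID of an account in the gecos field of /etc/passwd (the `system:*:18:544:,S-1-5-18::` line above), and a "is this user an admin" decision should look for the well-known Administrators group S-1-5-32-544 among the groups in the user's token rather than at an admin flag that is only meaningful in the logon domain. The passwd lines for `Administrator` and `jcosta`, the machine/domain SIDs and the token group lists are constructed sample data; only S-1-5-18 and S-1-5-32-544 come from the thread.

```python
import re

# Well-known SIDs named in the thread.
ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators
LOCAL_SYSTEM_SID = "S-1-5-18"         # NT AUTHORITY\SYSTEM

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample in Cygwin 1.7 /etc/passwd layout:
# name:passwd:uid:gid:gecos:home:shell, with ",SID" at the end of gecos.
# Only the "system" line is taken from the mail; the others are made up.
SAMPLE_PASSWD = """\
system:*:18:544:,S-1-5-18::
Administrator:unused:500:513:U-MYHOST\\Administrator,S-1-5-21-111-222-333-500:/home/Administrator:/bin/bash
jcosta:unused:1005:513:U-MYDOMAIN\\jcosta,S-1-5-21-444-555-666-1105:/home/jcosta:/bin/bash
"""


def parse_passwd(text):
    """Return {account name: SID} for every passwd line whose gecos carries a SID."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue                      # malformed line, skip it
        name, gecos = fields[0], fields[4]
        sid = gecos.rsplit(",", 1)[-1]    # the SID is the last comma-separated part
        if SID_RE.match(sid):
            accounts[name] = sid
    return accounts


def is_well_known_sid(sid):
    """True for NT AUTHORITY (S-1-5-<rid>) and BUILTIN (S-1-5-32-<rid>) SIDs,
    which belong to no domain and can never be found via a domain lookup."""
    parts = sid.split("-")
    return sid.startswith("S-1-5-32-") or (len(parts) == 4 and parts[2] == "5")


def domain_of(sid):
    """Strip the RID from an S-1-5-21-... account SID to get the machine or domain SID."""
    if not sid.startswith("S-1-5-21-"):
        return None
    return sid.rsplit("-", 1)[0]


def target_is_local(account_sid, machine_sid):
    """An account lives on the local machine if its SID shares the machine's
    domain identifier; that, not the caller's logon domain, decides the target."""
    return domain_of(account_sid) == machine_sid


def admin_by_token_groups(token_group_sids):
    """The check proposed in the reply: is BUILTIN\\Administrators in the token?"""
    return ADMINISTRATORS_SID in token_group_sids


def admin_by_logon_flag(logon_domain_admin):
    """The check objected to in #1: a flag valid only in the LOGON domain."""
    return bool(logon_domain_admin)


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    machine = "S-1-5-21-111-222-333"                      # constructed local machine SID
    # Constructed token of a domain user who is admin in the domain but a plain
    # user on this machine: the logon flag says yes, the token says no.
    token = ["S-1-5-21-444-555-666-513", "S-1-5-32-545", "S-1-5-4"]
    for name, sid in accounts.items():
        print(f"{name:14} {sid:30} well-known={is_well_known_sid(sid)} "
              f"local={target_is_local(sid, machine)}")
    print("logon-flag admin:", admin_by_logon_flag(True))
    print("token-group admin:", admin_by_token_groups(token))
```

Run as a script, the two final lines disagree for the constructed domain user, which is the situation #1 describes: the logon-domain flag is not evidence of administrative rights on the target machine, while the token check answers the question passwd actually has to ask.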