Subject: Re: [1.7] passwd: useless if used with a logged on domain user
From: Julio Costa
To: cygwin@cygwin.com
Date: Mon, 23 Mar 2009 15:33:23 +0000

On Mon, Mar 23, 2009 at 14:59, Corinna Vinschen wrote:
> On Mar 23 14:35, Júlio Costa wrote:
>> On Sun, Mar 22, 2009 at 19:22, Corinna Vinschen wrote:
>> > On Mar 22 17:34, Júlio Costa wrote:
>> >> ~ $ ./my_passwd.exe -S SYSTEM
>> >> my_passwd: unknown user SYSTEM
>> >
>> > The SYSTEM user is not in the user database. So that's an expected
>> > result.
>> >
>> It is in mine:
>> ~ $ grep system /etc/passwd
>> system:*:18:544:,S-1-5-18::
>
> Let me rephrase:
>
> "The SYSTEM user is not in the *Windows* user database."

Ah, ok. So, this test was rubbish. Well, it's always good to test all code paths, right? :)

>> I've come to some conclusions in this process. Here they are:
>> #1 li -> usri3_priv (line 552, 587 and 594) will only tell you if the
>> logged on user is (isn't) admin in his/her LOGON domain! But what is
>> needed here is to know if the logged on user is (isn't) admin in the
>> TARGET domain/server, where the TARGET account is!
>
> So you mean we should rather check if the user is in the Administrators
> group (S-1-5-32-544)?

Yes. Because the info in usri3_priv is wrong if you have different logon and target domains/servers, and you can't convince NetUserGetInfo to give you (e.g.) the local view (that is, query NULL server) about a domain user (that was the only way that could produce the right usri3_priv value in my test case).

>> #2 Just querying (-S) the account characteristics does not need Admin
>> privileges, so the test in 552 should instead be done inside the
>> if @ 576; and it should be a different test from what is said in #1.
>> #3 Generally, commands in Windows without additional information
>> default to the local machine. So should passwd.
>> Currently, I'm forced to say '-d $HOSTNAME' to ensure that the target
>> user is really on the local machine. This is not coherent behaviour
>> because it depends on whether the currently logged on user comes from
>> a domain or is local. Currently the csih script breaks in its call to
>> passwd due to this, which breaks sshd-host-config (and maybe others?).
>> I think the most coherent behaviour would be: 'if '-d' is not
>> supplied, the TARGET domain is always LOCAL; otherwise, follow the
>> supplied domain'. It is precisely how NET USER and friends work, with
>> the '/DOMAIN' parameter, with the added tweak that you don't even have
>> to name the logon domain (although it could be done like this in
>> passwd also, I think...)
>
> That sounds about right. I agree. Except in the case I'm just calling
> `passwd' without a user name, in which case I definitely want to change
> my own password.

Yes, of course. That is the primary/historical use of passwd, after all.

>> But I'll keep trying to achieve a stable version. Unless, of course,
>> you think that this is not "the way"(tm) to do it...
>
> Using CheckTokenMembership isn't quite the way to go. If I understand
> you right that the idea is just checking if the token contains the
> well-known Administrators group, I'll check in something equivalent.

Ok. I'll be waiting for the new check-in, then.

Once again, many thanks for looking into this.

__________
Julio Costa
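The check discussed at the end of the thread (does the caller's token contain the well-known Administrators group S-1-5-32-544, rather than trusting usri3_priv from NetUserGetInfo), as an added PowerShell example that is not code from this thread or from Cygwin's passwd. It assumes only a Windows host with PowerShell and contrasts a naive "is the SID listed in the token" test with the attribute-aware test that IsInRole performs (which calls CheckTokenMembership underneath).

```powershell
# Added example (not from the Cygwin thread): two ways of asking whether
# the current logon token is a member of BUILTIN\Administrators.

# Build the well-known SID S-1-5-32-544 without hard-coding the string.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# Token of the logged-on user running this script (the "caller" in passwd terms).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# 1) Naive check: is the SID present anywhere in the token's group list?
#    Under UAC a non-elevated admin still has S-1-5-32-544 listed, but
#    flagged SE_GROUP_USE_FOR_DENY_ONLY, so this can report $true wrongly.
$listed = $identity.Groups.Contains($adminSid)

# 2) Attribute-aware check: IsInRole() wraps CheckTokenMembership(), which
#    only counts enabled groups and ignores deny-only entries.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$effective = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Show the group entry itself, with its attributes, for inspection.
$groupEntry = $identity.Groups |
    Where-Object { $_.Value -eq $adminSid.Value } |
    ForEach-Object { $_.Value }

[PSCustomObject]@{
    User           = $identity.Name
    AdminSidListed = $listed      # SID appears in token
    AdminEffective = $effective   # SID is enabled for access checks
    MatchedSid     = $groupEntry
}
```

Run it once from a normal shell and once from an elevated one on a UAC-enabled machine: the two columns diverge in the first case, which is why a plain "SID is in the token" comparison is not equivalent to CheckTokenMembership.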