X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-3.9 required=5.0	tests=AWL,BAYES_00,KHOP_RCVD_UNTRUST,KHOP_THREADED,RCVD_IN_HOSTKARMA_W,RCVD_IN_HOSTKARMA_WL,RP_MATCHES_RCVD,SPF_HELO_PASS
X-Spam-Check-By: sourceware.org
X-IronPortListener: Outbound_SMTP
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFAH9Ry1CcKEet/2dsb2JhbABFhji3SoEDFnOCHgEBAQMBEhERSgsCAQgNDQIGDhICAgIdExUCAQ0BAQQbGodrBgyfbIoHkwmBIoxRghQyYQONOYlshHGKO4JzgiI
From: "Lavrentiev, Anton (NIH/NLM/NCBI) [C]" <lavr AT ncbi DOT nlm DOT nih DOT gov>
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject: RE: Cygrunsrv and special Windows virtual accounts "NT SERVICE"
Date: Fri, 14 Dec 2012 16:23:13 +0000
Message-ID: <5F8AAC04F9616747BC4CC0E803D5907D053F86BD@MLBXv04.nih.gov>
References: <5F8AAC04F9616747BC4CC0E803D5907D053F8671 AT MLBXv04 DOT nih DOT gov> <20121214160616 DOT GI6237 AT calimero DOT vinschen DOT de>
In-Reply-To: <20121214160616.GI6237@calimero.vinschen.de>
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id qBEGNTWe015119

> http://cygwin.com/ml/cygwin/2012-12/msg00154.html

Thanks.

> I'm wondering if it's such a bright idea to use a NULL password based on
> a check for a certain domain.  That's practically guaranteed to break
> at one point again.

I don’t think Microsoft is going to drop "NT SERVICE\" in any near future
(they've just had the feature introduced!).  This is the only domain that
needs to be treated specially (for now).

> !pass || pass[0] == '\0'

MSDN says that password-less accounts must provide an empty string
(and it does not mention NULL).  More cumbersome logic can involve
checking for both the special domain and empty/NULL password (as above),
resulting in NULL lpPassword only when both checks have been met.

> what about something like `-w NULL'?

I would not vote for this.  This precludes that the string "NULL" cannot
be used as an otherwise regular password.

Anton Lavrentiev
Contractor NIH/NLM/NCBI