Date: Thu, 13 Feb 2014 10:43:33 -0500
From: Christopher Faylor
To: cygwin AT cygwin DOT com
Subject: Re: get rid of getpwent? (Was: cygwin-1.7.28 getpwent header declaration changes ?)

On Thu, Feb 13, 2014 at 03:44:19PM +0100, Corinna Vinschen wrote:
>On Feb 13 09:35, Christopher Faylor wrote:
>> On Thu, Feb 13, 2014 at 11:00:25AM +0100, Corinna Vinschen wrote:
>> >On Feb 12 16:37, Christopher Faylor wrote:
>> >> On Wed, Feb 12, 2014 at 08:59:31PM +0100, Corinna Vinschen wrote:
>> >> >There's only one tiny problem. Whatever I think about the full
>> >> >enumerate being right or wrong, I have this vague feeling that I'd like
>> >> >to have this implemented fully at one point. My cat disapproves, but we
>> >> >can't agree on everything, I guess. Another configuration option in
>> >> >/etc/nsswitch.conf might comfort her.
>> >>
>> >> I don't know if this has been mentioned but would a cache help here,
>> >> i.e., nscd? I think that's how Linux deals with this type of situation.
>> >
>> >Caching is wonderful for the usual requests for single entries from the
>> >DB, and for this we have already two caches, the LSA cache and Cygwin's
>> >own cache. But caching doesn't help at all when enumerating.
>> >
>> >There's also the problem to rely on an external program.
>>
>> But that's no different than Linux. I've never looked at the code but
>> apparently libc has hooks for talking to nscd. We could do the same
>> with cygserver.
>>
>> >If it turns out that the current implementation is too slow, I'm
>> >prepared to add caching to cygserver to have a system-wide caching
>> >server, but Cygwin shouldn't *require* that cygserver runs. And either
>> >way, it still wouldn't help when enumerating all accounts.
>>
>> nscd does more than just keep information around in memory. As I said,
>> it's how Linux deals with this situation. I know because I didn't install
>> nscd when setting up a minimal Fedora 20 server at work and was met with
>> awful lags and timeouts in services which tried to read from our nis.
>> So Fedora doesn't require nscd but it sure does help.
>>
>> But, even after having set it up, I still have to remember not to do
>> ls ~cg because it just takes forever. So, if it is possible to
>> enumerate users then I think you just do it and let people learn the
>> cost.
>
>Yes, I think so too. I have some preliminary code (actually, just
>empty function shells right now) which are supposed to implement
>full enumerating.
>
>However, system admins might not exactly approve. I discussed this
>with our Linux folks, and I learned that NSS backends like SSSD or
>winbind default to NOT allowing enumerating, but giving the admin a
>choice to enable it.
>
>So I think for our case a configuration option in /etc/nsswitch.conf
>to limit the scope of the enumeration might be feasible.

Or, nscd.conf which has stuff like:

        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

I understand why a sysadmin might not want you to be able to enumerate
user names but that really isn't, IMO, a reason not to implement the
functionality (not that you are proposing this). You obviously can't
assume that people won't exercise the capability if it is available.
Security through obscurity...? Nah.

cgf
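
The two access patterns contrasted in this thread, as an added example that is not part of the original message or of Cygwin's code: a single-entry lookup (the case the caches serve) next to a full getpwent() walk (the case an admin may want to restrict), each timed so the cost is visible on a given host. The function names enumerate_accounts and lookup_uid are made up for this sketch.

```c
#define _XOPEN_SOURCE 700   /* clock_gettime() and getpwent() declarations */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Milliseconds on a monotonic clock. */
static double now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000.0 + ts.tv_nsec / 1e6;
}

/* Hypothetical helper: walk the whole account database and return the
 * number of entries seen. Against a directory backend this is the slow
 * call; where the backend has enumeration switched off, only entries
 * from the remaining sources (such as local files) are returned. */
long enumerate_accounts(double *elapsed_ms)
{
    long n = 0;
    double t0 = now_ms();

    setpwent();                      /* rewind to the first entry */
    while (getpwent() != NULL)
        n++;
    endpwent();                      /* release the database handle */

    if (elapsed_ms)
        *elapsed_ms = now_ms() - t0;
    return n;
}

/* Hypothetical helper: single-entry lookup by uid; 1 if found, else 0. */
int lookup_uid(uid_t uid, double *elapsed_ms)
{
    double t0 = now_ms();
    struct passwd *pw = getpwuid(uid);

    if (elapsed_ms)
        *elapsed_ms = now_ms() - t0;
    return pw != NULL;
}

int main(void)
{
    double t_one, t_all;
    int found = lookup_uid(getuid(), &t_one);
    long n = enumerate_accounts(&t_all);

    printf("single lookup: found=%d in %.3f ms\n", found, t_one);
    printf("enumeration:   %ld entries in %.3f ms\n", n, t_all);
    return 0;
}
```

Running it once with the name-service cache stopped and once with it running shows how much of the single-lookup time the cache absorbs, and how little it changes the enumeration time.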