X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=PhcoeDcuxtkBuvRrweTThMSBm180MbG0ehLF3ki7hjAzXcHcDL99t
	TnCpfRsd7b73PnJoqdZWn+/TFDVhk/NE+kdFlucckO5eNXfILQ0wxcZknQlsELo5
	nmNFnNEMEg1/6En72I5X/omUjTjM+mQIsK2VhTpXPu9rtMwLVCM8rk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=T/7Hn0Puh1BYJqi9SNP6qwcBunU=; b=amV0rhCZDCfcnku1CjbiJo52dxv1
	jm2hThS1HJNmkXerXgcxunCAGU2mlGZWHZ0l0PSmXvgc1pDyEHAOVbFh7i4bEtxz
	0bnuBdqG2Zh+LyAxxCBVcNBiblXboWpQwqwvMaNjUwqkQJviV6r1Jw+SbE5KTix2
	cCiEd3jgw7yewn4=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-6.0 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2
X-HELO: calimero.vinschen.de
Date: Thu, 13 Feb 2014 17:05:30 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: get rid of getpwent? (Was: cygwin-1.7.28 getpwent header declaration changes ?)
Message-ID: <20140213160530.GK2246@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <52FABAF5 DOT 2060701 AT etr-usa DOT com> <52FAD730 DOT 9090507 AT redhat DOT com> <20140212090804 DOT GM2821 AT calimero DOT vinschen DOT de> <52FB9E51 DOT 7030607 AT cornell DOT edu> <20140212195931 DOT GA2246 AT calimero DOT vinschen DOT de> <20140212213729 DOT GA5589 AT ednor DOT casa DOT cgf DOT cx> <20140213100025 DOT GB24159 AT calimero DOT vinschen DOT de> <20140213143541 DOT GC6750 AT ednor DOT casa DOT cgf DOT cx> <20140213144419 DOT GI2246 AT calimero DOT vinschen DOT de> <20140213154333 DOT GA6304 AT ednor DOT casa DOT cgf DOT cx>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;	protocol="application/pgp-signature"; boundary="3MHXEHrrXKLGx71o"
Content-Disposition: inline
In-Reply-To: <20140213154333.GA6304@ednor.casa.cgf.cx>
User-Agent: Mutt/1.5.21 (2010-09-15)

--3MHXEHrrXKLGx71o
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Feb 13 10:43, Christopher Faylor wrote:
> On Thu, Feb 13, 2014 at 03:44:19PM +0100, Corinna Vinschen wrote:
> >Yes, I think so too.  I have some preliminary code (actually, just
> >empty function shells right now) which are supposed to implement
> >full enumerating.
> >
> >However, system admins might not exactly approve.  I discussed this
> >with our Linux folks, and I learned that NSS backends like SSSD or
> >winbind default to NOT allowing enumerating, but giving the admin a
> >choice to enable it.
> >
> >So I think for our case a configuration option in /etc/nsswitch.conf
> >to limit the scope of the enumeration might be feasible.
>=20
> Or, nscd.conf which has stuff like:
>=20
>     enable-cache            passwd          yes
>     positive-time-to-live   passwd          600
>     negative-time-to-live   passwd          20
>     suggested-size          passwd          211
>     check-files             passwd          yes
>     persistent              passwd          yes
>     shared                  passwd          yes
>     max-db-size             passwd          33554432
>     auto-propagate          passwd          yes

I know that nsswitch.conf is not quite the right place for the
configuration variables, but I was reluctant to introduce YA file to
read at startup.  If nobody cares, we can also go with a limited
nscd.conf approach for the configuration variables.

> I understand why a sysadmin might not want you to be able to enumerate
> user names but that really isn't, IMO, a reason not to implement the
> functionality (not that you are proposing this).  You obviously can't
> assume that people won't exercise the capability if it is available.
>=20
> Security through obscurity...?  Nah.

Nah.  But restricting the capability for pure networking reasons is on
order, IMHO.  Assuming that Cygwin has been setup by an admin and the
/etc files are not writable by the ordinary user, of course.


Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--3MHXEHrrXKLGx71o
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS/O1KAAoJEPU2Bp2uRE+giTgP/0D5AzDC3ux7yGgm2iM0qpcv
B4s3jc79KvqLuJG3AfDkYxukOyaik1A0KvPx8p+b9OvzpdqwrQSeKQ9i8GiTvM3p
zcV6j12M2es01jthMJJI5tgW/SyhLO7fpCSwutt0f9r1h1oIbTcesPGYLK5NtGWr
2HD9Tkfn1fcbkg7pWVtkXdLo3F3EEtSqcV+p4Yj3Mbgxs/aN2NtfXTEwdHUbPjdB
gqtsVwTqi/YSnuwRL3Ve6fRl0h46+AiOAMC8y5uhhrdnlLu/tfn59oxfDuGzvkfq
hoaW625RAgJ8+Z7Fq7uJOH+/dh68nPX04jUCQ/TydSbhYuLdtiEmkNNSel3Pbhr7
MYeZIzQYW+HN1cRF4lq1lgyDbQLrM6PDsohoyQMwcGbJuhMGKAzsWNOvpQW+SMhm
H5A8xpkffw4Ef/x2+xFVcU5SzaZNqwogQMItFdZ8n86Msu0zhKY4zT9xUsAjM8V9
+Szo3c8YTCcJGa01pC/bFMToWg5yf99yNHGE0KfSSpt6vle0kiC7CuNPyJAnxvQB
qeUk+0l3sBCvi+ra+cKveaqyKSSfv9YBDzmHZyH6TvKccWh+fR/N6NDyLT78GknP
ZMSwcMtFBjORO7lQyBAU199KV7eT2tyUYTZE6HuDFPUjorU+q9PjxtTs8cSm1HOX
+hugZsOmbBLa4gDB1n+u
=Vw3s
-----END PGP SIGNATURE-----

--3MHXEHrrXKLGx71o--