X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:cc
	:subject:references:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=olEyC+TXfYZghgbx
	p1BQOoPWKTXgC3ZR0j02BlkP/nGGCdbssQs2ic/IOCQFTqoRRHOe3WmbyXl81XvX
	UZ1ntMCiO5BPsCJxvq5KIhd6qLAg61NHLAwoED6tezJMhbydseFc48hQaK0x8Uc/
	VR89Chkcv8LXIp8qfnPKcBrfEMk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:cc
	:subject:references:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=ZYItFYAuFnbNjBGvNL0IjE
	ZZaqA=; b=BFTcrLslkc2QxMsQ0meRBDu8bMZtTNLYlwqBaTXME4UOpyyeAGtmGJ
	sB1KYOsnwGOa3vRYiforEUvAyPX0hKC6ejNHfBIzFJV45QPRIIeXpHNAWgEnGPc5
	6UvuzGTvUlUXd/5Ox3GPxgX/jnjBnDEdkvpsoq4La/doPVvknf2ow=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2
X-HELO: EXE02-WPP.cisra.canon.com.au
Message-ID: <5449F343.7040304@cisra.canon.com.au>
Date: Fri, 24 Oct 2014 17:35:47 +1100
From: Luke Kendall <luke DOT kendall AT cisra DOT canon DOT com DOT au>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: <cygwin AT cygwin DOT com>
CC: audit <audit-mail-disclaimer AT cisra DOT canon DOT com DOT au>
Subject: Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 1.7.33-0.1
References: <announce DOT 20141022092323 DOT GH32374 AT calimero DOT vinschen DOT de> <20141023025725 DOT GA9370 AT pixel DOT schutter DOT home> <20141023154358 DOT GE20607 AT calimero DOT vinschen DOT de> <5449F281 DOT 3080701 AT cisra DOT canon DOT com DOT au>
In-Reply-To: <5449F281.3080701@cisra.canon.com.au>
Content-Type: text/plain; charset="utf-8"; format=flowed
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id s9O6a7BV001971

On 24/10/14 02:43, Corinna Vinschen wrote:
 > On Oct 22 20:57, Tom Schutter wrote:
 >> On Wed 2014-10-22 11:23, Corinna Vinschen wrote:
 >>> For your convenience I wrote new documentation.  Since this is a TEST
 >>> prerelease, the new documentation is not part of the official docs yet.
 >>> Rather have a look at
 >>>
 >>>   https://cygwin.com/preliminary-ntsec.html
 >> "machine is no domain member" -> "machine is not a domain member"
 > Thanks, I applied this as patch.
 >
 >
 > Corinna
 >

Obviously, all the URLs for the section called “Mapping Windows accounts 
to POSIX accounts” will become correct when the file is renamed from 
preliminary-ntsec.html to ntsec.html.  But in the section where you talk 
about the 'problem with the definition of a "correct" ACL which 
disallows mapping of certain POSIX permissions cleanly', previously the 
URL referenced immediately after that text appeared as 'the section 
called "The POSIX permission mapping leak" ', but now it's yet another 
reference to 'the section called “Mapping Windows accounts to POSIX 
accounts”'

-- Is that a mistake?

Other suggestions/notes:

'One of them is that the idea to have always small files is flawed.'
-->
'One of them is that the idea that these files will always be small, is 
flawed.'

'so we rely on some mechanism to convert SIDs to uid/gid values and vice 
versa'
-->
'so we need a mechanism to convert SIDs to uid/gid values and vice versa'

'It allows [us] to generate uid/gid values '

'Read /etc/passwd and /etc/group files [if they exist], just as in the 
olden days'

'If [the passwd or group] files are present, they will be scanned on demand'

'Logon SIDs: The own[huh?  owner's?  user's?] LogonSid is converted'

'if the AD administrators chose an unreasonable[unreasonably] small'

'which keeps an analogue value of the trustPosixOffset'
-->
'which keeps an analog of the trustPosixOffset'

'how do we uniquely differ[distinguish] between them by name?'

'very costly (read: slow) sea[r]ch operations'

(By the way, if you want to belong to multiple groups, is the only way 
to do this via an /etc/group file?  Also, it occurs to me that another 
way to store the unix home dir, etc., would be a 'partial passwd' file 
that omitted the fields for the parts supplied easily by AD (SID, GID)? 
  That's just an idle thought.)

'Cygwin process tree, which[ever?] first process'

'is not running a[t] the time'

'via an undocumented API[,] an applications[application] can fetch'

'When Cygwin stat's[stats, or: stat()s] files'

'If both[,] files and db are specified'
'Cygwin will always try the files first, then the db. '
-- is that because the db will always be more trustworthy than the files?

BTW, the POSIX permission mapping leak used to have a section heading; 
it's now just unmarked, inside the File Permissions section.  (I'm just 
pointing that out.)

Hope this helps!  You've obviously put a lot of thought and effort into 
all this: thanks.

luke


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple