Date: Mon, 27 Aug 2018 12:50:31 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: incompat in cygwin choice of using '+' as domain and user separator.
Message-ID: <20180827105031.GF4733@calimero.vinschen.de>
In-Reply-To: <20180827104152.GC4733@calimero.vinschen.de>

On Aug 27 12:41, Corinna Vinschen wrote:
> On Aug 27 11:09, Corinna Vinschen wrote:
> > On Aug 26 20:32, L A Walsh wrote:
> > > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > > ...
> > > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > > acl_to_text is the binary form, so it doesn't contain user or group
> > > > names, only uids and gids.  The usernames are only generated in the
> > > > output.
> > > ---
> > > Rats.  Of course, you're right.  Then I nominate the problem being that it
> > > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > > can store in tar.
> >
> > The problem with unknown SIDs is that there's no bijective
> > transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> > then... what?  How do you restore the information?  There's no SID for
> > uid/gid -1.
> >
> > > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > > accounts on the linux-based PDC (samba 3.x).
> >
> > What for?  This should work automatically and you would get rid of those
> > dreaded backslashes in the account names.
> > Using passwd/group files also
> > has a higher probability of account overlap with weird results.
> >
> > Passwd and group files should only be used if you have very specific
> > problems to solve (like offline usage or see below), otherwise just use
> > the values you get from the account DBs.
> >
> > > In this case, that user+group appear to correspond
> > > to non-existent users.  (S-1-5-21-oldsystem-ID-1001 + -1005).
> > > The domain/system part appears to be from some previous
> > > value for the machine's "sid"?  Not sure how to deliberately
> > > reproduce that, but maybe you have a tool to create an
> > > invalid acl entry for a user like:
> > > Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > > in /etc/passwd.
> > > and something similar in /etc/group?
>
> Actually, I just did that.  I added a user and a group to the files with
> weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
> different ACLs (created by Cygwin, created by native Windows) there are
> different results.  The problem is that uid/gid -1 can be created as a
> file ACL entry *and* at the same time have the meaning of "don't look
> for the uid/gid" when checking the ACL for validity.  To make matters
> worse, if you have multiple ACEs of unknown users, the resulting ACL is
> *always* invalid.
>
> Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
> into a fix.

The only sane way to handle unknown SIDs in file ACLs is to ignore them
entirely.  The result will be that you never see them in getfacl, nor
will they be stored by tar or rsync.  They are just not there from the
Cygwin perspective.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
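
The non-bijective SID <-> uid mapping and the "ignore unknown SIDs entirely" handling described in this message, as a small C model added here (it is not Cygwin's code). The account table, the sample ACL and all function names are constructed, and the validity check assumes the POSIX rule that a uid may qualify only one user entry; the message does not say which check rejects the ACL.

```c
#include <stdio.h>
#include <string.h>
#define UNKNOWN_ID 0xFFFFFFFFu                     /* uid/gid -1 (4294967295) */
struct ace   { const char *sid; unsigned perm; };  /* Windows-side entry (model) */
struct entry { unsigned id; unsigned perm; };      /* POSIX-side user entry (model) */
/* Constructed account DB: the only SIDs that resolve. */
static const struct { const char *sid; unsigned uid; } known[] = {
    { "S-1-5-21-EXAMPLE-1001", 1001 }, { "S-1-5-21-EXAMPLE-1002", 1002 } };
/* Constructed file ACL: one resolvable SID and two stale ones. */
static const struct ace sample[] = {
    { "S-1-5-21-EXAMPLE-1001", 7 }, { "S-1-5-21-STALE-1001", 6 }, { "S-1-5-21-STALE-1005", 4 } };
#define NKNOWN (sizeof known / sizeof known[0])

/* SID -> uid: every unresolvable SID collapses onto the same value, -1. */
static unsigned sid_to_uid(const char *sid) {
    for (size_t i = 0; i < NKNOWN; i++)
        if (strcmp(known[i].sid, sid) == 0) return known[i].uid;
    return UNKNOWN_ID;
}
/* uid -> SID: nothing can be returned for -1, so the round trip is lost. */
static const char *uid_to_sid(unsigned uid) {
    for (size_t i = 0; i < NKNOWN; i++)
        if (known[i].uid == uid) return known[i].sid;
    return NULL;
}
/* Convert ACEs to user entries; skip_unknown != 0 drops unresolvable SIDs. */
static size_t convert(const struct ace *in, size_t n, struct entry *out, int skip_unknown) {
    size_t m = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned uid = sid_to_uid(in[i].sid);
        if (uid == UNKNOWN_ID && skip_unknown) continue;
        out[m].id = uid; out[m].perm = in[i].perm; m++;
    }
    return m;
}
/* Assumed validity rule: a given uid may appear in only one user entry. */
static int acl_is_valid(const struct entry *e, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (e[i].id == e[j].id) return 0;
    return 1;
}
int main(void) {
    struct entry e[3];
    size_t n = convert(sample, 3, e, 0);
    printf("keep: n=%zu valid=%d sid(-1)=%s\n", n, acl_is_valid(e, n), uid_to_sid(UNKNOWN_ID) ? "found" : "none");
    n = convert(sample, 3, e, 1);
    printf("skip: n=%zu valid=%d\n", n, acl_is_valid(e, n));
    return 0;
}
```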