Date: Mon, 27 Aug 2018 19:26:29 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: incompat in cygwin choice of using '+' as domain and user separator.
Message-ID: <20180827172629.GB6350@calimero.vinschen.de>

On Aug 27 12:50, Corinna Vinschen wrote:
> On Aug 27 12:41, Corinna Vinschen wrote:
> > On Aug 27 11:09, Corinna Vinschen wrote:
> > > On Aug 26 20:32, L A Walsh wrote:
> > > > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > > > ...
> > > > > No, that's a wrong assumption. Think about it. The ACL given to
> > > > > acl_to_text is the binary form, so it doesn't contain user or group
> > > > > names, only uids and gids. The usernames are only generated in the
> > > > > output.
> > > > ---
> > > > Rats. Of course, you're right. Then I nominate the problem being that it
> > > > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > > > can store in tar.
> > >
> > > The problem with unknown SIDs is that there's no bijective
> > > transformation between SID <-> uid/gid. You get the uid/gid -1 and
> > > then... what? How do you restore the information? There's no SID for
> > > uid/gid -1.
> > >
> > > > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > > > accounts on the linux-based PDC (samba 3.x).
> > >
> > > What for?
> > > This should work automatically and you would get rid of those
> > > dreaded backslashes in the account names. Using passwd/group files also
> > > has a higher probability of account overlap with weird results.
> > >
> > > Passwd and group files should only be used if you have very specific
> > > problems to solve (like offline usage or see below), otherwise just use
> > > the values you get from the account DBs.
> > >
> > > > In this case, that user+group appear to correspond
> > > > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > > > The domain/system part appears to be from some previous
> > > > value for the machine's "sid"? Not sure how to deliberately
> > > > reproduce that, but maybe you have a tool to create an
> > > > invalid acl entry for a user like:
> > > > Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > > > in /etc/passwd.
> > > > and something similar in /etc/group?
> >
> > Actually, I just did that. I added a user and a group to the files with
> > weird SIDs, then I switched /etc/nsswitch.conf to "db" only. With
> > different ACLs (created by Cygwin, created by native Windows) there are
> > different results. The problem is that uid/gid -1 can be created as a
> > file ACL entry *and* at the same time have the meaning of "don't look
> > for the uid/gid" when checking the ACL for validity. To make matters
> > worse, if you have multiple ACEs of unknown users, the resulting ACL is
> > *always* invalid.
> >
> > Bottom line is, there are at least two bugs here in Cygwin. I'm looking
> > into a fix.
>
> The only sane way to handle unknown SIDs in file ACLs is to ignore them
> entirely. The result will be that you never see them in getfacl, nor
> will they be stored by tar or rsync. They are just not there from the
> Cygwin perspective.

I created a patch, uploaded developer snapshots to
https://cygwin.com/snapshots/ and released a new Cygwin test release
2.11.0-0.4 with this change.
Please give any of them a try.


Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
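
The following is an added illustration, not part of the original message and not Cygwin's code: a simplified model of why unmappable SIDs break the SID-to-uid conversion discussed in the thread, and what ignoring them changes. The SIDs, the account table and all function names are constructed for the example, and the validity check is assumed to be the POSIX rule that named-user ACL entries must carry unique ids.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_UNKNOWN ((uint32_t)-1) /* 4294967295: uid/gid given to an unmappable SID */
struct ace { const char *sid; int perm; }; /* Windows side: SID plus rwx bits */
struct ent { uint32_t uid; int perm; };    /* POSIX side: named-user entry */
/* Constructed account DB (hypothetical SIDs): only these resolve to a uid. */
static const struct { const char *sid; uint32_t uid; } known[] = {
    { "S-1-5-21-1111-2222-3333-1000", 1000 }, { "S-1-5-21-1111-2222-3333-1004", 1004 },
};
/* Constructed DACL: one known user, two SIDs from a domain that no longer resolves. */
static const struct ace sample[] = {
    { "S-1-5-21-1111-2222-3333-1000", 7 },
    { "S-1-5-21-9999-8888-7777-1001", 6 }, { "S-1-5-21-9999-8888-7777-1005", 4 },
};

uint32_t sid_to_uid(const char *sid) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i].sid, sid) == 0) return known[i].uid;
    return ID_UNKNOWN; /* every unknown SID collapses onto one value: not reversible */
}

/* Build named-user entries; skip_unknown != 0 leaves unmappable SIDs out entirely. */
size_t to_posix(const struct ace *in, size_t n, struct ent *out, int skip_unknown) {
    size_t m = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t uid = sid_to_uid(in[i].sid);
        if (uid == ID_UNKNOWN && skip_unknown) continue;
        out[m++] = (struct ent){ uid, in[i].perm };
    }
    return m;
}

/* POSIX validity rule for named-user entries: each uid may appear only once. */
int ids_unique(const struct ent *e, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (e[i].uid == e[j].uid) return 0;
    return 1;
}

int main(void) {
    struct ent out[3];
    size_t n = to_posix(sample, 3, out, 0);
    printf("unknown SIDs kept:    %zu entries, valid=%d\n", n, ids_unique(out, n));
    n = to_posix(sample, 3, out, 1);
    printf("unknown SIDs ignored: %zu entries, valid=%d\n", n, ids_unique(out, n));
    return 0;
}
```

With the unknown SIDs kept, both collapse onto uid 4294967295 and the entry list fails the uniqueness rule; with them ignored, only the resolvable entry remains and the list is valid.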