X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=BdP/n1FVu4sajnTpAXOnfgsR24p4hh6XsY7/fS+qvencNjQVwm3sp
	bbYpEfnfLJEMU9BsNWBLV3mlPFgCLHaaEjY88YVFEt/lKEADmKoTF8LXRZW90pON
	emFIr6kHhy8/SqnJIDKXX/RQICKUuklVwo+NTn/1B7PpSxYKCBo+Aw=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=wnWJm5jKNPMMjXcq7aIMWbjibBk=; b=docFIkqpcRRC+TTrDKFPcuKbi9bA
	E7g9l/8WdgEaJJU5JU4inS5DIM96OnLayZf+mg27ZkSCd1qgrimB5eFU0if1DhoG
	9OTccFPhqkzPS8dMpC7s8wunwQVtKqPoHu/HrsaTPjSHMkUJCpe8dixcFeDSPxEp
	r71YBB3ZvKU0Hsw=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-105.7 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy=
X-HELO: mout.kundenserver.de
Date: Mon, 27 Aug 2018 19:26:29 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: incompat in cygwin choice of using '+' as domain and user separator.
Message-ID: <20180827172629.GB6350@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <5B7DE56E DOT 6060109 AT tlinx DOT org> <20180823081135 DOT GN3348 AT calimero DOT vinschen DOT de> <5B8370CA DOT 5080209 AT tlinx DOT org> <20180827090909 DOT GA4733 AT calimero DOT vinschen DOT de> <20180827104152 DOT GC4733 AT calimero DOT vinschen DOT de> <20180827105031 DOT GF4733 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="YiEDa0DAkWCtVeE4"
Content-Disposition: inline
In-Reply-To: <20180827105031.GF4733@calimero.vinschen.de>
User-Agent: Mutt/1.9.2 (2017-12-15)

--YiEDa0DAkWCtVeE4
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Aug 27 12:50, Corinna Vinschen wrote:
> On Aug 27 12:41, Corinna Vinschen wrote:
> > On Aug 27 11:09, Corinna Vinschen wrote:
> > > On Aug 26 20:32, L A Walsh wrote:
> > > > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > > > ...
> > > > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > > > acl_to_text is the binary form, so it doesn't contain user or gro=
up
> > > > > names, only uids and gids.  The usernames are only generated in t=
he
> > > > > output.
> > > > ---
> > > > 	Rats.  Of course, you're right.  	Then I nominate the problem bein=
g that it
> > > > can't convert from domain "Unknown"-user + "Unknown"-group to somet=
hing it
> > > > can store in tar.
> > >=20
> > > The problem with unknown SIDs is that there's no bijective
> > > transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> > > then... what?  How do you restore the information?  There's no SID for
> > > uid/gid -1.
> > >=20
> > > > As far as duplication, I have /etc/passwd+/etc/group files that mir=
ror my
> > > > accounts on the linux-based PDC (samba 3.x).
> > >=20
> > > What for?  This should work automatically and you would get rid of th=
ose
> > > dreaded backslashes in the account names.  Using passwd/group files a=
lso
> > > have a higher probability of account overlap with weird results.
> > >=20
> > > Passwd and group files should only be used if you have very specific
> > > problems to solve (like offline usage or see below), otherwise just u=
se
> > > the values you get from the account DBs.
> > >=20
> > > > In this case, that user+group appear to correspond
> > > > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > > > The domain/system part appears to be from some previous
> > > > value for the machine's "sid"?  Not sure how to deliberately
> > > > reproduce that, but maybe you have a tool to create an
> > > > invalid acl entry for a user like: Unknown+User:*:4294967295:429496=
7295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > > > in /etc/passwd.
> > > > and something similar in /etc/group?
> >=20
> > Actually, I just did that.  I added a user and a group to the files with
> > weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
> > different ACLs (created by Cygwin, created by native Windows) there are
> > different results.  The problem is that uid/gid -1 can be created as a
> > file ACL entry *and* at the same time have the meaning of "don't look
> > for the uid/gid" when checking the ACL for validity.  To make matters
> > worse, if you have multiple ACEs of unknown users, the resulting ACL is
> > *always* invalid.
> >=20
> > Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
> > into a fix.
>=20
> The only sane way to handle unknown SIDs in file ACLs is to ignore them
> entirely.  The result will be that you never see them in getfacl, nor
> will they be stored by tar or rsync.  They are just not there from the
> Cygwin perspective.

I created a patch, uploaded developer snapshots to
https://cygwin.com/snapshots/ and released a new Cygwin test
release 2.11.0-0.4 with this change.  Please giver any of
them a try.


Thanks,
Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--YiEDa0DAkWCtVeE4
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAluENEUACgkQ9TYGna5E
T6CTVRAAh5foh9EdPeY7ukYJv9gCl33gKeOacZNnXEiwEOuqmPK33MMARnC1GqVT
QIOkRURGUYt16U5hqZDGiVL4pMyfpU28ySeaisy6jtzBaIYSj6NpCiyhb/wfKmu5
Q5hbRZTs1KZijqMltemIMPqu/MHhG//PizPSkqOU+vlZStKpr+J8dTS0tIWeXZ9y
JAN4dXE2vcx/GPXsUWzMa+Jv8LpOjPP23nyrGH3Q6loiYs5K4M/A7yLL3k3GfQ/0
qSOskAbR1Er14PIGIAwdfZ6MjJnBhncRmAQ2wb+wOG2wClbNrpTOT7i3QS54RkrV
BYJAdGbcsSU39yzYFuIPrnb0KotxKl0lWYlOO9qjKrikGYDbWIJpUrWFvBbZ43n/
KUJreTalSg9o4EKbO76pILfeOOR6iEHUp0q+qoM3n8FEdsgBQcYSBSshmzqC8Opx
I330JGeLHQ0ZD27RmOhn+CnJ1h4T//Usiq2UQnemH04PA3eN+YDvOodCqJdrH/jJ
30oFghRjUNNHY6LHu86B0D31m1LB/DqWgscO8kJtopPE3uhqqSkeTB98Ld1SIeTA
wgCXXCSSn6i4ljgQ6skkgSWnjZLKf2svuCkjdI8NcS/5Oz5QaNGO1MATQFL5+9hX
Aj6D0zJez+GdxUhhfcUGBRj9PVjAQHTdhpnQ+eYWMHcKeCkf+1w=
=9Wej
-----END PGP SIGNATURE-----

--YiEDa0DAkWCtVeE4--