Date: Wed, 6 Jul 2022 23:45:13 +0300
From: Andrey Repin
To: Corinna Vinschen, cygwin AT cygwin DOT com
Subject: Re: The "TrustedInstaller" user can not be found by ID
Message-ID: <1282276604.20220706234513@yandex.ru>
References: <1558196978 DOT 20220706133209 AT yandex DOT ru>
List-Id: General Cygwin discussions and problem reports

Greetings, Corinna Vinschen!

> On Jul 6 13:32, Andrey Repin wrote:
>> Greetings, All!
>>
>> Been doing some housekeeping in my Cygwin installation at work, and wanted to
>> change the owner of the files to something other than myself.
>> TrustedInstaller seemed like a good neutral target, but it took me a little
>> while to find out it is
>>
>> 1. …named "NT SERVICE+TrustedInstaller" actually (which is predictable
>> somewhat);
>> $ getent passwd | grep -i trust
>> NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin
>>
>> 2. …cannot be accessed by any other name (unlike "NT AUTHORITY\SYSTEM");
>> $ getent passwd System
>> system:*:18:18:U-NT AUTHORITY\system,S-1-5-18:/home/system:/bin/bash
>> $ getent passwd 18
>> система:*:18:18:U-NT AUTHORITY\система,S-1-5-18:/home/система:/bin/bash
>
> This is by design. Only builtin stuff and the primary domain members
> can be accessed name-only. "NT SERVICE" is not builtin, but rather a
> kind of foreign domain identifier (but don't take this literally), so
> you have to use the full name "NT SERVICE+TrustedInstaller". Note
> that this is a restriction in the Windows function LookupAccountName,
> as documented in the source:
> https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=winsup/cygwin/uinfo.cc;hb=HEAD#l2032

That explains it, thank you.

>> 3. …cannot be accessed by ID! Which is rather surprising.
>> $ getent passwd 328384
>> [2] <- user not found
>>
>> Is this some special case of some kind of Windows' kinks?
>
> This is impossible with the current code. Cygwin tries to perform
> bijective SID<->id mappings, if possible. "NT SERVICE" accounts are a
> bit of a problem and TrustedInstaller is no exception in that the SIDs
> don't follow the usual rules for BUILTIN / NT AUTHORITY / normal
> accounts. They are also not exactly predictable, even though
> TrustedInstaller always has the same SID on all systems. To handle
> 328384 as TrustedInstaller, it needs actual special casing. We can add
> that, but that would only allow the explicit mapping between "NT
> SERVICE+TrustedInstaller" and uid/gid 328384. This would not cover
> other NT SERVICE accounts.

I was thinking cygserver could level such troubles. Since name resolution is
coming through it more or less, it could maintain the mappings of uid => SID of
the accounts it had seen, and respond correctly if `db_enum` contains "cache".

> Given that TrustedInstaller is only used by the OS at installation time,
> I always looked at it as a kind of "read-only account". I'm really not
> sure if it's worth special casing this account just to allow id->SID
> mapping...

--
With best regards,
Andrey Repin
Wednesday, July 6, 2022 22:35:01

Sorry for my terrible English...

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
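An added example, not code from the thread or from Cygwin itself: it parses `getent passwd` output in the gecos format Cygwin prints (`U-DOMAIN\account,SID`), classifies each entry by its SID prefix, and applies a simplified model of the rule Corinna describes (builtin and well-known accounts and primary-domain members resolve by bare name, everything else needs the `DOMAIN+name` form). The primary domain name, the regex, the function names and the last two sample lines are assumptions constructed for the example; the first two sample lines are copied from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in Cygwin's `getent passwd` format: first two lines are taken
# from the thread, the last two are made up (EXAMPLEDOM is a placeholder domain).
SAMPLE_PASSWD = """\
NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin
system:*:18:18:U-NT AUTHORITY\\system,S-1-5-18:/home/system:/bin/bash
Administrators:*:544:544:U-BUILTIN\\Administrators,S-1-5-32-544:/:/sbin/nologin
alice:*:197609:197121:U-EXAMPLEDOM\\alice,S-1-5-21-111-222-333-1001:/home/alice:/bin/bash
"""

# Cygwin stores "U-<domain>\<account>,<SID>" in the gecos (5th) field.
GECOS_RE = re.compile(r"^U-(?P<domain>[^\\]+)\\(?P<account>[^,]+),(?P<sid>S-1-[0-9-]+)$")

@dataclass
class Account:
    name: str
    uid: int
    gid: int
    domain: str
    sid: str

def parse_passwd(text: str) -> list:
    """Parse getent-style lines; lines whose gecos is not in Cygwin's format are skipped."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        m = GECOS_RE.match(fields[4])
        if not m:
            continue
        accounts.append(Account(fields[0], int(fields[2]), int(fields[3]), m["domain"], m["sid"]))
    return accounts

def sid_kind(sid: str) -> str:
    """Classify a SID by the prefixes discussed in the thread (BUILTIN, NT AUTHORITY, NT SERVICE, domain)."""
    if sid.startswith("S-1-5-32-"):
        return "builtin"
    if sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"):  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
        return "well-known"
    if sid.startswith("S-1-5-80-"):
        return "nt-service"
    if sid.startswith("S-1-5-21-"):
        return "domain"
    return "other"

def name_only_lookup_ok(acct: Account, primary_domain: str) -> bool:
    """Simplified model of the rule in the thread, not Cygwin's actual lookup code."""
    return sid_kind(acct.sid) in ("builtin", "well-known") or acct.domain == primary_domain

def lookup_audit(text: str, primary_domain: str) -> dict:
    """Map each account name to 'name' (bare name resolves) or 'qualified' (DOMAIN+name needed)."""
    return {a.name: ("name" if name_only_lookup_ok(a, primary_domain) else "qualified")
            for a in parse_passwd(text)}
```

Running `lookup_audit(SAMPLE_PASSWD, "EXAMPLEDOM")` flags only the NT SERVICE entry as needing the qualified name, which is the behaviour the thread observed for TrustedInstaller.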