This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.



Re: [RFC] Globally creating a user and a group "root"


On Tue, Nov 11, 2003 at 01:22:50PM -0500, Pierre A. Humblet wrote:
> At 05:58 PM 11/11/2003 +0100, you wrote:
> >What about generating a root group with mkgroup -l by default?
> >
> >  root:S-1-5-32-544:0:
> >
> >The question is then, should it *also* generate an administrators entry
> >
> >  Administrators:S-1-5-32-544:544:
> >
> >or should it generate the "root" entry *instead* of the administrators
> >entry?
> 
> Obviously I am for maintaining compatibility with existing installations
> (544 must work), some of which still have Everybody with gid 0 (using 0
> as mapping to S-1-5-32-544 is risky).

I think we should do the affected users a favor and remove the Everyone
entry from /etc/passwd and /etc/group when we find one.  This should be
done by a script in the base-files or base-passwd package as a regular
job.

> Note that if a file has group S-1-5-32-544 and this is also the primary
> group of a user, then stat() will report the file gid as the gid of the
> user in the /etc/passwd file (due to caching). This could be 544
> (e.g. when running as SYSTEM with existing password files) or 0 (with
> the new root user, with gid 0), independently of /etc/group.

But that doesn't hurt.  In either case, it's the same group.

> This indeterminacy might cause headaches during the transition period,
> it's hard to foresee all ramifications.

I've been running my system for at least a year with two group entries,
root:S-1-5-32-544:0: and admin:S-1-5-32-544:544: and I never saw any
negative influence.  It's the same group from the Windows point of view
so no problems from that side.  It's basically just another name and gid
for the same user.

> This being said, exim shouldn't care as long as 544 maps to S-1-5-32-544.
> It autodetects if it is privileged and, if so, setgid(544) & setuid(18)
> to normalize its environment (that was done with Windows 2003 in mind).

I don't understand.  You were the one who figured out the 2003 problem
with the SYSTEM account.  So, erm...

> However the current exim-config script will produce warnings if 544 appears
> after 0 (I will modify it to learn the Admins gid).

Yeah, that will be necessary for a couple of packages.  cron is a good
candidate for problems ;-P

> In summary, no problem (AFAICS) if 544 appears before 0. I need a decent
> transition period before you reverse the order (affects only new
> exim installs), and a long one before you get rid of 544 (affects existing
> installations).  

IMHO we should not wait too long.  At one point we must do it anyway
and it's easy to make the transition for the user: just upgrade Cygwin
and the affected packages.  It's not a step which actually destroys
anything but it will help all 2003 users and also users of other systems
since the new "root" account would circumvent any permission problems.
If a new Windows requires new privileges to do the really interesting
stuff, just add them to "root" and you're done.  Knock on wood...

Anyway, I think we should add "root/0" to /etc/group so that it comes
before the "administrators/544" entry right from the beginning.  What
happens in an exim installation then?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
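
The points raised in this message (an Everyone entry holding gid 0, and two names and gids for S-1-5-32-544 whose order in /etc/group matters to some packages) can be checked with a small audit script. This is an added example, not part of the original mail or of any Cygwin package; the function names, finding labels and sample file are constructed, and the Everyone SID S-1-1-0 is the well-known Windows value rather than one given in the thread.

```shell
#!/bin/sh
# Added example: audit a Cygwin-style group file (name:SID:gid:members).

# Constructed sample input, not taken from a real installation.
sample_group() {
cat <<'EOF'
Everyone:S-1-1-0:0:
root:S-1-5-32-544:0:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
EOF
}

# audit_group FILE prints one finding per line:
#   EVERYONE_GID0 name            the Everyone SID (assumed S-1-1-0) holds gid 0
#   GID_CLASH gid first,later     one gid is mapped to two different SIDs
#   ALIAS sid name/gid,name/gid   one SID has several entries, listed in file order
audit_group() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            name = $1; sid = $2; gid = $3
            if (sid == "S-1-1-0" && gid == "0") {
                print "EVERYONE_GID0 " name
            }
            if (!(gid in gid_sid)) {            # first owner of this gid
                gid_sid[gid] = sid; gid_name[gid] = name
            } else if (gid_sid[gid] != sid) {   # same gid, different SID
                print "GID_CLASH " gid " " gid_name[gid] "," name
            }
            if (sid in alias) {
                alias[sid] = alias[sid] "," name "/" gid
            } else {
                alias[sid] = name "/" gid; order[++n] = sid
            }
        }
        END {
            # Report aliases last; the order shown is the order in the file,
            # which is what decides whether 544 or 0 is seen first.
            for (i = 1; i <= n; i++) {
                if (index(alias[order[i]], ",")) {
                    print "ALIAS " order[i] " " alias[order[i]]
                }
            }
        }
    ' "$1"
}
```

Run it as `audit_group /etc/group`; an ALIAS line alone only records the dual root/Administrators mapping and its order, while EVERYONE_GID0 or GID_CLASH marks the stale entry the message proposes to remove.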

