incompat in cygwin choice of using '+' as domain and user separator.

L A Walsh
Ran into this trying to use tar to store acls and xattrs:

>  tar caf lawbins.tar scripts scripts- bin
tar: miner.js: Warning: Cannot acl_to_text: Invalid argument
tar: run-crons.sys: Warning: Cannot acl_to_text: Invalid argument
tar: smallprof.out: Warning: Cannot acl_to_text: Invalid argument
tar: tmon.out: Warning: Cannot acl_to_text: Invalid argument
tar: ubytes_to_utf8.new: Warning: Cannot acl_to_text: Invalid argument

examining one of these:

>  find bin -name tmon.out      
bin/tmon.out

>  lsacl bin/tmon.out
[u::rwx,g::rwx,o:r-x,u:Unknown+User:rwx,g:Unknown+Group:rwx,g:Administrators:rwx,g:Bliss\Domain Admins:rwx,m:rwx/] bin/tmon.out

I tried tar in an existing dir:

>  mkdir test
>  tar caf test.tar test
>  ll test
total 0
>  cd test
>  tar xaf ../test.tar
>  ll
total 0
drwxrwxr-x+ 1 0 Aug 22 15:26 test/
>  lsacl test
[u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain Admins:rwx,m:rwx,o:r-x/u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain Admins:rwx,m:rwx,o:r-x] test

With the above and only standard separator chars, no problem

I'm guessing, but '+' is a reserved char that's not permitted in
acl_to_text...
Perhaps it might be good to not set the default to some non-default, since
the default(\) seems to work most places, including on linux, though
you do have to allow '\' in the list of allowed chars in /etc/login.defs

How do I change the default separator char from '+' back to '\'?
(by default, I mean the char that is used when the corresponding ID
isn't in /etc/passwd)

Thanks!






--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: incompat in cygwin choice of using '+' as domain and user separator.

cyg Simple
On 8/22/2018 6:36 PM, L A Walsh wrote:

> Ran in to this trying to use tar to store acls and xattrs:
>
>>  tar caf lawbins.tar scripts scripts- bin
> tar: miner.js: Warning: Cannot acl_to_text: Invalid argument
> tar: run-crons.sys: Warning: Cannot acl_to_text: Invalid argument
> tar: smallprof.out: Warning: Cannot acl_to_text: Invalid argument
> tar: tmon.out: Warning: Cannot acl_to_text: Invalid argument
> tar: ubytes_to_utf8.new: Warning: Cannot acl_to_text: Invalid argument
>
> examining one of these:
>
>>  find bin -name tmon.out      
> bin/tmon.out
>
>>  lsacl bin/tmon.out
> [u::rwx,g::rwx,o:r-x,u:Unknown+User:rwx,g:Unknown+Group:rwx,g:Administrators:rwx,g:Bliss\Domain
> Admins:rwx,m:rwx/] bin/tmon.out
>
> I tried tar in an existing dir:
>
>>  mkdir test
>>  tar caf test.tar test
>>  ll test
> total 0
>>  cd test
>>  tar xaf ../test.tar
>>  ll
> total 0
> drwxrwxr-x+ 1 0 Aug 22 15:26 test/
>>  lsacl test
> [u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain
> Admins:rwx,m:rwx,o:r-x/
> u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain
> Admins:rwx,m:rwx,o:r-x] test
>
> With the above and only standard separator chars, no problem
>
> I'm guessing, but '+' is a reserved char that's not permitted in
> acl_to_text...
You're misinterpreting the '+'.  It was used in place of ' ' (a space)
in "Unknown User" and "Unknown Group".  Now why isn't "Domain Admins"
also "Domain+Admins" is a question of pondering.

--
cyg Simple



Re: incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen-2
In reply to this post by L A Walsh
On Aug 22 15:36, L A Walsh wrote:

> Ran in to this trying to use tar to store acls and xattrs:
>
> >  tar caf lawbins.tar scripts scripts- bin
> tar: miner.js: Warning: Cannot acl_to_text: Invalid argument
> tar: run-crons.sys: Warning: Cannot acl_to_text: Invalid argument
> tar: smallprof.out: Warning: Cannot acl_to_text: Invalid argument
> tar: tmon.out: Warning: Cannot acl_to_text: Invalid argument
> tar: ubytes_to_utf8.new: Warning: Cannot acl_to_text: Invalid argument
>
> examining one of these:
>
> >  find bin -name tmon.out
> bin/tmon.out
>
> >  lsacl bin/tmon.out
> [u::rwx,g::rwx,o:r-x,u:Unknown+User:rwx,g:Unknown+Group:rwx,g:Administrators:rwx,g:Bliss\Domain
> Admins:rwx,m:rwx/] bin/tmon.out
lsacl?  I don't know this tool.  The fact that it prints the unknown
accounts with '+' and the known account with '\' is weird.  This
shouldn't happen.  It should print all accounts with a '+'.  Please use
`getfacl' to examine the ACLs.

>
> I tried tar in an existing dir:
>
> >  mkdir test
> >  tar caf test.tar test
> >  ll test
> total 0
> >  cd test
> >  tar xaf ../test.tar
> >  ll
> total 0
> drwxrwxr-x+ 1 0 Aug 22 15:26 test/
> >  lsacl test
> [u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain Admins:rwx,m:rwx,o:r-x/
> u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain Admins:rwx,m:rwx,o:r-x]
> test
>
> With the above and only standard separator chars, no problem
>
> I'm guessing, but '+' is a reserved char that's not permitted in
> acl_to_text...
No, that's a wrong assumption.  Think about it.  The ACL given to
acl_to_text is the binary form, so it doesn't contain user or group
names, only uids and gids.  The usernames are only generated in the
output.

EINVAL from acl_to_text means the incoming acl is invalid.  Either it's
so broken that acl_to_text crashes, or it's a NULL pointer, or it has
less than MIN_ACL_ENTRIES (3) entries, or it has more than MAX_ACL_ENTRIES
(2730) entries, or it doesn't follow the required rules for POSIX ACLs.

I assume the latter is the case here.  *Why* this occurs, I can't
tell.  I'd need a simple, reproducible testcase for that.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen-2
In reply to this post by cyg Simple
On Aug 22 22:54, cyg Simple wrote:

> On 8/22/2018 6:36 PM, L A Walsh wrote:
> > Ran in to this trying to use tar to store acls and xattrs:
> >
> >>  tar caf lawbins.tar scripts scripts- bin
> > tar: miner.js: Warning: Cannot acl_to_text: Invalid argument
> > tar: run-crons.sys: Warning: Cannot acl_to_text: Invalid argument
> > tar: smallprof.out: Warning: Cannot acl_to_text: Invalid argument
> > tar: tmon.out: Warning: Cannot acl_to_text: Invalid argument
> > tar: ubytes_to_utf8.new: Warning: Cannot acl_to_text: Invalid argument
> >
> > examining one of these:
> >
> >>  find bin -name tmon.out      
> > bin/tmon.out
> >
> >>  lsacl bin/tmon.out
> > [u::rwx,g::rwx,o:r-x,u:Unknown+User:rwx,g:Unknown+Group:rwx,g:Administrators:rwx,g:Bliss\Domain
> > Admins:rwx,m:rwx/] bin/tmon.out
> >
> > I tried tar in an existing dir:
> >
> >>  mkdir test
> >>  tar caf test.tar test
> >>  ll test
> > total 0
> >>  cd test
> >>  tar xaf ../test.tar
> >>  ll
> > total 0
> > drwxrwxr-x+ 1 0 Aug 22 15:26 test/
> >>  lsacl test
> > [u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain
> > Admins:rwx,m:rwx,o:r-x/
> > u::rwx,g::rwx,g:Bliss\lawgroup:rwx,g:Bliss\Domain
> > Admins:rwx,m:rwx,o:r-x] test
> >
> > With the above and only standard separator chars, no problem
> >
> > I'm guessing, but '+' is a reserved char that's not permitted in
> > acl_to_text...
>
> You're misinterpreting the '+'.  It was used in place of ' ' (a space)
> in "Unknown User" and "Unknown Group".  Now why isn't "Domain Admins"
> also "Domain+Admins" is a question of pondering.
No, you are misinterpreting the '+'.  It's in fact the domain+account
separator character in Cygwin, just as it was in Interix.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: incompat in cygwin choice of using '+' as domain and user separator.

L A Walsh
In reply to this post by Corinna Vinschen-2
On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
...
> No, that's a wrong assumption.  Think about it.  The ACL given to
> acl_to_text is the binary form, so it doesn't contain user or group
> names, only uids and gids.  The usernames are only generated in the
> output.
---
        Rats.  Of course, you're right.  
        Then I nominate the problem being that it can't convert
from domain "Unknown"-user + "Unknown"-group to something it can
store in tar.  I'll try to elaborate.  

lsacl is an output massager that mainly compacts output of
getfacl into a 1 line form as used by the linux chacl format
for environments where chacl was missing (like cygwin and some linux
machines).  It's a fairly trivial script (attached), feel free
to do whatever w/it.

As far as duplication, I have /etc/passwd+/etc/group files that
mirror my accounts on the linux-based PDC (samba 3.x).

so when lsacl puts out:
> lsacl miner.js
[u::rwx,g::rwx,o:r-x,u:Unknown+User:rwx,g:Unknown+Group:rwx,g:Administrators:rwx,g:Bliss\Domain Admins:rwx,m:rwx/] miner.js

then getfacl puts out:

> getfacl miner.js
# file: miner.js
# owner: Bliss\law
# group: Bliss\Domain Admins
user::rwx
group::rwx
other:r-x
user:Unknown+User:rwx
group:Unknown+Group:rwx
group:Administrators:rwx
group:Bliss\Domain Admins:rwx
mask:rwx

or numerically:

> getfacl -n miner.js
# file: miner.js
# owner: 5013
# group: 512
user::rwx
group::rwx
other:r-x
user:4294967295:rwx
group:4294967295:rwx
group:544:rwx
group:512:rwx
mask:rwx

In this case, that user+group appear to correspond
to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
The domain/system part appears to be from some previous
value for the machine's "sid"?  Not sure how to deliberately
reproduce that, but maybe you have a tool to create an
invalid acl entry for a user like:
Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
in /etc/passwd.
and something similar in /etc/group?


I can fairly easily work around it by just deleting the
invalid user/group from the GUI.

The icacls output on the file with some added line breaks
(from D:PAI to S:P was all 1 line).

miner.js
D:PAI(A;;0x1f01bf;;;S-1-5-21-33-77-33-5013)(A;;0x1201bf;;;DA)
(A;;0x1200a9;;;WD)(A;;0x1201ff;;;S-1-5-21-33-77-33-5013)
(A;;0x1201ff;;;SY)(A;;0x1201ff;;;BA)(A;;0x1200a9;;;WD)
(A;;FA;;;S-1-5-21-33-77-33-5013)
(A;;0x1201ff;;;S-1-5-21-3457732827-2369206082-2151550420-1001)
(A;;0x1201ff;;;DA)
(A;;0x1201ff;;;S-1-5-21-3457732827-2369206082-2151550420-1005)S:P

I can work around this for the small number of files that were weird, but it seems cygwin should "more gracefully" handle such things if it can(?).

I wonder if rsync has a similar problem...yup:

> rsync -aA miner.js ../testbin/  
rsync: set_acl: sys_acl_set_file(miner.js, ACL_TYPE_ACCESS): Invalid argument (22)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1196) [sender=3.1.2]





#!/bin/bash

## $Id: lsacl,v 1.5 2015-08-02 10:29:25-07 law Exp $
# Version 2 -- try to work with getfacl on cygwin
#


shopt -s expand_aliases
alias int=declare\ -i sub=function  string=declare

gfacl=$(type -P getfacl)

if ! type -f cygwin 2>/dev/null ; then
        _un_=$(type -P uname)
        if [[ $_un_ ]] ; then _os_=$($_un_ -o);
        elif [[ -e /proc/sys/kernel ]]; then _os_=Linux;
        else _os_=Cygwin;
        fi
        if [[ $_os_ =~ Cygwin ]]; then function cygwin () { return 0; }
        else function cygwin () { return 1; }
        fi
        unset _un_ _os_
        export -f cygwin
fi

if cygwin 2>/dev/null ;then
        [[ $gfacl ]] || { printf "FATAL: Cannot find getfacl in path\n"; exit 1; }
        sub gfacl () { "$gfacl" "$@"; }
else ## linux version has broken semantics requiring "-p"
        sub gfacl () { "$gfacl" -p "$@" ; }
fi

export -f gfacl


sub facl2str {
        string fn=${1:?"Need pathname"}
        string s1='/^\#.*$/d; /^\s*$/d; s/\s*#.*$//; s/^(.)(ser|roup|ask|ther):/\1:/; y/\n/,/'
        string facl=$(gfacl -a "$fn"|sed -r "$s1"|tr "\n" ",")
        facl=${facl%,}
        string dacl=$(gfacl -d "$fn"|sed -r "s/^default://; $s1"|tr "\n" ",")
        dacl=${dacl%,}
        printf "[%s/%s]\n" "$facl" "$dacl"
}



int acllen=0 maxfnln=0
#for fn in "$@" ; do if ((maxfnln<${#fn})); then maxfnln=${#fn}; fi ; done

sub acl_str () {
        string fn=${1:?"Need pathname"}   # use the argument, not the caller's global
        if cygwin ;then
                perm=$(facl2str "$fn")
        else
                qfn=$(printf "%q " "$fn")
                out="$(chacl -l "$fn")"
                perm="${out#$qfn}"
        fi
        printf "%s\n" "$perm"
}


for fn in "$@"; do
        int max=40
        perm=$(acl_str "$fn")
        int len=${#perm}
        # track the widest ACL string seen so far, capped at $max columns
        if ((len>acllen)); then acllen=len; fi
        if ((acllen>max)); then acllen=max; fi
        printf "%-${acllen}s %s\n" "$perm" "$fn"
done



Re: incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen-2
On Aug 26 20:32, L A Walsh wrote:

> On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> ...
> > No, that's a wrong assumption.  Think about it.  The ACL given to
> > acl_to_text is the binary form, so it doesn't contain user or group
> > names, only uids and gids.  The usernames are only generated in the
> > output.
> ---
> Rats.  Of course, you're right.   Then I nominate the problem being that it
> can't convert from domain "Unknown"-user + "Unknown"-group to something it
> can store in tar.
The problem with unknown SIDs is that there's no bijective
transformation between SID <-> uid/gid.  You get the uid/gid -1 and
then... what?  How do you restore the information?  There's no SID for
uid/gid -1.

> As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> accounts on the linux-based PDC (samba 3.x).

What for?  This should work automatically and you would get rid of those
dreaded backslashes in the account names.  Using passwd/group files also
has a higher probability of account overlap with weird results.

Passwd and group files should only be used if you have very specific
problems to solve (like offline usage or see below), otherwise just use
the values you get from the account DBs.

> In this case, that user+group appear to correspond
> to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> The domain/system part appears to be from some previous
> value for the machine's "sid"?  Not sure how to deliberately
> reproduce that, but maybe you have a tool to create an
> invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> in /etc/passwd.
> and something similar in /etc/group?

If you want to keep the old, unknown accounts, just add them to
your passwd and group files (one of those special problems).
Alternatively remove them from all ACLs.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen-2
On Aug 27 11:09, Corinna Vinschen wrote:

> On Aug 26 20:32, L A Walsh wrote:
> > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > ...
> > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > acl_to_text is the binary form, so it doesn't contain user or group
> > > names, only uids and gids.  The usernames are only generated in the
> > > output.
> > ---
> > Rats.  Of course, you're right.   Then I nominate the problem being that it
> > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > can store in tar.
>
> The problem with unknown SIDs is that there's no bijective
> transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> then... what?  How do you restore the information?  There's no SID for
> uid/gid -1.
>
> > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > accounts on the linux-based PDC (samba 3.x).
>
> What for?  This should work automatically and you would get rid of those
> dreaded backslashes in the account names.  Using passwd/group files also
> have a higher probability of account overlap with weird results.
>
> Passwd and group files should only be used if you have very specific
> problems to solve (like offline usage or see below), otherwise just use
> the values you get from the account DBs.
>
> > In this case, that user+group appear to correspond
> > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > The domain/system part appears to be from some previous
> > value for the machine's "sid"?  Not sure how to deliberately
> > reproduce that, but maybe you have a tool to create an
> > invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > in /etc/passwd.
> > and something similar in /etc/group?
Actually, I just did that.  I added a user and a group to the files with
weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
different ACLs (created by Cygwin, created by native Windows) there are
different results.  The problem is that uid/gid -1 can be created as a
file ACL entry *and* at the same time have the meaning of "don't look
for the uid/gid" when checking the ACL for validity.  To make matters
worse, if you have multiple ACEs of unknown users, the resulting ACL is
*always* invalid.

Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
into a fix.

> If you want to keep the old, unknown accounts, just add them to
> your passwd and group files (one of those special problems).
> Alternatively remove them from all ACLs.

For the time being, use the above workaround.


Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
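
Added example, not part of the thread and not Cygwin code: a shell function that audits `getfacl -n` output for the conditions discussed above, namely named entries whose id is 4294967295 (uid/gid -1, an unmapped SID) and violations of the POSIX ACL structure rules. The function name and the second listing are constructed for illustration; flagging two -1 entries of one type as a duplicate qualifier applies the POSIX uniqueness rule, and that this is the exact check Cygwin tripped over is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Audit one file's `getfacl -n` listing (read from stdin).
# Prints one finding per line, or "ok"; exit status is 1 when anything is flagged.

UNMAPPED_ID=4294967295   # (uid_t)-1, the id shown for unknown SIDs in the thread

audit_getfacl_n() {
    awk -v unmapped="$UNMAPPED_ID" '
        function report(msg) { print msg; bad = 1 }
        BEGIN { bad = 0 }
        { sub(/[ \t]*#.*$/, "") }       # drop "# file:" headers and trailing comments
        /^[ \t]*$/ { next }
        /^default:/ { next }            # only the access ACL is checked here
        {
            n = split($0, f, ":"); tag = f[1]; entries++
            if (tag == "other") { other++; next }
            if (tag == "mask")  { mask++;  next }
            if ((tag != "user" && tag != "group") || n != 3) {
                report("malformed entry: " $0); next
            }
            id = f[2]
            if (id == "") { obj[tag]++; next }      # user:: and group:: owner entries
            named++
            # string comparison, so the check does not depend on numeric precision
            if ((id "") == (unmapped "")) report("unmapped " tag " id " id)
            # POSIX ACL rule: qualifiers must be unique within user and group entries
            if (seen[tag ":" id]++) report("duplicate " tag " qualifier " id)
        }
        END {
            if (entries < 3) report("fewer than 3 entries")
            if (obj["user"] != 1)  report("need exactly one user:: entry")
            if (obj["group"] != 1) report("need exactly one group:: entry")
            if (other != 1)        report("need exactly one other entry")
            if (mask > 1 || (named > 0 && mask != 1))
                report("named entries require exactly one mask entry")
            if (!bad) print "ok"
            exit bad
        }
    '
}

# Listing copied from the getfacl -n output posted earlier in the thread.
THREAD_LISTING='# file: miner.js
# owner: 5013
# group: 512
user::rwx
group::rwx
other:r-x
user:4294967295:rwx
group:4294967295:rwx
group:544:rwx
group:512:rwx
mask:rwx'

# Constructed listing: two unknown users, both reported as id -1.
DUP_LISTING='user::rwx
group::rwx
other:r-x
user:4294967295:rwx
user:4294967295:rwx
mask:rwx'

printf '%s\n' "$THREAD_LISTING" | audit_getfacl_n || true
```

On a real file, run `getfacl -n FILE | audit_getfacl_n`; a non-zero status marks a file whose ACL is worth cleaning up before archiving it with tar or rsync -A.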


Re: incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen-2
On Aug 27 12:41, Corinna Vinschen wrote:

> On Aug 27 11:09, Corinna Vinschen wrote:
> > On Aug 26 20:32, L A Walsh wrote:
> > > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > > ...
> > > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > > acl_to_text is the binary form, so it doesn't contain user or group
> > > > names, only uids and gids.  The usernames are only generated in the
> > > > output.
> > > ---
> > > Rats.  Of course, you're right.   Then I nominate the problem being that it
> > > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > > can store in tar.
> >
> > The problem with unknown SIDs is that there's no bijective
> > transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> > then... what?  How do you restore the information?  There's no SID for
> > uid/gid -1.
> >
> > > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > > accounts on the linux-based PDC (samba 3.x).
> >
> > What for?  This should work automatically and you would get rid of those
> > dreaded backslashes in the account names.  Using passwd/group files also
> > have a higher probability of account overlap with weird results.
> >
> > Passwd and group files should only be used if you have very specific
> > problems to solve (like offline usage or see below), otherwise just use
> > the values you get from the account DBs.
> >
> > > In this case, that user+group appear to correspond
> > > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > > The domain/system part appears to be from some previous
> > > value for the machine's "sid"?  Not sure how to deliberately
> > > reproduce that, but maybe you have a tool to create an
> > > invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > > in /etc/passwd.
> > > and something similar in /etc/group?
>
> Actually, I just did that.  I added a user and a group to the files with
> weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
> different ACLs (created by Cygwin, created by native Windows) there are
> different results.  The problem is that uid/gid -1 can be created as a
> file ACL entry *and* at the same time have the meaning of "don't look
> for the uid/gid" when checking the ACL for validity.  To make matters
> worse, if you have multiple ACEs of unknown users, the resulting ACL is
> *always* invalid.
>
> Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
> into a fix.
The only sane way to handle unknown SIDs in file ACLs is to ignore them
entirely.  The result will be that you never see them in getfacl, nor
will they be stored by tar or rsync.  They are just not there from the
Cygwin perspective.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: incompat in cygwin choice of using '+' as domain and user separator.

Corinna Vinschen-2
On Aug 27 12:50, Corinna Vinschen wrote:

> On Aug 27 12:41, Corinna Vinschen wrote:
> > On Aug 27 11:09, Corinna Vinschen wrote:
> > > On Aug 26 20:32, L A Walsh wrote:
> > > > On 8/23/2018 1:11 AM, Corinna Vinschen wrote:
> > > > ...
> > > > > No, that's a wrong assumption.  Think about it.  The ACL given to
> > > > > acl_to_text is the binary form, so it doesn't contain user or group
> > > > > names, only uids and gids.  The usernames are only generated in the
> > > > > output.
> > > > ---
> > > > Rats.  Of course, you're right.   Then I nominate the problem being that it
> > > > can't convert from domain "Unknown"-user + "Unknown"-group to something it
> > > > can store in tar.
> > >
> > > The problem with unknown SIDs is that there's no bijective
> > > transformation between SID <-> uid/gid.  You get the uid/gid -1 and
> > > then... what?  How do you restore the information?  There's no SID for
> > > uid/gid -1.
> > >
> > > > As far as duplication, I have /etc/passwd+/etc/group files that mirror my
> > > > accounts on the linux-based PDC (samba 3.x).
> > >
> > > What for?  This should work automatically and you would get rid of those
> > > dreaded backslashes in the account names.  Using passwd/group files also
> > > have a higher probability of account overlap with weird results.
> > >
> > > Passwd and group files should only be used if you have very specific
> > > problems to solve (like offline usage or see below), otherwise just use
> > > the values you get from the account DBs.
> > >
> > > > In this case, that user+group appear to correspond
> > > > to non-existent users. (S-1-5-21-oldsystem-ID-1001 + -1005).
> > > > The domain/system part appears to be from some previous
> > > > value for the machine's "sid"?  Not sure how to deliberately
> > > > reproduce that, but maybe you have a tool to create an
> > > > invalid acl entry for a user like: Unknown+User:*:4294967295:4294967295:S-1-5-21-3457732827-2369206082-2151550420-1001
> > > > in /etc/passwd.
> > > > and something similar in /etc/group?
> >
> > Actually, I just did that.  I added a user and a group to the files with
> > weird SIDs, then I switched /etc/nsswitch.conf to "db" only.  With
> > different ACLs (created by Cygwin, created by native Windows) there are
> > different results.  The problem is that uid/gid -1 can be created as a
> > file ACL entry *and* at the same time have the meaning of "don't look
> > for the uid/gid" when checking the ACL for validity.  To make matters
> > worse, if you have multiple ACEs of unknown users, the resulting ACL is
> > *always* invalid.
> >
> > Bottom line is, there are at least two bugs here in Cygwin.  I'm looking
> > into a fix.
>
> The only sane way to handle unknown SIDs in file ACLs is to ignore them
> entirely.  The result will be that you never see them in getfacl, nor
> will they be stored by tar or rsync.  They are just not there from the
> Cygwin perspective.
I created a patch, uploaded developer snapshots to
https://cygwin.com/snapshots/ and released a new Cygwin test
release 2.11.0-0.4 with this change.  Please give any of
them a try.


Thanks,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: handling invalid user/groups (was incompat in cygwin choice of using '+' as domain and user separator.)

L A Walsh
On 8/27/2018 10:26 AM, Corinna Vinschen wrote:

On 8/27/2018 3:50 AM, Corinna Vinschen wrote:
> The only sane way to handle unknown SIDs in file ACLs is to ignore them
> entirely.  The result will be that you never see them in getfacl, nor
> will they be stored by tar or rsync.  They are just not there from the
> Cygwin perspective.
---
        Sounds fine to me...

> I created a patch, uploaded developer snapshots to
> https://cygwin.com/snapshots/ and released a new Cygwin test
> release 2.11.0-0.4 with this change.  Please giver any of
> them a try.

does the latest cygwin also have this patch as I wasn't able to
duplicate the error case with the newer cygwin (nor the patch
you posted earlier).  I.e. was trying to make sure I got the error
w/o patch, then goes away w/patch, but in this case, either I didn't
dup the error or it was in latest version.

Hoping it is the latter.

Cheers,
Linda

p.s. -- some "FYI" stuff about your email:
        when i respond to one of your emails, I get two (2)
        "To:" entries -- both to [hidden email].
        I think it might be because the emails from you contain
        two 'Mail-Followup-To:' lines -- see below**.

Also, I don't get your message included in a response
(because it is in a separate attachment).  Is that intentional?

**-(elided header stuff):
Received: (qmail 2620 invoked by alias); 27 Aug 2018 17:26:36 -0000
Mailing-List: contact cygwin-help-cygwin.com; run by ezmlm
Precedence: bulk
...
Sender: cygwin-owner-cygwin.com
Mail-Followup-To: cygwin-cygwin.com   <<<----
Delivered-To: mailing list cygwin-cygwin.com
Received: (qmail 2605 invoked by uid 89); 27 Aug 2018 17:26:35 -0000
Authentication-Results: sourceware.org; auth=none
...
From: Corinna Vinschen <corinna-cygwin-cygwin.com>
...
Reply-To: cygwin-cygwin.com
Mail-Followup-To: cygwin-cygwin.com   <<<---
----

Looks like 1 is added by the list, the other is maybe added by your
email client?







Re: handling invalid user/groups (was incompat in cygwin choice of using '+' as domain and user separator.)

Corinna Vinschen-2
On Sep  4 13:08, L A Walsh wrote:

> On 8/27/2018 10:26 AM, Corinna Vinschen wrote:
>
> On 8/27/2018 3:50 AM, Corinna Vinschen wrote:
> > The only sane way to handle unknown SIDs in file ACLs is to ignore them
> > entirely.  The result will be that you never see them in getfacl, nor
> > will they be stored by tar or rsync.  They are just not there from the
> > Cygwin perspective.
> ---
> Sounds fine to me...
>
> > I created a patch, uploaded developer snapshots to
> > https://cygwin.com/snapshots/ and released a new Cygwin test
> > release 2.11.0-0.4 with this change.  Please giver any of
> > them a try.
>
> does the latest cygwin also have this patch
No, I deliberately removed it from the released version to tease you.

> p.s. -- some "FYI" stuff about your email:
>        when i respond to one of your emails, I get two (2)        "To:"
> entries -- both to [hidden email].
> I think it might be because the emails from you contain
> two 'Mail-Followup-To:' lines -- see below**.

I only add a reply-to.  I have no idea where the followup to's are
generated.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: handling invalid user/groups (was incompat in cygwin choice of using '+' as domain and user separator.)

Andrey Repin
In reply to this post by L A Walsh
Greetings, L A Walsh!

> p.s. -- some "FYI" stuff about your email:
>         when i respond to one of your emails, I get two (2)
>         "To:" entries -- both to [hidden email].
>         I think it might be because the emails from you contain
>         two 'Mail-Followup-To:' lines -- see below**.

They are added by list software.
Your email client is expected to sort it out and only include unique
addresses.
Even if not, the first MTA you submit your message to should do that.

> Also, I don't get your message included in a response
> (because it is in a separate attachment.  Is that intentional?

No, it's your weird mail agent failing to parse a signed email.


--
With best regards,
Andrey Repin
Wednesday, September 5, 2018 14:26:34

Sorry for my terrible English...



Odd email symptoms (was Re: handling invalid user/groups)

L A Walsh
Thanks for your reply, it's not so much a problem for me,
just that when I have some email problem, I often need someone else
to point it out to me, as from my perspective, everything is working
fine!  :-)


On 9/5/2018 4:30 AM, Andrey Repin wrote:

> Greetings, L A Walsh!
>
>> p.s. -- some "FYI" stuff about your email:
>>         when i respond to one of your emails, I get two (2)
>>         "To:" entries -- both to [hidden email].
>>         I think it might be because the emails from you contain
>>         two 'Mail-Followup-To:' lines -- see below**.
>
> They are added by list software.
> Your email client is expected to sort it out and only include unique
> addresses.
----
        It does for most things, but not for 'Mail-Followup-To'.
Never seen it on anyone else's email...



> Even if not, the first MTA you submit your message to should do that.
---
        Really?... so sendmail should strip off duplicate addresses.
I wasn't aware of that.  I'll have to try it.




>
>> Also, I don't get your message included in a response
>> (because it is in a separate attachment.  Is that intentional?
>
> No, it's your weird mail agent failing to parse a signed email.
----
I see others who sign their email, but hers is the only one that
comes through in an attachment.

So wondering why her email in particular comes through that way.

My "weird" Thunderbird mail agent...hmmmm...it may be old, but
first time I've heard Tbird called weird.

-linda





Re: handling invalid user/groups (was incompat in cygwin choice of using '+' as domain and user separator.)

L A Walsh
In reply to this post by Corinna Vinschen-2


On 9/5/2018 1:03 AM, Corinna Vinschen wrote:
> No, I deliberately removed it from the released version to tease you.

Meanie!!!

:-)

