This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: /etc/group manual-edits-workaround still reqd in 1.7?


On Aug 12 14:26, Tom Rodman wrote:
> On Mon 7/28/08 10:18 +0200 Corinna Vinschen wrote:
> > On Jul 26 09:12, Tom Rodman wrote:
> > > I use cygwin in a large domain, from time to time my account is
> > > added or removed from domain groups without any warning (last
> > > time 'IT' added 'Domain Users' to some other domain group - so all
> > > domain users were impacted!).  When this happens my credentials in
> > > a password-authenticated ssh session, get clobbered & I have
> > > to manually edit /etc/group, per:
> > > 
> > >   http://cygwin.com/ml/cygwin/2005-07/msg01287.html
> > > 
> > > Does this issue "go away" under cygwin 1.7?
> > 
> > I don't know but it's supposed to be better.  I relaxed the rules which
> > result in a token created through password login being overridden with a
> > self-created token.  
> 
> Thanks Corinna/appreciate your help.  
> 
> When that self-created token is created (under 1.5.x) is that
> the point that cygwin looks for the user's group memberships
> as defined in /etc/group?

Yes.

> > You will still have to create a new /etc/group, though.
> 
> Creating it daily (w/cron) is no problem, but, I'm still not
> clear.. in 1.7 do we still have to (in addition) update /etc/group
> so that domain users (that actually use ssh) have their comma
> delimited usernames in the last field on the respective lines in
> /etc/group, for all the domain groups they belong to?

That's hopefully not necessary anymore.  In fact I even removed
the capability to add user names to groups from mkgroup in 1.7.

The problem is a function in Cygwin called "verify_token" which
checks whether the groups requested in a user context switch
(setgroups/setgid/setuid) match the groups in the currently stored
user token.  This test can fail if the user token contains groups which
are not requested, if these groups are not present in /etc/groups
either.  In 1.7, I relaxed the tests in verify_token so that the
user token may contain nuts^Wgroups not mentioned anywhere.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
