This is the mail archive of the cygwin@sourceware.cygnus.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: ntsec: What am I doing wrong?


"Charles S. Wilson" wrote:
> mkpasswd -l -g > passwd
> mkgroup -l > group
> 
> I'm using NT, so in the "My Computer"->Properties->Environment pane, I
> set CYGWIN=binmode tty ntea ntsec
> [...]
> Now, I start bash, and do an 'ls -l'
> total 17
> -rw-rw-rw-   1 user     group         871 May 19  1999 bashrc
> [...]
> -rw-rw-rw-   1 user     group        9828 Dec  1  1998 termcap
> 
> 'id' reports:
> uid=0(user) gid=0(group)

Hi Charles,

do you work on a FAT partition? FAT isn't able to handle NT security
settings. On FAT all entries are simulated to be owned by the current
user.

If you use NTFS, you should make your sample real: Send the output
of `mkpasswd -l' `mkgroup -l' and `ls -ln' of an NTFS dir.

In the latest snapshots `ntsec' has additional features which are
not visible on the first glance. You are able to use them if you
call `mkpasswd' and `mkgroup' from the snapshots. Both tools now
additionally write the SIDs into the passwd and group file.
Unfortunately, I still haven't updated the ntsec documentation
(documentation is WORK ;-)) so I post the brief description which
I have given in the developers mailing list. Hope, this helps.
Additional questions will be gladly answered (please send them
to the list).

============ SNIP ==============
Hi!

I have patched ntsec so, that SIDs are used, that were previously
saved in /etc/passwd and /etc/group. This has following advantages:

- Correct working ntsec in domain environments.

- Non-login accounts (users _and_ groups) may get another name in
  /etc/passwd and /etc/group files than their NT account name.
  The new name is transparently used by applications (so chown,
  chgrp, ls -l, etc. use them now),
  e.g.:
        root::500:513:...
  instead of
        administrator::500:513:...

  No problem if running in console window,
  BUT: If you need the account to login via telnet, ssh or similar
  the login name _must_ be the NT user name.

- Cygwin UIDs and GIDs are now not necessarily the RID part of the
  NT SID:
  e.g.:
        root::0:513:...
  instead of
        administrator::500:513:...
        
- As with U*X systems, UIDs and GIDs numbering scheme now don't
  influence each other, so it's possible to have same Id's for a
  user and a group,
  e.g.:
        /etc/passwd:
        root::0:0:...           # former 'administrator::500:544:...'

        /etc/group:
        root::0:                # former 'administrators::544:'

Disadvantages, if you like to use the new features:
- /etc/passwd: The pw_gecos field has to contain a SID as the last
  element of the comma separated list.
- /etc/group: The gr_passwd (former unused) has to contain a SID.

If no SIDs are found in /etc/passwd and /etc/group, ntsec acts like
the previous version.

The SIDs are saved in standard WinNT notation (S-1-5-32-...)
the utilities mkpasswd and mkgroup are patched, to support the new
format:

- mkpasswd and mkgroup generate SIDs by default. This behaviour may
  be switched off by the new commandline option `-s' or `--no-sids'.

Moreover, mkpasswd generates the home dir path with the function
cygwin_conv_to_posix_path(), so mount points are used now. This
behaviour may be changed to `/cygdrive/<Driveletter>' by using the
commandline option `-m' or `--no-mount'.
============ SNAP ==============

Regards,
Corinna


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]