Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 2.4.0-0.4

[Kacper Michajlow <kasper93 at gmail dot com>]

2015-11-29 13:59 GMT+01:00 Corinna Vinschen <corinna-cygwin@cygwin.com>:
> On Nov 29 02:16, Andrey Repin wrote:
>> Greetings, Kacper Michajlow!
>>
>> >> Please also attach the output of `id' and of `getfacl . test test/test'.
>>
>> > getfacl attached. `id` output is already in cygcheck.log
>>
>> > In getfacl output this line `default:group:1001 <unknown>:r-x` looks
>>
>> Uh-oh.
>> Do you, by any chance, have /etc/passwd file?
>> Or a user comment changing relevant information?
>
> I agree with Andrey here: Uh oh!
>
> The mkdir trace contains a suspicious snippet which is the reason
> the mkdir call doesn't manage to post-process the ACL:
>
>   [...] pwdgrp::fetch_account_from_windows: LookupAccountSidW (S-1-5-32-1001), Win32 error 1332
>   [...] /[...]/security.cc:337 status 0xC0000078 -> windows error 1337
>
> Status 0xC0000078 aka Win32 error 1337 means "invalid SID".  And the
> SID 1-5-32-1001 is in fact invalid.  The S-1-5-32 prefix denotes a builtin
> account, but the RID 1001 is invalid for a builtin group.  1001 is the
> RID of your user account, though, but that would be prefixed by the SID
> of your machine, which looks like S-1-5-21-XXXXXXXX-YYYYYYYY-ZZZZZZZZ.
> I don't see how this broken SID came into life, unless your /etc/passwd
> and/or /etc/group files are broken (hand edited perhaps?).

I guess I only changed shell to zsh in /etc/passwd, but no other
changes were made. So I have no idea how they could get corrupted
either.

> You're aware that you don't need the /etc/passwd and /etc/group files
> anymore, aren't you?  https://cygwin.com/cygwin-ug-net/ntsec.html

I never really thought about it until it worked. But yeah, this might
be good time to abandon those files.

>
> For testing I'd like you to do the following:
>
> - Edit /etc/nsswitch,conf and change the "passwd:" and "group:" lines
>   to omit checking the passwd and group files:
>
>     passwd: db
>     group: db
>
> - Exit all Cygwin processes and restart a shell.
>
> - Call `id' again and attach it to your reply.  The uids and gids of
>   your account and primary group should be different now.
>
> - Remove the test dir, call `mkdir -p test/test' and call icacls on test
>   and test/test.

$ icacls test
test NULL SID:(DENY)(Rc,S)
     DOMEK\Kacper:(F)
     DOMEK\Kacper:(RX)
     Wszyscy:(RX)
     NULL SID:(OI)(CI)(IO)(DENY)(Rc,S)
     TWORCA-WLASCICIEL:(OI)(CI)(IO)(F)
     GRUPA TWORCOW:(OI)(CI)(IO)(RX)
     Wszyscy:(OI)(CI)(IO)(RX)

$ icacls test/test
test/test NULL SID:(DENY)(Rc,S)
          DOMEK\Kacper:(F)
          DOMEK\Kacper:(RX)
          Wszyscy:(RX)
          NULL SID:(OI)(CI)(IO)(DENY)(Rc,S)
          TWORCA-WLASCICIEL:(OI)(CI)(IO)(F)
          GRUPA TWORCOW:(OI)(CI)(IO)(RX)
          Wszyscy:(OI)(CI)(IO)(RX)

BTW. icacls doesn't handle UTF-8 characters well. Just saying.

> - Try chmod 755 test/test again.

Works.

> - Also, would you mind to attach your /etc/passwd, /etc/group and
>   /etc/nsswitch.conf files to your reply?

/etc/nsswitch.conf has only commented out default values. Two others
are attached. To make this clear, I never edited those files except
zsh change so if they are corrupted in any way they must have been
produced like that. Though it probably was over the year ago when I
installed cygwin on this machine.

I personally am fine with abandoning /etc/passwd and /etc/group. This
is good enough solution for me. Though there might be other people
with the same issue.

-Kacper

Attachment: id.log
Description: Binary data

Attachment: group
Description: Binary data

Attachment: passwd
Description: Binary data

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple