[RFC] Globally creating a user and a group "root"

Morrison, John John.Morrison@uk.experian.com
Wed Nov 12 10:23:00 GMT 2003


Corinna Vinschen wrote:
> On Tue, Nov 11, 2003 at 01:22:50PM -0500, Pierre A. Humblet wrote:
>> At 05:58 PM 11/11/2003 +0100, you wrote:
>>> What about generating a root group with mkgroup -l by default?
>>> 
>>>  root:S-1-5-32-544:0:
>>> 
>>> The question is then, should it *also* generate an administrators
>>> entry 
>>> 
>>>  Administrators:S-1-5-32-544:544:
>>> 
>>> or should it generate the "root" entry *instead* of the
>>> administrators entry?
>> 
>> Obviously I am for maintaining compatibility with existing
>> installations (544 must work), some of which still have Everybody
>> with gid 0 (using 0 as mapping to S-1-5-32-544 is risky).
> 
> I think we should do the affected users a favor and remove the
> Everyone entry from /etc/passwd and /etc/group when we find one. 
> This should be done by a script in the base-files or base-passwd
> package as a regular job. 

Part of /etc/profile? or put it in /etc/profile.d/?

(either way I'm pro these :)

The only issue I think might crop up is permissions... another
would be that /etc/profile doesn't get overwritten.

>> Note that if a file has group S-1-5-32-544 and this is also the
>> primary group of a user, then stat() will report the file gid as the
>> gid of the user in the /etc/passwd file (due to caching). This could
>> be 544 (e.g. when running as SYSTEM with existing password files) or
>> 0 (with the new root user, with gid 0), independently of /etc/group.
> 
> But that doesn't hurt.  Either case, it's the same group.
> 
>> This indeterminacy might cause headaches during the transition
>> period, it's hard to foresee all ramifications.
> 
> I'm running my system for at least a year with two group entries,
> root:S-1-5-32-544:0: and admin:S-1-5-32-544:544: and I never saw any
> negative influence.  It's the same group from the Windows point of
> view so no problems from that side.  It's basically just another name
> and gid for the same user.
> 
>> This being said, exim shouldn't care as long as 544 maps to
>> S-1-5-32-544. It autodetects if it is privileged and, if so,
>> setgid(544) & setuid(18) to normalize its environment (that was done
>> with Windows 2003 in mind). 
> 
> I don't understand.  You were the one who figured out the 2003 problem
> with the SYSTEM account.  So, erm...
> 
>> However the current exim-config script will produce warnings if 544
>> appears after 0 (I will modify it to learn the Admins gid).
> 
> Yeah, that will be necessary for a couple of packages.  cron is a
> good candidate for problems ;-P 
> 
>> In summary, no problem (AFAICS) if 544 appears before 0. I need a
>> decent transition period before you reverse the order (affects only
>> new exim installs), and a long one before you get rid of 544
>> (affects existing installations).
> 
> IMHO we should not wait too long.  At one point we must do it anyway
> and it's easy to make the transition for the user: just upgrade Cygwin
> and the affected packages.  It's no step which actually destroys
> anything but it will help all 2003 users and also users of other
> systems since the new "root" account would circumvent any permission
> problems. If a new Windows requires new privileges to do the really
> interesting stuff, just add them to "root" and you're done.  Knock on
> wood... 
> 
> Anyway, I think we should add "root/0" to /etc/group so that it comes
> before the "administrators/544" entry right from the beginning.  What
> happens in an exim installation then?
> 
> Corinna
> 
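
As an added example (not part of the original thread or of any Cygwin package), this shell code runs the checks the discussion turns on: an Everyone entry, gid 0 mapped to anything other than S-1-5-32-544, two SIDs sharing one gid, and which Administrators gid is listed first. The function names, finding labels and sample entries are assumptions made up for illustration; S-1-1-0 is the well-known SID of Everyone and does not appear in the thread.

```shell
#!/bin/sh
# Added example: audit a Cygwin-style group file (name:SID:gid:members).
ADMIN_SID="S-1-5-32-544"   # Administrators SID, as quoted in the thread
EVERYONE_SID="S-1-1-0"     # well-known SID of Everyone (not on the page)

# audit_group [FILE]: print one finding per line; reads stdin without FILE.
audit_group() {
    awk -F: -v admin="$ADMIN_SID" -v world="$EVERYONE_SID" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blanks
        {
            name = $1; sid = $2; gid = $3
            if (sid == world)
                print "EVERYONE_ENTRY " name " gid=" gid
            if (gid == "0" && sid != admin)
                print "GID0_NOT_ADMIN " name " sid=" sid
            # The same gid is claimed by two different SIDs.
            if ((gid in seen) && seen[gid] != sid)
                print "GID_CONFLICT gid=" gid " " seen[gid] " vs " sid
            else if (!(gid in seen))
                seen[gid] = sid
            if (sid == admin) {
                if (!first_set) { first = gid; first_set = 1 }
                if (gid == "544") has544 = 1
            }
        }
        END {
            if (first_set) print "ADMIN_FIRST gid=" first
            if (!has544)   print "MISSING_544"  # existing installs rely on 544
        }
    ' "${1:--}"
}

# strip_everyone [FILE]: copy passwd or group data to stdout without any
# entry that carries the Everyone SID as a whole ":"/","-delimited token.
strip_everyone() {
    awk -v world="$EVERYONE_SID" '
        $0 !~ ("(^|[:,])" world "([:,]|$)")
    ' "${1:--}"
}

# Constructed sample: a legacy file with Everyone on gid 0 plus both
# Administrators mappings discussed in the thread.
sample_group() {
    printf '%s\n' 'Everyone:S-1-1-0:0:' 'Administrators:S-1-5-32-544:544:' \
        'root:S-1-5-32-544:0:' 'Users:S-1-5-32-545:545:'
}

sample_group | audit_group                    # legacy file: four findings
sample_group | strip_everyone | audit_group   # after cleanup: order only
```

Both functions only read their input and write to stdout, so they can be run against copies of /etc/group and /etc/passwd before anything is changed.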




