get rid of getpwent? (Was: cygwin-1.7.28 getpwent header declaration changes ?)
Corinna Vinschen
corinna-cygwin@cygwin.com
Thu Feb 13 16:09:00 GMT 2014
On Feb 13 10:43, Christopher Faylor wrote:
> On Thu, Feb 13, 2014 at 03:44:19PM +0100, Corinna Vinschen wrote:
> >Yes, I think so too. I have some preliminary code (actually, just
> >empty function shells right now) which are supposed to implement
> >full enumerating.
> >
> >However, system admins might not exactly approve. I discussed this
> >with our Linux folks, and I learned that NSS backends like SSSD or
> >winbind default to NOT allowing enumerating, but giving the admin a
> >choice to enable it.
> >
> >So I think for our case a configuration option in /etc/nsswitch.conf
> >to limit the scope of the enumeration might be feasible.
>
> Or, nscd.conf which has stuff like:
>
> enable-cache passwd yes
> positive-time-to-live passwd 600
> negative-time-to-live passwd 20
> suggested-size passwd 211
> check-files passwd yes
> persistent passwd yes
> shared passwd yes
> max-db-size passwd 33554432
> auto-propagate passwd yes

I know that nsswitch.conf is not quite the right place for the
configuration variables, but I was reluctant to introduce YA file to
read at startup. If nobody cares, we can also go with a limited
nscd.conf approach for the configuration variables.

> I understand why a sysadmin might not want you to be able to enumerate
> user names but that really isn't, IMO, a reason not to implement the
> functionality (not that you are proposing this). You obviously can't
> assume that people won't exercise the capability if it is available.
>
> Security through obscurity...? Nah.

Nah. But restricting the capability for pure networking reasons is in
order, IMHO. Assuming that Cygwin has been set up by an admin and the
/etc files are not writable by the ordinary user, of course.

Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat