get rid of getpwent? (Was: cygwin-1.7.28 getpwent header declaration changes ?)

Corinna Vinschen corinna-cygwin@cygwin.com
Thu Feb 13 16:09:00 GMT 2014


On Feb 13 10:43, Christopher Faylor wrote:
> On Thu, Feb 13, 2014 at 03:44:19PM +0100, Corinna Vinschen wrote:
> >Yes, I think so too.  I have some preliminary code (actually, just
> >empty function shells right now) which are supposed to implement
> >full enumerating.
> >
> >However, system admins might not exactly approve.  I discussed this
> >with our Linux folks, and I learned that NSS backends like SSSD or
> >winbind default to NOT allowing enumerating, but giving the admin a
> >choice to enable it.
> >
> >So I think for our case a configuration option in /etc/nsswitch.conf
> >to limit the scope of the enumeration might be feasible.
> 
> Or, nscd.conf which has stuff like:
> 
>     enable-cache            passwd          yes
>     positive-time-to-live   passwd          600
>     negative-time-to-live   passwd          20
>     suggested-size          passwd          211
>     check-files             passwd          yes
>     persistent              passwd          yes
>     shared                  passwd          yes
>     max-db-size             passwd          33554432
>     auto-propagate          passwd          yes

I know that nsswitch.conf is not quite the right place for the
configuration variables, but I was reluctant to introduce YA file to
read at startup.  If nobody cares, we can also go with a limited
nscd.conf approach for the configuration variables.

> I understand why a sysadmin might not want you to be able to enumerate
> user names but that really isn't, IMO, a reason not to implement the
> functionality (not that you are proposing this).  You obviously can't
> assume that people won't exercise the capability if it is available.
> 
> Security through obscurity...?  Nah.

Nah.  But restricting the capability for pure networking reasons is in
order, IMHO.  Assuming that Cygwin has been set up by an admin and the
/etc files are not writable by the ordinary user, of course.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat