Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-developers-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin-developers AT sourceware DOT cygnus DOT com
Message-ID: <375EAE9D.909A96B3@vinschen.de>
Date: Wed, 09 Jun 1999 20:12:45 +0200
From: Corinna Vinschen
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: Egor Duda
CC: cygwin-developers
Subject: Re: default /etc/passwd contents
X-Priority: 3 (Normal)
References: <375D805A DOT 90C9D21B AT vinschen DOT de> <17457 DOT 990609 AT logos-m DOT ru>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Egor Duda wrote:
>
> Hi!
>
> 9 June 1999 Corinna Vinschen corinna AT vinschen DOT de wrote:
>
> >> You can't get gid, because gid is only meaningful, if it's read from
> >> /etc/passwd. Remember: Outside of domains, no primary group exists.
> >> You only get name and uid but it should be possible, to use the
> >> administrators group (gid 544) as primary group in any case.
>
> Won't it give too much rights to this default user?

No, the rights of the user are not changed by this. It only has the
effect, that the group permissions that are set e.g. on files via
chmod are given to the admins group. If you would use e.g. `Guests'
group, it has the (negative) effect, that nearly everyone has rights
on the files. This would be less secure than using `administrators',
assuming that admins are less dangerous for system security ;-).

> CV> It then would be better, to insert /bin/sh as shell again in this entry,
> CV> because this would be compatible to the standard behaviour.
>
> AFAIK, far more common practice is to assign /bin/nonexistent as a
> shell for most users, at least 80% of users on our unix hosts don't
> have a shell. or perhaps it should be controlled via environment
> variable CYGWIN_SHELL?

Anyway, the default entry wouldn't let users login via `telnetd' or
else, so the default shell is not of real interest.
IMHO, we should avoid another DLL specific environment variables. In
this case, it wouldn't make sense, too.

> CV> This also would be a good choice for the default /etc/group entry.
> CV> Instead of using the dummy group `Everyone' which doesn't refer
> CV> to any meaningful group, I suggest using the `Administrators'
> CV> group (gid 544). We would get the groups native name with the call
> CV> `LookupAccountSid (NULL, get_admin_sid (), ...)'!
>
> hmm. i think it will work under NT, however i think that we should give
> minimal rights to "dummy" user. Will it be so, if he will belong to
> "Administrators" group?

As aforementioned it wouldn't grant more rights to the user. It
only would give the group rights to the admins group. But I'm
thinking the `paranoid' way. If we are `relaxed' we may use the
`Users' group (GID 545) or `Power Users' group (GID 547), too.
And, once more, we must take their native names!

> Either way, under win95 there should be some default uid and gid.

Any funny number is ok :)

Regards,
Corinna
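
As an added illustration of the point made in the reply above (not part of the original message or of Cygwin's code): the primary gid in a default passwd entry decides which group receives a file's group permission bits, so a small check can flag entries where a broad group would get write access. The sample passwd lines, the breadth ranking and the function names are assumptions made for this example.

```python
import stat

# Well-known BUILTIN alias RIDs used as gids: 544, 545 and 547 are named in
# the thread; 546 is the standard RID of the Guests group it mentions.
# The breadth rank is an assumption for this example: higher = more accounts.
WELL_KNOWN = {
    544: ("Administrators", 1),
    547: ("Power Users", 2),
    545: ("Users", 3),
    546: ("Guests", 4),
}

def parse_passwd(line):
    """Split one passwd(5) line into the fields this check needs."""
    name, _pw, uid, gid, _gecos, _home, shell = line.rstrip("\n").split(":", 6)
    return {"name": name, "uid": int(uid), "gid": int(gid), "shell": shell}

def group_class_grant(entry, mode):
    """Return (group, breadth, rwx) that the group bits of `mode` hand out
    for a file carrying the entry's primary gid."""
    group, breadth = WELL_KNOWN.get(entry["gid"], ("gid %d" % entry["gid"], None))
    bits = "".join(c if mode & m else "-" for c, m in
                   (("r", stat.S_IRGRP), ("w", stat.S_IWGRP), ("x", stat.S_IXGRP)))
    return group, breadth, bits

def audit(passwd_lines, mode, max_breadth=1):
    """Flag entries whose primary group is broader than `max_breadth` (or
    unknown) and would receive write access through the group bits."""
    findings = []
    for line in passwd_lines:
        entry = parse_passwd(line)
        group, breadth, bits = group_class_grant(entry, mode)
        if "w" in bits and (breadth is None or breadth > max_breadth):
            findings.append((entry["name"], group, bits))
    return findings

SAMPLE = [  # constructed entries, not taken from the thread
    "paranoid::500:544::/home/paranoid:/bin/sh",
    "relaxed::501:545::/home/relaxed:/bin/sh",
    "loose::502:546::/home/loose:/bin/sh",
]

if __name__ == "__main__":
    for user, group, bits in audit(SAMPLE, 0o664):
        print("%s: group bits %s go to %s" % (user, bits, group))
```

The user's own rights are the same in all three sample entries; only the recipient of the group bits differs, which is the distinction drawn in the reply.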