DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 53AAILvi3207269
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 53AAILvi3207269
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=oSN3+4PD
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F30963839433
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1744280299;
	bh=W2BsUWaz69Grhgfv1dOFfQbKwgsST8zQt4ISD1Nm/Gs=;
	h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=oSN3+4PDUuIGZYYpub9e/8eq3TKcEq9uRfz3RcI5tZ/DlWyrqr0+UYysLd9iVNUhU
	 mDjvPhq+TwMJbdLa5fnd2CmUtVRbt4c9B7pt3dB+m+I2XpV8X2bZWZD09+9uaA5LBG
	 g0gnh/3snP02aJzQF5l7HycMQJ65HlpA8Uj57/MU=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 95E31385ED4A
Date: Thu, 10 Apr 2025 12:17:13 +0200
To: =?utf-8?B?TGx1w61z?= Batlle i Rossell <viric AT viric DOT name>
Subject: Re: On dropping Capability SIDs
Message-ID: <Z_eaqRStWb2SiXEu@calimero.vinschen.de>
Mail-Followup-To: =?utf-8?B?TGx1w61z?= Batlle i Rossell <viric AT viric DOT name>,
 cygwin AT cygwin DOT com
References: <pbli6jecn5go2h7heebwivkwz6xf5h2stvq5fxna4u6pql6uht AT 7xpentpxjiak>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <pbli6jecn5go2h7heebwivkwz6xf5h2stvq5fxna4u6pql6uht@7xpentpxjiak>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Corinna Vinschen via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>, cygwin AT cygwin DOT com
Content-Type: text/plain; charset="utf-8"
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 53AAILvi3207269

Hi Lluís,

On Apr 10 09:52, Lluís Batlle i Rossell via Cygwin wrote:
> Hello,
> 
> I saw this change to cygwin to ignore S-1-15-3-* SIDs:
> https://www.cygwin.com/cgit/newlib-cygwin/commit/?id=271f187b7b59a6645e24e9c36b60ba31f6527556
> 
> I think, though, that the current code doesn't completely skip
> resolving those never-resolving SIDs.
> 
> I'm annoyed by those SIDs because they slow down any 'stat()' syscall,
> specially with active directory. Here are strace microsecond times
> (500ms):
> 
> 387924  540348 [main] stat 1327 pwdgrp::fetch_account_from_windows:
> LookupAccountSid(S-1-15-3-65536-3323407561-2172269196-3486974656-4132058316-2250862433-3856296919-434318741-3760235072),
> Win32 error 1332
> 186045  726814 [main] stat 1327 pwdgrp::fetch_account_from_windows:
> LookupAccountSid(S-1-15-3-65536-3323407561-2172269196-3486974656-4132058316-2250862433-3856296919-434318741-3760235072),
> Win32 error 1332
> 
> That slows down a lot things like TAB-completion executing, depending on
> the latency of the AD connection.

Yeah, the numbers are really bad.  I can't reproduce these bad timings,
mine are in the vicinity of 5 ms, so I guess I just don't suffer from
the latency to AD.

> I think that the early part of fetch_account_from_windows should filter
> out S-1-15-3-* SIDs as well, instead of asking AD.

Sounds like the right thing to do.  Actually fetch_account_from_windows
performs a lot of its job only after calling one of the Lookup functions,
but we know that some of these SIDs never resolve.  In case of the
capability SIDs, some of them resolve (some of the well-known ones, see
https://devblogs.microsoft.com/oldnewthing/20220503-00/?p=106557) but we
don't handle them at all and just ignore them.

I pushed a patch which skips not only Capability SIDs, but also AzureAD
SIDs, IIS APPPOOL SIDs and Samba-generated SIDs.
https://sourceware.org/cgit/newlib-cygwin/commit/?id=e04891d67ac7

Please give the next test release cygwin-3.7.0-0.52.ge04891d67ac7 a try.


Thanks,
Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple