On Feb 13 10:43, Christopher Faylor wrote:
> On Thu, Feb 13, 2014 at 03:44:19PM +0100, Corinna Vinschen wrote:
> >Yes, I think so too. I have some preliminary code (actually, just
> >empty function shells right now) which are supposed to implement
> >full enumerating.
> >
> >However, system admins might not exactly approve. I discussed this
> >with our Linux folks, and I learned that NSS backends like SSSD or
> >winbind default to NOT allowing enumerating, but giving the admin a
> >choice to enable it.
> >
> >So I think for our case a configuration option in /etc/nsswitch.conf
> >to limit the scope of the enumeration might be feasible.
>
> Or, nscd.conf which has stuff like:
>
> enable-cache passwd yes
> positive-time-to-live passwd 600
> negative-time-to-live passwd 20
> suggested-size passwd 211
> check-files passwd yes
> persistent passwd yes
> shared passwd yes
> max-db-size passwd 33554432
> auto-propagate passwd yes
I know that nsswitch.conf is not quite the right place for the
configuration variables, but I was reluctant to introduce YA file to
read at startup. If nobody cares, we can also go with a limited
nscd.conf approach for the configuration variables.

> I understand why a sysadmin might not want you to be able to enumerate
> user names but that really isn't, IMO, a reason not to implement the
> functionality (not that you are proposing this). You obviously can't
> assume that people won't exercise the capability if it is available.
>
> Security through obscurity...? Nah.

Nah. But restricting the capability for pure networking reasons is in
order, IMHO. Assuming that Cygwin has been set up by an admin and the
/etc files are not writable by the ordinary user, of course.

Corinna

--
Corinna Vinschen
Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat