case sensitivity, "Match User" and "AllowUsers"

Sat Feb 20 05:47:24 EST 2010

> On Feb 19 02:41, Ben Lindstrom wrote:
> > On Feb 18, 2010, at 2:51 PM, Corinna Vinschen wrote:
> > > On Feb 18 12:30, Ben Lindstrom wrote:
> > >> Think about this for a moment.. if I do
> > >>
> > >> pw = getpwnam("MoUrInG");
> > >>
> > >> and I get back
> > >>
> > >> pw->pw_name = "mouring"
> > >>
> > >> Whose fault is it?  OpenSSH or the OS that it is running on?
> > >
> > > It's not Cygwin's fault.
> >
> > So you are saying that cygwin's getpw*() functions are written by
> > Microsoft thus are closed source and not implemented via glibc?  If
> 
> They are implemented as open source but not via glibc.
> 
> > that is the case then you may have an argument.   If you are using
> > getpw*() from glibc or an other cygwin maintained libraries then
> > you've lost the argument since it is then cygwin's issue.
> >
> > > Usernames on Windows *are* caseinsensitive.
> > > The password entry contains the name in one format, but you can write
> > > in in every case.  That's a property of the underlying system.
> >
> > You do your community a disservice by propagating this misfeature.
> 
> I don't think so.  A system using caseinsensitive usernames is as valid
> as a system using casesensitive usernames.  You might not like it, but
> opinion doesn't change the fact.  Cygwin has no choice in the matter if
> it wants to work smoothly on Windows.
> 
> Our passwd entries are usually generated from the Windows SAM or AD,
> whatever is used in the environment.  Admins often use case in usernames
> like, say, "Corinna", with uppercase c when entering the user in the
> database.  Sometimes, in bigger companies, it's even an automatic
> process generating usernames from the real user name.  That does not
> mean the user can't login using any other case, like simple lowercase,
> "corinna".  It's the same username using the same password, and both
> meaning the same user SID (Windows equivalent to uid/gid).
> 
> Ok, so the username "foo", "Foo", and "FOO", all mean the same user on
> Windows.  Why exactly then should it be wrong, if Cygwin returns the
> same passwd entry with the same uid for the user?  After all, it *is*
> the same user.  *Not* returning the passwd entry and claiming the user
> doesn't exist would be wrong.
> 
> Last but not least, POSIX-1.2008 only says this:
> 
>   The getpwnam() function shall search the user database for an entry
>   with a matching name.
> 
> Note the lack of a requirement that "matching" means "strcmp".
> 
> 
> Corinna
> 
I must say once again I don't think getpwnam is the core of the problem.  

>From what I can tell (again, may not be correct, I was hoping for enlightenment from someone reading this), "AllowUsers" looks at pw->pw_name and "Match User" looks at authctxt->user.  I have no idea why this is, but code that assumes two non-const values are equal seems way more wrong to me than either side of the getpwnam argument.