Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
List-Id: | <cygwin.cygwin.com> |
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
List-Archive: | <http://sourceware.org/ml/cygwin/> |
List-Post: | <mailto:cygwin AT cygwin DOT com> |
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
Sender: | cygwin-owner AT cygwin DOT com |
Mail-Followup-To: | cygwin AT cygwin DOT com |
Delivered-To: | mailing list cygwin AT cygwin DOT com |
Date: | Wed, 7 May 2014 17:53:08 +0400 |
From: | Andrey Repin <anrdaemon AT yandex DOT ru> |
Reply-To: | cygwin AT cygwin DOT com |
Message-ID: | <109019802.20140507175308@yandex.ru> |
To: | Corinna Vinschen <cygwin AT cygwin DOT com> |
Subject: | Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members) |
In-Reply-To: | <20140507115730.GE30918@calimero.vinschen.de> |
References: | <20140505144745 DOT GA6993 AT calimero DOT vinschen DOT de> <5367ACED DOT 40409 AT breisch DOT org> <20140505154230 DOT GB7694 AT calimero DOT vinschen DOT de> <5367B990 DOT 8050907 AT breisch DOT org> <20140505165723 DOT GM30918 AT calimero DOT vinschen DOT de> <5367DEE5 DOT 5010407 AT breisch DOT org> <20140506125203 DOT GO30918 AT calimero DOT vinschen DOT de> <53691564 DOT 1070200 AT breisch DOT org> <20140506171626 DOT GZ30918 AT calimero DOT vinschen DOT de> <53692867 DOT 4060305 AT breisch DOT org> <20140507115730 DOT GE30918 AT calimero DOT vinschen DOT de> |
MIME-Version: | 1.0 |
X-IsSubscribed: | yes |
Greetings, Corinna Vinschen!

> I toyed around with the Microsoft Account a bit more. And here's why
> the primary group SID being identical to the user SID is not a good
> idea:

> Security checks.

> For instance:

> $ echo $USER
> VMBERT8164+local_000
> $ screen
> Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.

> Huh?

> $ ls -l /tmp/uscreens/
> total 0
> drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000

> Uh Oh.

I concur. But mostly because of the blind check "if it's not 700, it's wrong".
No, it's not wrong, you dumb piece of code, it's your check that isn't right.

> This will be a problem with other security sensitive applications, too.
> Sshd comes to mind.

> So I guess we really should make sure the primary group SID is some
> valid group, not the user's SID.

> "None" is not an option since it's not in the user token group list.
> "Users" seems to be the best choice at first sight.

For a local SAM account.

> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> That would be in line with the idea to have a user-specific primary
> group.

For M$ accounts, perhaps.

> Thoughts?

I'm with you on this one.

P.S.
When you said I can set up a primary group for my account in the SAM database,
what did you mean? The <cygwin/> magic or something more system-specific?

--
WBR,
Andrey Repin (anrdaemon AT yandex DOT ru) 07.05.2014, <17:49>

Sorry for my terrible English...

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple