Date: Wed, 7 May 2014 16:20:12 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)

On May 7 17:53, Andrey Repin wrote:
> Greetings, Corinna Vinschen!
>
> > I toyed around with the Microsoft Account a bit more. And here's why
> > the primary group SID being identical to the user SID is not a good
> > idea:
>
> > Security checks.
>
> > For instance:
>
> >   $ echo $USER
> >   VMBERT8164+local_000
> >   $ screen
> >   Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
>
> > Huh?
>
> >   $ ls -l /tmp/uscreens/
> >   total 0
> >   drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
>
> > Uh Oh.
>
> I concur.
> But mostly because of blind check "if it's not 700, it's wrong".
> No, it's not wrong, you dumb piece of code, it's your check isn't right.

No, the check is right from a POSIX POV. How is a POSIX application
supposed to know that the group with gid 12345 is in fact the user with
the uid 12345? That's not possible in a POSIX environment.

> > This will be a problem with other security sensitive applications, too.
> > Sshd comes to mind.
>
> > So I guess we really should make sure the primary group SID is some
> > valid group, not the user's SID.
>
> > "None" is not an option since it's not in the user token group list.
>
> > "Users" seems to be the best choice at first sight.
>
> For local SAM account.

...or "Domain Users" for AD accounts, probably.

> > Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> > That would be in line with the idea to have a user-specific primary
> > group.
>
> For M$ accounts, perhaps.

Eh? This thread *is* about Microsoft Accounts. We don't have this
problem for normal accounts.

> When you said I can set up a primary group for my account in SAM database,
> what did you mean? The <cygwin/> magic or something more system-specific?

The <cygwin/> magic, yes.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
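
An added example, not part of the original message and not screen's actual source: a strict per-user directory check of the kind the message describes, showing why a directory with mode drwxrwx--- is rejected even when the group is numerically the same principal as the owner. The names check_private_dir and dir_check and the scratch path are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum dir_check { DIR_OK = 0, DIR_ERR_STAT, DIR_ERR_TYPE, DIR_ERR_OWNER, DIR_ERR_MODE };

/* Accept a per-user directory only if it is a real directory (not a
 * symlink), owned by `uid`, with permission bits exactly 0700.
 * Only numeric ids are compared: POSIX gives the application no way to
 * learn that st_gid names the same principal as st_uid, so any group
 * permission bit has to be treated as access by somebody else. */
enum dir_check check_private_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return DIR_ERR_STAT;
    if (!S_ISDIR(st.st_mode))
        return DIR_ERR_TYPE;
    if (st.st_uid != uid)
        return DIR_ERR_OWNER;
    if ((st.st_mode & 0777) != 0700)
        return DIR_ERR_MODE;
    return DIR_OK;
}

/* Constructed demo: create a scratch directory, give it the drwxrwx---
 * mode from the ls output above, check it, then tighten it to 0700. */
int demo(enum dir_check *loose, enum dir_check *tight)
{
    char tmpl[] = "/tmp/privdir-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (chmod(tmpl, 0770) != 0) { rmdir(tmpl); return -1; }
    *loose = check_private_dir(tmpl, geteuid());
    if (chmod(tmpl, 0700) != 0) { rmdir(tmpl); return -1; }
    *tight = check_private_dir(tmpl, geteuid());
    return rmdir(tmpl);
}

int main(void)
{
    enum dir_check loose, tight;
    if (demo(&loose, &tight) != 0) { perror("demo"); return 1; }
    printf("mode 0770 -> %d, mode 0700 -> %d\n", loose, tight);
    return 0;
}
```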