Mail Archives: cygwin/2014/05/07/10:35:20

Date: Wed, 7 May 2014 16:34:57 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Message-ID: <20140507143457.GK30918@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20140505154230 DOT GB7694 AT calimero DOT vinschen DOT de> <5367B990 DOT 8050907 AT breisch DOT org> <20140505165723 DOT GM30918 AT calimero DOT vinschen DOT de> <5367DEE5 DOT 5010407 AT breisch DOT org> <20140506125203 DOT GO30918 AT calimero DOT vinschen DOT de> <53691564 DOT 1070200 AT breisch DOT org> <20140506171626 DOT GZ30918 AT calimero DOT vinschen DOT de> <53692867 DOT 4060305 AT breisch DOT org> <20140507115730 DOT GE30918 AT calimero DOT vinschen DOT de> <536A3DA3 DOT 8060508 AT breisch DOT org>
MIME-Version: 1.0
In-Reply-To: <536A3DA3.8060508@breisch.org>
User-Agent: Mutt/1.5.21 (2010-09-15)

On May  7 10:05, Chris J. Breisch wrote:
> Corinna Vinschen wrote:
> >I toyed around with the Microsoft Account a bit more.  And here's why
> >the primary group SID being identical to the user SID is not a good
> >idea:
> >
> >   Security checks.
> >
> >For instance:
> >
> >   $ echo $USER
> >   VMBERT8164+local_000
> >   $ screen
> >   Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
> >
> >Huh?
> >
> >   $ ls -l /tmp/uscreens/
> >   total 0
> >   drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000
> >
> >Uh Oh.
> >
> >This will be a problem with other security sensitive applications, too.
> >Sshd comes to mind.
> >
> Yes, it was when dealing with ssh that I discovered this issue, and
> was the reason I brought it up. Ssh wants many of its files to be
> only accessible by the owner, and not any group.
> 
> >So I guess we really should make sure the primary group SID is some
> >valid group, not the user's SID.
> >
> >"None" is not an option since it's not in the user token group list.
> >
> >"Users" seems to be the best choice at first sight.
> >
> That's what I've thought from the beginning.
> 
> >Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> >That would be in line with the idea to have a user-specific primary
> >group.
> >
> I'm not sure how that helps or even would work. Are you talking
> about creating a group just for Cygwin purposes that wouldn't map to
> an actual group on the box?

No.  As I explained in my mail from yesterday

  http://cygwin.com/ml/cygwin/2014-05/msg00083.html

as soon as you login with your Microsoft account, your user token
contains a special SID which connects your local account with the
Microsoft Account.  It's the account from Windows' whoami /groups
which is called "MicrosoftAccount\<your email>" and a SID starting
with S-1-11-*.  Using the latest Cygwin developer snapshots, you'll
see something along these lines in `id' output:

  $ id
  uid=197613(VMBERT8164+local_000) gid=197613(VMBERT8164+local_000) groups=197613(VMBERT8164+local_000),401408(+Medium Mandatory Level),555(+Remote Desktop Users),545(+Users),14(+REMOTE INTERACTIVE LOGON),4(+INTERACTIVE),11(+Authenticated Users),15(+This Organization),68452(MicrosoftAccount+testuser AT foobar DOT de),113(+Local account),4095(CurrentSession),66048(+LOCAL),262176(+Microsoft Account Authentication)

If we use this account as primary group, you would have both an
unambiguous group gid and a user-specific group.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
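An added example, not from this thread or from Cygwin: it parses the `id` output quoted above to flag the "primary gid equals uid" state, lists the two replacement groups the thread proposes (Users and the S-1-11 MicrosoftAccount group), and replays screen's "must have mode 700" rule against the `ls -l` entry shown earlier. The rule is written from the error text in the thread; sshd's exact check differs and is not modelled.

```python
import re

# Constructed sample: the `id` line quoted in this thread, abbreviated.
# uid and primary gid carry the same number, which is the problematic state.
SAMPLE_ID_OUTPUT = (
    "uid=197613(VMBERT8164+local_000) gid=197613(VMBERT8164+local_000) "
    "groups=197613(VMBERT8164+local_000),401408(+Medium Mandatory Level),"
    "545(+Users),11(+Authenticated Users),"
    "68452(MicrosoftAccount+testuser AT foobar DOT de),113(+Local account)"
)

_ID_LINE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.*)")
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Split one line of `id` output into uid, gid and the token's group list."""
    m = _ID_LINE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not an `id` line: %r" % line)
    groups = [(int(g), name) for g, name in _ENTRY.findall(m.group(5))]
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "group": m.group(4), "groups": groups}


def primary_group_is_user(info):
    """True when the primary gid is the user's own id (the Microsoft Account case)."""
    return info["gid"] == info["uid"]


def candidate_primary_groups(info):
    """Token groups the thread proposes instead: Users or the S-1-11 account group."""
    return [(gid, name) for gid, name in info["groups"]
            if name == "+Users" or name.startswith("MicrosoftAccount")]


def mode_from_ls(perm):
    """Turn an `ls -l` permission string such as 'drwxrwx---+' into an octal mode."""
    mode = 0
    for ch in perm[1:10]:            # skip the type char and any trailing '+'
        mode = (mode << 1) | (0 if ch in "-ST" else 1)
    return mode


def screen_dir_check(mode, owner_uid, uid):
    """screen's rule as quoted in the thread: owned by the caller, no group/other
    bits at all. Group bits count even when the group *is* the user, so a dir
    created with gid == uid and mode 770 is rejected although nobody else can use it."""
    return owner_uid == uid and (mode & 0o077) == 0
```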
