Mail Archives: cygwin/2014/05/07/10:44:12

X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:date:from:to:subject:message-id:reply-to
:references:mime-version:content-type:in-reply-to; q=dns; s=
default; b=lfDCsPGbKXv4laaVh/V98XOUqPC6NmRLPPfBVb20R/cSqn13OgsoE
+qDtLzRB6YB7VUcmo5d7Icfg8W5l8q6rRo1XSS05lEX7Qdu5x6desxM+phTED3TV
0OKhKQ6+4yj6k1HyQxF+QnthHwYH3FexXd7TaJ09t4z65ahQBWlzRc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
:list-unsubscribe:list-subscribe:list-archive:list-post
:list-help:sender:date:from:to:subject:message-id:reply-to
:references:mime-version:content-type:in-reply-to; s=default;
bh=xChlsNIrTH6vRITpdZdj0K0SVPo=; b=qAwNtRrad369gp+co5U6aiW93sJn
jT+tfCi1FvUcNyizgi6obmlIXN4nCOEMQclYtPiAokl5sZrSwDs9cBca1vJ9688a
ezqT2BRsxBKxPTV/9vytdfDNokhQ/rZtxOUm+onwUQi72N+Dd3haxVLXt3RzWCvN
Ww2PutcOasjO0wQ=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.2
X-HELO: calimero.vinschen.de
Date: Wed, 7 May 2014 16:43:50 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Message-ID: <20140507144350.GL30918@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <5367B990 DOT 8050907 AT breisch DOT org> <20140505165723 DOT GM30918 AT calimero DOT vinschen DOT de> <5367DEE5 DOT 5010407 AT breisch DOT org> <20140506125203 DOT GO30918 AT calimero DOT vinschen DOT de> <53691564 DOT 1070200 AT breisch DOT org> <20140506171626 DOT GZ30918 AT calimero DOT vinschen DOT de> <53692867 DOT 4060305 AT breisch DOT org> <20140507115730 DOT GE30918 AT calimero DOT vinschen DOT de> <109019802 DOT 20140507175308 AT yandex DOT ru> <20140507142012 DOT GJ30918 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
In-Reply-To: <20140507142012.GJ30918@calimero.vinschen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)


On May  7 16:20, Corinna Vinschen wrote:
> On May  7 17:53, Andrey Repin wrote:
> > Greetings, Corinna Vinschen!
> >
> > > I toyed around with the Microsoft Account a bit more.  And here's why
> > > the primary group SID being identical to the user SID is not a good
> > > idea:
> >
> > >   Security checks.
> >
> > > For instance:
> >
> > >   $ echo $USER
> > >   VMBERT8164+local_000
> > >   $ screen
> > >   Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
> >
> > > Huh?
> >
> > >   $ ls -l /tmp/uscreens/
> > >   total 0
> > >   drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000
> >
> > > Uh Oh.
> >
> > I concur.
> > But mostly because of blind check "if it's not 700, it's wrong".
> > No, it's not wrong, you dumb piece of code, it's your check that isn't right.
>
> No, the check is right from a POSIX POV.  How is a POSIX application
> supposed to know that the group with gid 12345 is in fact the user
> with the uid 12345?  That's not possible in a POSIX environment.
>
> > > This will be a problem with other security sensitive applications, too.
> > > Sshd comes to mind.
> >
> > > So I guess we really should make sure the primary group SID is some
> > > valid group, not the user's SID.
> >
> > > "None" is not an option since it's not in the user token group list.
> >
> > > "Users" seems to be the best choice at first sight.
> >
> > For local SAM account.
>
> ...or "Domain Users" for AD accounts, probably.

AFAICS, domain accounts don't matter.  You can connect your domain
account to a Microsoft Account, but its token will reflect the
domain settings exactly.  So, AFAICS, only local accounts are affected
at all.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
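The "must have mode 700" complaint quoted above is a generic POSIX private-directory check: the program only sees an owner uid, a group gid and permission bits, and has no way to learn that the gid names the same principal as the uid. The following is an added example (not code from the Cygwin project or from screen) that reproduces such a check and shows it rejecting a directory whose group access bits are set, even when the group is the owner's own account, then accepting it once the mode is 0700. The directory name `S-local_000` is a constructed stand-in for the `/tmp/uscreens/S-<user>` path in the message; the 0770 mode mirrors the `drwxrwx---` listing shown there.

```python
"""Reproduce a POSIX-style "private directory must be mode 700" check,
in the spirit of the one screen applies to its socket directory.

Added example; it is not Cygwin or screen code.  The check deliberately
ignores st_gid: a POSIX program cannot know that gid N is the same
principal as uid N, so any group or other access bits count as exposure.
"""
import os
import stat
import tempfile


def private_dir_problem(st_mode, st_uid, st_gid, expected_uid):
    """Return None if (st_mode, st_uid) describe an acceptable private
    per-user directory for expected_uid, else a string naming the problem.

    st_gid is accepted only to make the point explicit: it plays no part
    in the verdict, because there is no portable way to relate it to
    st_uid.
    """
    if not stat.S_ISDIR(st_mode):
        return "not a directory"
    if st_uid != expected_uid:
        return "not owned by uid %d" % expected_uid
    perm = stat.S_IMODE(st_mode)  # strip file-type bits, keep rwx/suid/sgid/sticky
    if perm != 0o700:
        return "must have mode 700, found %o" % perm
    return None


def check_path(path, expected_uid=None):
    """Run the check against a real path (lstat, so a symlink is not followed)."""
    st = os.lstat(path)
    if expected_uid is None:
        expected_uid = os.getuid()
    return private_dir_problem(st.st_mode, st.st_uid, st.st_gid, expected_uid)


def demo():
    """Create a directory like /tmp/uscreens/S-<user> (constructed name),
    grant the group the same access as the owner, as the ls -l output in
    the message shows for a user whose primary group SID is the user's
    own SID, and return the check's verdict before and after chmod 700.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "S-local_000")
        os.mkdir(d, 0o700)
        os.chmod(d, 0o770)  # group bits set; group may "be" the owner, check cannot tell
        before = check_path(d)
        os.chmod(d, 0o700)
        after = check_path(d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 770:", before)
    print("mode 700:", after)
```

Running the script prints the same kind of refusal screen gives for the 0770 directory and `None` after the directory is tightened to 0700. The point is the one made in the thread: the check is correct from the application's side, so the fix belongs in how the account's primary group is reported, not in the application.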


  Copyright © 2019   by DJ Delorie     Updated Jul 2019