Date: Wed, 7 May 2014 17:53:08 +0400
From: Andrey Repin <anrdaemon@yandex.ru>
Reply-To: cygwin@cygwin.com
Message-ID: <109019802.20140507175308@yandex.ru>
To: Corinna Vinschen <cygwin@cygwin.com>
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)

Greetings, Corinna Vinschen!

> I toyed around with the Microsoft Account a bit more.  And here's why
> the primary group SID being identical to the user SID is not a good
> idea:

>   Security checks.

> For instance:

>   $ echo $USER
>   VMBERT8164+local_000
>   $ screen
>   Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.

> Huh?

>   $ ls -l /tmp/uscreens/
>   total 0
>   drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000

> Uh Oh.

I concur.
But mostly because of the blind check "if it's not 700, it's wrong".
No, it's not wrong, you dumb piece of code, it's your check that isn't right.

> This will be a problem with other security sensitive applications, too.
> Sshd comes to mind.

> So I guess we really should make sure the primary group SID is some
> valid group, not the user's SID.

> "None" is not an option since it's not in the user token group list.

> "Users" seems to be the best choice at first sight.

For local SAM account.

> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> That would be in line with the idea to have a user-specific primary
> group.

For M$ accounts, perhaps.

> Thoughts?

I'm with you on this one.

P.S.
When you said I can set up a primary group for my account in the SAM database,
what did you mean? The <cygwin/> magic or something more system-specific?


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 07.05.2014, <17:49>

Sorry for my terrible English...
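
Added example, not part of the thread and not screen's source: a strict "directory must have mode 700" test applied to the mode column of the `ls -l` listing quoted in the message, reporting which permission class trips it. The function names and finding flags are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Finding flags (hypothetical names). 0 means the strict check accepts. */
enum { MALFORMED = 1, NOT_DIR = 2, OWNER_INCOMPLETE = 4,
       GROUP_ACCESS = 8, OTHER_ACCESS = 16 };

/* Convert the mode column of `ls -l` (e.g. "drwxrwx---+") into permission
 * bits. A trailing '+' (ACL marker) is ignored; setuid/setgid/sticky
 * letters are treated as malformed. Returns -1 on bad input. */
static int ls_mode_bits(const char *col, int *is_dir)
{
    static const char want[] = "rwxrwxrwx";
    int bits = 0;

    if (col == NULL || strlen(col) < 10)
        return -1;
    *is_dir = (col[0] == 'd');
    for (int i = 0; i < 9; i++) {
        char c = col[1 + i];
        if (c == want[i])
            bits |= 1 << (8 - i);
        else if (c != '-')
            return -1;
    }
    return bits;
}

/* Strict "directory must have mode 700" test on an `ls -l` mode column. */
static int strict_700_findings(const char *col)
{
    int is_dir = 0, findings = 0;
    int bits = ls_mode_bits(col, &is_dir);

    if (bits < 0) return MALFORMED;
    if (!is_dir) return NOT_DIR;
    if ((bits & 0700) != 0700) findings |= OWNER_INCOMPLETE;
    if (bits & 0070) findings |= GROUP_ACCESS;
    if (bits & 0007) findings |= OTHER_ACCESS;
    return findings;
}

int main(void)
{
    /* Mode column copied from the listing quoted in the message. */
    printf("drwxrwx---+ -> %d\n", strict_700_findings("drwxrwx---+"));
    printf("drwx------  -> %d\n", strict_700_findings("drwx------"));
    return 0;
}
```

For the quoted directory the only finding is the group class: with the primary group SID identical to the user SID, the group bits mirror the owner bits, so a mode-only test sees 770 instead of 700.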



