From: Andrey Repin
Reply-To: cygwin@cygwin.com
To: Corinna Vinschen
Date: Wed, 07 May 2014 14:05:00 -0000
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Message-ID: <109019802.20140507175308@yandex.ru>
In-Reply-To: <20140507115730.GE30918@calimero.vinschen.de>
References: <20140505144745.GA6993@calimero.vinschen.de> <5367ACED.40409@breisch.org> <20140505154230.GB7694@calimero.vinschen.de> <5367B990.8050907@breisch.org> <20140505165723.GM30918@calimero.vinschen.de> <5367DEE5.5010407@breisch.org> <20140506125203.GO30918@calimero.vinschen.de> <53691564.1070200@breisch.org> <20140506171626.GZ30918@calimero.vinschen.de> <53692867.4060305@breisch.org> <20140507115730.GE30918@calimero.vinschen.de>
X-SW-Source: 2014-05/txt/msg00125.txt.bz2

Greetings, Corinna Vinschen!

> I toyed around with the Microsoft Account a bit more. And here's why
> the primary group SID being identical to the user SID is not a good
> idea:
>
> Security checks.
>
> For instance:
>
> $ echo $USER
> VMBERT8164+local_000
> $ screen
> Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
>
> Huh?
>
> $ ls -l /tmp/uscreens/
> total 0
> drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
>
> Uh Oh.

I concur. But mostly because of the blind check "if it's not 700, it's wrong".
No, it's not wrong, you dumb piece of code, it's your check that isn't right.

> This will be a problem with other security sensitive applications, too.
> Sshd comes to mind.
>
> So I guess we really should make sure the primary group SID is some
> valid group, not the user's SID.
>
> "None" is not an option since it's not in the user token group list.
> "Users" seems to be the best choice at first sight.

For local SAM account.

> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> That would be in line with the idea to have a user-specific primary
> group.

For M$ accounts, perhaps.

> Thoughts?

I'm with you on this one.

P.S.
When you said I can set up a primary group for my account in SAM database, what did you mean?
The magic or something more system-specific?

--
WBR, Andrey Repin (anrdaemon@yandex.ru) 07.05.2014, <17:49>

Sorry for my terrible English...
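The exchange above turns on a "mode must be exactly 700" test firing on a directory that is, in practice, reachable only by its owner (owner and primary group are the same principal). The following is an added example, not code from screen, Cygwin, or either participant: it models the blind mode check beside a check that asks the underlying question (which principals can reach the directory?) so the two can be compared on the thread's scenario. The group table, the "Everyone" ACL entry and the case names are constructed for the example; `DirInfo` and the helper names are hypothetical.

```python
"""Added example: blind "mode == 0700" check vs. a principal-based privacy check.

Not screen's, Cygwin's, or the thread participants' code. All principals, group
memberships and ACL entries below are constructed for illustration.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DirInfo:
    """Minimal model of one `ls -l` line plus any extra ACL entries (the trailing '+')."""
    owner: str
    group: str
    mode: int                                # permission bits, e.g. 0o770
    acl_allow: frozenset = frozenset()       # principals granted access by extra ACL entries


def blind_check(d: DirInfo) -> bool:
    """The check as the thread paraphrases it: anything other than 0700 is rejected."""
    return stat.S_IMODE(d.mode) == 0o700


def principals_with_access(d: DirInfo, group_members: dict) -> frozenset:
    """Everyone the mode bits and ACL entries let in. '*' stands for 'everyone'
    (any world bit set); group bits expand to the group's membership."""
    mode = stat.S_IMODE(d.mode)
    who = set()
    if mode & stat.S_IRWXU:
        who.add(d.owner)
    if mode & stat.S_IRWXG:
        who |= group_members.get(d.group, set())
    if mode & stat.S_IRWXO:
        who.add("*")
    who |= d.acl_allow
    return frozenset(who)


def semantic_check(d: DirInfo, expected_owner: str, group_members: dict) -> bool:
    """Private iff the expected owner is the only principal that can reach the directory."""
    return (d.owner == expected_owner
            and principals_with_access(d, group_members) == {expected_owner})


USER = "VMBERT8164+local_000"

# Constructed group table: the user's "own" group (user SID used as group SID) has only
# the user as a member; a conventional "Users" group has other members too.
GROUPS = {
    USER: {USER},
    "Users": {USER, "alice", "bob"},
}

# Constructed cases; the second mirrors the `ls -l` line quoted in the thread.
CASES = {
    "mode 700, no ACL": DirInfo(USER, USER, 0o700),
    "thread case: 770, group == user": DirInfo(USER, USER, 0o770),
    "770, primary group Users": DirInfo(USER, "Users", 0o770),
    "700 but ACL grants Everyone": DirInfo(USER, USER, 0o700, frozenset({"Everyone"})),
}


def evaluate(cases=CASES):
    """Return {case name: (blind_check result, semantic_check result)}."""
    return {name: (blind_check(d), semantic_check(d, USER, GROUPS)) for name, d in cases.items()}


if __name__ == "__main__":
    for name, (blind, sem) in evaluate().items():
        print(f"{name:36} blind={blind!s:5} semantic={sem}")
```

Two of the constructed cases are the interesting ones: the thread's directory (0770, group membership = {owner}) fails the blind check although nobody else can reach it, while a 0700 directory with an extra ACL entry passes the blind check although someone else can. A mode comparison is a proxy for "only the owner has access", and on a system with ACLs and user-specific primary groups the proxy is wrong in both directions; checking the effective set of principals is what the application actually wants.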