public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Date: Wed, 07 May 2014 11:57:00 -0000
Message-ID: <20140507115730.GE30918@calimero.vinschen.de>
In-Reply-To: <53692867.4060305@breisch.org>


On May  6 14:22, Chris J. Breisch wrote:
> Corinna Vinschen wrote:
> >On May  6 13:01, Chris J. Breisch wrote:
> >>Corinna Vinschen wrote:
> >>>Other than that, I'm open to discuss the necessity(?) to override
> >>>the primary group by default.  But, in fact, I'm not sure this really
> >>>makes sense.  Linux systems default to creating a user-specific group
> >>>account and using that as the user's primary group for years.  The
> >>>Windows Account technique isn't quite as nice, but admittedly, it
> >>>does its job just as well.
> >>Yes, I've experienced that on Linux, but I don't recall having these
> >>file permission issues there. Perhaps I just never noticed though.
> >
> >No, it *is* different.  On Linux you get a user account called "Chris"
> >and a group account called "Chris", and they are different because users
> >and groups are totally different beasts on POSIX systems.  You can have
> >a user with uid 42 and a group with gid 42 and they are still different.
> >
> >On Windows, users and groups are identified not by uid/gid, but by
> >their SID.  The SID is a unique value, but other than that, a SID can
> >be a user or a group and in lots of cases Windows doesn't care.
> >A group can be owner of a file and a user can be the group of the file,
> >it just doesn't matter to Windows.
> >
> >The permission "problem" you're seeing is a result of that.  Your user
> >*and* your primary group are both your user's SID.  Therefore the same
> >account is user and primary group at the same time.  Therefore, if
> >the file is created, it gets created with an ACL with user and group
> >being the same account.  Therefore the POSIX translation of the user
> >and group permissions on the file are always the same.
> >
> >Does this clear it up?
> 
> Yes, that makes complete sense. Thank you again.

I toyed around with the Microsoft Account a bit more.  And here's why
the primary group SID being identical to the user SID is not a good
idea:

  Security checks.

For instance:

  $ echo $USER
  VMBERT8164+local_000
  $ screen
  Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.

Huh?

  $ ls -l /tmp/uscreens/
  total 0
  drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000

Uh Oh.

This will be a problem with other security sensitive applications, too.
Sshd comes to mind.

So I guess we really should make sure the primary group SID is some
valid group, not the user's SID.

"None" is not an option since it's not in the user token group list.

"Users" seems to be the best choice at first sight.

Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
That would be in line with the idea to have a user-specific primary
group.

Thoughts?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

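As an added illustration (not code from this thread or from Cygwin itself), here is a simplified Python model of the ACL-to-mode translation Corinna describes, showing why a user whose primary group SID is its own SID can never satisfy screen's "mode 700" check, and why a distinct primary group such as Users fixes it. The user SID is constructed, and the model ignores deny ACEs and inheritance.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Ace:
    sid: str    # SID this entry grants access to
    perms: int  # rwx bits granted (R | W | X)


def posix_mode(owner_sid, group_sid, aces):
    """Simplified translation of an allow-only ACL into POSIX mode bits.

    An ACE contributes to the owner class when its SID is the owner, to the
    group class when its SID is the primary group, and to 'other' when it is
    Everyone (S-1-1-0).  If owner_sid == group_sid, every owner ACE is also a
    group ACE, so the owner and group classes can never differ.
    """
    owner = group = other = 0
    for ace in aces:
        if ace.sid == owner_sid:
            owner |= ace.perms
        if ace.sid == group_sid:
            group |= ace.perms
        if ace.sid == "S-1-1-0":
            other |= ace.perms
    return (owner << 6) | (group << 3) | other


def ls_mode(mode, is_dir=True):
    """Render mode bits the way ls -l does, e.g. drwxrwx---."""
    bits = "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))
    return ("d" if is_dir else "-") + bits


def private_dir_ok(mode):
    """The check screen(1) applies to its socket directory: exactly 0700."""
    return mode == 0o700


USER = "S-1-5-21-1000"        # constructed user SID, not a real account
USERS_GROUP = "S-1-5-32-545"  # well-known BUILTIN\Users SID
ACL = [Ace(USER, R | W | X)]  # the directory's ACL: only the user has access


def microsoft_account_case():
    """Primary group SID == user SID, the situation described in the thread."""
    return posix_mode(USER, USER, ACL)


def distinct_group_case():
    """Primary group set to Users, one of the fixes proposed above."""
    return posix_mode(USER, USERS_GROUP, ACL)
```

Running `ls_mode(microsoft_account_case())` yields `drwxrwx---` even though only one account has access, which is exactly the `ls -l` output quoted above.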
