From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Date: Wed, 07 May 2014 12:40:00 -0000
Message-ID: <20140507124038.GG30918@calimero.vinschen.de>
In-Reply-To: <20140507115730.GE30918@calimero.vinschen.de>
References: <5367ACED.40409@breisch.org> <20140505154230.GB7694@calimero.vinschen.de> <5367B990.8050907@breisch.org> <20140505165723.GM30918@calimero.vinschen.de> <5367DEE5.5010407@breisch.org> <20140506125203.GO30918@calimero.vinschen.de> <53691564.1070200@breisch.org> <20140506171626.GZ30918@calimero.vinschen.de> <53692867.4060305@breisch.org> <20140507115730.GE30918@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
On May 7 13:57, Corinna Vinschen wrote:
> I toyed around with the Microsoft Account a bit more. And here's why
> the primary group SID being identical to the user SID is not a good
> idea:
>
> Security checks.
>
> For instance:
>
> $ echo $USER
> VMBERT8164+local_000
> $ screen
> Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
>
> Huh?
>
> $ ls -l /tmp/uscreens/
> total 0
> drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
>
> Uh Oh.
>
> This will be a problem with other security sensitive applications, too.
> Sshd comes to mind.
>
> So I guess we really should make sure the primary group SID is some
> valid group, not the user's SID.
>
> "None" is not an option since it's not in the user token group list.
>
> "Users" seems to be the best choice at first sight.
>
> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> That would be in line with the idea to have a user-specific primary
> group.
>
> Thoughts?

And here's a problem which I'm not sure how to solve at all:

When calling the latest mkpasswd, the primary group of the local user
account backing the Microsoft Account will *still* be "None". The reason
is that the local account is just the same old account as usual. Its
default primary group *is* "None". Only when logging in via the Microsoft
Account email address, the user token will not reflect what's stored in
the local SAM, but will have been changed by the OS as outlined in this
thread.

So, when a user decides to create a passwd file rather than using the
SAM/DB code in Cygwin, the information generated by mkpasswd will not
match the user token, and the primary group stored in /etc/passwd will
not even be available at all in the user token.

I have not the faintest idea how to work around this schizophrenia.
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
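The two mismatches in the mail, modelled as an added example (not code from Cygwin, screen, sshd or the mail's author): a primary group SID that aliases the user SID makes the group mode bits mirror the owner bits, so a "must be mode 700" check such as screen's, or sshd's StrictModes, fails on a directory only the owner can access; and a passwd file written from the SAM can name a primary group that is not in the logon token at all. The machine SID, user SID, ACE masks, the DACL-to-mode mapping, the gid-to-SID rule and the passwd line are all constructed and simplified for illustration; the candidate group-selection rule is the one the thread sketches ("None" only if present in the token, else "Users"), not Cygwin's implementation.

```python
"""Model of the two mismatches described in the mail (added example, not
Cygwin's, screen's or sshd's code).  SIDs, ACE masks, the mode mapping,
the gid-to-SID rule and the passwd line are constructed for illustration
and simplified compared to Windows and Cygwin."""
from dataclasses import dataclass

# Simplified per-class permission bits (constructed; real FILE_* masks differ).
READ, WRITE, EXEC = 0o4, 0o2, 0o1
EVERYONE = "S-1-1-0"            # well-known Everyone SID, feeds the "other" class
BUILTIN_USERS = "S-1-5-32-545"  # well-known BUILTIN\Users SID


@dataclass(frozen=True)
class Ace:
    """One access-allowed ACE: which SID gets which (simplified) rights."""
    sid: str
    mask: int


def mode_from_dacl(owner_sid, group_sid, dacl):
    """Derive owner/group/other rwx bits from allow ACEs.

    Each class is the union of the masks of ACEs naming its SID.  When the
    primary group SID is the user's own SID, the single ACE for that SID
    feeds both the owner and the group class, so the group bits mirror the
    owner bits: the drwxrwx--- seen in the thread.
    """
    def bits(sid):
        mask = 0
        for ace in dacl:
            if ace.sid == sid:
                mask |= ace.mask
        return mask
    return (bits(owner_sid) << 6) | (bits(group_sid) << 3) | bits(EVERYONE)


def screen_dir_ok(mode):
    """screen requires its per-user socket directory to be exactly mode 700."""
    return (mode & 0o777) == 0o700


def sshd_strict_modes_ok(mode):
    """sshd's StrictModes rejects group- or world-writable key files and dirs."""
    return (mode & 0o022) == 0


def choose_primary_group(user_sid, token_primary_group, token_groups, domain_sid):
    """Candidate rule from the thread: never let the primary group alias the
    user; otherwise pick a group that is actually present in the token,
    trying the account's "None" group (RID 513) before BUILTIN\\Users."""
    none_sid = f"{domain_sid}-513"
    if token_primary_group != user_sid and token_primary_group in token_groups:
        return token_primary_group
    for candidate in (none_sid, BUILTIN_USERS):
        if candidate in token_groups:
            return candidate
    return None


def passwd_gid_in_token(passwd_line, domain_sid, token_groups):
    """Second problem: /etc/passwd from mkpasswd carries the SAM's primary
    group gid, but that group need not be in the Microsoft Account logon
    token at all.  The gid -> SID rule (domain SID + gid as RID) is a
    constructed stand-in for Cygwin's real mapping."""
    gid = int(passwd_line.split(":")[3])
    return f"{domain_sid}-{gid}" in token_groups


if __name__ == "__main__":
    domain = "S-1-5-21-1111-2222-3333"        # constructed machine SID
    user = f"{domain}-1001"                    # constructed local account SID
    dacl = [Ace(user, READ | WRITE | EXEC)]    # only the owner holds an ACE
    # Microsoft Account logon: primary group SID == user SID.
    ms_mode = mode_from_dacl(user, user, dacl)
    print(f"group == user:  mode {ms_mode:o}, screen ok? {screen_dir_ok(ms_mode)}")
    # Primary group remapped to a real group holding no ACE on the directory.
    fixed_mode = mode_from_dacl(user, BUILTIN_USERS, dacl)
    print(f"group == Users: mode {fixed_mode:o}, screen ok? {screen_dir_ok(fixed_mode)}")
    token_groups = {BUILTIN_USERS, EVERYONE}   # "None" (RID 513) absent, as in the mail
    print("chosen primary group:", choose_primary_group(user, user, token_groups, domain))
    # Constructed mkpasswd-style line: gid 513 is the SAM's "None" group.
    passwd = "VMBERT8164+local_000:*:1001:513:U-VMBERT8164\\local_000:/home/local_000:/bin/bash"
    print("passwd gid present in token?", passwd_gid_in_token(passwd, domain, token_groups))
```

Running the script prints mode 770 and a failed screen check for the aliased primary group, mode 700 once the group is a SID with no ACE of its own, BUILTIN\Users as the selected group because RID 513 is missing from the token, and False for the passwd line, which is the mkpasswd mismatch the mail describes.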