On May 7 17:53, Andrey Repin wrote:
> Greetings, Corinna Vinschen!
>
> > I toyed around with the Microsoft Account a bit more. And here's why
> > the primary group SID being identical to the user SID is not a good
> > idea:
> >
> > Security checks.
> >
> > For instance:
> >
> > $ echo $USER
> > VMBERT8164+local_000
> > $ screen
> > Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
> >
> > Huh?
> >
> > $ ls -l /tmp/uscreens/
> > total 0
> > drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
> >
> > Uh Oh.
>
> I concur.
> But mostly because of the blind check "if it's not 700, it's wrong".
> No, it's not wrong, you dumb piece of code, it's your check that isn't right.

No, the check is right from a POSIX POV.  How is a POSIX application
supposed to know that the group with gid 12345 is in fact the user with
the uid 12345?  That's not possible in a POSIX environment.

> > This will be a problem with other security-sensitive applications, too.
> > Sshd comes to mind.
> >
> > So I guess we really should make sure the primary group SID is some
> > valid group, not the user's SID.
> >
> > "None" is not an option since it's not in the user token group list.
> >
> > "Users" seems to be the best choice at first sight.
>
> For local SAM accounts.

...or "Domain Users" for AD accounts, probably.

> > Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> > That would be in line with the idea to have a user-specific primary
> > group.
>
> For M$ accounts, perhaps.

Eh?  This thread *is* about Microsoft Accounts.  We don't have this
problem for normal accounts.

> When you said I can set up a primary group for my account in the SAM database,
> what did you mean? The magic or something more system-specific?

The magic, yes.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
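To make the point of the exchange concrete, here is an added example (not part of the thread, and not screen's own code) of the kind of "private directory" check a POSIX program such as screen applies to /tmp/uscreens/S-<user>. The check sees only the numbers stat() returns: owner uid and mode bits. It has no way to recognise that a group whose gid equals the owner's uid is "the same principal", so the drwxrwx--- listing from the mail fails the check exactly as reported. The ls-mode parser, the uid values and the temporary directory in the demo are constructed for this example.

```python
import os
import stat
import tempfile

# Constructed example of a POSIX private-directory check, modelled on what
# screen reports ("must have mode 700").  Nothing here is screen's own code.

# ls(1) permission characters in order, mapped to their stat(2) bits.
_LS_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)


def check_private_dir_bits(st_mode: int, st_uid: int, my_uid: int):
    """Return (ok, reason) for a directory described by its stat bits.

    This is all the information a POSIX program has: integers.  A group
    with the same numeric id as the owner is just another group, so any
    group permission on the directory counts as exposure to someone else.
    """
    if not stat.S_ISDIR(st_mode):
        return False, "not a directory"
    if st_uid != my_uid:
        return False, "owned by uid %d, not %d" % (st_uid, my_uid)
    perm = stat.S_IMODE(st_mode)
    if perm != 0o700:
        return False, "must have mode 700, has %o" % perm
    return True, "ok"


def check_private_dir(path: str):
    """lstat() a real path and apply the same rule against the calling uid.

    lstat rather than stat so that a symlink planted where the directory
    should be is rejected instead of being followed.
    """
    st = os.lstat(path)
    return check_private_dir_bits(st.st_mode, st.st_uid, os.getuid())


def describe_from_ls(ls_mode: str) -> int:
    """Turn an ls(1) mode string such as 'drwxrwx---+' into stat bits.

    Constructed helper so the listing quoted in the mail can be fed to the
    check directly.  The trailing '+' (an ACL is present) is dropped: the
    mode-bit check ignores ACLs, which is why the '+' does not rescue the
    directory in the mail either.
    """
    ls_mode = ls_mode.rstrip("+")
    kind = stat.S_IFDIR if ls_mode[0] == "d" else stat.S_IFREG
    bits = 0
    for ch, flag in zip(ls_mode[1:10], _LS_BITS):
        if ch != "-":
            bits |= flag
    return kind | bits


if __name__ == "__main__":
    # Reproduce the mail's situation on a throwaway directory: mode 770
    # fails, mode 700 passes, regardless of which group owns it.
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "S-example_user")   # constructed name
        os.mkdir(d, 0o700)
        os.chmod(d, 0o770)
        print("as listed in the mail:", check_private_dir(d))
        os.chmod(d, 0o700)
        print("after chmod 700:      ", check_private_dir(d))
```

Running the script prints a failure for the 770 directory and "ok" after chmod 700; the fix on the filesystem side is the mode, the fix Corinna is discussing is giving the account a primary group that is not the user itself, so that the default group bits no longer look like sharing with a second party.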