On May 7 17:53, Andrey Repin wrote:
> Greetings, Corinna Vinschen!
>
> > I toyed around with the Microsoft Account a bit more. And here's why
> > the primary group SID being identical to the user SID is not a good
> > idea:
>
> > Security checks.
>
> > For instance:
>
> > $ echo $USER
> > VMBERT8164+local_000
> > $ screen
> > Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
>
> > Huh?
>
> > $ ls -l /tmp/uscreens/
> > total 0
> > drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
>
> > Uh Oh.
>
> I concur.
> But mostly because of blind check "if it's not 700, it's wrong".
> No, it's not wrong, you dumb piece of code, it's your check isn't right.
No, the check is right from a POSIX POV. How is a POSIX application
supposed to know that the group with gid 12345 is in fact the user
with the uid 12345? That's not possible in a POSIX environment.
> > This will be a problem with other security sensitive applications, too.
> > Sshd comes to mind.
>
> > So I guess we really should make sure the primary group SID is some
> > valid group, not the user's SID.
>
> > "None" is not an option since it's not in the user token group list.
>
> > "Users" seems to be the best choice at first sight.
>
> For local SAM account.
...or "Domain Users" for AD accounts, probably.
> > Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> > That would be in line with the idea to have a user-specific primary
> > group.
>
> For M$ accounts, perhaps.
Eh? This thread *is* about Microsoft Accounts. We don't have this
problem for normal accounts.
> When you said I can set up a primary group for my account in SAM database,
> what did you mean? The magic or something more system-specific?
The magic, yes.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat