On May 7 10:05, Chris J. Breisch wrote:
> Corinna Vinschen wrote:
> >I toyed around with the Microsoft Account a bit more. And here's why
> >the primary group SID being identical to the user SID is not a good
> >idea:
> >
> >  Security checks.
> >
> >For instance:
> >
> >  $ echo $USER
> >  VMBERT8164+local_000
> >  $ screen
> >  Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
> >
> >Huh?
> >
> >  $ ls -l /tmp/uscreens/
> >  total 0
> >  drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000
> >
> >Uh Oh.
> >
> >This will be a problem with other security sensitive applications, too.
> >Sshd comes to mind.
> >
> Yes, it was when dealing with ssh that I discovered this issue, and
> was the reason I brought it up. Ssh wants many of its files to be
> only accessible by the owner, and not any group.
>
> >So I guess we really should make sure the primary group SID is some
> >valid group, not the user's SID.
> >
> >"None" is not an option since it's not in the user token group list.
> >
> >"Users" seems to be the best choice at first sight.
> >
> That's what I've thought from the beginning.
>
> >Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> >That would be in line with the idea to have a user-specific primary
> >group.
> >
> I'm not sure how that helps or even would work. Are you talking
> about creating a group just for Cygwin purposes that wouldn't map to
> an actual group on the box?

No.  As I explained in my mail from yesterday

  http://cygwin.com/ml/cygwin/2014-05/msg00083.html

as soon as you login with your Microsoft account, your user token contains
a special SID which connects your local account with the Microsoft
Account.  It's the account from Windows' whoami /groups which is called
"MicrosoftAccount\" and a SID starting with S-1-11-*.
Using the latest Cygwin developer snapshots, you'll see something along
these lines in `id' output:

  $ id
  uid=197613(VMBERT8164+local_000) gid=197613(VMBERT8164+local_000) groups=197613(VMBERT8164+local_000),401408(+Medium Mandatory Level),555(+Remote Desktop Users),545(+Users),14(+REMOTE INTERACTIVE LOGON),4(+INTERACTIVE),11(+Authenticated Users),15(+This Organization),68452(MicrosoftAccount+testuser@foobar.de),113(+Local account),4095(CurrentSession),66048(+LOCAL),262176(+Microsoft Account Authentication)

If we use this account as primary group, you would have both an
unambiguous group gid and a user-specific group.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
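The failure mode discussed in the thread, as an added example that is not part of the mail or of Cygwin's own code: a deliberately simplified model of how a Windows DACL collapses into POSIX mode bits (owner bits from the ACE matching the owner SID, group bits from the ACE matching the primary group SID, other bits from Everyone) shows why a primary group SID equal to the user SID makes an owner-only directory appear as mode 770 and trip screen's "must have mode 700" check, while a distinct primary group such as "Users" (545) taken from the token group list does not. The `id` output is the one quoted above; the user SID, the DACL and the mapping function are constructed assumptions for illustration, not Cygwin's real algorithm.

```python
import re

EVERYONE = "S-1-1-0"
USERS_SID = "S-1-5-32-545"
USER_SID = "S-1-5-21-1-2-3-1000"   # constructed placeholder for the local account SID

# Constructed sample input: the `id` output quoted in the mail.
ID_OUTPUT = (
    "uid=197613(VMBERT8164+local_000) gid=197613(VMBERT8164+local_000) "
    "groups=197613(VMBERT8164+local_000),401408(+Medium Mandatory Level),"
    "555(+Remote Desktop Users),545(+Users),14(+REMOTE INTERACTIVE LOGON),"
    "4(+INTERACTIVE),11(+Authenticated Users),15(+This Organization),"
    "68452(MicrosoftAccount+testuser@foobar.de),113(+Local account),"
    "4095(CurrentSession),66048(+LOCAL),262176(+Microsoft Account Authentication)"
)


def parse_id(text):
    """Parse `id` output into (uid, gid, {gid: name}) for the token group list."""
    uid = int(re.search(r"uid=(\d+)", text).group(1))
    gid = int(re.search(r"gid=(\d+)", text).group(1))
    groups_part = text.split("groups=", 1)[1]
    groups = {int(n): name for n, name in re.findall(r"(\d+)\(([^)]*)\)", groups_part)}
    return uid, gid, groups


def posix_mode(owner_sid, group_sid, aces):
    """Simplified ACL -> mode mapping (an assumption for illustration): each
    POSIX class takes the rwx bits of the allow ACEs whose SID equals the
    owner SID, the primary group SID, or Everyone.  aces is a list of
    (sid, rwx_mask) allow entries."""
    def bits(sid):
        b = 0
        for s, mask in aces:
            if s == sid:
                b |= mask & 0o7
        return b
    return (bits(owner_sid) << 6) | (bits(group_sid) << 3) | bits(EVERYONE)


def screen_dir_ok(mode):
    """The check screen applies to its socket directory: exactly mode 700."""
    return (mode & 0o777) == 0o700


def choose_primary_group(uid, groups, preferences=("+Users", "MicrosoftAccount")):
    """Pick a primary gid that is present in the token group list and differs
    from uid.  Returns (gid, name), or None when no preferred group is in the
    token (as the mail notes for "None")."""
    for pref in preferences:
        for gid, name in groups.items():
            if gid != uid and name.startswith(pref):
                return gid, name
    return None


def demo():
    """Owner-only directory (one allow ACE for the user) under both choices of
    primary group.  Returns the two computed modes and the chosen fallback group."""
    uid, gid, groups = parse_id(ID_OUTPUT)
    aces = [(USER_SID, 0o7)]                       # constructed owner-only DACL
    same_sid_mode = posix_mode(USER_SID, USER_SID, aces)    # gid == uid case
    users_mode = posix_mode(USER_SID, USERS_SID, aces)      # primary group = Users
    return {
        "uid_equals_gid": uid == gid,
        "same_sid_mode": same_sid_mode,
        "same_sid_passes_screen": screen_dir_ok(same_sid_mode),
        "users_mode": users_mode,
        "users_passes_screen": screen_dir_ok(users_mode),
        "chosen_group": choose_primary_group(uid, groups),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {oct(v) if isinstance(v, int) and not isinstance(v, bool) else v}")
```

The group-bit mirroring is the whole problem: with owner SID == primary group SID the single owner ACE satisfies both the owner and the group class, so no DACL the user can write yields a 700 directory. The selection helper rejects "None" because it never appears in the token list and prefers "Users" or the S-1-11 MicrosoftAccount entry, both of which do.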