On May 7 16:20, Corinna Vinschen wrote:
> On May 7 17:53, Andrey Repin wrote:
> > Greetings, Corinna Vinschen!
> >
> > > I toyed around with the Microsoft Account a bit more. And here's why
> > > the primary group SID being identical to the user SID is not a good
> > > idea:
> >
> > > Security checks.
> >
> > > For instance:
> >
> > > $ echo $USER
> > > VMBERT8164+local_000
> > > $ screen
> > > Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
> >
> > > Huh?
> >
> > > $ ls -l /tmp/uscreens/
> > > total 0
> > > drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
> >
> > > Uh Oh.
> >
> > I concur.
> > But mostly because of blind check "if it's not 700, it's wrong".
> > No, it's not wrong, you dumb piece of code, it's your check isn't right.
>
> No, the check is right from a POSIX POV. How is a POSIX application
> supposed to know that the group with gid 12345 is in fact the user
> with the uid 12345? That's not possible in a POSIX environment.
>
> > > This will be a problem with other security sensitive applications, too.
> > > Sshd comes to mind.
> >
> > > So I guess we really should make sure the primary group SID is some
> > > valid group, not the user's SID.
> >
> > > "None" is not an option since it's not in the user token group list.
> >
> > > "Users" seems to be the best choice at first sight.
> >
> > For local SAM account.
>
> ...or "Domain Users" for AD accounts, probably.

AFAICS, domain accounts don't matter. You can connect your domain
account to a Microsoft Account, but its token will reflect the domain
settings exactly. So, AFAICS, only local accounts are affected at all.

Corinna

--
Corinna Vinschen
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
Cygwin Maintainer
Red Hat
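
The kind of strict private-directory check discussed in this thread, as an added C example; it is not code from screen, sshd or Cygwin, and `check_private_dir` and `check_with_mode` are hypothetical names. It shows that a directory with the right owner still fails an exact-0700 test when its group bits mirror the owner bits, as in the `drwxrwx---` listing above.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum dir_check { DIR_OK = 0, DIR_STAT_FAILED, DIR_NOT_DIRECTORY,
                 DIR_WRONG_OWNER, DIR_WRONG_MODE };

/* Strict POSIX-style check: path must be a real directory (lstat, so a
 * symlink is rejected), owned by uid, with permission bits exactly 0700.
 * The check sees only uid, gid and mode bits; it cannot tell that a
 * group with full access is really the same principal as the owner. */
enum dir_check check_private_dir(const char *path, uid_t uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return DIR_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIRECTORY;
    if (st.st_uid != uid)
        return DIR_WRONG_OWNER;
    if ((st.st_mode & 0777) != 0700)
        return DIR_WRONG_MODE;   /* 0770 ends up here */
    return DIR_OK;
}

/* Create a scratch directory, force the given mode, run the check and
 * clean up. The /tmp/dircheck-* path is constructed for this example. */
enum dir_check check_with_mode(mode_t mode)
{
    char path[] = "/tmp/dircheck-XXXXXX";
    enum dir_check result = DIR_STAT_FAILED;

    if (mkdtemp(path) == NULL)
        return DIR_STAT_FAILED;
    if (chmod(path, mode) == 0)
        result = check_private_dir(path, geteuid());
    rmdir(path);
    return result;
}

int main(void)
{
    printf("mode 0700 -> %d\n", check_with_mode(0700));
    printf("mode 0770 -> %d\n", check_with_mode(0770));
    return 0;
}
```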