public inbox for cygwin@cygwin.com
From: "Chris J. Breisch" <chris.ml@breisch.org>
To: cygwin@cygwin.com
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Date: Wed, 07 May 2014 14:09:00 -0000
Message-ID: <536A3E80.2060602@breisch.org>
In-Reply-To: <20140507124038.GG30918@calimero.vinschen.de>

Corinna Vinschen wrote:
> On May  7 13:57, Corinna Vinschen wrote:
>> I toyed around with the Microsoft Account a bit more.  And here's why
>> the primary group SID being identical to the user SID is not a good
>> idea:
>>
>>    Security checks.
>>
>> For instance:
>>
>>    $ echo $USER
>>    VMBERT8164+local_000
>>    $ screen
>>    Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
>>
>> Huh?
>>
>>    $ ls -l /tmp/uscreens/
>>    total 0
>>    drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000
>>
>> Uh Oh.
>>
>> This will be a problem with other security sensitive applications, too.
>> Sshd comes to mind.
>>
>> So I guess we really should make sure the primary group SID is some
>> valid group, not the user's SID.
>>
>> "None" is not an option since it's not in the user token group list.
>>
>> "Users" seems to be the best choice at first sight.
>>
>> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
>> That would be in line with the idea to have a user-specific primary
>> group.
>>
>> Thoughts?
>
> And here's a problem which I'm not sure how to solve at all:
>
> When calling the latest mkpasswd, the primary group of the local
> user account backing the Microsoft Account will *still* be "None".
>
> The reason is that the local account is just the same old account
> as usual.  Its default primary group *is* "None".
>
> Only when logging in via the Microsoft Account email address, the
> user token will not reflect what's stored in the local SAM, but
> will have been changed by the OS as outlined in this thread.
>
> So, when a user decides to create a passwd file rather than using
> the SAM/DB code in Cygwin, the information generated by mkpasswd
> will not match the user token, and the primary group stored in
> /etc/passwd will not even be available at all in the user token.
>
> I have not the faintest idea how to work around this schizophrenia.
>
>
> Corinna
>
Oh wow. It took me two reads of this to understand it. Caffeine is 
finally kicking in, I guess. Unless you just want to hard code the 
primary group that mkpasswd generates to "Users" for any account that it 
would tend to want to set as "None". That would be some smelly code though.

-- 
Chris J. Breisch

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
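The failing `screen` check quoted above can be reproduced without a Windows box. The following is an added simulation, not Cygwin's or screen's code: it models how a POSIX emulation layer derives user/group/other bits from an ACL (user bits from the owner SID's ACEs, group bits from the primary-group SID's ACEs, other bits from Everyone's), so that when the primary group SID equals the user SID the group bits mirror the user bits and a directory that is really owner-only shows up as mode 770. The account SID is constructed; the Users (S-1-5-32-545) and Everyone (S-1-1-0) SIDs are well-known Windows SIDs.

```python
# Added simulation (not Cygwin code): POSIX mode synthesis from a Windows ACL
# when a file's owner SID and primary-group SID are the same account, and why
# a screen-style "directory must be mode 700" check then fails.
from dataclasses import dataclass

RWX = 0o7
EVERYONE = "S-1-1-0"            # well-known SID: Everyone
USERS = "S-1-5-32-545"          # well-known SID: BUILTIN\Users
OWNER = "S-1-5-21-1-2-3-1001"   # constructed SID of the local account


@dataclass(frozen=True)
class Ace:
    sid: str
    perms: int  # rwx bits granted to this SID by an allow-ACE (0..7)


def bits_for(sid: str, aces) -> int:
    """OR together the rwx bits of every allow-ACE for one SID."""
    bits = 0
    for ace in aces:
        if ace.sid == sid:
            bits |= ace.perms & RWX
    return bits


def synth_mode(owner_sid: str, group_sid: str, aces) -> int:
    """User bits come from the owner's ACEs, group bits from the primary
    group's ACEs, other bits from Everyone's ACEs.  If group_sid is the
    same identity as owner_sid, the group bits simply mirror the user bits."""
    u = bits_for(owner_sid, aces)
    g = bits_for(group_sid, aces)
    o = bits_for(EVERYONE, aces)
    return (u << 6) | (g << 3) | o


def screen_dir_ok(mode: int) -> bool:
    """The condition screen requires of its socket directory: exactly 700."""
    return (mode & 0o777) == 0o700


def demo():
    aces = [Ace(OWNER, RWX)]                 # only the owner has any access
    broken = synth_mode(OWNER, OWNER, aces)  # primary group == user SID
    fixed = synth_mode(OWNER, USERS, aces)   # primary group is "Users"
    return broken, fixed


if __name__ == "__main__":
    b, f = demo()
    print(f"group == user: mode {b:o}, screen ok = {screen_dir_ok(b)}")
    print(f"group = Users: mode {f:o}, screen ok = {screen_dir_ok(f)}")
```

The same ACL yields 770 with the user's own SID as primary group and 700 once a distinct group such as Users is used, which is exactly the difference between the rejected directory and one screen accepts.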
