This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)

On May  6 14:22, Chris J. Breisch wrote:
> Corinna Vinschen wrote:
> >On May  6 13:01, Chris J. Breisch wrote:
> >>Corinna Vinschen wrote:
> >>>Other than that, I'm open to discuss the necessity(?) to override
> >>>the primary group by default.  But, in fact, I'm not sure this really
> >>>makes sense.  Linux systems default to creating a user-specific group
> >>>account and using that as the user's primary group for years.  The
> >>>Windows Account technique isn't quite as nice, but admittedly, it
> >>>does its job just as well.
> >>Yes, I've experienced that on Linux, but I don't recall having these
> >>file permission issues there. Perhaps I just never noticed though.
> >
> >No, it *is* different,  On Linux you get a user account called "Chris"
> >and a group account called "Chris", and they are different because users
> >and groups are totally different beasts on POSIX systems.  You can have
> >a user with uid 42 and a group with gid 42 and they are still different.
> >
> >On Windows, users and groups are identified not by uid/gid, but by
> >their SID.  The SID is a unique value, but other than that, a SID can
> >be a user or a group and in lots of cases Windows doesn't care.
> >A group can be owner of a file and a user can be the group of the file,
> >it just doesn't matter to Windows.
> >
> >The permission "problem" you're seeing is a result of that.  Your user
> >*and* your primary group are both your user's SID.  Therefore the same
> >account is user and primary group at the same time.  Therefore, if
> >the file is created, it gets created with an ACL with user and group
> >being the same account.  Therefore the POSIX translation of the user
> >and group permissions on the file are always the same.
> >
> >Does this clear it up?
> Yes, that makes complete sense. Thank you again.

I toyed around with the Microsoft Account a bit more.  And here's why
the primary group SID being identical to the user SID is not a good

  Security checks.

For instance:

  $ echo $USER
  $ screen
  Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.


  $ ls -l /tmp/uscreens/
  total 0
  drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000

Uh Oh.

This will be a problem with other security sensitive applications, too.
Sshd comes to mind.

So I guess we really should make sure the primary group SID is some
valid group, not the user's SID.

"None" is not an option since it's not in the user token group list.

"Users" seems to be the best choice at first sight.

Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
That would be in line with the idea to have a user-specific primary



Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgp8ThBSp_QJD.pgp
Description: PGP signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]