This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)

Corinna Vinschen wrote:
On May  6 14:22, Chris J. Breisch wrote:
Corinna Vinschen wrote:
On Windows, users and groups are identified not by uid/gid, but by
their SID.  The SID is a unique value, but other than that, a SID can
be a user or a group and in lots of cases Windows doesn't care.
A group can be owner of a file and a user can be the group of the file,
it just doesn't matter to Windows.

The permission "problem" you're seeing is a result of that.  Your user
*and* your primary group are both your user's SID.  Therefore the same
account is user and primary group at the same time.  Therefore, if
the file is created, it gets created with an ACL with user and group
being the same account.  Therefore the POSIX translation of the user
and group permissions on the file are always the same.

Does this clear it up?
Yes, that makes complete sense. Thank you again.

I toyed around with the Microsoft Account a bit more.  And here's why
the primary group SID being identical to the user SID is not a good

   Security checks.

For instance:

   $ echo $USER
   $ screen
   Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.


   $ ls -l /tmp/uscreens/
   total 0
   drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May  7 12:44 S-VMBERT8164+local_000

Uh Oh.

This will be a problem with other security sensitive applications, too.
Sshd comes to mind.

Yes, it was when dealing with ssh that I discovered this issue, and was the reason I brought it up. Ssh wants many of its files to be only accessible by the owner, and not any group.

So I guess we really should make sure the primary group SID is some
valid group, not the user's SID.

"None" is not an option since it's not in the user token group list.

"Users" seems to be the best choice at first sight.
That's what I've thought from the beginning.

Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
That would be in line with the idea to have a user-specific primary

I'm not sure how that helps or even would work. Are you talking about creating a group just for Cygwin purposes that wouldn't map to an actual group on the box? Seems like I need to get some more caffeine and go back and reread your attached document from several messages ago.



Chris J. Breisch

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]