This is the mail archive of the mailing list for the Cygwin project.
Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
- From: "Chris J. Breisch" <chris dot ml at breisch dot org>
- To: cygwin at cygwin dot com
- Date: Wed, 07 May 2014 10:05:23 -0400
- Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
- Authentication-results: sourceware.org; auth=none
- References: <20140505144745 dot GA6993 at calimero dot vinschen dot de> <5367ACED dot 40409 at breisch dot org> <20140505154230 dot GB7694 at calimero dot vinschen dot de> <5367B990 dot 8050907 at breisch dot org> <20140505165723 dot GM30918 at calimero dot vinschen dot de> <5367DEE5 dot 5010407 at breisch dot org> <20140506125203 dot GO30918 at calimero dot vinschen dot de> <53691564 dot 1070200 at breisch dot org> <20140506171626 dot GZ30918 at calimero dot vinschen dot de> <53692867 dot 4060305 at breisch dot org> <20140507115730 dot GE30918 at calimero dot vinschen dot de>
Corinna Vinschen wrote:
> On May 6 14:22, Chris J. Breisch wrote:
> > Corinna Vinschen wrote:
> > > On Windows, users and groups are identified not by uid/gid, but by
> > > their SID. The SID is a unique value, but other than that, a SID can
> > > be a user or a group and in lots of cases Windows doesn't care.
> > > A group can be owner of a file and a user can be the group of the file,
> > > it just doesn't matter to Windows.
> > >
> > > The permission "problem" you're seeing is a result of that. Your user
> > > *and* your primary group are both your user's SID. Therefore the same
> > > account is user and primary group at the same time. Therefore, if
> > > the file is created, it gets created with an ACL with user and group
> > > being the same account. Therefore the POSIX translation of the user
> > > and group permissions on the file is always the same.
> > >
> > > Does this clear it up?
> >
> > Yes, that makes complete sense. Thank you again.
>
> I toyed around with the Microsoft Account a bit more. And here's why
> the primary group SID being identical to the user SID is not a good
>
> $ echo $USER
> Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
> $ ls -l /tmp/uscreens/
> drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
>
> This will be a problem with other security-sensitive applications, too.
> Sshd comes to mind.

Yes, it was when dealing with ssh that I discovered this issue, and was
the reason I brought it up. Ssh wants many of its files to be only
accessible by the owner, and not any group.

> So I guess we really should make sure the primary group SID is some
> valid group, not the user's SID.
>
> "None" is not an option since it's not in the user token group list.
> "Users" seems to be the best choice at first sight.

That's what I've thought from the beginning.

> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> That would be in line with the idea to have a user-specific primary

I'm not sure how that helps or even would work. Are you talking about
creating a group just for Cygwin purposes that wouldn't map to an actual
group on the box? Seems like I need to get some more caffeine and go
back and reread your attached document from several messages ago.
Chris J. Breisch
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
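The following is an added illustration of the mechanism Corinna describes in the quoted message; it is not Cygwin's code and not part of the original thread. It models, in a deliberately simplified way, how POSIX mode bits are derived from a Windows ACL: the user triplet comes from the ACEs granted to the owner SID, the group triplet from the ACEs granted to the file's group SID, and the other triplet from the ACEs granted to Everyone (S-1-1-0). When the owner SID and the group SID are the same account, the user and group triplets are necessarily identical, so a directory created "owner only" reports 0770 and fails a mode-700 check of the kind screen performs. Giving the file a distinct primary group such as BUILTIN\Users (S-1-5-32-545), for which no ACE exists, yields 0700. The local user SID below is a constructed placeholder, the model ignores deny ACEs, inheritance and most access-mask bits, and `check_private_dir` is a hypothetical stand-in for screen's own check.

```python
"""Toy model of Cygwin-style ACL -> POSIX mode translation (added example,
not Cygwin's real implementation). Shows why owner SID == group SID makes
the user and group permission triplets indistinguishable."""
from dataclasses import dataclass, field

# Well-known SIDs (real values).
EVERYONE = "S-1-1-0"
BUILTIN_USERS = "S-1-5-32-545"
# Constructed placeholder for a local (Microsoft Account backed) user SID.
LOCAL_USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"

# Subset of the NTFS access-mask bits that map onto r/w/x.
FILE_READ_DATA = 0x01
FILE_WRITE_DATA = 0x02
FILE_EXECUTE = 0x20
FULL_RWX = FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE


@dataclass
class Ace:
    """An access-allowed ACE: a SID and the rights granted to it."""
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    """Owner SID, group SID and the DACL (allow ACEs only in this model)."""
    owner: str
    group: str
    aces: list[Ace] = field(default_factory=list)


def rwx_bits(mask: int) -> int:
    """Collapse an access mask onto a 3-bit rwx value."""
    bits = 0
    if mask & FILE_READ_DATA:
        bits |= 4
    if mask & FILE_WRITE_DATA:
        bits |= 2
    if mask & FILE_EXECUTE:
        bits |= 1
    return bits


def effective_mask(sd: SecurityDescriptor, sid: str) -> int:
    """Union of all rights granted to exactly this SID (no group expansion)."""
    mask = 0
    for ace in sd.aces:
        if ace.sid == sid:
            mask |= ace.mask
    return mask


def posix_mode(sd: SecurityDescriptor) -> int:
    """user bits <- owner SID, group bits <- group SID, other bits <- Everyone.
    If sd.owner == sd.group the first two lookups are the same lookup."""
    user = rwx_bits(effective_mask(sd, sd.owner))
    group = rwx_bits(effective_mask(sd, sd.group))
    other = rwx_bits(effective_mask(sd, EVERYONE))
    return (user << 6) | (group << 3) | other


def make_private_dir(owner: str, primary_group: str) -> SecurityDescriptor:
    """A directory created 'owner only': a single allow ACE for the owner,
    with the creator's primary group recorded as the file's group."""
    return SecurityDescriptor(owner=owner, group=primary_group,
                              aces=[Ace(owner, FULL_RWX)])


def check_private_dir(sd: SecurityDescriptor) -> tuple[bool, int]:
    """Hypothetical stand-in for screen's 'must have mode 700' check."""
    mode = posix_mode(sd)
    return mode == 0o700, mode


if __name__ == "__main__":
    # Primary group SID identical to the user SID: group bits mirror user bits.
    same = make_private_dir(LOCAL_USER, LOCAL_USER)
    ok, mode = check_private_dir(same)
    print(f"group == user SID : mode {mode:04o}, accepted={ok}")

    # Primary group is BUILTIN\Users with no ACE of its own: group bits are 0.
    users = make_private_dir(LOCAL_USER, BUILTIN_USERS)
    ok, mode = check_private_dir(users)
    print(f"group == Users    : mode {mode:04o}, accepted={ok}")

    # Group bits really do track the group SID's ACEs: grant Users read-only.
    users.aces.append(Ace(BUILTIN_USERS, FILE_READ_DATA))
    print(f"Users granted read: mode {posix_mode(users):04o}")
```

Note what the model does not show: with a real Windows token the user still holds the Users group, so the directory is no less private in the 0770 case than in the 0700 case; the ACL is identical in both. The only thing that changes is the owner/group bookkeeping the POSIX view is built from, which is exactly why a group-less check such as "mode must be 700" trips over it.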