Greetings, Corinna Vinschen!

> I toyed around with the Microsoft Account a bit more. And here's why
> the primary group SID being identical to the user SID is not a good
> idea:

> Security checks.

> For instance:

> $ echo $USER
> VMBERT8164+local_000
> $ screen
> Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.

> Huh?

> $ ls -l /tmp/uscreens/
> total 0
> drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44
> S-VMBERT8164+local_000

> Uh Oh.

I concur. But mostly because of the blind check "if it's not 700, it's wrong".
No, it's not wrong, you dumb piece of code, it's your check that isn't right.

> This will be a problem with other security sensitive applications, too.
> Sshd comes to mind.

> So I guess we really should make sure the primary group SID is some
> valid group, not the user's SID.

> "None" is not an option since it's not in the user token group list.
> "Users" seems to be the best choice at first sight.

For a local SAM account.

> Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> That would be in line with the idea to have a user-specific primary
> group.

For M$ accounts, perhaps.

> Thoughts?

I'm with you on this one.

P.S.
When you said I can set up a primary group for my account in the SAM database, what
did you mean? The <cygwin/> magic or something more system-specific?

--
WBR,
Andrey Repin (anrdae...@yandex.ru) 07.05.2014, <17:49>

Sorry for my terrible english...