* sec_auth.cc (verify_token): Allow builtin groups missing in a token

	and it's still valid.  Explain why.

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 61d3675..f3c6bad 100644 (file)
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
 2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
 
+       * sec_auth.cc (verify_token): Allow builtin groups missing in a token
+       and it's still valid.  Explain why.
+
+2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
+
        * autoload.cc (DsGetDcNameW): Replace DsGetDcNameA.
        * dcrt0.cc (child_info_spawn::handle_spawn): Drop artificial
        supplementary group list from calling setgroups in parent.

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index b2f1fe7..db76fcd 100644 (file)
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
                  goto done;
 #endif
              }
-         /* user.sgsids groups must be in the token */
+         /* user.sgsids groups must be in the token, except for builtin groups.
+            These can be different on domain member machines compared to
+            domain controllers, so these builtin groups may be validly missing
+            from a token created through password or lsaauth logon. */
          for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
-           if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+           if (!saw[gidx]
+               && !groups.sgsids.sids[gidx].is_well_known_sid ()
+               && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
              goto done;
        }
       /* The primary group must be in the token */