* sec_auth.cc (verify_token): Disable code which returns false if

	the token contains additional groups not requested by setgroups.
	Explain why.

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 9df84c2..7a5b1ca 100644 (file)
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,9 @@
+2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
+
+       * sec_auth.cc (verify_token): Disable code which returns false if
+       the token contains additional groups not requested by setgroups.
+       Explain why.
+
 2008-07-08  Corinna Vinschen  <corinna@vinschen.de>
 
        * fhandler_socket.cc (fhandler_socket::bind): Don't run explicit

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 2e7dba4..f78b865 100644 (file)
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -714,9 +714,20 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
                  saw[pos] = true;
                else if (groups.pgsid == gsid)
                  sawpg = true;
+#if 0
+               /* With this `else', verify_token returns false if we find
+                  groups in the token, which are not in the group list set
+                  with setgroups().  That's rather dangerous.  What we're
+                  really interested in is that all groups in the setgroups()
+                  list are in the token.  A token created through ADVAPI 
+                  should be allowed to contain more groups than requested
+                  through setgroups(), esecially since Vista and the
+                  addition of integrity groups. So we disable this statement
+                  for now. */
                else if (gsid != well_known_world_sid
                         && gsid != usersid)
                  goto done;
+#endif
              }
          /* user.sgsids groups must be in the token */
          for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)