From 0eb122987126e368e834e50cf53b2f9fb12784c8 Mon Sep 17 00:00:00 2001
From: corinna
Date: Wed, 9 Jul 2008 15:45:08 +0000
Subject: [PATCH] * sec_auth.cc (verify_token): Allow builtin groups missing in a token and it's still valid. Explain why.

---
 winsup/cygwin/ChangeLog | 5 +++++
 winsup/cygwin/sec_auth.cc | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 61d367530d..f3c6bad29f 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
 2008-07-09 Corinna Vinschen
 
+ * sec_auth.cc (verify_token): Allow builtin groups missing in a token
+ and it's still valid. Explain why.
+
+2008-07-09 Corinna Vinschen
+
  * autoload.cc (DsGetDcNameW): Replace DsGetDcNameA.
  * dcrt0.cc (child_info_spawn::handle_spawn): Drop artificial
  supplementary group list from calling setgroups in parent.
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index b2f1fe77d7..db76fcd796 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 goto done;
 #endif
 }
- /* user.sgsids groups must be in the token */
+ /* user.sgsids groups must be in the token, except for builtin groups.
+ These can be different on domain member machines compared to
+ domain controllers, so these builtin groups may be validly missing
+ from a token created through password or lsaauth logon. */
 for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
- if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+ if (!saw[gidx]
+ && !groups.sgsids.sids[gidx].is_well_known_sid ()
+ && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
 goto done;
 }
 /* The primary group must be in the token */
-- 
2.11.0
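Review bot: The exemption added to the `if` condition is keyed on `is_well_known_sid ()`, while the new comment directly above it talks only about "builtin groups"; unless that predicate is restricted to the BUILTIN domain (S-1-5-32-*), it also exempts every other well-known SID (Everyone, Authenticated Users, the logon-type SIDs and so on), so the group-membership check is looser than the comment claims. Either narrow the test to builtin-domain SIDs or make the comment state the real scope, e.g. `/* Any well-known SID, not only BUILTIN groups, is exempt from this check. */`. Because verify_token decides whether an already-created token is accepted for the user, it is worth recording what a caller may still rely on after this change: a passing token is guaranteed to carry the non-well-known supplementary groups only. verify_token begins and ends outside this hunk, so I cannot see from here how `saw[]` is populated for the SIDs that are now exempted.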