summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--winsup/cygwin/ChangeLog5
-rw-r--r--winsup/cygwin/sec_auth.cc9
2 files changed, 12 insertions, 2 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 61d367530..f3c6bad29 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
2008-07-09 Corinna Vinschen <corinna@vinschen.de>
+ * sec_auth.cc (verify_token): Allow builtin groups missing in a token
+ and it's still valid. Explain why.
+
+2008-07-09 Corinna Vinschen <corinna@vinschen.de>
+
* autoload.cc (DsGetDcNameW): Replace DsGetDcNameA.
* dcrt0.cc (child_info_spawn::handle_spawn): Drop artificial
supplementary group list from calling setgroups in parent.
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index b2f1fe77d..db76fcd79 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
goto done;
#endif
}
- /* user.sgsids groups must be in the token */
+ /* user.sgsids groups must be in the token, except for builtin groups.
+ These can be different on domain member machines compared to
+ domain controllers, so these builtin groups may be validly missing
+ from a token created through password or lsaauth logon. */
for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
- if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+ if (!saw[gidx]
+ && !groups.sgsids.sids[gidx].is_well_known_sid ()
+ && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
goto done;
}
/* The primary group must be in the token */
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-01 02:18:53 +0000