* sec_auth.cc (verify_token): Disable code which returns false if

the token contains additional groups not requested by setgroups. Explain why.
2008-07-09 08:10:25 +00:00 · 2008-07-09 08:10:25 +00:00 · 2827371898
parent 17bfd1e083
commit 2827371898
2 changed files with 17 additions and 0 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,9 @@
+2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (verify_token): Disable code which returns false if
+	the token contains additional groups not requested by setgroups.
+	Explain why.
+
 2008-07-08  Corinna Vinschen  <corinna@vinschen.de>

 	* fhandler_socket.cc (fhandler_socket::bind): Don't run explicit
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@ -714,9 +714,20 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 		  saw[pos] = true;
 		else if (groups.pgsid == gsid)
 		  sawpg = true;
+#if 0
+		/* With this `else', verify_token returns false if we find
+		   groups in the token, which are not in the group list set
+		   with setgroups().  That's rather dangerous.  What we're
+		   really interested in is that all groups in the setgroups()
+		   list are in the token.  A token created through ADVAPI 
+		   should be allowed to contain more groups than requested
+		   through setgroups(), esecially since Vista and the
+		   addition of integrity groups. So we disable this statement
+		   for now. */
 		else if (gsid != well_known_world_sid
 			 && gsid != usersid)
 		  goto done;
+#endif
 	      }
 	  /* user.sgsids groups must be in the token */
 	  for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)