* sec_auth.cc (verify_token): Allow builtin groups missing in a token

and it's still valid. Explain why.
2008-07-09 15:45:08 +00:00 · 2008-07-09 15:45:08 +00:00 · 9035519215
parent 375a780e06
commit 9035519215
2 changed files with 12 additions and 2 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,8 @@
+2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (verify_token): Allow builtin groups missing in a token
+	and it's still valid.  Explain why.
+
 2008-07-09  Corinna Vinschen  <corinna@vinschen.de>

 	* autoload.cc (DsGetDcNameW): Replace DsGetDcNameA.
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 		  goto done;
 #endif
 	      }
-	  /* user.sgsids groups must be in the token */
+	  /* user.sgsids groups must be in the token, except for builtin groups.
+	     These can be different on domain member machines compared to
+	     domain controllers, so these builtin groups may be validly missing
+	     from a token created through password or lsaauth logon. */
 	  for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
-	    if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+	    if (!saw[gidx]
+	    	&& !groups.sgsids.sids[gidx].is_well_known_sid ()
+		&& !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
 	      goto done;
 	}
      /* The primary group must be in the token */