477c477,478 < PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos) --- > PTOKEN_GROUPS my_grps, LUID auth_luid, int &auth_pos, > BOOL * special_pgrp) 533a535 > /* special_pgrp true if pgrpsid is not null and not in normal groups */ 535c537,541 < get_user_primary_group (wserver, user, usersid, pgrpsid); --- > { > * special_pgrp = FALSE; > get_user_primary_group (wserver, user, usersid, pgrpsid); > } > else * special_pgrp = TRUE; 539,540d544 < if (!grp_list.contains (pgrpsid)) < grp_list += pgrpsid; 546a551,553 > if (!grp_list.contains (pgrpsid)) > grp_list += pgrpsid; > else * special_pgrp = FALSE; 664,668c671,672 < #define token_acl_size (sizeof (ACL) + \ < 2 * (sizeof (ACCESS_ALLOWED_ACE) + MAX_SID_LEN)) < < static BOOL < get_dacl (PACL acl, cygsid usersid, cygsidlist &grp_list) --- > BOOL > verify_token (HANDLE token, cygsid &usersid, cygsid &pgrpsid, BOOL * pint) 670,695c674,718 < if (!InitializeAcl(acl, token_acl_size, ACL_REVISION)) < { < __seterrno (); < return FALSE; < } < if (grp_list.contains (well_known_admins_sid)) < { < if (!AddAccessAllowedAce(acl, ACL_REVISION, GENERIC_ALL, < well_known_admins_sid)) < { < __seterrno (); < return FALSE; < } < } < else if (!AddAccessAllowedAce(acl, ACL_REVISION, GENERIC_ALL, usersid)) < { < __seterrno (); < return FALSE; < } < if (!AddAccessAllowedAce(acl, ACL_REVISION, GENERIC_ALL, < well_known_system_sid)) < { < __seterrno (); < return FALSE; < } < return TRUE; --- > BOOL ret = FALSE; > DWORD size; > cygsid tok_usersid = NO_SID; > * pint = FALSE; > /* Verify usersid */ > if (!GetTokenInformation (token, TokenUser, > &tok_usersid, sizeof tok_usersid, &size)) > debug_printf ("GetTokenInformation(): %E"); > if (usersid != tok_usersid) return FALSE; > > /* If token is internal and the sd group is not well_known_null_sid, > it must match pgrpsid */ > TOKEN_SOURCE ts; > if (!GetTokenInformation (cygheap->user.token, TokenSource, > &ts, sizeof ts, &size)) > debug_printf ("GetTokenInformation(): %E"); > else if (!memcmp (ts.SourceName, "Cygwin.1", 8)) { > char sd_buf[MAX_SID_LEN + sizeof (SECURITY_DESCRIPTOR)]; > PSID gsid = NO_SID; > * pint = TRUE; > if (!GetKernelObjectSecurity(token, > GROUP_SECURITY_INFORMATION, > (PSECURITY_DESCRIPTOR) sd_buf, > sizeof sd_buf, > &size)) > debug_printf ("GetKernelObjectSecurity(): %E"); > else if (!GetSecurityDescriptorGroup((PSECURITY_DESCRIPTOR) sd_buf, > &gsid, (BOOL *) &size)) > debug_printf ("GetSecurityDescriptorGroup(): %E"); > if (well_known_null_sid != gsid) return pgrpsid == gsid; > } > > /* See if the pgrpsid is in the token groups */ > PTOKEN_GROUPS my_grps = NULL; > if (!GetTokenInformation (token, TokenGroups, NULL, 0, &size) && > GetLastError () != ERROR_INSUFFICIENT_BUFFER) > debug_printf ("GetTokenInformation(token, TokenGroups): %E\n"); > else if (!(my_grps = (PTOKEN_GROUPS) malloc (size))) > debug_printf ("malloc (my_grps) failed."); > else if (!GetTokenInformation (token, TokenGroups, my_grps, > size, &size)) > debug_printf ("GetTokenInformation(my_token, TokenGroups): %E\n"); > else ret = sid_in_token_groups (my_grps, pgrpsid); > if (my_grps) free (my_grps); > return ret; 711a735,736 > PSECURITY_ATTRIBUTES psa; > BOOL special_pgrp; 721c746 < char acl_buf[token_acl_size]; --- > char acl_buf[MAX_DACL_LEN(5)]; 787c812 < my_grps, auth_luid, auth_pos)) --- > my_grps, auth_luid, auth_pos, &special_pgrp)) 812c837,838 < if (!get_dacl ((PACL) acl_buf, usersid, grpsids)) --- > if (!sec_acl((PACL) acl_buf, FALSE, > grpsids.contains (well_known_admins_sid)?well_known_admins_sid:usersid)) 827a854,860 > /* Set sd and primary group */ > psa = sec_user (sa_buf, usersid); > if (!SetSecurityDescriptorGroup ( > (PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor, > special_pgrp?pgrpsid:well_known_null_sid, FALSE)) > debug_printf ("SetSecurityDescriptorGroup %E"); > 829c862 < if (!DuplicateTokenEx (token, MAXIMUM_ALLOWED, sec_user (sa_buf, usersid), --- > if (!DuplicateTokenEx (token, MAXIMUM_ALLOWED, psa,