From 282737189879ff76895ff0e4f03ae05b62bbdbfe Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Wed, 9 Jul 2008 08:10:25 +0000 Subject: [PATCH] * sec_auth.cc (verify_token): Disable code which returns false if the token contains additional groups not requested by setgroups. Explain why. --- winsup/cygwin/ChangeLog | 6 ++++++ winsup/cygwin/sec_auth.cc | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 9df84c2f5..7a5b1ca13 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,9 @@ +2008-07-09 Corinna Vinschen + + * sec_auth.cc (verify_token): Disable code which returns false if + the token contains additional groups not requested by setgroups. + Explain why. + 2008-07-08 Corinna Vinschen * fhandler_socket.cc (fhandler_socket::bind): Don't run explicit diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index 2e7dba434..f78b86539 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -714,9 +714,20 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern) saw[pos] = true; else if (groups.pgsid == gsid) sawpg = true; +#if 0 + /* With this `else', verify_token returns false if we find + groups in the token, which are not in the group list set + with setgroups(). That's rather dangerous. What we're + really interested in is that all groups in the setgroups() + list are in the token. A token created through ADVAPI + should be allowed to contain more groups than requested + through setgroups(), esecially since Vista and the + addition of integrity groups. So we disable this statement + for now. */ else if (gsid != well_known_world_sid && gsid != usersid) goto done; +#endif } /* user.sgsids groups must be in the token */ for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)