* sec_helper.cc (sid_auth): Remove.

(well_known_this_org_sid): New well known sid.
	(SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define.
	(mandatory_medium_integrity_sid): New well known sid.
	(mandatory_high_integrity_sid): Ditto.
	(mandatory_system_integrity_sid): Ditto.
	(cygsid::get_sid): Use local SID_IDENTIFIER_AUTHORITY.  Allow all
	authorities fitting in a UCHAR.
	* security.cc (get_token_group_sidlist): Always add the local
	group to the token.  Add comment.  Add "This Organization" group
	if available in incoming group list.
	(get_server_groups): Only add world and authenticated users groups
	if not already in list.
	(create_token): Add matching mandatory integrity SID to group list
	on systems supporting Mandatory Integrity Control.
	* security.h (well_known_this_org_sid): Define.
	(mandatory_medium_integrity_sid): Define.
	(mandatory_high_integrity_sid): Define.
	(mandatory_system_integrity_sid): Define.
	* wincap.h: Define has_mandatory_integrity_control throughout.
	* wincap.cc: Ditto.

winsup/cygwin/security.cc

@@ -493,7 +493,9 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
   auth_pos = -1;
   if (my_grps)
     {
-      if (sid_in_token_groups (my_grps, well_known_local_sid))
+      /* In Vista the Local SID is missing in a token constructed by
+         subauthentication.  We add the group unconditionally now. */
+      /*if (sid_in_token_groups (my_grps, well_known_local_sid))*/
 	grp_list += well_known_local_sid;
       if (sid_in_token_groups (my_grps, well_known_dialup_sid))
 	grp_list += well_known_dialup_sid;
@@ -509,6 +511,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
 	grp_list += well_known_interactive_sid;
       if (sid_in_token_groups (my_grps, well_known_service_sid))
 	grp_list += well_known_service_sid;
+      if (sid_in_token_groups (my_grps, well_known_this_org_sid))
+	grp_list += well_known_this_org_sid;
     }
   else
     {
@@ -542,8 +546,10 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
       return true;
     }
 
-  grp_list += well_known_world_sid;
-  grp_list += well_known_authenticated_users_sid;
+  if (!grp_list.contains (well_known_world_sid))
+    grp_list += well_known_world_sid;
+  if (!grp_list.contains (well_known_authenticated_users_sid))
+    grp_list += well_known_authenticated_users_sid;
   extract_nt_dom_user (pw, domain, user);
   if (get_logon_server (domain, server, wserver, false)
       && !get_user_groups (wserver, grp_list, user, domain)
@@ -928,6 +934,15 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
   else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw,
 				    my_tok_gsids, auth_luid, auth_pos))
     goto out;
+  if (wincap.has_mandatory_integrity_control ())
+    {
+      if (usersid == well_known_system_sid)
+	tmp_gsids += mandatory_system_integrity_sid;
+      else if (tmp_gsids.contains (well_known_admins_sid))
+	tmp_gsids += mandatory_high_integrity_sid;
+      else
+	tmp_gsids += mandatory_medium_integrity_sid;
+    }
 
   /* Primary group. */
   pgrp.PrimaryGroup = new_groups.pgsid;