Cygwin: s4uauth: convert token to primary token

Up to Vista CreateProcessAsUser only worked with primary tokens,
so convert S4U impersonation token to primary token.  MSDN still
documents it that way, but actually an impersonation token is
sufficient since Windows 7.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

1 files changed, 26 insertions, 0 deletions

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 316ae99d9..beff3278e 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1556,6 +1556,8 @@ msv1_0_auth:
   MSV1_0_S4U_LOGON *s4u_logon;
   USHORT user_len, domain_len;
 
+  /* Per MSDN MsV1_0S4ULogon is not implemented on Vista, but surprisingly
+     it works. */
   RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
   status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
   if (status != STATUS_SUCCESS)
@@ -1607,6 +1609,30 @@ out:
   if (profile)
     LsaFreeReturnBuffer (profile);
 
+  if (token)
+    {
+      /* Convert to primary token.  Strictly speaking this is only
+	 required on Vista/2008.  CreateProcessAsUser also takes
+	 impersonation tokens since Windows 7. */
+      HANDLE tmp_token;
+
+      if (DuplicateTokenEx (token, MAXIMUM_ALLOWED, &sec_none,
+			    SecurityImpersonation, TokenPrimary, &tmp_token))
+	{
+	  CloseHandle (token);
+	  token = tmp_token;
+	}
+      else
+	{
+	  __seterrno ();
+	  debug_printf ("DuplicateTokenEx %E");
+	  /* Make sure not to allow create_token. */
+	  status = STATUS_INVALID_HANDLE;
+	  CloseHandle (token);
+	  token = NULL;
+	}
+    }
+
   pop_self_privilege ();
   ret_status = status;
   return token;