diff options
author | Corinna Vinschen <corinna@vinschen.de> | 2008-07-09 12:10:25 +0400 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2008-07-09 12:10:25 +0400 |
commit | 282737189879ff76895ff0e4f03ae05b62bbdbfe (patch) | |
tree | a2f765056f07e7954bde7f53a6b7b03edd3682fb /winsup/cygwin/sec_auth.cc | |
parent | 17bfd1e08381387af74ddbae1676b83445dbaa0e (diff) |
* sec_auth.cc (verify_token): Disable code which returns false if
the token contains additional groups not requested by setgroups.
Explain why.
Diffstat (limited to 'winsup/cygwin/sec_auth.cc')
-rw-r--r-- | winsup/cygwin/sec_auth.cc | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index 2e7dba434..f78b86539 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -714,9 +714,20 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern) saw[pos] = true; else if (groups.pgsid == gsid) sawpg = true; +#if 0 + /* With this `else', verify_token returns false if we find + groups in the token, which are not in the group list set + with setgroups(). That's rather dangerous. What we're + really interested in is that all groups in the setgroups() + list are in the token. A token created through ADVAPI + should be allowed to contain more groups than requested + through setgroups(), esecially since Vista and the + addition of integrity groups. So we disable this statement + for now. */ else if (gsid != well_known_world_sid && gsid != usersid) goto done; +#endif } /* user.sgsids groups must be in the token */ for (int gidx = 0; gidx < groups.sgsids.count (); gidx++) |