* sec_auth.cc (verify_token): Allow builtin groups missing in a token

and it's still valid. Explain why.
author: Corinna Vinschen <corinna@vinschen.de> 2008-07-09 19:45:08 +0400
committer: Corinna Vinschen <corinna@vinschen.de> 2008-07-09 19:45:08 +0400
commit: 9035519215c95286690c8e9c29bc9dc97583ab5c (patch)
tree: 02e20f6a45dbaff56caf946efbedd054e86e18a8 /winsup/cygwin/sec_auth.cc
parent: 375a780e06fb93dae504be3d3ea9df7efd0d5c1b (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index b2f1fe77d..db76fcd79 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -725,9 +725,14 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 		  goto done;
 #endif
 	      }
-	  /* user.sgsids groups must be in the token */
+	  /* user.sgsids groups must be in the token, except for builtin groups.
+	     These can be different on domain member machines compared to
+	     domain controllers, so these builtin groups may be validly missing
+	     from a token created through password or lsaauth logon. */
 	  for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)
-	    if (!saw[gidx] && !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
+	    if (!saw[gidx]
+	    	&& !groups.sgsids.sids[gidx].is_well_known_sid ()
+		&& !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
 	      goto done;
 	}
       /* The primary group must be in the token */
author	Corinna Vinschen <corinna@vinschen.de>	2008-07-09 19:45:08 +0400
committer	Corinna Vinschen <corinna@vinschen.de>	2008-07-09 19:45:08 +0400
commit	9035519215c95286690c8e9c29bc9dc97583ab5c (patch)
tree	02e20f6a45dbaff56caf946efbedd054e86e18a8 /winsup/cygwin/sec_auth.cc
parent	375a780e06fb93dae504be3d3ea9df7efd0d5c1b (diff)