From 6506454fb38c7684d53126b3455ff2a663932b16 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Wed, 14 May 2014 11:27:47 +0000 Subject: * sec_auth.cc (get_server_groups): Call get_logon_server only for non-builtin accounts. * uinfo.cc (pwdgrp::fetch_account_from_windows): Check incoming account name for validity in terms of the current name prefixing rules and refuse invalid names. --- winsup/cygwin/sec_auth.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'winsup/cygwin/sec_auth.cc') diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index fb9e371fb..709874337 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -465,7 +465,11 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw) __seterrno (); return false; } - if (get_logon_server (domain, server, DS_IS_FLAT_NAME)) + /* If the SID does NOT start with S-1-5-21, the domain is some builtin + domain. The search for a logon server is moot. */ + if (sid_id_auth (usersid) == 5 /* SECURITY_NT_AUTHORITY */ + && sid_sub_auth (usersid, 0) == SECURITY_NT_NON_UNIQUE + && get_logon_server (domain, server, DS_IS_FLAT_NAME)) get_user_groups (server, grp_list, user, domain); get_user_local_groups (server, domain, grp_list, user); return true; -- cgit v1.2.3