From 2fd2ddf3f5bacc7cccc9ac2d32b8024125808b6e Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <corinna@vinschen.de>
Date: Wed, 8 Nov 2006 11:38:05 +0000
Subject: 	* sec_helper.cc (sid_auth): Remove. 
 (well_known_this_org_sid): New well known sid. 
 (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define. 
 (mandatory_medium_integrity_sid): New well known sid. 
 (mandatory_high_integrity_sid): Ditto. 
 (mandatory_system_integrity_sid): Ditto. 	(cygsid::get_sid): Use local
 SID_IDENTIFIER_AUTHORITY.  Allow all 	authorities fitting in a UCHAR. 
 * security.cc (get_token_group_sidlist): Always add the local 	group to the
 token.  Add comment.  Add "This Organization" group 	if available in
 incoming group list. 	(get_server_groups): Only add world and authenticated
 users groups 	if not already in list. 	(create_token): Add matching
 mandatory integrity SID to group list 	on systems supporting Mandatory
 Integrity Control. 	* security.h (well_known_this_org_sid): Define. 
 (mandatory_medium_integrity_sid): Define. 
 (mandatory_high_integrity_sid): Define. 
 (mandatory_system_integrity_sid): Define. 	* wincap.h: Define
 has_mandatory_integrity_control throughout. 	* wincap.cc: Ditto.

---
 winsup/cygwin/security.cc | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

(limited to 'winsup/cygwin/security.cc')

diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index f3a9f87a3..4ecede8a3 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -493,7 +493,9 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
   auth_pos = -1;
   if (my_grps)
     {
-      if (sid_in_token_groups (my_grps, well_known_local_sid))
+      /* In Vista the Local SID is missing in a token constructed by
+         subauthentication.  We add the group unconditionally now. */
+      /*if (sid_in_token_groups (my_grps, well_known_local_sid))*/
 	grp_list += well_known_local_sid;
       if (sid_in_token_groups (my_grps, well_known_dialup_sid))
 	grp_list += well_known_dialup_sid;
@@ -509,6 +511,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
 	grp_list += well_known_interactive_sid;
       if (sid_in_token_groups (my_grps, well_known_service_sid))
 	grp_list += well_known_service_sid;
+      if (sid_in_token_groups (my_grps, well_known_this_org_sid))
+	grp_list += well_known_this_org_sid;
     }
   else
     {
@@ -542,8 +546,10 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
       return true;
     }
 
-  grp_list += well_known_world_sid;
-  grp_list += well_known_authenticated_users_sid;
+  if (!grp_list.contains (well_known_world_sid))
+    grp_list += well_known_world_sid;
+  if (!grp_list.contains (well_known_authenticated_users_sid))
+    grp_list += well_known_authenticated_users_sid;
   extract_nt_dom_user (pw, domain, user);
   if (get_logon_server (domain, server, wserver, false)
       && !get_user_groups (wserver, grp_list, user, domain)
@@ -928,6 +934,15 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
   else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw,
 				    my_tok_gsids, auth_luid, auth_pos))
     goto out;
+  if (wincap.has_mandatory_integrity_control ())
+    {
+      if (usersid == well_known_system_sid)
+	tmp_gsids += mandatory_system_integrity_sid;
+      else if (tmp_gsids.contains (well_known_admins_sid))
+	tmp_gsids += mandatory_high_integrity_sid;
+      else
+	tmp_gsids += mandatory_medium_integrity_sid;
+    }
 
   /* Primary group. */
   pgrp.PrimaryGroup = new_groups.pgsid;
-- 
cgit v1.2.3