public inbox for
help / color / mirror / Atom feed
From: Corinna Vinschen <>
Subject: [newlib-cygwin] Cygwin: uinfo: don't special case current user
Date: Fri,  2 Dec 2022 15:52:43 +0000 (GMT)	[thread overview]
Message-ID: <> (raw);h=a5bcfe616c7e8f78f464bf045595d8213244876a

commit a5bcfe616c7e8f78f464bf045595d8213244876a
Author:     Corinna Vinschen <>
AuthorDate: Fri Dec 2 16:49:47 2022 +0100
Commit:     Corinna Vinschen <>
CommitDate: Fri Dec 2 16:49:47 2022 +0100

    Cygwin: uinfo: don't special case current user
    fetch_account_from_windows shortcuts the current user in that
    it takes the user's domain SID and just adds the matching RID
    from the token's primary group to create a group SID.
    How wrong this is can be very simply reproduced:
    Assuming you run a native process, like cmd, with primary group
    set to the Administrators builtin group.  Run Cygwin's id(1) as
    child process.  id(1) will print a non-existent group as primary
    group and also add it to the group list.
    This can only be avoided by not special casing the current user
    and thus not creating a group SID from partial information.
    Fixes: 6cc7c925ce86 ("(pwdgrp::fetch_account_from_windows): Default primary group for the
    current user to primary group from user token.")
    Signed-off-by: Corinna Vinschen <>

 winsup/cygwin/ | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/winsup/cygwin/ b/winsup/cygwin/
index db475d710eb2..6df8c7bbbbe9 100644
--- a/winsup/cygwin/
+++ b/winsup/cygwin/
@@ -1855,7 +1855,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
   gid_t gid = ILLEGAL_GID;
   bool is_domain_account = true;
   PCWSTR domain = NULL;
-  bool is_current_user = false;
   char *shell = NULL;
   char *home = NULL;
   char *gecos = NULL;
@@ -2314,18 +2313,9 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 	    uid = posix_offset + sid_sub_auth_rid (sid);
 	  if (!is_group () && acc_type == SidTypeUser)
-	      /* Default primary group.  If the sid is the current user, fetch
-		 the default group from the current user token, otherwise make
-		 the educated guess that the user is in group "Domain Users"
-		 or "None". */
-	      if (sid == cygheap->user.sid ())
-		{
-		  is_current_user = true;
-		  gid = posix_offset
-			+ sid_sub_auth_rid (cygheap->user.groups.pgsid);
-		}
-	      else
-		gid = posix_offset + DOMAIN_GROUP_RID_USERS;
+	      /* Default primary group.  Make the educated guess that the user
+		 is in group "Domain Users" or "None". */
+	      gid = posix_offset + DOMAIN_GROUP_RID_USERS;
 	  if (is_domain_account)
@@ -2336,11 +2326,9 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
 	      /* On AD machines, use LDAP to fetch domain account infos. */
 	      if (cygheap->dom.primary_dns_name ())
-		  /* For the current user we got correctly cased username and
-		     the primary group via process token.  For any other user
-		     we fetch it from AD and overwrite it. */
-		  if (!is_current_user
-		      && cldap->fetch_ad_account (sid, false, domain))
+		  /* Fetch primary group from AD and overwrite the one we
+		     just guessed above. */
+		  if (cldap->fetch_ad_account (sid, false, domain))
 		      if ((val = cldap->get_account_name ()))
 			wcscpy (name, val);

                 reply	other threads:[~2022-12-02 15:52 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).