* sec_auth.cc (get_user_groups): Mark well-known groups as well-known.

(get_user_local_groups): Ditto.
	(verify_token): Drop useless label.
	* sec_helper.cc (cygsid::get_sid): Check for well-known SID if
	well_known isn't set.
	* security.h (well_known_sid_type): New inline function.

winsup/cygwin/sec_auth.cc

@@ -292,6 +292,8 @@ get_user_groups (WCHAR *logonserver, cygsidlist &grp_list,
       wcscpy (dgroup + len, buf[i].grui0_name);
       if (!LookupAccountNameW (NULL, dgroup, gsid, &glen, dom, &dlen, &use))
 	debug_printf ("LookupAccountName(%W), %E", dgroup);
+      else if (well_known_sid_type (use))
+	grp_list *= gsid;
       else if (legal_sid_type (use))
 	grp_list += gsid;
       else
@@ -339,10 +341,12 @@ get_user_local_groups (PWCHAR logonserver, PWCHAR domain,
       if (LookupAccountNameW (NULL, domlocal_grp, gsid, &glen,
 			      dom, &domlen, &use))
 	{
-	  if (!legal_sid_type (use))
+	  if (well_known_sid_type (use))
-	    debug_printf ("Rejecting local %W. use: %d", dg_ptr, use);
+	    grp_list *= gsid;
-	  else
+	  else if (legal_sid_type (use))
 	    grp_list += gsid;
+	  else
+	    debug_printf ("Rejecting local %W. use: %d", dg_ptr, use);
 	}
       else if (GetLastError () == ERROR_NONE_MAPPED)
 	{
@@ -762,14 +766,13 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 	    if (!saw[gidx]
 	    	&& !groups.sgsids.sids[gidx].is_well_known_sid ()
 		&& !sid_in_token_groups (my_grps, groups.sgsids.sids[gidx]))
-	      goto done;
+	      return false;
 	}
       /* The primary group must be in the token */
       ret = sawpg
 	|| sid_in_token_groups (my_grps, groups.pgsid)
 	|| groups.pgsid == usersid;
     }
-done:
   return ret;
 }
 

winsup/cygwin/sec_helper.cc

@@ -1,7 +1,7 @@
 /* sec_helper.cc: NT security helper functions
 
    Copyright 2000, 2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009,
-   2010 Red Hat, Inc.
+   2010, 2011 Red Hat, Inc.
 
    Written by Corinna Vinschen <corinna@vinschen.de>
 
@@ -150,7 +150,8 @@ PSID
 cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
 {
   DWORD i;
-  SID_IDENTIFIER_AUTHORITY sid_auth = {{0,0,0,0,0,0}};
+  SID_IDENTIFIER_AUTHORITY sid_auth = { SECURITY_NULL_SID_AUTHORITY };
+# define SECURITY_NT_AUTH 5
 
   if (s > 255 || cnt < 1 || cnt > 8)
     {
@@ -162,7 +163,17 @@ cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
   InitializeSid (psid, &sid_auth, cnt);
   for (i = 0; i < cnt; ++i)
     memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD));
-  well_known_sid = well_known;
+  /* If the well_known flag isn't set explicitely, we check the SID
+     for being a well-known SID ourselves. That's necessary because this
+     cygsid is created from a SID string, usually from /etc/passwd or
+     /etc/group.  The calling code just doesn't know if the SID is well-known
+     or not.  All SIDs are well-known SIDs, except those in the non-unique NT
+     authority range. */
+  if (well_known)
+    well_known_sid = well_known;
+  else
+    well_known_sid = (s != SECURITY_NT_AUTH
+		      || r[0] != SECURITY_NT_NON_UNIQUE_RID);
   return psid;
 }
 

winsup/cygwin/security.h

@@ -1,7 +1,7 @@
 /* security.h: security declarations
 
    Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
-   2010 Red Hat, Inc.
+   2010, 2011 Red Hat, Inc.
 
 This file is part of Cygwin.
 
@@ -339,6 +339,12 @@ extern cygpsid well_known_samba_unix_user_fake_sid;
 
 bool privilege_luid (const PWCHAR pname, LUID *luid);
 
+inline BOOL
+well_known_sid_type (SID_NAME_USE type)
+{
+  return type == SidTypeAlias || type == SidTypeWellKnownGroup;
+}
+
 inline BOOL
 legal_sid_type (SID_NAME_USE type)
 {