* autoload.cc (EqualPrefixSid): Define.

* security.cc (create_token): Drop grps_buf.  Use alloca instead.
	Only add the MIC SID to the TOKEN_GROUPS list for the NtCreateToken
	call.  If the subauthentication token exists, use its MIC SID.
	Set SID Attributes for the MIC SID to 0.

winsup/cygwin/ChangeLog

@@ -1,3 +1,11 @@
+2006-11-09  Corinna Vinschen  <corinna@vinschen.de>
+
+	* autoload.cc (EqualPrefixSid): Define.
+	* security.cc (create_token): Drop grps_buf.  Use alloca instead.
+	Only add the MIC SID to the TOKEN_GROUPS list for the NtCreateToken
+	call.  If the subauthentication token exists, use its MIC SID.
+	Set SID Attributes for the MIC SID to 0.
+
 2006-11-08  Corinna Vinschen  <corinna@vinschen.de>
 
 	* sec_helper.cc (sid_auth): Remove.

winsup/cygwin/autoload.cc

@@ -312,6 +312,7 @@ LoadDLLfuncEx (CryptReleaseContext, 8, advapi32, 1)
 LoadDLLfunc (DeregisterEventSource, 4, advapi32)
 LoadDLLfunc (DuplicateToken, 12, advapi32)
 LoadDLLfuncEx (DuplicateTokenEx, 24, advapi32, 1)
+LoadDLLfunc (EqualPrefixSid, 8, advapi32)
 LoadDLLfunc (EqualSid, 8, advapi32)
 LoadDLLfunc (FindFirstFreeAce, 8, advapi32)
 LoadDLLfunc (GetAce, 12, advapi32)

winsup/cygwin/security.cc

@@ -934,32 +934,58 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
   else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw,
 				    my_tok_gsids, auth_luid, auth_pos))
     goto out;
-  if (wincap.has_mandatory_integrity_control ())
-    {
-      if (usersid == well_known_system_sid)
-	tmp_gsids += mandatory_system_integrity_sid;
-      else if (tmp_gsids.contains (well_known_admins_sid))
-	tmp_gsids += mandatory_high_integrity_sid;
-      else
-	tmp_gsids += mandatory_medium_integrity_sid;
-    }
 
   /* Primary group. */
   pgrp.PrimaryGroup = new_groups.pgsid;
 
   /* Create a TOKEN_GROUPS list from the above retrieved list of sids. */
-  char grps_buf[sizeof (ULONG) + tmp_gsids.count * sizeof (SID_AND_ATTRIBUTES)];
-  new_tok_gsids = (PTOKEN_GROUPS) grps_buf;
+  new_tok_gsids = (PTOKEN_GROUPS)
+		  alloca (sizeof (ULONG) + (tmp_gsids.count  + 1 )
+					   * sizeof (SID_AND_ATTRIBUTES));
   new_tok_gsids->GroupCount = tmp_gsids.count;
   for (DWORD i = 0; i < new_tok_gsids->GroupCount; ++i)
     {
       new_tok_gsids->Groups[i].Sid = tmp_gsids.sids[i];
-      new_tok_gsids->Groups[i].Attributes = SE_GROUP_MANDATORY |
-	SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+      new_tok_gsids->Groups[i].Attributes = SE_GROUP_MANDATORY
+					    | SE_GROUP_ENABLED_BY_DEFAULT
+					    | SE_GROUP_ENABLED;
     }
   if (auth_pos >= 0)
     new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID;
 
+  /* On systems supporting Mandatory Integrity Control, add a MIC SID. */
+  if (wincap.has_mandatory_integrity_control ())
+    {
+      bool add_mic_sid = true;
+      new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes = 0;
+
+      /* The subauth token usually contains a MIC SID.  Copy it into our
+	 group SID list. */
+      if (my_tok_gsids)
+	for (DWORD i = 0; i < my_tok_gsids->GroupCount; ++i)
+	  if (EqualPrefixSid (mandatory_medium_integrity_sid,
+			      my_tok_gsids->Groups[i].Sid))
+	    {
+	      new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+		= my_tok_gsids->Groups[i].Sid;
+	      add_mic_sid = false;
+	      break;
+	    }
+      /* If no MIC SID was available add a matching one for the account type. */
+      if (add_mic_sid)
+        {
+	  if (usersid == well_known_system_sid)
+	    new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+	      = mandatory_system_integrity_sid;
+	  else if (tmp_gsids.contains (well_known_admins_sid))
+	    new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+	      = mandatory_high_integrity_sid;
+	  else
+	    new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+	      = mandatory_medium_integrity_sid;
+	}
+    }
+
   /* Retrieve list of privileges of that user. */
   if (!privs && !(privs = get_priv_list (lsa, usersid, tmp_gsids)))
     goto out;