2 files changed, 17 insertions, 0 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 9df84c2f5..7a5b1ca13 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,9 @@
+2008-07-09  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (verify_token): Disable code which returns false if
+	the token contains additional groups not requested by setgroups.
+	Explain why.
+
 2008-07-08  Corinna Vinschen  <corinna@vinschen.de>
 
 	* fhandler_socket.cc (fhandler_socket::bind): Don't run explicit
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 2e7dba434..f78b86539 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -714,9 +714,20 @@ verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern)
 		  saw[pos] = true;
 		else if (groups.pgsid == gsid)
 		  sawpg = true;
+#if 0
+		/* With this `else', verify_token returns false if we find
+		   groups in the token, which are not in the group list set
+		   with setgroups().  That's rather dangerous.  What we're
+		   really interested in is that all groups in the setgroups()
+		   list are in the token.  A token created through ADVAPI 
+		   should be allowed to contain more groups than requested
+		   through setgroups(), esecially since Vista and the
+		   addition of integrity groups. So we disable this statement
+		   for now. */
 		else if (gsid != well_known_world_sid
 			 && gsid != usersid)
 		  goto done;
+#endif
 	      }
 	  /* user.sgsids groups must be in the token */
 	  for (int gidx = 0; gidx < groups.sgsids.count (); gidx++)