-rw-r--r--winsup/cygwin/sec_auth.cc26
1 files changed, 26 insertions, 0 deletions
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 316ae99d9..beff3278e 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1556,6 +1556,8 @@ msv1_0_auth:
MSV1_0_S4U_LOGON *s4u_logon;
USHORT user_len, domain_len;
+ /* Per MSDN MsV1_0S4ULogon is not implemented on Vista, but surprisingly
+ it works. */
RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
if (status != STATUS_SUCCESS)
@@ -1607,6 +1609,30 @@ out:
if (profile)
LsaFreeReturnBuffer (profile);
+ if (token)
+ {
+ /* Convert to primary token. Strictly speaking this is only
+ required on Vista/2008. CreateProcessAsUser also takes
+ impersonation tokens since Windows 7. */
+ HANDLE tmp_token;
+
+ if (DuplicateTokenEx (token, MAXIMUM_ALLOWED, &sec_none,
+ SecurityImpersonation, TokenPrimary, &tmp_token))
+ {
+ CloseHandle (token);
+ token = tmp_token;
+ }
+ else
+ {
+ __seterrno ();
+ debug_printf ("DuplicateTokenEx %E");
+ /* Make sure not to allow create_token. */
+ status = STATUS_INVALID_HANDLE;
+ CloseHandle (token);
+ token = NULL;
+ }
+ }
+
pop_self_privilege ();
ret_status = status;
return token;
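Review bot: The `DuplicateTokenEx` call asks for `MAXIMUM_ALLOWED` on the new primary token, so the handle carries every right the caller can obtain instead of only those the later steps use. Consider naming the rights, e.g. `TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_IMPERSONATE`, plus whatever the callers adjust on the token; those callers are outside the hunk, so the exact set needs confirming. The call also passes `&sec_none`, whose definition is not shown here; if it marks handles inheritable, child processes would inherit this token handle, which should be a deliberate choice. The failure branch rightly fails closed, but it reports `STATUS_INVALID_HANDLE` in place of the real error, and the comment could say why, e.g. `/* Report failure so the caller does not fall back to create_token. */`, if that is the intent. The enclosing function begins before this hunk and `ret_status` is consumed outside it.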