From: "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Johannes Schindelin <johannes.schindelin@gmx.de>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: [PATCH v2 5/5] mingw: handle a file owned by the Administrators group correctly
Date: Mon, 08 Aug 2022 13:27:50 +0000
Message-ID: <fbfaff2ec21d76229eb4d86f6bfe4eab4de20c96.1659965270.git.gitgitgadget@gmail.com>
In-Reply-To: <pull.1286.v2.git.1659965270.gitgitgadget@gmail.com>
From: Johannes Schindelin <johannes.schindelin@gmx.de>

When an Administrator creates a file or directory, the created
file/directory is owned not by the Administrator SID, but by the
_Administrators Group_ SID. The reason is that users with administrator
privileges usually run in unprivileged ("non-elevated") mode, and their
user SID does not change when running in elevated mode.

This is relevant e.g. when running a GitHub workflow on a build
agent, which runs in elevated mode: cloning a Git repository in a script
step will cause the worktree to be owned by the Administrators Group
SID, for example.

Let's handle this case as follows: if the current user is an
administrator, Git should consider a worktree owned by the
Administrators Group as if it were owned by said user.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
compat/mingw.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/compat/mingw.c b/compat/mingw.c
index 22f960c7e34..7aa9318db72 100644
--- a/compat/mingw.c
+++ b/compat/mingw.c
@@ -2728,6 +2728,7 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
else if (sid && IsValidSid(sid)) {
/* Now, verify that the SID matches the current user's */
static PSID current_user_sid;
+ BOOL is_member;
if (!current_user_sid)
current_user_sid = get_current_user_sid();
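Review bot: BOOL is_member is declared without an initializer at the top of this block. It is only read after CheckTokenMembership() has returned nonzero, because of the && short-circuit in the next hunk, so it is safe as written, but that safety depends on the order of the operands staying as it is. Initializing it to FALSE at the declaration would keep the ownership check failing closed if the condition is ever rearranged.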
@@ -2736,6 +2737,15 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
IsValidSid(current_user_sid) &&
EqualSid(sid, current_user_sid))
result = 1;
+ else if (IsWellKnownSid(sid, WinBuiltinAdministratorsSid) &&
+ CheckTokenMembership(NULL, sid, &is_member) &&
+ is_member)
+ /*
+ * If owned by the Administrators group, and the
+ * current user is an administrator, we consider that
+ * okay, too.
+ */
+ result = 1;
else if (report &&
IsWellKnownSid(sid, WinWorldSid) &&
!acls_supported(path)) {
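Review bot: the comment in the new else-if branch says "the current user is an administrator", but CheckTokenMembership(NULL, sid, &is_member) tests whether the Administrators SID is enabled in the calling thread's effective token, not whether the user belongs to the group. For an administrator running non-elevated, that group is present only as deny-only and is_member comes back FALSE, so the branch takes effect only in elevated processes. It also accepts a worktree created by any member of the Administrators group, not just by this user. Suggest stating both points in the comment so the widened trust is explicit to whoever touches this check next. Separately, the branch body is now a multi-line comment followed by result = 1; with no braces, which is easy to misread in the middle of this else-if chain; wrapping it in braces would help.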
--
gitgitgadget