From: "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Johannes Schindelin <johannes.schindelin@gmx.de>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: [PATCH v2 5/5] mingw: handle a file owned by the Administrators group correctly
Date: Mon, 08 Aug 2022 13:27:50 +0000 [thread overview]
Message-ID: <fbfaff2ec21d76229eb4d86f6bfe4eab4de20c96.1659965270.git.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.1286.v2.git.1659965270.gitgitgadget@gmail.com>
From: Johannes Schindelin <johannes.schindelin@gmx.de>
When an Administrator creates a file or directory, the created
file/directory is owned not by the Administrator SID, but by the
_Administrators Group_ SID. The reason is that users with administrator
privileges usually run in unprivileged ("non-elevated") mode, and their
user SID does not change when running in elevated mode.
This is is relevant e.g. when running a GitHub workflow on a build
agent, which runs in elevated mode: cloning a Git repository in a script
step will cause the worktree to be owned by the Administrators Group
SID, for example.
Let's handle this case as following: if the current user is an
administrator, Git should consider a worktree owned by the
Administrators Group as if it were owned by said user.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
compat/mingw.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/compat/mingw.c b/compat/mingw.c
index 22f960c7e34..7aa9318db72 100644
--- a/compat/mingw.c
+++ b/compat/mingw.c
@@ -2728,6 +2728,7 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
else if (sid && IsValidSid(sid)) {
/* Now, verify that the SID matches the current user's */
static PSID current_user_sid;
+ BOOL is_member;
if (!current_user_sid)
current_user_sid = get_current_user_sid();
@@ -2736,6 +2737,15 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
IsValidSid(current_user_sid) &&
EqualSid(sid, current_user_sid))
result = 1;
+ else if (IsWellKnownSid(sid, WinBuiltinAdministratorsSid) &&
+ CheckTokenMembership(NULL, sid, &is_member) &&
+ is_member)
+ /*
+ * If owned by the Administrators group, and the
+ * current user is an administrator, we consider that
+ * okay, too.
+ */
+ result = 1;
else if (report &&
IsWellKnownSid(sid, WinWorldSid) &&
!acls_supported(path)) {
--
gitgitgadget
next prev parent reply other threads:[~2022-08-08 13:28 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-13 8:17 [PATCH 0/3] Some improvements to safe.directory on Windows Johannes Schindelin via GitGitGadget
2022-07-13 8:17 ` [PATCH 1/3] Allow debugging unsafe directories' ownership Johannes Schindelin via GitGitGadget
2022-07-13 19:35 ` Junio C Hamano
2022-07-14 21:40 ` Junio C Hamano
2022-07-15 14:33 ` Johannes Schindelin
2022-08-08 13:29 ` Johannes Schindelin
2022-07-13 8:17 ` [PATCH 2/3] mingw: handle a file owned by the Administrators group correctly Johannes Schindelin via GitGitGadget
2022-07-13 8:17 ` [PATCH 3/3] mingw: be more informative when ownership check fails on FAT32 Johannes Schindelin via GitGitGadget
2022-08-08 13:27 ` [PATCH v2 0/5] Some improvements to safe.directory on Windows Johannes Schindelin via GitGitGadget
2022-08-08 13:27 ` [PATCH v2 1/5] setup: fix some formatting Johannes Schindelin via GitGitGadget
2022-08-08 13:27 ` [PATCH v2 2/5] Prepare for more detailed "dubious ownership" messages Johannes Schindelin via GitGitGadget
2022-08-08 13:27 ` [PATCH v2 3/5] mingw: provide details about unsafe directories' ownership Johannes Schindelin via GitGitGadget
2022-08-08 13:27 ` [PATCH v2 4/5] mingw: be more informative when ownership check fails on FAT32 Johannes Schindelin via GitGitGadget
2022-08-08 13:27 ` Johannes Schindelin via GitGitGadget [this message]
2022-08-08 16:38 ` [PATCH v2 0/5] Some improvements to safe.directory on Windows Junio C Hamano
2022-08-09 8:59 ` Johannes Schindelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fbfaff2ec21d76229eb4d86f6bfe4eab4de20c96.1659965270.git.gitgitgadget@gmail.com \
--to=gitgitgadget@gmail.com \
--cc=git@vger.kernel.org \
--cc=johannes.schindelin@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).