diff mbox series

[v2,5/5] mingw: handle a file owned by the Administrators group correctly

Message ID fbfaff2ec21d76229eb4d86f6bfe4eab4de20c96.1659965270.git.gitgitgadget@gmail.com (mailing list archive)
State Accepted
Commit 3f7207e2ea967fd2b46d9e0ae85246e93b38ed58
Headers show
Series Some improvements to safe.directory on Windows | expand

Commit Message

Johannes Schindelin Aug. 8, 2022, 1:27 p.m. UTC 
From: Johannes Schindelin <johannes.schindelin@gmx.de>

When an Administrator creates a file or directory, the created
file/directory is owned not by the Administrator SID, but by the
_Administrators Group_ SID. The reason is that users with administrator
privileges usually run in unprivileged ("non-elevated") mode, and their
user SID does not change when running in elevated mode.

This is is relevant e.g. when running a GitHub workflow on a build
agent, which runs in elevated mode: cloning a Git repository in a script
step will cause the worktree to be owned by the Administrators Group
SID, for example.

Let's handle this case as following: if the current user is an
administrator, Git should consider a worktree owned by the
Administrators Group as if it were owned by said user.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 compat/mingw.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff mbox series

Patch

diff --git a/compat/mingw.c b/compat/mingw.c
index 22f960c7e34..7aa9318db72 100644
--- a/compat/mingw.c
+++ b/compat/mingw.c
@@ -2728,6 +2728,7 @@  int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
 	else if (sid && IsValidSid(sid)) {
 		/* Now, verify that the SID matches the current user's */
 		static PSID current_user_sid;
+		BOOL is_member;
 
 		if (!current_user_sid)
 			current_user_sid = get_current_user_sid();
@@ -2736,6 +2737,15 @@  int is_path_owned_by_current_sid(const char *path, struct strbuf *report)
 		    IsValidSid(current_user_sid) &&
 		    EqualSid(sid, current_user_sid))
 			result = 1;
+		else if (IsWellKnownSid(sid, WinBuiltinAdministratorsSid) &&
+			 CheckTokenMembership(NULL, sid, &is_member) &&
+			 is_member)
+			/*
+			 * If owned by the Administrators group, and the
+			 * current user is an administrator, we consider that
+			 * okay, too.
+			 */
+			result = 1;
 		else if (report &&
 			 IsWellKnownSid(sid, WinWorldSid) &&
 			 !acls_supported(path)) {