Re: [PATCH 1/7] server: Get the primary group from the token.
Vitaliy Margolen wrote:
list_add_tail( &token->groups, &group->entry ); + /* Use first owner capable group as an owner */ + if (!token->primary_group && group->owner) + token->primary_group = &group->sid; + } + /* we really need a primary group */ + if (!token->primary_group && group_count) + { + release_object( token ); + return NULL; }
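Review bot: The failure check at the end of the hunk, `if (!token->primary_group && group_count)`, only rejects the token when groups were passed in, so a token created with an empty group list is still returned with primary_group left NULL, which does not match the comment "we really need a primary group". Either drop the `&& group_count` condition or state in the comment why an empty list is allowed, so callers know they still have to handle a NULL primary_group. The comment above the assignment says "as an owner" while the code sets primary_group; it should name the primary group. Note also that primary_group is set to `&group->sid`, a pointer into the list entry, so it stays valid only while that group entry remains on the token's list; a short comment saying so would help.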
According to documentation from Microsoft, "the primary group only needs to be set if POSIX compatibility is required." Also, the default security descriptor does not require a group - a NULL group is fine.
-- Rob Shearman
Robert Shearman wrote:
Vitaliy Margolen wrote:
list_add_tail( &token->groups, &group->entry ); + /* Use first owner capable group as an owner */ + if (!token->primary_group && group->owner) + token->primary_group = &group->sid; + } + /* we really need a primary group */ + if (!token->primary_group && group_count) + { + release_object( token ); + return NULL; }
According to documentation from Microsoft, "the primary group only needs to be set if POSIX compatibility is required." Also, the default security descriptor does not require a group - a NULL group is fine.
However, an access check against the token will fail without a group being set. So I don't see why we can't require a valid group in the security descriptor?
Vitaliy.