From 5cc69969878d1a251021a4f62907aeea05cad01f Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Tue, 20 Feb 2024 17:25:23 +0100
Subject: [PATCH] Cygwin: passwd/group: drop Capability SIDs

Capability SIDs (S-1-15-3-...) have been introduced with Windows 10 1909. They don't resolve with LookupAccountSid. We don't need them and they don't map gracefully into out POSIX account namespace. Also, add code to make sure to filter them out *iff* they become resolvable at one point. While at it, slightly reorder code for non-resolving SIDs by authority values.

Signed-off-by: Corinna Vinschen
---
 winsup/cygwin/uinfo.cc | 47 ++++++++++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 21d729d5d..acbc945e4 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -2624,9 +2624,15 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
             + (sid_sub_auth_rid (sid) & 0xff);
 #else
   if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */)
-    uid = 0x10000 + 0x100 * sid_id_auth (sid)
-          + 0x10 * sid_sub_auth (sid, 0)
-          + (sid_sub_auth_rid (sid) & 0xf);
+    {
+      /* Filter out all SIDs not referring to an App Package, for instance, Capability SIDs (S-1-15-3-...) */
+      if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID)
+        return NULL;
+      uid = 0x10000 + 0x100 * sid_id_auth (sid)
+            + 0x10 * SECURITY_APP_PACKAGE_BASE_RID
+            + (sid_sub_auth_rid (sid) & 0xf);
+    }
   else if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */)
     uid = 0x10000 + 0x100 * sid_id_auth (sid)
           + (sid_sub_auth_rid (sid) & 0xff);
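Review bot: The new `SECURITY_APP_PACKAGE_BASE_RID` guard is added only under `#else`; the `#if` branch above it, which ends with the context line `+ (sid_sub_auth_rid (sid) & 0xff);`, lies outside the hunk, so it is not visible whether that branch applies the same filter to authority-15 SIDs. If it maps authority 15 as well, it needs the same `if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID) return NULL;` check, otherwise a Capability SID that becomes resolvable would still be mapped on that configuration, which is the case the commit message says it wants to cover. Because the guard pins the first sub-authority to `SECURITY_APP_PACKAGE_BASE_RID`, the new `+ 0x10 * SECURITY_APP_PACKAGE_BASE_RID` term is equivalent to the old `+ 0x10 * sid_sub_auth (sid, 0)`, so uid values of accounts that pass the filter are unchanged. The enclosing `pwdgrp::fetch_account_from_windows` starts and ends outside the hunk.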
@@ -2682,21 +2688,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
           fully_qualified_name = true;
           acc_type = SidTypeUnknown;
         }
-      else if (sid_id_auth (sid) == 12 && sid_sub_auth (sid, 0) == 1)
-        {
-          /* Special AzureAD group SID which can't be resolved by LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed as group entry, not as passwd entry. */
-          if (is_passwd ())
-            return NULL;
-          uid = gid = 0x1001;
-          wcpcpy (dom, L"AzureAD");
-          wcpcpy (name = namebuf, L"Group");
-          fully_qualified_name = true;
-          acc_type = SidTypeUnknown;
-        }
-      else if (sid_id_auth (sid) == 5 &&
-               sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
+      else if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
+               && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
         {
           /* Special IIS APPPOOL group SID which can't be resolved by LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed
@@ -2728,6 +2721,24 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
             }
           acc_type = SidTypeUnknown;
         }
+      else if (sid_id_auth (sid) == 12 /* AzureAD ID */
+               && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */)
+        {
+          /* Special AzureAD group SID which can't be resolved by LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed as group entry, not as passwd entry. */
+          if (is_passwd ())
+            return NULL;
+          uid = gid = 0x1001;
+          wcpcpy (dom, L"AzureAD");
+          wcpcpy (name = namebuf, L"Group");
+          fully_qualified_name = true;
+          acc_type = SidTypeUnknown;
+        }
+      else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */
+               && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID)
+        /* Filter out Capability SIDs */
+        return NULL;
       else if (sid_id_auth (sid) == 22)
         {
           /* Samba UNIX Users/Groups
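Review bot: The two new filters are not symmetric: the first hunk rejects every authority-15 SID whose first sub-authority is not `SECURITY_APP_PACKAGE_BASE_RID`, while the new branch here rejects only `SECURITY_CAPABILITY_BASE_RID`, so an unresolvable authority-15 SID with any other first sub-authority falls through to the `== 22` branch and whatever follows it outside the hunk. If dropping only Capability SIDs on the unresolvable path is deliberate, the comment should say why the narrower test is used here; otherwise `&& sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID` would make both paths agree. As in the surrounding branches, `sid_sub_auth (sid, 0)` is read before anything visible checks the SID's sub-authority count; this commit does not change that, but unless `sid_sub_auth` bounds-checks internally (not visible here) it is worth confirming since these tests decide whether an unrecognised SID becomes an account entry. The AzureAD block is the one removed in the previous hunk, moved unchanged apart from the added comments. The enclosing function continues outside the hunk.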