From dc7b67316d01c77d81ad6561869b9b89527c2ac8 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <corinna@vinschen.de>
Date: Fri, 2 Dec 2022 16:37:33 +0100
Subject: [PATCH] Cygwin: uinfo: prefer token primary group

internal_getlogin overwrites the process token primary group if it
differs from the primary group as stored in the passwd DB.

However, this also overwrites the primary group of the process if
it has been deliberately changed by a former process (e. g., newgrp),
and the current process has a non-Cygwin process as parent.

Our docs claim we restrict overwriting the primary group to local,
non-domain user accounts anyway, and it was actually meant this way.

So check for exactly that before overwriting the primary group
in the token:  It's only allowed if the user is a local account
and the primary group in the token is still the default group
"None".

Fixes: 6cc7c925ce861 ("(internal_getlogin): Give primary group
from user token more weight.")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
---
 winsup/cygwin/uinfo.cc | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index a96c5e7fc..db475d710 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -163,11 +163,20 @@ internal_getlogin (cygheap_user &user)
 
       user.set_name (pwd->pw_name);
       myself->uid = pwd->pw_uid;
-      myself->gid = pwd->pw_gid;
+      myself->gid = pgrp ? pgrp->gr_gid : pwd->pw_gid;
+
       /* If the primary group in the passwd DB is different from the primary
-	 group in the user token, we have to find the SID of that group and
-	 try to override the token primary group. */
-      if (!pgrp || myself->gid != pgrp->gr_gid)
+	 group in the user token, and if the primary group is the default
+	 group of a local user ("None", localized), we have to find the SID
+	 of that group and try to override the token primary group.  Also
+	 makes sure we're not on a domain controller, where account_sid ()
+	 == primary_sid (). */
+      gsid = cygheap->dom.account_sid ();
+      gsid.append (DOMAIN_GROUP_RID_USERS);
+      if (!pgrp
+	  || (myself->gid != pgrp->gr_gid
+	      && cygheap->dom.account_sid () != cygheap->dom.primary_sid ()
+	      && RtlEqualSid (gsid, user.groups.pgsid)))
 	{
 	  if (gsid.getfromgr (grp = internal_getgrgid (pwd->pw_gid, &cldap)))
 	    {