From 30782f7de4936bbc4c2e666cbaf587039c895fd3 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <corinna@vinschen.de>
Date: Mon, 18 Feb 2019 21:45:34 +0100
Subject: Cygwin: s4uauth: convert token to primary token

Up to Vista CreateProcessAsUser only worked with primary tokens,
so convert S4U impersonation token to primary token.  MSDN still
documents it that way, but actually an impersonation token is
sufficient since Windows 7.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
---
 winsup/cygwin/sec_auth.cc | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 316ae99..beff327 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1556,6 +1556,8 @@ msv1_0_auth:
   MSV1_0_S4U_LOGON *s4u_logon;
   USHORT user_len, domain_len;
 
+  /* Per MSDN MsV1_0S4ULogon is not implemented on Vista, but surprisingly
+     it works. */
   RtlInitAnsiString (&name, MSV1_0_PACKAGE_NAME);
   status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
   if (status != STATUS_SUCCESS)
@@ -1607,6 +1609,30 @@ out:
   if (profile)
     LsaFreeReturnBuffer (profile);
 
+  if (token)
+    {
+      /* Convert to primary token.  Strictly speaking this is only
+	 required on Vista/2008.  CreateProcessAsUser also takes
+	 impersonation tokens since Windows 7. */
+      HANDLE tmp_token;
+
+      if (DuplicateTokenEx (token, MAXIMUM_ALLOWED, &sec_none,
+			    SecurityImpersonation, TokenPrimary, &tmp_token))
+	{
+	  CloseHandle (token);
+	  token = tmp_token;
+	}
+      else
+	{
+	  __seterrno ();
+	  debug_printf ("DuplicateTokenEx %E");
+	  /* Make sure not to allow create_token. */
+	  status = STATUS_INVALID_HANDLE;
+	  CloseHandle (token);
+	  token = NULL;
+	}
+    }
+
   pop_self_privilege ();
   ret_status = status;
   return token;
-- 
cgit v1.1