When an Administrator creates a file or directory, the created
file/directory is owned not by the Administrator SID, but by the
_Administrators Group_ SID. The reason is that users with administrator
privileges usually run in unprivileged ("non-elevated") mode, and their
user SID does not change when running in elevated mode.
This is is relevant e.g. when running a GitHub workflow on a build
agent, which runs in elevated mode: cloning a Git repository in a script
step will cause the worktree to be owned by the Administrators Group
SID, for example.
Let's handle this case as following: if the current user is an
administrator, Git should consider a worktree owned by the
Administrators Group as if it were owned by said user.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
else if (sid && IsValidSid(sid)) {
/* Now, verify that the SID matches the current user's */
static PSID current_user_sid;
+ BOOL is_member;
if (!current_user_sid)
current_user_sid = get_current_user_sid();
IsValidSid(current_user_sid) &&
EqualSid(sid, current_user_sid))
result = 1;
+ else if (IsWellKnownSid(sid, WinBuiltinAdministratorsSid) &&
+ CheckTokenMembership(NULL, sid, &is_member) &&
+ is_member)
+ /*
+ * If owned by the Administrators group, and the
+ * current user is an administrator, we consider that
+ * okay, too.
+ */
+ result = 1;
else if (report &&
IsWellKnownSid(sid, WinWorldSid) &&
!acls_supported(path)) {
projects / thirdparty / git.git / commitdiff
