os/user: change Windows user lookup to treat accounts for well-known groups as valid.

dblohm7 · dblohm7 · commit af4ad6b47dda · 2022-10-27T15:15:48.000-06:00
Some built-in Windows accounts such as `NT AUTHORITY\SYSTEM` are considered to be users, but are classified by the OS as syscall.SidTypeWellKnownGroup, not as syscall.SidTypeUser. This change modifies account querying to consider both types to be valid. Fixes golang#49509 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
diff --git a/src/os/user/lookup_windows.go b/src/os/user/lookup_windows.go
@@ -84,13 +84,19 @@ func getProfilesDirectory() (string, error) {
 	}
 }
 
+// isValidUserAccountType returns true if acctType is a valid type for user accounts.
+func isValidUserAccountType(acctType uint32) bool {
+	// Some built-in system accounts are classified as well-known groups instead of users.
+	return acctType == syscall.SidTypeUser || acctType == syscall.SidTypeWellKnownGroup
+}
+
 // lookupUsernameAndDomain obtains the username and domain for usid.
 func lookupUsernameAndDomain(usid *syscall.SID) (username, domain string, e error) {
 	username, domain, t, e := usid.LookupAccount("")
 	if e != nil {
 		return "", "", e
 	}
-	if t != syscall.SidTypeUser {
+	if !isValidUserAccountType(t) {
 		return "", "", fmt.Errorf("user: should be user account type, not %d", t)
 	}
 	return username, domain, nil
@@ -324,7 +330,7 @@ func lookupUser(username string) (*User, error) {
 	if e != nil {
 		return nil, e
 	}
-	if t != syscall.SidTypeUser {
+	if !isValidUserAccountType(t) {
 		return nil, fmt.Errorf("user: should be user account type, not %d", t)
 	}
 	return newUserFromSid(sid)
diff --git a/src/os/user/lookup_windows_test.go b/src/os/user/lookup_windows_test.go
@@ -0,0 +1,17 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package user
+
+import (
+	"testing"
+)
+
+func TestLookupLocalSystem(t *testing.T) {
+	// The string representation of the SID for `NT AUTHORITY\SYSTEM`
+	const localSystemSID = "S-1-5-18"
+	if _, err := LookupId(localSystemSID); err != nil {
+		t.Fatalf("LookupId(%q): %v", localSystemSID, err)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -84,13 +84,19 @@ func getProfilesDirectory() (string, error) {`
`84`	`84`	`}`
`85`	`85`	`}`
`86`	`86`
	`87`	`+// isValidUserAccountType returns true if acctType is a valid type for user accounts.`
	`88`	`+func isValidUserAccountType(acctType uint32) bool {`
	`89`	`+ // Some built-in system accounts are classified as well-known groups instead of users.`
	`90`	`+ return acctType == syscall.SidTypeUser \|\| acctType == syscall.SidTypeWellKnownGroup`
	`91`	`+}`
	`92`	`+`
`87`	`93`	`// lookupUsernameAndDomain obtains the username and domain for usid.`
`88`	`94`	`func lookupUsernameAndDomain(usid *syscall.SID) (username, domain string, e error) {`
`89`	`95`	`username, domain, t, e := usid.LookupAccount("")`
`90`	`96`	`if e != nil {`
`91`	`97`	`return "", "", e`
`92`	`98`	`}`
`93`		`- if t != syscall.SidTypeUser {`
	`99`	`+ if !isValidUserAccountType(t) {`
`94`	`100`	`return "", "", fmt.Errorf("user: should be user account type, not %d", t)`
`95`	`101`	`}`
`96`	`102`	`return username, domain, nil`
`@@ -324,7 +330,7 @@ func lookupUser(username string) (*User, error) {`
`324`	`330`	`if e != nil {`
`325`	`331`	`return nil, e`
`326`	`332`	`}`
`327`		`- if t != syscall.SidTypeUser {`
	`333`	`+ if !isValidUserAccountType(t) {`
`328`	`334`	`return nil, fmt.Errorf("user: should be user account type, not %d", t)`
`329`	`335`	`}`
`330`	`336`	`return newUserFromSid(sid)`