Fix clone ownership under Windows Administrator Protection#2039
Draft
tyrielv wants to merge 1 commit into
Draft
Conversation
Under Windows "Administrator protection" (AP), an elevated process runs as a hidden, profile-separated shadow admin account (MACHINE\admin_<user>) whose SID is a local account (S-1-5-21-...) that differs from the real (non-elevated) user's SID. When `gvfs clone` runs elevated, the enlistment's `src` and `.git` directories are created owned by the Administrators group. EnsureDirectoryIsOwnedByCurrentUser then reassigned ownership to the current user to satisfy git's dubious-ownership check. Under AP the "current user" is the shadow admin, so ownership was set to admin_<user> — which the real user does not match. The real (non-elevated) user then hit `fatal: detected dubious ownership`, because git's Administrators-group membership grace does not cover another specific user's SID, and the shadow admin cannot SetOwner to the real user's SID either. Detect the AP shadow admin from the running process's own token — its effective elevation identity — and, when present, leave the directory owner as the Administrators group instead of reassigning it to the shadow admin. An Administrators-owned directory is accepted by modern git and the libgit2 non-elevated-admin-owner overlay for any Administrators member — the real user, the shadow admin, and SYSTEM (for automount) alike. Detection inspects the token rather than the TypeOfAdminApprovalMode policy value so it stays correct across an AP policy change that has not yet been rebooted (where the policy value is pending but elevation still yields a shadow admin). A shadow admin is identified as a local account SID (S-1-5-21-...) whose ProfileList profile directory is ADMIN_-prefixed; the real interactive user (a domain or Entra ID account) is excluded. Assisted-by: Claude Opus 4.8 Signed-off-by: Tyrie Vella <tyrielv@gmail.com>
a251e89 to
8164d13
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Under Windows Administrator protection (AP), an elevated process runs as a hidden, profile-separated shadow admin account (
MACHINE\admin_<user>) whose SID is a local account (S-1-5-21-…) that differs from the real, non-elevated user's SID.When
gvfs cloneruns elevated, the enlistment'ssrcand.gitdirectories are created owned by the Administrators group.EnsureDirectoryIsOwnedByCurrentUserthen reassigned ownership to the current user to satisfy git's dubious-ownership check. Under AP the "current user" is the shadow admin, so ownership was set toadmin_<user>.The real (non-elevated) user then hits:
because git's Administrators-group-membership grace does not cover another specific user's SID, and the shadow admin cannot
SetOwnerto the real user's SID either.Fix
Detect AP via
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!TypeOfAdminApprovalMode == 2. When AP is active, leave the directory owner as the Administrators group instead of reassigning it to the shadow admin.An
Administrators-owned directory is accepted by modern git and the libgit2non-elevated-admin-owneroverlay for any Administrators member — the real user, the shadow admin, andSYSTEM(for automount) alike. So skipping the reassignment under AP is correct for every consumer.When AP is not active, behavior is unchanged (owner reassigned to the current user, as before).
Changes
GVFS.Platform.Windows/WindowsPlatform.cs— addIsAdminApprovalModeEnabled()(readsTypeOfAdminApprovalMode).GVFS.Platform.Windows/WindowsFileSystem.cs— inEnsureDirectoryIsOwnedByCurrentUser, skip the Administrators→current-user reassignment when AP is active.Testing
GVFS.Platform.Windows, 0 warnings / 0 errors).Related
4e23d28a).