Cygwin: ACLs: don't allow special accounts as USER entry

While accounts from the BUILTIN, NT AUTHORITY, and NT SERVICE domains
can be owner of a file, they are always treated as group entries if they
show up as additional entrys in a Windows ACL.  Consequentially, it
shouldn't be possible to add or remove them as USER entry, for instance,
via setfacl.

Add a check to disallow BUILTIN, NT AUTHORITY, and NT SERVICE accounts
as USER entries in a POSIX ACL.

Fixes: bc444e5 ("Reapply POSIX ACL changes.")
Signed-off-by: Corinna Vinschen <[email protected]>

(cherry picked from commit 98112b9)

Author: github-cygwin

winsup/cygwin/release/3.6.1

@@ -20,3 +20,6 @@ Fixes:
   Addresses: https://cygwin.com/pipermail/cygwin/2025-March/257783.html
 
 - Fix reference counting when dlopen/dlclose a DLL with RTLD_NODELETE.
+
+- Disallow accounts from the BUILTIN, NT AUTHORITY, NT SERVICE domains
+  as USER entry in a POSIX ACL.  Only allow USER_OBJ, GROUP_OBJ and GROUP.

winsup/cygwin/sec/acl.cc

@@ -256,7 +256,21 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 	      }
 	  }
 	if (!aclsid[idx])
-	  aclsid[idx] = sidfromuid (aclbufp[idx].a_id, &cldap);
+	  {
+	    struct passwd *pw = internal_getpwuid (aclbufp[idx].a_id, &cldap);
+	    if (pw)
+	      {
+		/* Don't allow to pass special accounts as USER, only as
+		   USER_OBJ, GROUP_OBJ, or GROUP */
+#define BUILTIN	"U-BUILTIN\\"
+#define NT_AUTH "U-NT AUTHORITY\\"
+#define NT_SVC  "U-NT SERVICE\\"
+		if (strncmp (pw->pw_gecos, BUILTIN, strlen (BUILTIN)) != 0
+		    && strncmp (pw->pw_gecos, NT_AUTH, strlen (NT_AUTH)) != 0
+		    && strncmp (pw->pw_gecos, NT_SVC, strlen (NT_SVC)) != 0)
+		  aclsid[idx] = (PSID) ((pg_pwd *) pw)->sid;
+	      }
+	  }
 	break;
       case GROUP_OBJ:
 	aclsid[idx] = group;