From e6aa28d2679543b7012d82994e6fb3bff5a41eeb Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Wed, 26 Jun 2024 18:10:24 -0400
Subject: [PATCH] fix: Check if folder is owned by administrators group (#1429)

The code had checked the process or thread's SID to see if it matched the administrators group, but this will never be the case since the process or thread is running as some user. If the folder token is that of the administrators group, then at that point we can check membership of the current thread SID in it.
---
 gix-sec/src/identity.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gix-sec/src/identity.rs b/gix-sec/src/identity.rs
index a9633b18f8a..3e260e72305 100644
--- a/gix-sec/src/identity.rs
+++ b/gix-sec/src/identity.rs
@@ -187,12 +187,12 @@ mod impl_ {
 }
 // Admin-group owned folders are considered owned by the current user, if they are in the admin group
- if IsWellKnownSid(token_owner, WinBuiltinAdministratorsSid) == 0 {
+ if IsWellKnownSid(folder_owner, WinBuiltinAdministratorsSid) == 0 {
 return Ok(false);
 }
 let mut is_member = 0;
- if CheckTokenMembership(0, token_owner, &mut is_member) == 0 {
+ if CheckTokenMembership(0, folder_owner, &mut is_member) == 0 {
 error!("Couldn't check if user is an administrator");
 }
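Review bot: The comment above the `IsWellKnownSid(folder_owner, …)` check says an admin-group folder counts as owned "if they are in the admin group", but `CheckTokenMembership(0, folder_owner, &mut is_member)` with a null token handle evaluates the caller's effective token and reports membership only when the SID is enabled there. Under UAC a non-elevated process of an administrator account therefore gets `is_member == 0`, which is the safer outcome for a trust decision but is not what the comment suggests. I would state that next to the call, e.g. `// Null token = effective token of this thread; only an *enabled* Administrators SID counts, so non-elevated admins are not treated as owners.` The use of `is_member` and the definition of `error!` lie outside the hunk, so whether a failed call returns early cannot be confirmed from here.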