Re: Please, backport compress_gz.cc patch for setup-200206 branch was Re: ntsec patch for setup

2003-03-03 Thread Max Bowsher
Pavel Tsekov wrote:
 On Fri, 28 Feb 2003, Pavel Tsekov wrote:

 I also propose this patch to be backported to the 200206 branch. It helps
 in cases where one does a new install and installs a lot of packages.

 http://sources.redhat.com/cgi-bin/cvsweb.cgi/setup/compress_gz.cc.diff?r1=2.5&r2=2.6&cvsroot=cygwin-apps

 Is there any reason not to backport this patch? Without it, one can
 experience random crashes, which will effectively prevent her/him from
 installing Cygwin from scratch.

 See also:
 http://sources.redhat.com/ml/cygwin-apps/2002-07/msg00066.html

I've not really taken the time to understand that section of the setup
codebase, so I can't comment on the patch, but if Robert confirms it is
desirable, I'll commit it ASAP if he doesn't.


Max.



Re: ntsec patch for setup

2003-02-28 Thread Pavel Tsekov
Here is the same patch modified to be applied on main.cc from
setup-200207 branch.

On Fri, 10 Jan 2003, Pierre A. Humblet wrote:

 This is the patch mentioned in the previous e-mail. It seems
 to work fine on NT and an early version was tested on 2000 (there
 are differences). 
 
 Essentially the installed files should be in the Users or 
 Admins groups instead of None.
 Nothing changes if the user running setup does not have the
 None gid.
 
 Pierre
 
 2003/01/10  Pierre Humblet  [EMAIL PROTECTED]
 
   * main.cc (set_default_dacl): Replace with set_default_sec.
   (set_default_sec): Attempt to change the default group to
   Users or Administrators if it is None, in addition to setting
   Everyone in the default DACL. 
   (main): Call set_default_sec instead of set_default_dacl.
Index: main.cc
===
RCS file: /cvs/cygwin-apps/setup/main.cc,v
retrieving revision 2.18
diff -u -p -r2.18 main.cc
--- main.cc 4 May 2002 12:15:56 -   2.18
+++ main.cc 28 Feb 2003 11:26:55 -
@@ -74,13 +74,15 @@ HINSTANCE hinstance;
 #define iswinnt(GetVersion()  0x8000)
 
 void
-set_default_dacl ()
+set_default_sec ()
 {
   /* To assure that the created files have a useful ACL, the 
  default DACL in the process token is set to full access to
  everyone. This applies to files and subdirectories created
  in directories which don't propagate permissions to child
- objects. */
+ objects.
+ To assure that the files group is meaningful, a token primary
+ group of None is changed to Users or Administrators. */
 
   /* Create a buffer which has enough room to contain the TOKEN_DEFAULT_DACL
  structure plus an ACL with one ACE. */
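Review bot: The added comment sentence ("a token primary group of None is changed to Users or Administrators") does not say which of the two is preferred when the token carries both, nor that nothing is changed when the primary group is not None, which the cover message states. Both belong in this comment so the next reader does not have to trace the code; "files group" should also read "files' group".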
@@ -98,20 +100,29 @@ set_default_dacl ()
   return;
 }
 
-  /* Get the SID for Everyone. */
-  PSID sid;
+  PSID esid = NULL, asid = NULL, usid = NULL;
+  HANDLE token = NULL;
+  struct {
+PSID psid;
+char buf[MAX_SID_LEN];
+  } gsid;
+  char lsid[MAX_SID_LEN];
+  char compname[MAX_COMPUTERNAME_LENGTH + 1];
+  char domain[MAX_COMPUTERNAME_LENGTH + 1];
+  DWORD size;
+
   SID_IDENTIFIER_AUTHORITY sid_auth = { SECURITY_WORLD_SID_AUTHORITY };
-  if (!AllocateAndInitializeSid (sid_auth, 1, 0, 0, 0, 0, 0, 0, 0, 0, sid))
+  if (!AllocateAndInitializeSid (sid_auth, 1, 0, 0, 0, 0, 0, 0, 0, 0, esid))
 {
   log (LOG_TIMESTAMP)  AllocateAndInitializeSid() failed:  
   GetLastError ()  endLog;
-  return;
+  goto out;
 }
 
   /* Create the ACE which grants full access to Everyone and store it
  in dacl-DefaultDacl. */
   if (!AddAccessAllowedAce
-  (dacl-DefaultDacl, ACL_REVISION, GENERIC_ALL, sid))
+  (dacl-DefaultDacl, ACL_REVISION, GENERIC_ALL, esid))
 {
   log (LOG_TIMESTAMP)  AddAccessAllowedAce() failed: %lu  
   GetLastError ()  endLog;
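Review bot: The AllocateAndInitializeSid failure path now leaves through `goto out` instead of `return`, and esid, asid, usid and token all start out NULL at the top of this hunk, so the cleanup at `out:` (not among the posted lines) has to skip FreeSid and CloseHandle for anything that is still NULL. The AddAccessAllowedAce failure branch is cut off by the hunk boundary; check that it also exits through `out`, otherwise esid stays allocated on that path.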
@@ -119,7 +130,6 @@ set_default_dacl ()
 }
 
   /* Get the processes access token. */
-  HANDLE token;
   if (!OpenProcessToken (GetCurrentProcess (),
 TOKEN_READ | TOKEN_ADJUST_DEFAULT, token))
 {
@@ -132,13 +142,111 @@ set_default_dacl ()
   if (!SetTokenInformation (token, TokenDefaultDacl, dacl, sizeof buf))
 log (LOG_TIMESTAMP)  OpenProcessToken() failed:   GetLastError ()
endLog;
+  /* Get the default group */
+  if (!GetTokenInformation (token, TokenPrimaryGroup, gsid, sizeof gsid, size))
+{
+  log (LOG_TIMESTAMP)  GetTokenInformation() failed:  
+   GetLastError ()  endLog;
+  goto out;
+}
 
+  /* Get the computer name */
+  if (!GetComputerName (compname, (size = sizeof compname, size)))
+{
+  log (LOG_TIMESTAMP)  GetComputerName() failed:  
+   GetLastError ()  endLog;
+  goto out;
+}
+
+  /* Get the local domain SID */
+  SID_NAME_USE use;
+  DWORD sz;
+  if (!LookupAccountName (NULL, compname, lsid, (size = sizeof lsid, size),
+ domain, (sz = sizeof domain, sz), use))
+{
+  log (LOG_TIMESTAMP)  LookupAccountName() failed:  
+   GetLastError ()  endLog;
+  goto out;
+}
+
+  /* Create the None SID from the domain SID.
+ On NT the last subauthority of a domain is -1 and it is replaced by the RID.
+ On other systems the RID is appended. */
+  sz = *GetSidSubAuthorityCount (lsid);
+  if (*GetSidSubAuthority (lsid, sz -1) != (DWORD) -1)
+*GetSidSubAuthorityCount (lsid) = ++sz;
+  *GetSidSubAuthority (lsid, sz -1) = DOMAIN_GROUP_RID_USERS;
+
+  /* See if the group is None */
+  if (EqualSid (gsid.psid, lsid))
+{
+  bool isadmins = false, isusers = false;
+  sid_auth = (SID_IDENTIFIER_AUTHORITY) { SECURITY_NT_AUTHORITY };
+  /* Get the SID for Administrators S-1-5-32-544 */
+  if (!AllocateAndInitializeSid (sid_auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
+DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, asid))
+{
+ log (LOG_TIMESTAMP)  AllocateAndInitializeSid() 
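Review bot: The None SID is built by editing lsid in place, and `*GetSidSubAuthorityCount (lsid) = ++sz;` grows the SID by one sub-authority without checking that it still fits; that is safe only if MAX_SID_LEN, whose definition is not in these hunks, leaves room for one more sub-authority than LookupAccountName returned, so a comment or an explicit check would help. Two smaller points: the context line just above the added block logs "OpenProcessToken() failed" for a SetTokenInformation failure, which will mislead anyone reading the log now that more token calls follow it, and the posted patch breaks off in the middle of this hunk, so the rest of the group-change logic and the `out:` label cannot be reviewed from this message.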

Re: ntsec patch for setup

2003-02-28 Thread Robert Collins
On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
 Here is the same patch modified to be applied on main.cc from
 setup-200207 branch.

This looks reasonable. Pavel, if you have write access, please commit to
the setup-200207 branch, otherwise, Max - if you have time could you?

Failing that, I'll commit on Sunday. Either way, I'll build a release of
this and upload to the snapshots page sunday.

Cheers,
Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.


signature.asc
Description: This is a digitally signed message part


Re: ntsec patch for setup

2003-02-28 Thread Pierre A. Humblet
Robert Collins wrote:
 
 On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
  Here is the same patch modified to be applied on main.cc from
  setup-200207 branch.
 
 This looks reasonable. Pavel, if you have write access, please commit to
 the setup-200207 branch, otherwise, Max - if you have time could you?
 
 Failing that, I'll commit on Sunday. Either way, I'll build a release of
 this and upload to the snapshots page sunday.
 
Will that version still generate passwd-grp.bat from internal data?
If so, domain users will continue to suffer.

On the other hand if it doesn't, then we MUST update passwd-grp.sh
or we fly right into the mountain.

Pierre


RE: ntsec patch for setup

2003-02-28 Thread Morrison, John
Sorry guys, that should have been to the list.

 From: Pierre A. Humblet [mailto:[EMAIL PROTECTED]
 
 Robert Collins wrote:
  
  On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
   Here is the same patch modified to be applied on main.cc from
   setup-200207 branch.
  
  This looks reasonable. Pavel, if you have write access, 
 please commit to
  the setup-200207 branch, otherwise, Max - if you have time 
 could you?
  
  Failing that, I'll commit on Sunday. Either way, I'll build 
 a release of
  this and upload to the snapshots page sunday.
  
 Will that version still generate passwd-grp.bat from internal data?
 If so, domain users will continue to suffer.
 
 On the other hand if it doesn't, then we MUST update passwd-grp.sh
 or we fly right into the mountain.

If you send me the required updates I'll host a new package.  I don't
have time to do more :(

J.




Re: ntsec patch for setup

2003-02-28 Thread Pavel Tsekov
On Fri, 28 Feb 2003, Pierre A. Humblet wrote:

 Robert Collins wrote:
  
  On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
   Here is the same patch modified to be applied on main.cc from
   setup-200207 branch.
  
  This looks reasonable. Pavel, if you have write access, please commit to
  the setup-200207 branch, otherwise, Max - if you have time could you?
  
  Failing that, I'll commit on Sunday. Either way, I'll build a release of
  this and upload to the snapshots page sunday.
  
 Will that version still generate passwd-grp.bat from internal data?
 If so, domain users will continue to suffer.
 
 On the other hand if it doesn't, then we MUST update passwd-grp.sh
 or we fly right into the mountain.

Pierre, please advise how to proceed. I can create the necessary patches 
to backport the removal of the code which creates passwd-grp.bat. I don't 
think it would be a big deal. Are there any other changes necessary?




Re: ntsec patch for setup

2003-02-28 Thread Max Bowsher
Robert Collins wrote:
 On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
 Here is the same patch modified to be applied on main.cc from
 setup-200207 branch.

 This looks reasonable. Pavel, if you have write access, please commit
 to the setup-200207 branch, otherwise, Max - if you have time could
 you?

 Failing that, I'll commit on Sunday. Either way, I'll build a release
 of this and upload to the snapshots page sunday.

The current release setup is the setup-200206 branch. There is presumably
some reason why the setup-200207 branch fizzled into inactivity with only a
snapshot, and no actual release.

I can commit ASAP, once this issue is talked out, but I think it might be
wise to use 200206 for an interim release now, unless Robert is very sure
200207 is OK.


Max.



Re: ntsec patch for setup

2003-02-28 Thread Pavel Tsekov
On Fri, 28 Feb 2003, Max Bowsher wrote:

 Robert Collins wrote:
  On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
  Here is the same patch modified to be applied on main.cc from
  setup-200207 branch.
 
  This looks reasonable. Pavel, if you have write access, please commit
  to the setup-200207 branch, otherwise, Max - if you have time could
  you?
 
  Failing that, I'll commit on Sunday. Either way, I'll build a release
  of this and upload to the snapshots page sunday.
 
 The current release setup is the setup-200206 branch. There is presumably
 some reason why the setup-200207 branch fizzled into inactivity with only a
 snapshot, and no actual release.
 
 I can commit ASAP, once this issue is talked out, but I think it might be
 wise to use 200206 for an interim release now, unless Robert is very sure
 200207 is OK.

Ooops! Right. Should be 200206.

Anyway the patch I've posted earlier is against the same version of 
main.cc - version 2.18. So it should apply to 200206 too.




Re: ntsec patch for setup

2003-02-28 Thread Pierre A. Humblet
Morrison, John wrote:

   BTW, this script doesn't add any domain users...
  
  -c adds the current user, if a domain user.
  If you are on a domain account at work, please test it,
  it takes a few seconds.
 
 Just did.  How does it cope if it can't access the domain?

It doesn't even try. It squeezes all the information it can 
from the local machine, e.g. HOMEDRIVE/HOMEPATH to find the
home directory.

Pierre


Re: ntsec patch for setup

2003-02-28 Thread Robert Collins
On Sat, 2003-03-01 at 01:32, Max Bowsher wrote:


 I can commit ASAP, once this issue is talked out, but I think it might be
 wise to use 200206 for an interim release now, unless Robert is very sure
 200207 is OK.

200206. I wasn't thinking for a sec there.

Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.




Re: ntsec patch for setup

2003-02-28 Thread Max Bowsher
Robert Collins wrote:
 On Sat, 2003-03-01 at 01:32, Max Bowsher wrote:


 I can commit ASAP, once this issue is talked out, but I think it
 might be wise to use 200206 for an interim release now, unless
 Robert is very sure 200207 is OK.

 200206. I wasn't thinking for a sec there.

Right.

I've built setup from 200206 with ntsec patch as backported by Pavel. I ran
into other problems:

1) I had to merge these fixes, which enable building of setup with gcc-2.
cvs upd -kk -j2.22 -j2.23 Makefile.am
cvs upd -kk -j2.84 -j2.85 Makefile.in
cvs upd -kk -j1.5 -j1.6 libgetopt++/Makefile.am

They are to do with erroneous inclusion of -lstdc++ (which is of course
gcc3's now)

2) gcc2 (not g++2) chokes on some lines in /usr/include/mingw/string.h. I
had to patch as below, adding prototypes before the functions declared
inline.

I propose to commit the backported ntsec patch and gcc-2 fixes when I
return, in about 2 hours.

I see Pavel has just sent in a passwd-grp.bat removal patch just now. I'll
apply that once it gets the OK from Robert.


Max.

Patch follows:

--- /usr/include/mingw/string.h.orig 2003-02-28 15:07:21.0 +
+++ /usr/include/mingw/string.h 2003-02-28 15:12:50.0 +
 -162,12 +162,16 
 int strcmpi (const char*, const char*);
 int stricmp (const char*, const char*);
 extern __inline__ int
+strcasecmp (const char * __sz1, const char * __sz2);
+extern __inline__ int
 strcasecmp (const char * __sz1, const char * __sz2)
   {return _stricmp (__sz1, __sz2);}
 int stricoll (const char*, const char*);
 char* strlwr (char*);
 int strnicmp (const char*, const char*, size_t);
 extern __inline__ int
+strncasecmp (const char * __sz1, const char * __sz2, size_t
__sizeMaxCompare);
+extern __inline__ int
 strncasecmp (const char * __sz1, const char * __sz2, size_t
__sizeMaxCompare)
   {return _strnicmp (__sz1, __sz2, __sizeMaxCompare);}
 char* strnset (char*, int, size_t);
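Review bot: The added strncasecmp prototype is wrapped by the mailer and its continuation line `__sizeMaxCompare);` carries no `+`, so together with the hunk headers as shown here (no `@@` markers) the patch will not apply as posted; resend it as an attachment or with line wrapping turned off. When doing so, a one-line comment above each added prototype saying it is there for gcc 2 in C mode would keep it from being removed later as a redundant duplicate of the inline definition.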
 -180,6 +184,8 

 /* NOTE: There is no _wcscmpi, but this is for compatibility. */
 extern __inline__ int
+wcscmpi (const wchar_t * __ws1, const wchar_t * __ws2);
+extern __inline__ int
 wcscmpi (const wchar_t * __ws1, const wchar_t * __ws2)
   {return _wcsicmp (__ws1, __ws2);}
 wchar_t* wcsdup (wchar_t*);
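Review bot: The added wcscmpi prototype sits directly under the existing NOTE comment with nothing to explain why the function is now declared twice. Extend that comment, or add one line, to say the separate prototype is needed by gcc 2 when compiling C, as the covering message describes.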



Re: ntsec patch for setup

2003-02-28 Thread Pavel Tsekov
On Fri, 28 Feb 2003, Pavel Tsekov wrote:

  2) gcc2 (not g++2) chokes on some lines in /usr/include/mingw/string.h. I
  had to patch as below, adding prototypes before the functions declared
  inline.
 
 There are also some complaints about autoload.c. Will see what I can do.

The attached patch will cure some of the warnings in autoload.c, but not 
all. I don't know how to fix the others. It's too cryptic for me ;)

The patch fixes these warnings:

../setup/autoload.c:36: warning: initialization discards qualifiers from 
pointer target type
../setup/autoload.c:49: warning: initialization discards qualifiers from 
pointer target type
../setup/autoload.c:63: warning: function declaration isn't a prototype

These I cannot handle:

../setup/autoload.c:36: warning: `wininet_info' defined but not used
../setup/autoload.c:49: warning: `advapi32_info' defined but not used
../setup/autoload.c:67: warning: `autoload_common' defined but not used
Index: autoload.c
===
RCS file: /cvs/cygwin-apps/setup/autoload.c,v
retrieving revision 2.3
diff -u -p -r2.3 autoload.c
--- autoload.c  13 Nov 2001 01:49:31 -  2.3
+++ autoload.c  28 Feb 2003 16:31:49 -
@@ -19,7 +19,7 @@ static const char *cvsid = \n%%% $Id: a
 #include win32.h
 
 typedef struct {
-  char *name;
+  const char *name;
   HINSTANCE handle;
 } DllInfo;
 
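Review bot: Making `DllInfo.name` a `const char *` is only correct if nothing in autoload.c writes through `name` or passes it to a parameter declared `char *`, and these lines do not show its users. Rebuild the whole file with warnings on and confirm no new "discards qualifiers" warning appears at a use site in place of the two at the initialisers.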
@@ -60,7 +60,7 @@ typedef struct {
   char name[100];
 } AutoEntry;
 
-static void autoload_common () __asm__ (autoload_common);
+static void autoload_common (int) __asm__ (autoload_common);
 
 static void
 autoload_common (int x)
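Review bot: The declaration changed here binds autoload_common to an assembler name with `__asm__`, which suggests the function is entered from hand-written assembly rather than through an ordinary C call, so the prototype only documents what that assembly must supply. Adding `(int)` does match the definition `autoload_common (int x)` in the context lines, but it deserves a comment on where the argument comes from, and the change should be checked against the assembly stubs before it is committed.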


Re: ntsec patch for setup

2003-02-28 Thread Robert Collins
On Sat, 2003-03-01 at 05:23, Max Bowsher wrote:
 Robert Collins wrote:
  On Fri, 2003-02-28 at 22:44, Pavel Tsekov wrote:
  Here is the same patch modified to be applied on main.cc from
  setup-200207 branch.
  
  This looks reasonable. Pavel, if you have write access, please commit
  to the setup-200207 branch, otherwise, Max - if you have time could
  you? 
 
 If this is OK for branch, is it ok for HEAD, as well?

Yes - I'd meant to apply it a while back actually :].

Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.




Re: ntsec patch for setup

2003-02-28 Thread Robert Collins
On Sat, 2003-03-01 at 02:54, Max Bowsher wrote:


 I've built setup from 200206 with ntsec patch as backported by Pavel. I ran
 into other problems:
 
 1) I had to merge these fixes, which enable building of setup with gcc-2.
 cvs upd -kk -j2.22 -j2.23 Makefile.am
 cvs upd -kk -j2.84 -j2.85 Makefile.in
 cvs upd -kk -j1.5 -j1.6 libgetopt++/Makefile.am

I haven't reviewed these for 200206, but as you need them for 200206
please check the updated files in, with one exception:
don't alter libgetopt. It's not branched as I recall, as it's an
external dependency. If it is branched, then it's fine to commit the
update.

If it's not branched, there should be some LDFLAGS or CXXFLAGS to get it
to build and link ok. Also, we don't need to get the fixed version into
CVS as the setup source is distributed via itself :}. You can use 'make
release' to create the requisite files.

 2) gcc2 (not g++2) chokes on some lines in /usr/include/mingw/string.h. I
 had to patch as below, adding prototypes before the functions declared
 inline.
 
 I propose to commit the backported ntsec patch and gcc-2 fixes when I
 return, in about 2 hours.

Please do.

 I see Pavel has just sent in a passwd-grp.bat removal patch just now. I'll
 apply that once it gets the OK from Robert.
 
 
 Max.
 
 Patch follows:
 
 --- /usr/include/mingw/string.h.orig 2003-02-28 15:07:21.0 +
 +++ /usr/include/mingw/string.h 2003-02-28 15:12:50.0 +

You might want to send a patch for this to cygwin-patches :}.

Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.




Re: ntsec patch for setup

2003-02-28 Thread Robert Collins
On Sat, 2003-03-01 at 03:41, Pavel Tsekov wrote:
 On Fri, 28 Feb 2003, Pavel Tsekov wrote:
 
   2) gcc2 (not g++2) chokes on some lines in /usr/include/mingw/string.h. I
   had to patch as below, adding prototypes before the functions declared
   inline.
  
  There are also some complaints about autoload.c. Will see what I can do.
 
 The attached patch will cure some of the warnings in autoload.c, but not 
 all. I don't know how to fix the others. It's too cryptic for me ;)

Uhmm, don't touch autoload!

Just disable warnings for autoload.c.

Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.




Re: ntsec patch for setup

2003-02-28 Thread Robert Collins
On Tue, 2003-01-21 at 14:00, Pierre A. Humblet wrote:
 At 10:24 PM 1/19/2003 -, Max Bowsher wrote:
  I'd suggest something like this:
 
 if (isusers)
 {
     nsid = usid;
     log(LOG_TIMESTAMP) << "Changing gid to Users" << endLog;
 }
 else if (isadmins)
 {
     nsid = asid;
     log(LOG_TIMESTAMP) << "Changing gid to Administrators" << endLog;
 }
 
 OK, I will wait for Rob comments and add this if Rob doesn't find
 it easier to include it himself.

Max, while you're committing things, please throw the above into the
mix. Logging may be essential for diagnosing issues.

Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.




Re: ntsec patch for setup

2003-02-28 Thread Max Bowsher
Robert Collins wrote:
 On Sat, 2003-03-01 at 02:54, Max Bowsher wrote:
 I've built setup from 200206 with ntsec patch as backported by
 Pavel. I ran into other problems:

 1) I had to merge these fixes, which enable building of setup with
 gcc-2. cvs upd -kk -j2.22 -j2.23 Makefile.am
 cvs upd -kk -j2.84 -j2.85 Makefile.in
 cvs upd -kk -j1.5 -j1.6 libgetopt++/Makefile.am

 I haven't reviewed these for 200206, but as you need them for 200206
 please check the updated files in, with one exception:
 don't alter libgetopt. It's not branched as I recall, as it's an
 external dependency. If it is branched, then it's fine to commit the
 update.

Libgetopt++ is branched, and the stuff is committed already.

 --- /usr/include/mingw/string.h.orig 2003-02-28 15:07:21.0
 + +++ /usr/include/mingw/string.h 2003-02-28 15:12:50.0
 +

 You might want to send a patch for this to cygwin-patches :}.

Silly me. Oh well, I've raised the issue on cygwin and [EMAIL PROTECTED],
so I'll see what response it gets first.


Max.



Re: ntsec patch for setup

2003-02-28 Thread Max Bowsher
Robert Collins wrote:
 On Sat, 2003-03-01 at 03:41, Pavel Tsekov wrote:
 On Fri, 28 Feb 2003, Pavel Tsekov wrote:

 2) gcc2 (not g++2) chokes on some lines in
 /usr/include/mingw/string.h. I had to patch as below, adding
 prototypes before the functions declared inline.

 There are also some complaints about autoload.c. Will see what I
 can do.

 The attached patch will cure some of the warnings in autoload.c, but
 not all. I don't know how to fix the others. It's too cryptic for me
 ;)

 Uhmm, don't touch autoload!

 Just disable warnings for autoload.c.

The warnings are only warnings, and are *not* treated as errors. No change
needed.


Max.



Re: ntsec patch for setup

2003-01-20 Thread Pierre A. Humblet
At 10:24 PM 1/19/2003 -, Max Bowsher wrote:
 I'd suggest something like this:

if (isusers)
{
    nsid = usid;
    log(LOG_TIMESTAMP) << "Changing gid to Users" << endLog;
}
else if (isadmins)
{
    nsid = asid;
    log(LOG_TIMESTAMP) << "Changing gid to Administrators" << endLog;
}

OK, I will wait for Rob comments and add this if Rob doesn't find
it easier to include it himself.

Pierre




Re: ntsec patch for setup

2003-01-19 Thread Max Bowsher
Pierre A. Humblet wrote:
 This is the patch mentioned in the previous e-mail. It seems
 to work fine on NT and an early version was tested on 2000 (there
 are differences).

 Essentially the installed files should be in the Users or
 Admins groups instead of None.
 Nothing changes if the user running setup does not have the
 None gid.

Sounds like this should mitigate most new users' ntsec problems.

It would probably be nice to add some logging to the success case, so it's
easier to see that it has actually taken effect.

I don't understand this code:
+  isadmins = isadmins || EqualSid(groups-Groups[pg].Sid, asid);
+  isusers = isusers || EqualSid(groups-Groups[pg].Sid, usid);

If I'm reading it right, isadmins and isusers were initialized as false
several lines above, and not touched since - so why not a direct assignment?

Max.




Re: ntsec patch for setup

2003-01-19 Thread Pierre A. Humblet
At 06:25 PM 1/19/2003 -, Max Bowsher wrote:
 Pierre A. Humblet wrote:
 It would probably be nice to add some logging to the success case, so it's
 easier to see that it has actually taken effect.

OK. Good idea. I don't mind doing it but you know better
what formats to use etc.. to fit with the rest. Let me
know how you want to proceed.

 I don't understand this code:
+  isadmins = isadmins || EqualSid(groups-Groups[pg].Sid, asid);
+  isusers = isusers || EqualSid(groups-Groups[pg].Sid, usid);

 If I'm reading it right, isadmins and isusers were initialized as false
 several lines above, and not touched since - so why not a direct assignment?

That's in the pg loop. So the effect is to set isadmins or isusers
to true if the admins or users sids are found anywhere in the token 
groups. A direct assignment would in effect only consider the last
sid in the groups array.

Pierre
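
The None-SID construction from the patch comment and the OR-accumulation over the token groups that Pierre explains above, as an added example that is not code from the thread or from setup. It is a portable C model: `model_sid`, the function names and the sample SIDs are assumptions standing in for the Win32 SID type and calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for a Windows SID; model_sid is hypothetical, not Win32. */
#define MAX_SUBAUTH 15
typedef struct {
  uint8_t authority;            /* 5 = NT authority, 1 = world */
  uint8_t count;                /* sub-authorities in use */
  uint32_t sub[MAX_SUBAUTH];
} model_sid;

#define RID_NONE 513u           /* DOMAIN_GROUP_RID_USERS, "None" on a local machine */
typedef enum { KEEP_GROUP, USE_USERS, USE_ADMINS } group_choice;
static const model_sid BUILTIN_ADMINS = { 5, 2, { 32, 544 } };  /* S-1-5-32-544 */
static const model_sid BUILTIN_USERS = { 5, 2, { 32, 545 } };   /* S-1-5-32-545 */

/* Constructed sample data, not taken from the thread. */
static const model_sid SAMPLE_MACHINE = { 5, 4, { 21, 1111, 2222, 3333 } };
static const model_sid SAMPLE_MACHINE_NT = { 5, 5, { 21, 1111, 2222, 3333, UINT32_MAX } };
static const model_sid SAMPLE_NONE = { 5, 5, { 21, 1111, 2222, 3333, RID_NONE } };
static const model_sid SAMPLE_GROUPS[3] = {
  { 5, 2, { 32, 545 } },        /* BUILTIN\Users, first in the list */
  { 1, 1, { 0 } },              /* Everyone, S-1-1-0 */
  { 5, 1, { 11 } },             /* Authenticated Users, S-1-5-11, last */
};

static bool sid_equal (const model_sid *a, const model_sid *b)
{
  return a->authority == b->authority && a->count == b->count
    && memcmp (a->sub, b->sub, a->count * sizeof a->sub[0]) == 0;
}

/* None SID from the machine SID: overwrite a trailing -1 placeholder,
   otherwise append the RID. Fails instead of writing past the array. */
static bool make_none_sid (const model_sid *machine, model_sid *out)
{
  *out = *machine;
  if (out->count > 0 && out->sub[out->count - 1] == UINT32_MAX)
    out->sub[out->count - 1] = RID_NONE;
  else if (out->count < MAX_SUBAUTH)
    out->sub[out->count++] = RID_NONE;
  else
    return false;
  return true;
}

/* Direct assignment inside the loop: only the last entry decides. */
static bool last_entry_only (const model_sid *g, size_t n, const model_sid *want)
{
  bool hit = false;
  for (size_t pg = 0; pg < n; pg++)
    hit = sid_equal (&g[pg], want);
  return hit;
}

/* Pick the new primary group: only if it is None, Users before Admins. */
static group_choice choose_group (const model_sid *machine, const model_sid *primary,
                                  const model_sid *groups, size_t ngroups)
{
  model_sid none;
  bool isadmins = false, isusers = false;
  if (!make_none_sid (machine, &none) || !sid_equal (primary, &none))
    return KEEP_GROUP;          /* primary group is not None: change nothing */
  for (size_t pg = 0; pg < ngroups; pg++)
    {                           /* OR-accumulate so an early match sticks */
      isadmins = isadmins || sid_equal (&groups[pg], &BUILTIN_ADMINS);
      isusers = isusers || sid_equal (&groups[pg], &BUILTIN_USERS);
    }
  return isusers ? USE_USERS : isadmins ? USE_ADMINS : KEEP_GROUP;
}

int main (void)
{
  printf ("plain=%d nt=%d last_only=%d\n",
          choose_group (&SAMPLE_MACHINE, &SAMPLE_NONE, SAMPLE_GROUPS, 3),
          choose_group (&SAMPLE_MACHINE_NT, &SAMPLE_NONE, SAMPLE_GROUPS, 3),
          last_entry_only (SAMPLE_GROUPS, 3, &BUILTIN_USERS));
  return 0;
}
```

With Users first in the sample group list, the accumulating loop still selects Users, while the direct-assignment variant reports no match because the last entry is a different group.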




Re: ntsec patch for setup

2003-01-19 Thread Robert Collins
On Sat, 2003-01-11 at 14:36, Pierre A. Humblet wrote:
 This is the patch mentioned in the previous e-mail. It seems
 to work fine on NT and an early version was tested on 2000 (there
 are differences). 
 

I'll be looking at this shortly - I am for it in principle.

Rob
-- 
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.





Re: ntsec patch for setup

2003-01-19 Thread Max Bowsher
Pierre A. Humblet wrote:
 At 06:25 PM 1/19/2003 -, Max Bowsher wrote:
 Pierre A. Humblet wrote:
 It would probably be nice to add some logging to the success case,
 so it's easier to see that it has actually taken effect.

 OK. Good idea. I don't mind doing it but you know better
 what formats to use etc.. to fit with the rest. Let me
 know how you want to proceed.

Formats? What formats? :-) Setup already has some badly punctuated /
badly spelt log strings. Anyway, I'd suggest something like this:

if (isusers)
{
    nsid = usid;
    log(LOG_TIMESTAMP) << "Changing gid to Users" << endLog;
}
else if (isadmins)
{
    nsid = asid;
    log(LOG_TIMESTAMP) << "Changing gid to Administrators" << endLog;
}

 I don't understand this code:
 +  isadmins = isadmins || EqualSid(groups-Groups[pg].Sid, asid);
 +  isusers = isusers || EqualSid(groups-Groups[pg].Sid, usid);

 If I'm reading it right, isadmins and isusers were initialized as
 false several lines above, and not touched since - so why not a
 direct assignment?

 That's in the pg loop. So the effect is to set isadmins or isusers
 to true if the admins or users sids are found anywhere in the token
 groups. A direct assignment would in effect only consider the last
 sid in the groups array.

*I must pay more attention!*

Max.