permcheck: fix nil owner

internal/permcheck/migrate_windows.go

@@ -71,14 +71,11 @@ func migrate(ctx context.Context, logger *slog.Logger, workDir, _, _, _, _ strin
 		return
 	}
 
-	owner, err = adminsIfNot(owner)
-	switch {
-	case err != nil:
+	admins, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+	if err != nil {
 		l.ErrorContext(ctx, "creating administrators sid", slogutil.KeyError, err)
-	case owner == nil:
-		l.DebugContext(ctx, "owner is already an administrator")
-	default:
-		l.InfoContext(ctx, "migrating owner", "sid", owner)
+
+		return
 	}
 
 	// TODO(e.burkov):  Check for duplicates?
@@ -120,7 +117,15 @@ func migrate(ctx context.Context, logger *slog.Logger, workDir, _, _, _, _ strin
 	}
 
 	if setACL {
-		accessEntries = append(accessEntries, newFullExplicitAccess(owner))
+		accessEntries = append(accessEntries, newFullExplicitAccess(admins))
+	}
+
+	if !owner.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
+		l.InfoContext(ctx, "migrating owner", "sid", owner)
+		owner = admins
+	} else {
+		l.DebugContext(ctx, "owner is already an administrator")
+		owner = nil
 	}
 
 	err = setSecurityInfo(workDir, owner, accessEntries)
@@ -128,13 +133,3 @@ func migrate(ctx context.Context, logger *slog.Logger, workDir, _, _, _, _ strin
 		l.ErrorContext(ctx, "setting security info", slogutil.KeyError, err)
 	}
 }
-
-// adminsIfNot returns the administrators SID if sid is not a
-// [windows.WinBuiltinAdministratorsSid] yet, or nil if it is.
-func adminsIfNot(sid *windows.SID) (admins *windows.SID, err error) {
-	if sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
-		return nil, nil
-	}
-
-	return windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
-}