diff --git a/internal/permcheck/migrate_windows.go b/internal/permcheck/migrate_windows.go
index 9eb6e4e9..d83d7b0b 100644
--- a/internal/permcheck/migrate_windows.go
+++ b/internal/permcheck/migrate_windows.go
@@ -71,14 +71,11 @@ func migrate(ctx context.Context, logger *slog.Logger, workDir, _, _, _, _ strin
 return
 }

- owner, err = adminsIfNot(owner)
- switch {
- case err != nil:
+ admins, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+ if err != nil {
 l.ErrorContext(ctx, "creating administrators sid", slogutil.KeyError, err)
- case owner == nil:
- l.DebugContext(ctx, "owner is already an administrator")
- default:
- l.InfoContext(ctx, "migrating owner", "sid", owner)
+
+ return
 }

 // TODO(e.burkov): Check for duplicates?
@@ -120,7 +117,15 @@ func migrate(ctx context.Context, logger *slog.Logger, workDir, _, _, _, _ strin
 }

 if setACL {
- accessEntries = append(accessEntries, newFullExplicitAccess(owner))
+ accessEntries = append(accessEntries, newFullExplicitAccess(admins))
+ }
+
+ if !owner.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
+ l.InfoContext(ctx, "migrating owner", "sid", owner)
+ owner = admins
+ } else {
+ l.DebugContext(ctx, "owner is already an administrator")
+ owner = nil
 }

 err = setSecurityInfo(workDir, owner, accessEntries)
@@ -128,13 +133,3 @@ func migrate(ctx context.Context, logger *slog.Logger, workDir, _, _, _, _ strin
 l.ErrorContext(ctx, "setting security info", slogutil.KeyError, err)
 }
 }
-
-// adminsIfNot returns the administrators SID if sid is not a
-// [windows.WinBuiltinAdministratorsSid] yet, or nil if it is.
-func adminsIfNot(sid *windows.SID) (admins *windows.SID, err error) {
- if sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
- return nil, nil
- }
-
- return windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
-}
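Review bot: The new early `return` after `windows.CreateWellKnownSid` fails leaves workDir with whatever owner and ACL it already had, and the only trace is an error log whose message, "creating administrators sid", does not say that the permission migration was skipped. A comment above the `return` would make this fail-open path explicit, for example `// Without the administrators SID neither the owner nor the ACL can be migrated; leave workDir as it is.` Whether callers should be told about the failure depends on migrate's signature, which starts outside the hunk and is truncated in the hunk header.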
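Review bot: In the new `if !owner.IsWellKnown(...)` block, `owner` changes meaning from the directory's current owner to the value handed to `setSecurityInfo`, with `nil` apparently standing for "keep the current owner"; setSecurityInfo is defined outside the hunk, so that contract is not visible here. If that is the contract, a comment on the else branch such as `// A nil owner leaves the existing owner untouched.` would document it. The info log now records only the previous owner SID, so for auditing ownership changes it is worth logging the target too, e.g. `l.InfoContext(ctx, "migrating owner", "from", owner, "to", admins)`. `owner` is also passed to `IsWellKnown` without a nil check in the visible lines; whether it can be nil depends on code before the hunk.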