From af4ad6b47ddaa646eac8136125d742316181fc04 Mon Sep 17 00:00:00 2001
From: Aaron Klotz <aaron@tailscale.com>
Date: Thu, 27 Oct 2022 15:02:31 -0600
Subject: [PATCH] os/user: change Windows user lookup to treat accounts for
 well-known groups as valid.

Some built-in Windows accounts such as `NT AUTHORITY\SYSTEM` are considered to
be users, but are classified by the OS as syscall.SidTypeWellKnownGroup, not as
syscall.SidTypeUser.

This change modifies account querying to consider both types to be valid.

Fixes https://github.com/golang/go/issues/49509

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
---
 src/os/user/lookup_windows.go      | 10 ++++++++--
 src/os/user/lookup_windows_test.go | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 src/os/user/lookup_windows_test.go

diff --git a/src/os/user/lookup_windows.go b/src/os/user/lookup_windows.go
index f65773ced3a36d..6b12c430a9ce22 100644
--- a/src/os/user/lookup_windows.go
+++ b/src/os/user/lookup_windows.go
@@ -84,13 +84,19 @@ func getProfilesDirectory() (string, error) {
 	}
 }
 
+// isValidUserAccountType returns true if acctType is a valid type for user accounts.
+func isValidUserAccountType(acctType uint32) bool {
+	// Some built-in system accounts are classified as well-known groups instead of users.
+	return acctType == syscall.SidTypeUser || acctType == syscall.SidTypeWellKnownGroup
+}
+
 // lookupUsernameAndDomain obtains the username and domain for usid.
 func lookupUsernameAndDomain(usid *syscall.SID) (username, domain string, e error) {
 	username, domain, t, e := usid.LookupAccount("")
 	if e != nil {
 		return "", "", e
 	}
-	if t != syscall.SidTypeUser {
+	if !isValidUserAccountType(t) {
 		return "", "", fmt.Errorf("user: should be user account type, not %d", t)
 	}
 	return username, domain, nil
@@ -324,7 +330,7 @@ func lookupUser(username string) (*User, error) {
 	if e != nil {
 		return nil, e
 	}
-	if t != syscall.SidTypeUser {
+	if !isValidUserAccountType(t) {
 		return nil, fmt.Errorf("user: should be user account type, not %d", t)
 	}
 	return newUserFromSid(sid)
diff --git a/src/os/user/lookup_windows_test.go b/src/os/user/lookup_windows_test.go
new file mode 100644
index 00000000000000..f1edd03013ae80
--- /dev/null
+++ b/src/os/user/lookup_windows_test.go
@@ -0,0 +1,17 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package user
+
+import (
+	"testing"
+)
+
+func TestLookupLocalSystem(t *testing.T) {
+	// The string representation of the SID for `NT AUTHORITY\SYSTEM`
+	const localSystemSID = "S-1-5-18"
+	if _, err := LookupId(localSystemSID); err != nil {
+		t.Fatalf("LookupId(%q): %v", localSystemSID, err)
+	}
+}