5 files changed, 81 insertions, 16 deletions

diff --git a/doc/file.n b/doc/file.n
index eeb67ed..58b03d8 100644
--- a/doc/file.n
+++ b/doc/file.n
@@ -484,10 +484,9 @@ not the effective ones.
 .TP
 \fBWindows\fR\0\0\0\0
 .
-The \fBfile owned\fR subcommand currently always reports that the current user
-is the owner of the file, without regard for what the operating system
-believes to be true, making an ownership test useless. This issue (#3613671)
-may be fixed in a future release of Tcl.
+The \fBfile owned\fR subcommand uses the user identifier (SID) of
+the process token, not the thread token which may be impersonating
+some other user.
 .SH EXAMPLES
 .PP
 This procedure shows how to search for C files in a given directory
diff --git a/generic/tclCmdAH.c b/generic/tclCmdAH.c
index a53f1f7..13d3df5 100644
--- a/generic/tclCmdAH.c
+++ b/generic/tclCmdAH.c
@@ -12,6 +12,9 @@
  */
 
 #include "tclInt.h"
+#ifdef _WIN32
+#   include "tclWinInt.h"
+#endif
 #include <locale.h>
 
 /*
@@ -1600,21 +1603,13 @@ FileAttrIsOwnedCmd(
 	Tcl_WrongNumArgs(interp, 1, objv, "name");
 	return TCL_ERROR;
     }
-    if (GetStatBuf(NULL, objv[1], Tcl_FSStat, &buf) == TCL_OK) {
-	/*
-	 * For Windows, there are no user ids associated with a file, so we
-	 * always return 1.
-	 *
-	 * TODO: use GetSecurityInfo to get the real owner of the file and
-	 * test for equivalence to the current user.
-	 */
-
 #if defined(_WIN32) || defined(__CYGWIN__)
-	value = 1;
+    value = TclWinFileOwned(objv[1]);
 #else
+    if (GetStatBuf(NULL, objv[1], Tcl_FSStat, &buf) == TCL_OK) {
 	value = (geteuid() == buf.st_uid);
-#endif
     }
+#endif
     Tcl_SetObjResult(interp, Tcl_NewBooleanObj(value));
     return TCL_OK;
 }
diff --git a/tests/cmdAH.test b/tests/cmdAH.test
index 6240500..c74bddb 100644
--- a/tests/cmdAH.test
+++ b/tests/cmdAH.test
@@ -1296,6 +1296,12 @@ test cmdAH-25.2.1 {Tcl_FileObjCmd: owned} -constraints unix -setup {
 test cmdAH-25.3 {Tcl_FileObjCmd: owned} {unix notRoot} {
     file owned /
 } 0
+test cmdAH-25.3.1 {Tcl_FileObjCmd: owned} -constraints win -body {
+    file owned $env(windir)
+} -result 0
+test cmdAH-25.4 {Tcl_FileObjCmd: owned} -body {
+    file owned nosuchfile
+} -result 0
 
 # readlink
 test cmdAH-26.1 {Tcl_FileObjCmd: readlink} -returnCodes error -body {
diff --git a/win/tclWinFile.c b/win/tclWinFile.c
index 7f6dff9..3e8a171 100755
--- a/win/tclWinFile.c
+++ b/win/tclWinFile.c
@@ -16,8 +16,9 @@
 #include "tclFileSystem.h"
 #include <winioctl.h>
 #include <shlobj.h>
-#include <lm.h>		/* For TclpGetUserHome(). */
+#include <lm.h>		        /* For TclpGetUserHome(). */
 #include <userenv.h>		/* For TclpGetUserHome(). */
+#include <aclapi.h>             /* For GetNamedSecurityInfo */
 
 #ifdef _MSC_VER
 #   pragma comment(lib, "userenv.lib")
@@ -3134,6 +3135,69 @@ TclpUtime(
 }
 
 /*
+ *---------------------------------------------------------------------------
+ *
+ * TclWinFileOwned --
+ *
+ *	Returns 1 if the specified file exists and is owned by the current
+ *      user and 0 otherwise. Like the Unix case, the check is made using
+ *      the real process SID, not the effective (impersonation) one.
+ *
+ *---------------------------------------------------------------------------
+ */
+
+int
+TclWinFileOwned(
+    Tcl_Obj *pathPtr)		/* File whose ownership is to be checked */
+{
+    const TCHAR *native;
+    PSID ownerSid = NULL;
+    PSECURITY_DESCRIPTOR secd = NULL;
+    HANDLE token;
+    LPBYTE buf = NULL;
+    DWORD bufsz;
+    int owned = 0;
+
+    native = Tcl_FSGetNativePath(pathPtr);
+
+    if (GetNamedSecurityInfo(native, SE_FILE_OBJECT,
+                             OWNER_SECURITY_INFORMATION, &ownerSid,
+                             NULL, NULL, NULL, &secd) != ERROR_SUCCESS) {
+        /* Either not a file, or we do not have access to it in which
+           case we are in all likelihood not the owner */
+        return 0;
+    }
+        
+    /* 
+     * Getting the current process SID is a multi-step process.
+     * We make the assumption that if a call fails, this process is
+     * so underprivileged it could not possibly own anything. Normally
+     * a process can *always* look up its own token.
+     */
+    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) {
+        /* Find out how big the buffer needs to be */
+        bufsz = 0;
+        GetTokenInformation(token, TokenUser, NULL, 0, &bufsz);
+        if (bufsz) {
+            buf = ckalloc(bufsz);
+            if (GetTokenInformation(token, TokenUser, buf, bufsz, &bufsz)) {
+                owned = EqualSid(ownerSid, ((PTOKEN_USER) buf)->User.Sid);
+            }
+        }
+        CloseHandle(token);
+    }
+
+vamoose:
+    /* Free allocations and be done */
+    if (secd)
+        LocalFree(secd);            /* Also frees ownerSid */
+    if (buf)
+        ckfree(buf);
+    
+    return (owned != 0);        /* Convert non-0 to 1 */
+}
+    
+/*
  * Local Variables:
  * mode: c
  * c-basic-offset: 4
diff --git a/win/tclWinInt.h b/win/tclWinInt.h
index 9df424f..6b098f8 100644
--- a/win/tclWinInt.h
+++ b/win/tclWinInt.h
@@ -72,6 +72,7 @@ MODULE_SCOPE int	TclWinSymLinkCopyDirectory(const TCHAR *LinkOriginal,
 			    const TCHAR *LinkCopy);
 MODULE_SCOPE int	TclWinSymLinkDelete(const TCHAR *LinkOriginal,
 			    int linkOnly);
+MODULE_SCOPE int        TclWinFileOwned(Tcl_Obj *);
 #if defined(TCL_THREADS) && defined(USE_THREAD_ALLOC)
 MODULE_SCOPE void	TclWinFreeAllocCache(void);
 MODULE_SCOPE void	TclFreeAllocCache(void *);