This is the mail archive of the cygwin-cvs@cygwin.com mailing list for the Cygwin project.
[newlib-cygwin] Apply mask execute bit for SYSTEM and Admins group.
- From: Corinna Vinschen <corinna at sourceware dot org>
- To: cygwin-cvs at sourceware dot org
- Date: 20 Apr 2015 10:06:18 -0000
- Subject: [newlib-cygwin] Apply mask execute bit for SYSTEM and Admins group.
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=b364582734085ab498dcf75c2f4538d0c4253234
commit b364582734085ab498dcf75c2f4538d0c4253234
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Mon Apr 20 12:06:05 2015 +0200
Apply mask execute bit for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/ChangeLog | 5 +++++
winsup/cygwin/sec_acl.cc | 12 +++++++-----
winsup/utils/ChangeLog | 4 ++++
winsup/utils/getfacl.c | 20 ++++++++++++++++++--
4 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index a19a9e9..dda1a95 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-20 Corinna Vinschen <corinna@vinschen.de>
+
+ * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
+ for SYSTEM and Admins group.
+
2015-04-17 Corinna Vinschen <corinna@vinschen.de>
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 65b3131..bddd21c 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -329,16 +329,18 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
else if (aclbufp[idx].a_type & USER)
deny = (aclbufp[idx].a_perm ^ class_obj)
| (~aclbufp[idx].a_perm & other_obj);
+ /* Accommodate Windows: Only generate deny masks for SYSTEM
+ and the Administrators group in terms of the execute bit,
+ if they are not the primary group. */
+ else if (aclbufp[idx].a_type & GROUP
+ && (aclsid[idx] == well_known_system_sid
+ || aclsid[idx] == well_known_admins_sid))
+ deny = aclbufp[idx].a_perm & ~(class_obj | S_IROTH | S_IWOTH);
else
deny = (aclbufp[idx].a_perm & ~class_obj)
| (~aclbufp[idx].a_perm & other_obj);
if (!deny)
continue;
- /* Accommodate Windows: Never generate deny masks for SYSTEM
- and the Administrators group. */
- if (aclsid[idx] == well_known_system_sid
- || aclsid[idx] == well_known_admins_sid)
- continue;
access = 0;
if (deny & S_IROTH)
access |= FILE_DENY_READ;
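Review bot: The new special case is gated on `aclbufp[idx].a_type & GROUP`, but the removed `continue` skipped deny ACEs for the SYSTEM and Administrators SIDs whatever the entry type was. An entry carrying one of those SIDs that is caught by the preceding `a_type & USER` branch now gets the full deny computation, where before it got none. If that change is intended, the comment should say so; if not, the SID test has to come before the USER branch. The new expression `aclbufp[idx].a_perm & ~(class_obj | S_IROTH | S_IWOTH)` also drops the `(~aclbufp[idx].a_perm & other_obj)` term that both neighbouring branches keep, so these two SIDs are never denied a bit that "other" has and they lack; the comment mentions only the execute-bit restriction and should cover this as well.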
diff --git a/winsup/utils/ChangeLog b/winsup/utils/ChangeLog
index a48f869..b37792a 100644
--- a/winsup/utils/ChangeLog
+++ b/winsup/utils/ChangeLog
@@ -1,3 +1,7 @@
+2015-04-20 Corinna Vinschen <corinna@vinschen.de>
+
+ * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
+
2015-04-16 Corinna Vinschen <corinna@vinschen.de>
* setfacl.c: Align more to Linux tool.
diff --git a/winsup/utils/getfacl.c b/winsup/utils/getfacl.c
index 07d8a8a..45e5e20 100644
--- a/winsup/utils/getfacl.c
+++ b/winsup/utils/getfacl.c
@@ -279,16 +279,32 @@ main (int argc, char **argv)
{
case USER:
case GROUP_OBJ:
- case GROUP:
effective = acls[i].a_perm & mask;
print_effective = 1;
break;
+ case GROUP:
+ /* Special case SYSTEM and Admins group: The mask only
+ applies to them as far as the execute bit is concerned. */
+ if (acls[i].a_id == 18 || acls[i].a_id == 544)
+ effective = acls[i].a_perm & (mask | S_IROTH | S_IWOTH);
+ else
+ effective = acls[i].a_perm & mask;
+ print_effective = 1;
+ break;
case DEF_USER:
case DEF_GROUP_OBJ:
- case DEF_GROUP:
effective = acls[i].a_perm & def_mask;
print_effective = 1;
break;
+ case DEF_GROUP:
+ /* Special case SYSTEM and Admins group: The mask only
+ applies to them as far as the execute bit is concerned. */
+ if (acls[i].a_id == 18 || acls[i].a_id == 544)
+ effective = acls[i].a_perm & (def_mask | S_IROTH | S_IWOTH);
+ else
+ effective = acls[i].a_perm & def_mask;
+ print_effective = 1;
+ break;
}
if (print_effective && eopt >= 0
&& (eopt > 0 || effective != acls[i].a_perm))
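Review bot: In both new cases the test `acls[i].a_id == 18 || acls[i].a_id == 544` relies on bare numeric ids whose meaning is carried only by the comment, while the sec_acl.cc side of this commit identifies the same principals by `well_known_system_sid` and `well_known_admins_sid`. Named constants for the two ids would make that correspondence explicit and give one place to change it. The GROUP and DEF_GROUP cases are also identical apart from `mask` versus `def_mask`; a small helper that takes the mask as a parameter would keep the two from drifting apart.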