This is the mail archive of the cygwin-cvs@cygwin.com mailing list for the Cygwin project.



[newlib-cygwin] Fix attempt to create ACLs without NULL SID


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=e2ea143083c2bd2e5142582309ff227bc68bee23

commit e2ea143083c2bd2e5142582309ff227bc68bee23
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Mon Apr 18 12:07:04 2016 +0200

    Fix attempt to create ACLs without NULL SID
    
    Commit f75114fc was supposed to drop NULL SIDs in case the permissions
    are simple enough not to require mask values or special POSIX bits
    (S_ISVTX, etc).  The check was incorrect.  This patch is supposed to
    fix the problem.
    
    	* sec_acl.cc (set_posix_access): Fix condition under which we
    	write a NULL SID.
    
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/sec_acl.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 28daadd..138fd3e 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -151,6 +151,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
   int idx, start_idx, tmp_idx;
   bool owner_eq_group = false;
   bool dev_has_admins = false;
+  bool has_class_obj;
 
   /* Initialize local security descriptor. */
   RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
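Review bot: `has_class_obj` is declared without an initializer, unlike `owner_eq_group` and `dev_has_admins` directly above it, which both start as `false`. The later hunks assign it in both branches of the CLASS_OBJ lookup, but that only protects the read in the final condition as long as no future path reaches the condition without passing through that if/else. Declaring it as `bool has_class_obj = false;` keeps it consistent with its neighbours and removes the dependency on control flow that is not visible at the declaration.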
@@ -339,6 +340,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
       tmp_idx = searchace (aclbufp, nentries, def | CLASS_OBJ);
       if (tmp_idx >= 0)
 	{
+	  has_class_obj = true;
 	  class_obj = aclbufp[tmp_idx].a_perm;
 	  access |= CYG_ACE_MASK_TO_WIN (class_obj);
 	}
@@ -346,6 +348,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 	{
 	  /* Setting class_obj to group_obj allows to write below code without
 	     additional checks for existence of a CLASS_OBJ. */
+	  has_class_obj = false;
 	  class_obj = group_obj;
 	}
       /* Note that Windows filters the ACE Mask value so it only reflects
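Review bot: The comment in this else branch still says that setting `class_obj` to `group_obj` lets the code below work "without additional checks for existence of a CLASS_OBJ", yet the line added right under it records exactly that existence in `has_class_obj` so the final condition can test it. The comment should be updated to say that the permission arithmetic below needs no existence check, while the NULL SID decision does and uses `has_class_obj` for it. Since both branches only mirror the lookup result, a single `has_class_obj = tmp_idx >= 0;` before the `if` would also be shorter than one assignment per branch.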
@@ -358,9 +361,9 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 	 no special bits set.  In all other cases we either need the NULL SID
 	 ACE or we write it to avoid calls to AuthZ from get_posix_access. */
       if (!S_ISCHR (attr)
-	  && access != CYG_ACE_NEW_STYLE
-	  && ((user_obj | group_obj | other_obj) != user_obj
-	      || (group_obj | other_obj) != group_obj)
+	  && (has_class_obj
+	      || ((user_obj | group_obj | other_obj) != user_obj
+		  || (group_obj | other_obj) != group_obj))
 	  && !add_access_denied_ace (acl, access, well_known_null_sid, acl_len,
 				     inherit))
 	return NULL;
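Review bot: The rewritten condition no longer looks at `access` at all, while the comment above it still names "no special bits set" as part of the case in which the NULL SID ACE may be skipped. The removed `access != CYG_ACE_NEW_STYLE` test was wrong as an AND term, but it was the only visible term that could reflect special bits; `has_class_obj` covers the CLASS_OBJ contribution to `access` seen in the earlier hunk, not the S_ISVTX-style bits the commit message mentions. If `access` also carries those bits at this point, which is not visible in the diff, the ACE would be dropped for a mode with simple permissions, no CLASS_OBJ and a special bit set. Consider keeping the test as a third alternative inside the OR group, `|| access != CYG_ACE_NEW_STYLE`, or extend the comment to state where special bits are handled instead.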

