
cygwin.com/git/newlib-cygwin.git - Unnamed repository; edit this file 'description' to name the repository.
authorCorinna Vinschen <corinna@vinschen.de>2015-02-25 14:40:34 +0300
committerCorinna Vinschen <corinna@vinschen.de>2015-02-25 14:40:34 +0300
commita1cb13411d78b06dd3dba2fca7cdd4c825aef58b (patch)
tree055dd05bd7be857b6a7ac2d8a3ff7f169f459122
parent6db85570262ee0314002d187ee7c935e58577578 (diff)
* security.cc (alloc_sd): Fix comment style. Remove code unused for
years.
-rw-r--r--winsup/cygwin/ChangeLog5
-rw-r--r--winsup/cygwin/security.cc29
2 files changed, 8 insertions, 26 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 7a338a466..d50351f8b 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
2015-02-25 Corinna Vinschen <corinna@vinschen.de>
+ * security.cc (alloc_sd): Fix comment style. Remove code unused for
+ years.
+
+2015-02-25 Corinna Vinschen <corinna@vinschen.de>
+
* security.cc (alloc_sd): Add temporary workaround which disallows
any secondary user to have more permissions than the primary group
in calls to chmod. Add comment to explain why.
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index c2318063e..929e8a32e 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -785,11 +785,9 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
disallow any secondary ACE in the ACL more permissions than
the primary group when writing a new ACL via chmod. */
ace->Mask &= group_allow;
- /*
- * Add unrelated ACCESS_DENIED_ACE to the beginning but
- * behind the owner_deny, ACCESS_ALLOWED_ACE to the end.
- * FIXME: this would break the order of the inherit-only ACEs
- */
+ /* Add unrelated ACCESS_DENIED_ACE to the beginning but behind
+ the owner_deny, ACCESS_ALLOWED_ACE to the end. FIXME: this
+ would break the order of the inherit-only ACEs. */
status = RtlAddAce (acl, ACL_REVISION,
ace->Header.AceType == ACCESS_DENIED_ACE_TYPE
? (owner_deny ? 1 : 0) : MAXDWORD,
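Review bot: The reflowed FIXME above the `RtlAddAce` call still does not say which ordering is at risk or under what condition, although a reader depends on this comment to judge whether the resulting ACL is evaluated as intended. Going only by the visible index expression, every ACCESS_DENIED_ACE is inserted at the same fixed position (`owner_deny ? 1 : 0`) and every other ACE is appended via `MAXDWORD`, so several denied ACEs would end up in the reverse of their source order, and nothing here keeps inherit-only entries apart from effective ones. If that is what the FIXME means, I would spell it out, e.g. `FIXME: all deny ACEs are inserted at the same index, so their relative order is reversed and inherit-only ACEs are not kept in a separate group.` `alloc_sd` begins and ends outside this hunk, so the surrounding loop and the check of `status` are not visible here.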
@@ -810,32 +808,11 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
{
const DWORD inherit = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
| INHERIT_ONLY_ACE;
-#if 0 /* FIXME: Not done currently as this breaks the canonical order */
- /* Set deny ACE for owner. */
- if (owner_deny
- && !add_access_denied_ace (acl, ace_off++, owner_deny,
- well_known_creator_owner_sid, acl_len, inherit))
- return NULL;
- /* Set deny ACE for group here to respect the canonical order,
- if this does not impact owner */
- if (group_deny && !(group_deny & owner_allow)
- && !add_access_denied_ace (acl, ace_off++, group_deny,
- well_known_creator_group_sid, acl_len, inherit))
- return NULL;
-#endif
/* Set allow ACE for owner. */
if (!add_access_allowed_ace (acl, ace_off++, owner_allow,
well_known_creator_owner_sid, acl_len,
inherit))
return NULL;
-#if 0 /* FIXME: Not done currently as this breaks the canonical order and
- won't be preserved on chown and chmod */
- /* Set deny ACE for group, conflicting with owner_allow. */
- if (group_deny & owner_allow
- && !add_access_denied_ace (acl, ace_off++, group_deny,
- well_known_creator_group_sid, acl_len, inherit))
- return NULL;
-#endif
/* Set allow ACE for group. */
if (!add_access_allowed_ace (acl, ace_off++, group_allow,
well_known_creator_group_sid, acl_len,