diff options
author | Corinna Vinschen <corinna@vinschen.de> | 2015-09-02 01:05:46 +0300 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2015-11-19 00:30:38 +0300 |
commit | 911808dd5e86f054ec668b04366b6357885d6b85 (patch) | |
tree | 6a2589c1db5ac57b96d557f4b6b536a5c66fba0b /winsup/cygwin/sec_helper.cc | |
parent | 7edb6b8d3e817cfb0f4c82dc9d383498d34d5380 (diff) |
Fix permission evaluation for !new_style ACLs
* security.h (authz_get_user_attribute): Declare bool.
* sec_helper.cc (authz_ctx::get_user_attribute): Make bool method.
Set S_IxOTH bits in returned attributes rather than S_IxUSR bits.
(authz_get_user_attribute): Make bool function.
* sec_acl.cc (get_posix_access): Introduce cygsid array to keep
track of all SIDs in the ACL. Move AuthZ calls into !new_style
permission post processing. When not using AuthZ, use
CheckTokenMembership to collect group permissions.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'winsup/cygwin/sec_helper.cc')
-rw-r--r-- | winsup/cygwin/sec_helper.cc | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index 40b8017d1..af3307eb4 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -717,7 +717,7 @@ class authz_ctx friend class authz_ctx_cache; public: - void get_user_attribute (mode_t *, PSECURITY_DESCRIPTOR, PSID); + bool get_user_attribute (mode_t *, PSECURITY_DESCRIPTOR, PSID); }; /* Authz handles are not inheritable. */ @@ -779,7 +779,7 @@ authz_ctx_cache::context (PSID user_sid) /* Ask Authz for the effective user permissions of the user with SID user_sid on the object with security descriptor psd. We're caching the handles for the Authz resource manager and the user contexts. */ -void +bool authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd, PSID user_sid) { @@ -802,7 +802,7 @@ authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd, ctx_hdl = user_ctx_hdl; } if (!ctx_hdl && !(ctx_hdl = ctx_cache.context (user_sid))) - return; + return false; /* All set, check access. */ ACCESS_MASK access = 0; DWORD error = 0; @@ -822,16 +822,20 @@ authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd, if (AuthzAccessCheck (0, ctx_hdl, &req, NULL, psd, NULL, 0, &repl, NULL)) { if (access & FILE_READ_BITS) - *attribute |= S_IRUSR; + *attribute |= S_IROTH; if (access & FILE_WRITE_BITS) - *attribute |= S_IWUSR; + *attribute |= S_IWOTH; if (access & FILE_EXEC_BITS) - *attribute |= S_IXUSR; + *attribute |= S_IXOTH; + return true; } + return false; } -void authz_get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd, - PSID user_sid) +bool +authz_get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd, + PSID user_sid) { - authz.get_user_attribute (attribute, psd, user_sid); + *attribute = 0; + return authz.get_user_attribute (attribute, psd, user_sid); } |