author | Corinna Vinschen <corinna@vinschen.de> | 2015-02-25 14:38:48 +0300 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2015-02-25 14:38:48 +0300 |
commit | 6db85570262ee0314002d187ee7c935e58577578 (patch) | |
tree | 0b6226ca01ac72fd672b0c2f7d8d5abcfdb6882b /winsup/cygwin/security.cc | |
parent | bc3116147b9b02bc18db6c5927b68247739065dc (diff) |
* security.cc (alloc_sd): Add temporary workaround which disallows
any secondary user to have more permissions than the primary group
in calls to chmod. Add comment to explain why.
Diffstat (limited to 'winsup/cygwin/security.cc')
-rw-r--r-- | winsup/cygwin/security.cc | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 4c46e05d9..c2318063e 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -1,7 +1,7 @@
 /* security.cc: NT file access control functions
 Copyright 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
- 2008, 2009, 2010, 2011, 2012, 2013, 2014 Red Hat, Inc.
+ 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Red Hat, Inc.
 Originaly written by Gunther Ebert, gunther.ebert@ixos-leipzig.de
 Completely rewritten by Corinna Vinschen <corinna@vinschen.de>
@@ -776,6 +776,15 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
 inheritable ACEs are preceding non-inheritable ACEs. */
 ace->Header.AceFlags &= ~INHERITED_ACE;
 }
+ else if (uid == ILLEGAL_UID && gid == ILLEGAL_UID
+ && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
+ /* FIXME: Temporary workaround for the problem that chmod does
+ not affect the group permissions if other users and groups
+ in the ACL have more permissions than the primary group due
+ to the CLASS_OBJ emulation. The temporary workaround is to
+ disallow any secondary ACE in the ACL more permissions than
+ the primary group when writing a new ACL via chmod. */
+ ace->Mask &= group_allow;
 /*
 * Add unrelated ACCESS_DENIED_ACE to the beginning but
 * behind the owner_deny, ACCESS_ALLOWED_ACE to the end. |
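Review bot: The new `else if` in the second hunk recognises a chmod call only by both ids being the sentinel, and it tests `gid` against `ILLEGAL_UID`; if the tree defines a separate `ILLEGAL_GID`, `else if (uid == ILLEGAL_UID && gid == ILLEGAL_GID` states the intent and stays correct should the two types ever diverge. The statement `ace->Mask &= group_allow;` then applies to every `ACCESS_ALLOWED_ACE_TYPE` entry that reaches this branch, so the FIXME should name which ACEs are expected to be handled before it, in particular inherit-only entries and administrative accounts; the earlier branches of the chain and the definition of `group_allow` lie outside the hunk, so this cannot be confirmed from here. The change narrows rights rather than widening them, which is the safe direction, but a chmod can now silently drop access that was granted explicitly to a secondary user or group, and the comment should say so for whoever later audits an unexpected access denial. Because a six-line comment sits between the condition and its single statement, braces around the body would keep a later edit from detaching the mask from its guard.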