* autoload.cc: Add load statemant for SetSecurityDescriptorControl.

* security.cc (alloc_sd): Always set SE_DACL_PROTECTED flag on Win2K and higher.
author: Corinna Vinschen <corinna@vinschen.de> 2000-12-20 15:42:43 +0300
committer: Corinna Vinschen <corinna@vinschen.de> 2000-12-20 15:42:43 +0300
commit: aa2b85cc90a41b143a62196af77736bad9b2da70 (patch)
tree: 4a45d14789a3eccf13747a58f410dae0223831a6 /winsup/cygwin/security.cc
parent: e625e1b99ec6b3edd58199937d3788f7c17aca98 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 67caf689e..f5cb8138f 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -915,6 +915,21 @@ alloc_sd (uid_t uid, gid_t gid, const char *logsrv, int attribute,
       return NULL;
     }
 
+  /*
+   * We set the SE_DACL_PROTECTED flag here to prevent the DACL from being modified
+   * by inheritable ACEs.
+   * This flag as well as the SetSecurityDescriptorControl call are available only
+   * since Win2K.
+   */
+  static int win2KorHigher = -1;
+  if (win2KorHigher == -1)
+    {
+      DWORD version = GetVersion ();
+      win2KorHigher = (version & 0x80000000) || (version & 0xff) < 5 ? 0 : 1;
+    }
+  if (win2KorHigher > 0)
+    SetSecurityDescriptorControl (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
+
   /* Create owner for local security descriptor. */
   if (! SetSecurityDescriptorOwner(&sd, owner_sid, FALSE))
     {
author	Corinna Vinschen <corinna@vinschen.de>	2000-12-20 15:42:43 +0300
committer	Corinna Vinschen <corinna@vinschen.de>	2000-12-20 15:42:43 +0300
commit	aa2b85cc90a41b143a62196af77736bad9b2da70 (patch)
tree	4a45d14789a3eccf13747a58f410dae0223831a6 /winsup/cygwin/security.cc
parent	e625e1b99ec6b3edd58199937d3788f7c17aca98 (diff)