diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2006-10-21 15:05:32 +0400 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2006-10-21 15:05:32 +0400 |
| commit | 1b4153db7433184f220941a0954a521bbb01ec04 (patch) | |
| tree | 6c598d3f46537e016212df4a546f48bced54bdc3 /winsup/cygwin/security.cc | |
| parent | 9367c0dcff74e0462e4f5d4fd9886cc1a19b04c5 (diff) | |
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access
for registry keys/values if ntsec is on.
* security.cc (check_access): New static function derived from
check_file_access, but object type agnostic.
(check_file_access): Only do file specific stuff. Call check_access.
(check_registry_access): New access check function for registry keys/
values.
* security.h (check_registry_access): Declare.
Diffstat (limited to 'winsup/cygwin/security.cc')
| -rw-r--r-- | winsup/cygwin/security.cc | 91 |
1 files changed, 57 insertions, 34 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 5484b7028..dceb5b571 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -1944,38 +1944,19 @@ set_file_attribute (bool use_ntsec, HANDLE handle, const char *file, myself->uid, myself->gid, attribute); } -int -check_file_access (const char *fn, int flags) +static int +check_access (security_descriptor &sd, GENERIC_MAPPING &mapping, + DWORD desired, int flags) { int ret = -1; - - security_descriptor sd; - - HANDLE hToken; BOOL status; - DWORD desired = 0, granted; - DWORD plength = sizeof (PRIVILEGE_SET) + 3 * sizeof (LUID_AND_ATTRIBUTES); - PPRIVILEGE_SET pset = (PPRIVILEGE_SET) alloca (plength); - static GENERIC_MAPPING NO_COPY mapping = { FILE_GENERIC_READ, - FILE_GENERIC_WRITE, - FILE_GENERIC_EXECUTE, - FILE_ALL_ACCESS }; - if (read_sd (fn, sd) <= 0) - goto done; - - if (cygheap->user.issetuid ()) - hToken = cygheap->user.token (); - else - hToken = hProcImpToken; + DWORD granted; + DWORD plen = sizeof (PRIVILEGE_SET) + 3 * sizeof (LUID_AND_ATTRIBUTES); + PPRIVILEGE_SET pset = (PPRIVILEGE_SET) alloca (plen); + HANDLE tok = cygheap->user.issetuid () ? cygheap->user.token () + : hProcImpToken; - if (flags & R_OK) - desired |= FILE_READ_DATA; - if (flags & W_OK) - desired |= FILE_WRITE_DATA; - if (flags & X_OK) - desired |= FILE_EXECUTE; - if (!AccessCheck (sd, hToken, desired, &mapping, - pset, &plength, &granted, &status)) + if (!AccessCheck (sd, tok, desired, &mapping, pset, &plen, &granted, &status)) __seterrno (); else if (!status) { @@ -1993,31 +1974,73 @@ check_file_access (const char *fn, int flags) backup/restore privileges has to be made. Sigh. */ int granted_flags = 0; if (flags & R_OK) - { + { pset->PrivilegeCount = 1; pset->Control = 0; pset->Privilege[0].Luid = *privilege_luid (SE_BACKUP_PRIV); pset->Privilege[0].Attributes = 0; - if (PrivilegeCheck (hToken, pset, &status) && status) + if (PrivilegeCheck (tok, pset, &status) && status) granted_flags |= R_OK; } if (flags & W_OK) - { + { pset->PrivilegeCount = 1; pset->Control = 0; pset->Privilege[0].Luid = *privilege_luid (SE_RESTORE_PRIV); pset->Privilege[0].Attributes = 0; - if (PrivilegeCheck (hToken, pset, &status) && status) + if (PrivilegeCheck (tok, pset, &status) && status) granted_flags |= W_OK; } if (granted_flags == flags) - ret = 0; + ret = 0; else set_errno (EACCES); } else ret = 0; - done: + return ret; +} + +int +check_file_access (const char *fn, int flags) +{ + security_descriptor sd; + int ret = -1; + static GENERIC_MAPPING NO_COPY mapping = { FILE_GENERIC_READ, + FILE_GENERIC_WRITE, + FILE_GENERIC_EXECUTE, + FILE_ALL_ACCESS }; + DWORD desired = 0; + if (flags & R_OK) + desired |= FILE_READ_DATA; + if (flags & W_OK) + desired |= FILE_WRITE_DATA; + if (flags & X_OK) + desired |= FILE_EXECUTE; + if (read_sd (fn, sd) > 0) + ret = check_access (sd, mapping, desired, flags); + debug_printf ("flags %x, ret %d", flags, ret); + return ret; +} + +int +check_registry_access (HANDLE hdl, int flags) +{ + security_descriptor sd; + int ret = -1; + static GENERIC_MAPPING NO_COPY mapping = { KEY_READ, + KEY_WRITE, + KEY_EXECUTE, + KEY_ALL_ACCESS }; + DWORD desired = 0; + if (flags & R_OK) + desired |= KEY_ENUMERATE_SUB_KEYS; + if (flags & W_OK) + desired |= KEY_SET_VALUE; + if (flags & X_OK) + desired |= KEY_QUERY_VALUE; + if (!get_reg_security (hdl, sd)) + ret = check_access (sd, mapping, desired, flags); debug_printf ("flags %x, ret %d", flags, ret); return ret; } |