
cygwin.com/git/newlib-cygwin.git
author: Corinna Vinschen <corinna@vinschen.de> 2015-04-18 18:07:08 +0300
committer: Corinna Vinschen <corinna@vinschen.de> 2015-04-18 18:07:08 +0300
commit: 2e950b1edd5615bd145f2eaa99f03db4c998ed15
tree: bec5cd448163d9e2e14490cb83dc63674a934d19 /winsup
parent: f63dffb818f9856a43ed6cfb3395d882b21d94b8

Try to avoid creating dangerous DENY ACEs

* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diffstat (limited to 'winsup')
-rw-r--r-- winsup/cygwin/ChangeLog  | 5
-rw-r--r-- winsup/cygwin/sec_acl.cc | 6
2 files changed, 11 insertions, 0 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 04bd520d8..a19a9e9e5 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
2015-04-17 Corinna Vinschen <corinna@vinschen.de>
+ * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
+ GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
+
+2015-04-17 Corinna Vinschen <corinna@vinschen.de>
+
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
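
Review bot: the added lines leave two consecutive `2015-04-17 Corinna Vinschen` headers at the top of the ChangeLog, one above the new set_posix_access entry and one re-added above the fhandler entries. Same-day entries by the same author are usually kept under a single header, so the second header and its blank line could be dropped. The entry is also dated 2015-04-17 while the commit itself is dated 2015-04-18.
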
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 9336dea35..7e6507736 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -316,6 +316,12 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
idx < nentries && aclbufp[idx].a_type & check_types;
++idx)
{
+ /* Avoid to create DENY ACEs for the second orrurence of
+ accounts which show up twice, as USER_OBJ and USER, or
+ GROUP_OBJ and GROUP. */
+ if ((aclbufp[idx].a_type & USER && aclsid[idx] == owner)
+ || (aclbufp[idx].a_type & GROUP && aclsid[idx] == group))
+ continue;
/* For the rules how to construct the deny access mask, see the
comment right at the start of this file. */
if (aclbufp[idx].a_type & USER_OBJ)
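
Review bot: the new `continue` at the top of the loop body skips a USER or GROUP entry whose SID equals `owner` or `group` without looking at the permissions that entry carries, and the comment does not say why skipping is correct if those permissions differ from the USER_OBJ or GROUP_OBJ ones; a sentence on that in the comment would help the next reader. The comment also has a typo ("orrurence" for "occurrence"), and "Avoid to create" reads better as "Avoid creating". Parenthesizing the bit tests, as in `(aclbufp[idx].a_type & USER) && aclsid[idx] == owner`, would make the intended grouping of `&` and `&&` explicit.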