Apply mask execute bit for SYSTEM and Admins group.

        * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
        for SYSTEM and Admins group.

        * getfacl.c (main): Special-case SYSTEM and Admins group.  Add comments.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

4 files changed, 34 insertions, 7 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index a19a9e9e5..dda1a9563 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-20  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
+	for SYSTEM and Admins group.
+
 2015-04-17  Corinna Vinschen  <corinna@vinschen.de>
 
 	* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 65b31315c..bddd21c54 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -329,16 +329,18 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 	      else if (aclbufp[idx].a_type & USER)
 		deny = (aclbufp[idx].a_perm ^ class_obj)
 		       | (~aclbufp[idx].a_perm & other_obj);
+	      /* Accommodate Windows: Only generate deny masks for SYSTEM
+		 and the Administrators group in terms of the execute bit,
+		 if they are not the primary group. */
+	      else if (aclbufp[idx].a_type & GROUP
+		       && (aclsid[idx] == well_known_system_sid
+			   || aclsid[idx] == well_known_admins_sid))
+		deny = aclbufp[idx].a_perm & ~(class_obj | S_IROTH | S_IWOTH);
 	      else
 		deny = (aclbufp[idx].a_perm & ~class_obj)
 		       | (~aclbufp[idx].a_perm & other_obj);
 	      if (!deny)
 		continue;
-	      /* Accommodate Windows: Never generate deny masks for SYSTEM
-		 and the Administrators group. */
-	      if (aclsid[idx] == well_known_system_sid
-		  || aclsid[idx] == well_known_admins_sid)
-		continue;
 	      access = 0;
 	      if (deny & S_IROTH)
 		access |= FILE_DENY_READ;
diff --git a/winsup/utils/ChangeLog b/winsup/utils/ChangeLog
index a48f8693f..b37792ab3 100644
--- a/winsup/utils/ChangeLog
+++ b/winsup/utils/ChangeLog
@@ -1,3 +1,7 @@
+2015-04-20  Corinna Vinschen  <corinna@vinschen.de>
+
+	* getfacl.c (main): Special-case SYSTEM and Admins group.  Add comments.
+
 2015-04-16  Corinna Vinschen  <corinna@vinschen.de>
 
 	* setfacl.c: Align more to Linux tool.
diff --git a/winsup/utils/getfacl.c b/winsup/utils/getfacl.c
index 07d8a8a9f..45e5e2090 100644
--- a/winsup/utils/getfacl.c
+++ b/winsup/utils/getfacl.c
@@ -279,16 +279,32 @@ main (int argc, char **argv)
 	    {
 	    case USER:
 	    case GROUP_OBJ:
-	    case GROUP:
 	      effective = acls[i].a_perm & mask;
 	      print_effective = 1;
 	      break;
+	    case GROUP:
+	      /* Special case SYSTEM and Admins group:  The mask only
+	         applies to them as far as the execute bit is concerned. */
+	      if (acls[i].a_id == 18 || acls[i].a_id == 544)
+		effective = acls[i].a_perm & (mask | S_IROTH | S_IWOTH);
+	      else
+		effective = acls[i].a_perm & mask;
+	      print_effective = 1;
+	      break;
 	    case DEF_USER:
 	    case DEF_GROUP_OBJ:
-	    case DEF_GROUP:
 	      effective = acls[i].a_perm & def_mask;
 	      print_effective = 1;
 	      break;
+	    case DEF_GROUP:
+	      /* Special case SYSTEM and Admins group:  The mask only
+	         applies to them as far as the execute bit is concerned. */
+	      if (acls[i].a_id == 18 || acls[i].a_id == 544)
+		effective = acls[i].a_perm & (def_mask | S_IROTH | S_IWOTH);
+	      else
+		effective = acls[i].a_perm & def_mask;
+	      print_effective = 1;
+	      break;
 	    }
 	  if (print_effective && eopt >= 0
 	      && (eopt > 0 || effective != acls[i].a_perm))