authorCorinna Vinschen <corinna@vinschen.de>2015-08-31 12:34:38 +0300
committerCorinna Vinschen <corinna@vinschen.de>2015-11-19 00:28:40 +0300
commit7972e63402eaca6ca78e0f8bffdcc95a141c0f64 (patch)
tree7a1bb6816dc27b7554327a9f653505083b0eea83 /winsup
parent42fad6ffa56f4627f414c8b76758bd71592e8400 (diff)
Use Authz to fetch correct user permissions.
* sec_acl.cc (getacl): Use Authz to fetch correct user permissions. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'winsup')
-rw-r--r--winsup/cygwin/ChangeLog4
-rw-r--r--winsup/cygwin/sec_acl.cc26
2 files changed, 28 insertions, 2 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 6d0f91afe..697082ad4 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,9 @@
2015-11-18 Corinna Vinschen <corinna@vinschen.de>
+ * sec_acl.cc (getacl): Use Authz to fetch correct user permissions.
+
+2015-11-18 Corinna Vinschen <corinna@vinschen.de>
+
* autoload.cc (AuthzAccessCheck): Import.
(AuthzFreeContext): Import.
(AuthzInitializeContextFromSid): Import.
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index e52cdb711..82e9cb53f 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -642,6 +642,15 @@ get_posix_access (PSECURITY_DESCRIPTOR psd,
goto out;
}
+ /* If we use the Windows user DB, use Authz to make sure the owner
+ permissions are correctly reflecting the Windows permissions. */
+ if (cygheap->pg.nss_pwd_db ())
+ {
+ mode_t attr = 0;
+ authz_get_user_attribute (&attr, psd, owner_sid);
+ lacl[0].a_perm = attr >> 6;
+ }
+
/* Files and dirs are created with a NULL descriptor, so inheritence
rules kick in. If no inheritable entries exist in the parent object,
Windows will create entries according to the user token's default DACL.
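Review bot: The result of `authz_get_user_attribute (&attr, psd, owner_sid)` is discarded, so if the Authz lookup fails, `attr` keeps its initial 0 and `lacl[0].a_perm` is overwritten with an empty permission set, whatever it held before. Assuming the helper reports success or failure (its declaration is outside this hunk), the assignment should be conditional: `if (authz_get_user_attribute (&attr, psd, owner_sid)) lacl[0].a_perm = attr >> 6;`. The same unchecked call and assignment appear in the `type == USER` branch of the second sec_acl.cc hunk (`lacl[pos].a_perm = attr >> 6;`). An ACL listing that silently shows no owner access cannot be told apart from a real lock-out, so a failure here is also worth a debug message.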
@@ -787,8 +796,21 @@ get_posix_access (PSECURITY_DESCRIPTOR psd,
}
if ((pos = searchace (lacl, MAX_ACL_ENTRIES, type, id)) >= 0)
{
- getace (lacl[pos], type, id, ace->Mask, ace->Header.AceType,
- new_style && type & (USER | GROUP_OBJ | GROUP));
+ /* If we use the Windows user DB, use Authz to check for user
+ permissions. */
+ if (cygheap->pg.nss_pwd_db () && (type & (USER_OBJ | USER)))
+ {
+ /* We already handle the USER_OBJ entry above. */
+ if (type == USER)
+ {
+ mode_t attr = 0;
+ authz_get_user_attribute (&attr, psd, ace_sid);
+ lacl[pos].a_perm = attr >> 6;
+ }
+ }
+ else
+ getace (lacl[pos], type, id, ace->Mask, ace->Header.AceType,
+ new_style && type & (USER | GROUP_OBJ | GROUP));
if (!new_style)
{
/* Fix up CLASS_OBJ value. */
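Review bot: The USER_OBJ case of the new outer `if` is an empty path that skips `getace` entirely, and its only explanation is "We already handle the USER_OBJ entry above", which refers to code well outside this hunk. I would spell that out where the branch is taken, for example `/* USER_OBJ: a_perm was set from Authz for owner_sid earlier in this function; skip getace so the per-ACE mask cannot overwrite it. */`. In the USER case `ace->Mask` and `ace->Header.AceType` are no longer consulted, so each allow or deny ACE for the same SID appears to trigger a fresh Authz evaluation of the whole descriptor and to store the same result. A one-line comment saying this is intended would help the next reader. The enclosing loop in get_posix_access starts and ends outside the hunk.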