From 2d647173bb2056dfd87a184ac2b6e5ded660a466 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Thu, 9 Apr 2009 09:19:03 +0000
Subject: * fhandler_disk_file.cc (fhandler_disk_file::fchown): Catch an error when changing the user account on a standalone Samba server. Explain why. * sec_acl.cc (setacl): Accommodate additional parameter to set_file_sd. * sec_helper.cc (SECURITY_SAMBA_UNIX_AUTHORITY): Define. (well_known_samba_unix_user_fake_sid): Define. * security.cc (set_file_sd): Take additional parameter if ownership should be changed. Restrict requested permissions accordingly. (set_file_attribute): Accommodate additional parameter to set_file_sd. * security.h (well_known_samba_unix_user_fake_sid): Declare. (set_file_sd): Align declaration to above change.
---
 winsup/cygwin/security.cc | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'winsup/cygwin/security.cc')
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index c9de92b0a..a7d4a56f7 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -83,7 +83,7 @@ get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd)
 }
 LONG
-set_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd)
+set_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd, bool is_chown)
 {
 NTSTATUS status = STATUS_SUCCESS;
 int retry = 0;
@@ -93,7 +93,10 @@ set_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd)
 {
 if (fh)
 {
- status = NtSetSecurityObject (fh, ALL_SECURITY_INFORMATION, sd);
+ status = NtSetSecurityObject (fh,
+ is_chown ? ALL_SECURITY_INFORMATION
+ : DACL_SECURITY_INFORMATION,
+ sd);
 if (NT_SUCCESS (status))
 {
 res = 0;
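Review bot: The new `bool is_chown` parameter of `set_file_sd` has no comment, and a bare boolean is hard to read at call sites. A short comment above the definition would help, for example `/* is_chown: true if SD carries a new owner or group; false restricts the write to the DACL. */`. The commit message lists sec_acl.cc and security.h as updated for the new parameter, but those files are not shown here, so it is worth confirming that each caller passes the flag deliberately and not a constant `true`. The function body continues outside this hunk.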
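Review bot: The `is_chown` decision is encoded twice: here as the security-information mask passed to `NtSetSecurityObject`, and in the `@@ -104,8 +107,7` hunk as the access mask for `NtOpenFile`. The two have to stay in step, or the reopened handle will carry rights that do not match what is written. Computing both once at the top of the function would make that visible, e.g. `const SECURITY_INFORMATION info = is_chown ? ALL_SECURITY_INFORMATION : DACL_SECURITY_INFORMATION;` and `const ACCESS_MASK access = WRITE_DAC | (is_chown ? WRITE_OWNER : 0);`. With `is_chown` false, any owner or group carried in `sd` is silently not applied, and a one-line comment saying so would stop a later caller from relying on it. The enclosing loop starts and ends outside the hunk.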
@@ -104,8 +107,7 @@ set_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd)
 {
 OBJECT_ATTRIBUTES attr;
 IO_STATUS_BLOCK io;
-
- status = NtOpenFile (&fh, WRITE_OWNER | WRITE_DAC,
+ status = NtOpenFile (&fh, (is_chown ? WRITE_OWNER : 0) | WRITE_DAC,
 pc.get_object_attr (attr, sec_none_nih), &io, FILE_SHARE_VALID_FLAGS, FILE_OPEN_FOR_BACKUP_INTENT
@@ -712,7 +714,8 @@ set_file_attribute (HANDLE handle, path_conv &pc,
 if (!get_file_sd (handle, pc, sd) && alloc_sd (pc, uid, gid, attribute, sd))
- ret = set_file_sd (handle, pc, sd);
+ ret = set_file_sd (handle, pc, sd,
+ uid != ILLEGAL_UID || gid != ILLEGAL_GID);
 } else ret = 0;
--
cgit v1.2.3
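Review bot: `uid != ILLEGAL_UID || gid != ILLEGAL_GID` sets `is_chown` for a group-only change too, and `set_file_sd` then passes `ALL_SECURITY_INFORMATION`, which by its name presumably covers the owner as well as the group. If so, a plain group change also rewrites the owner SID held in `sd`. Assigning an owner other than the caller typically needs extra privilege on Windows, so a group-only change on a file owned by someone else could fail where writing only the group would succeed; this is inferred, since `alloc_sd` and the macro definition are not visible here. Passing a `SECURITY_INFORMATION` mask built from which of `uid` and `gid` is set, instead of a single bool, would write only what actually changes. The enclosing `if`/`else` starts outside the hunk.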