JehanneOS/newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

* dir.cc (mkdir): Use local security_descriptor. Call

Browse Source 
set_security_attribute appropriately.
	* external.cc (cygwin_internal): Ditto.
	* fhandler.cc (fhandler_base::open): Ditto.
	* fhandler_socket.cc (fhandler_socket::bind): Ditto.
	* path.cc (symlink_worker): Ditto.
	* sec_acl.cc (setacl): Ditto. Call read_sd appropriately.
	(getace): Ditto.
	* sec_helper.cc (security_descriptor::malloc): New method.
	(security_descriptor::realloc): New method.
	(security_descriptor::free): New method.
	* security.cc (read_sd): Get security_descriptor as parameter instead
	of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check.
	Allocate the security_descriptor buffer according to size returned by
	a call to GetFileSecurity. Return buffer size on success.
	(write_sd): Get security_descriptor as parameter instead of
	PSECURITY_DESCRIPTOR and a size.
	(get_nt_attribute): Use local security_descriptor.
	(get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY.
	Allocate security_descriptor buffer according to size returned by
	a call to RegGetKeySecurity.
	(alloc_sd): Make static. Get security_descriptor as parameter instead
	of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check.
	(set_security_attribute): Get security_descriptor as parameter instead
	of PSECURITY_DESCRIPTOR and a size.
	(set_nt_attribute): Use local security_descriptor.
	(check_file_access): Ditto.
	* security.h: Add class security_descriptor.
	(read_sd): Change declaration to get security_descriptor as parameter
	instead of PSECURITY_DESCRIPTOR and a size.
	(write_sd): Ditto.
	(set_security_attribute): Ditto.
	(alloc_sd): Remove declaration.
	* thread.cc (semaphore::semaphore): Use local security_descriptor. Call
	set_security_attribute appropriately.
This commit is contained in:
Corinna Vinschen 2003-11-26 13:23:27 +00:00
parent 3db690789f
commit 12069cf31b
11 changed files with 200 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
winsup/cygwin/ChangeLog
View File

@ -1,3 +1,41 @@
2003-11-26 Corinna Vinschen <corinna@vinschen.de>
* dir.cc (mkdir): Use local security_descriptor. Call
set_security_attribute appropriately.
* external.cc (cygwin_internal): Ditto.
* fhandler.cc (fhandler_base::open): Ditto.
* fhandler_socket.cc (fhandler_socket::bind): Ditto.
* path.cc (symlink_worker): Ditto.
* sec_acl.cc (setacl): Ditto. Call read_sd appropriately.
(getace): Ditto.
* sec_helper.cc (security_descriptor::malloc): New method.
(security_descriptor::realloc): New method.
(security_descriptor::free): New method.
* security.cc (read_sd): Get security_descriptor as parameter instead
of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check.
Allocate the security_descriptor buffer according to size returned by
a call to GetFileSecurity. Return buffer size on success.
(write_sd): Get security_descriptor as parameter instead of
PSECURITY_DESCRIPTOR and a size.
(get_nt_attribute): Use local security_descriptor.
(get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY.
Allocate security_descriptor buffer according to size returned by
a call to RegGetKeySecurity.
(alloc_sd): Make static. Get security_descriptor as parameter instead
of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check.
(set_security_attribute): Get security_descriptor as parameter instead
of PSECURITY_DESCRIPTOR and a size.
(set_nt_attribute): Use local security_descriptor.
(check_file_access): Ditto.
* security.h: Add class security_descriptor.
(read_sd): Change declaration to get security_descriptor as parameter
instead of PSECURITY_DESCRIPTOR and a size.
(write_sd): Ditto.
(set_security_attribute): Ditto.
(alloc_sd): Remove declaration.
* thread.cc (semaphore::semaphore): Use local security_descriptor. Call
set_security_attribute appropriately.
2003-11-26 Corinna Vinschen <corinna@vinschen.de> 2003-11-26 Corinna Vinschen <corinna@vinschen.de>
* sec_acl.h (getace): Use FILE_*_BITS as permission mask. * sec_acl.h (getace): Use FILE_*_BITS as permission mask.

3
winsup/cygwin/dir.cc
View File

@ -263,6 +263,7 @@ mkdir (const char *dir, mode_t mode)
{ {
int res = -1; int res = -1;
SECURITY_ATTRIBUTES sa = sec_none_nih; SECURITY_ATTRIBUTES sa = sec_none_nih;
security_descriptor sd;
path_conv real_dir (dir, PC_SYM_NOFOLLOW); path_conv real_dir (dir, PC_SYM_NOFOLLOW);
@ -278,7 +279,7 @@ mkdir (const char *dir, mode_t mode)
if (allow_ntsec && real_dir.has_acls ()) if (allow_ntsec && real_dir.has_acls ())
set_security_attribute (S_IFDIR | ((mode & 07777) & ~cygheap->umask), set_security_attribute (S_IFDIR | ((mode & 07777) & ~cygheap->umask),
&sa, alloca (4096), 4096); &sa, sd);
if (CreateDirectoryA (real_dir.get_win32 (), &sa)) if (CreateDirectoryA (real_dir.get_win32 (), &sa))
{ {

9
winsup/cygwin/external.cc
View File

@ -268,12 +268,17 @@ cygwin_internal (cygwin_getinfo_types t, ...)
} }
case CW_GET_POSIX_SECURITY_ATTRIBUTE: case CW_GET_POSIX_SECURITY_ATTRIBUTE:
{ {
security_descriptor sd;
int attribute = va_arg (arg, int); int attribute = va_arg (arg, int);
PSECURITY_ATTRIBUTES psa = va_arg (arg, PSECURITY_ATTRIBUTES); PSECURITY_ATTRIBUTES psa = va_arg (arg, PSECURITY_ATTRIBUTES);
void *sd_buf = va_arg (arg, void *); void *sd_buf = va_arg (arg, void *);
DWORD sd_buf_size = va_arg (arg, DWORD); DWORD sd_buf_size = va_arg (arg, DWORD);
set_security_attribute (attribute, psa, sd_buf, sd_buf_size); set_security_attribute (attribute, psa, sd);
return psa->lpSecurityDescriptor ? 0 : -1; if (!psa->lpSecurityDescriptor || sd.size () > sd_buf_size)
return sd.size ();
memcpy (sd_buf, sd, sd.size ());
psa->lpSecurityDescriptor = sd_buf;
return 0;
} }
case CW_GET_SHMLBA: case CW_GET_SHMLBA:
{ {

3
winsup/cygwin/fhandler.cc
View File

@ -342,6 +342,7 @@ fhandler_base::open (int flags, mode_t mode)
int shared; int shared;
int creation_distribution; int creation_distribution;
SECURITY_ATTRIBUTES sa = sec_none; SECURITY_ATTRIBUTES sa = sec_none;
security_descriptor sd;
syscall_printf ("(%s, %p) query_open %d", get_win32_name (), flags, get_query_open ()); syscall_printf ("(%s, %p) query_open %d", get_win32_name (), flags, get_query_open ());
@ -421,7 +422,7 @@ fhandler_base::open (int flags, mode_t mode)
/* If the file should actually be created and ntsec is on, /* If the file should actually be created and ntsec is on,
set files attributes. */ set files attributes. */
if (flags & O_CREAT && get_device () == FH_FS && allow_ntsec && has_acls ()) if (flags & O_CREAT && get_device () == FH_FS && allow_ntsec && has_acls ())
set_security_attribute (mode, &sa, alloca (4096), 4096); set_security_attribute (mode, &sa, sd);
x = CreateFile (get_win32_name (), access, shared, &sa, creation_distribution, x = CreateFile (get_win32_name (), access, shared, &sa, creation_distribution,
file_attributes, 0); file_attributes, 0);

3
winsup/cygwin/fhandler_socket.cc
View File

@ -442,8 +442,9 @@ fhandler_socket::bind (const struct sockaddr *name, int namelen)
if (!(mode & (S_IWUSR | S_IWGRP | S_IWOTH))) if (!(mode & (S_IWUSR | S_IWGRP | S_IWOTH)))
attr |= FILE_ATTRIBUTE_READONLY; attr |= FILE_ATTRIBUTE_READONLY;
SECURITY_ATTRIBUTES sa = sec_none; SECURITY_ATTRIBUTES sa = sec_none;
security_descriptor sd;
if (allow_ntsec && pc.has_acls ()) if (allow_ntsec && pc.has_acls ())
set_security_attribute (mode, &sa, alloca (4096), 4096); set_security_attribute (mode, &sa, sd);
HANDLE fh = CreateFile (pc, GENERIC_WRITE, 0, &sa, CREATE_NEW, attr, 0); HANDLE fh = CreateFile (pc, GENERIC_WRITE, 0, &sa, CREATE_NEW, attr, 0);
if (fh == INVALID_HANDLE_VALUE) if (fh == INVALID_HANDLE_VALUE)
{ {

3
winsup/cygwin/path.cc
View File

@ -2491,6 +2491,7 @@ symlink_worker (const char *topath, const char *frompath, bool use_winsym,
char w32topath[CYG_MAX_PATH + 1]; char w32topath[CYG_MAX_PATH + 1];
DWORD written; DWORD written;
SECURITY_ATTRIBUTES sa = sec_none_nih; SECURITY_ATTRIBUTES sa = sec_none_nih;
security_descriptor sd;
/* POSIX says that empty 'frompath' is invalid input whlie empty /* POSIX says that empty 'frompath' is invalid input whlie empty
'topath' is valid -- it's symlink resolver job to verify if 'topath' is valid -- it's symlink resolver job to verify if
@ -2565,7 +2566,7 @@ symlink_worker (const char *topath, const char *frompath, bool use_winsym,
if (allow_ntsec && win32_path.has_acls ()) if (allow_ntsec && win32_path.has_acls ())
set_security_attribute (S_IFLNK | STD_RBITS | STD_WBITS, set_security_attribute (S_IFLNK | STD_RBITS | STD_WBITS,
&sa, alloca (4096), 4096); &sa, sd);
h = CreateFile (win32_path, GENERIC_WRITE, 0, &sa, create_how, h = CreateFile (win32_path, GENERIC_WRITE, 0, &sa, create_how,
FILE_ATTRIBUTE_NORMAL, 0); FILE_ATTRIBUTE_NORMAL, 0);

34
winsup/cygwin/sec_acl.cc
View File

@ -49,11 +49,9 @@ searchace (__aclent32_t *aclp, int nentries, int type, __uid32_t id = ILLEGAL_UI
static int static int
setacl (const char *file, int nentries, __aclent32_t *aclbufp) setacl (const char *file, int nentries, __aclent32_t *aclbufp)
{ {
DWORD sd_size = 4096; security_descriptor sd_ret;
char sd_buf[4096];
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) sd_buf;
if (read_sd (file, psd, &sd_size) <= 0) if (read_sd (file, sd_ret) <= 0)
{ {
debug_printf ("read_sd %E"); debug_printf ("read_sd %E");
return -1; return -1;
@ -63,7 +61,7 @@ setacl (const char *file, int nentries, __aclent32_t *aclbufp)
/* Get owner SID. */ /* Get owner SID. */
PSID owner_sid; PSID owner_sid;
if (!GetSecurityDescriptorOwner (psd, &owner_sid, &dummy)) if (!GetSecurityDescriptorOwner (sd_ret, &owner_sid, &dummy))
{ {
__seterrno (); __seterrno ();
return -1; return -1;
@ -72,7 +70,7 @@ setacl (const char *file, int nentries, __aclent32_t *aclbufp)
/* Get group SID. */ /* Get group SID. */
PSID group_sid; PSID group_sid;
if (!GetSecurityDescriptorGroup (psd, &group_sid, &dummy)) if (!GetSecurityDescriptorGroup (sd_ret, &group_sid, &dummy))
{ {
__seterrno (); __seterrno ();
return -1; return -1;
@ -206,21 +204,21 @@ setacl (const char *file, int nentries, __aclent32_t *aclbufp)
__seterrno (); __seterrno ();
return -1; return -1;
} }
/* Make self relative security descriptor in psd. */ /* Make self relative security descriptor in sd_ret. */
sd_size = 0; DWORD sd_size = 0;
MakeSelfRelativeSD (&sd, psd, &sd_size); MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
if (sd_size <= 0) if (sd_size <= 0)
{ {
__seterrno (); __seterrno ();
return -1; return -1;
} }
if (!MakeSelfRelativeSD (&sd, psd, &sd_size)) if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
{ {
__seterrno (); __seterrno ();
return -1; return -1;
} }
debug_printf ("Created SD-Size: %d", sd_size); debug_printf ("Created SD-Size: %d", sd_ret.size ());
return write_sd (file, psd, sd_size); return write_sd (file, sd_ret);
} }
/* Temporary access denied bits */ /* Temporary access denied bits */
@ -257,12 +255,10 @@ getace (__aclent32_t &acl, int type, int id, DWORD win_ace_mask,
static int static int
getacl (const char *file, DWORD attr, int nentries, __aclent32_t *aclbufp) getacl (const char *file, DWORD attr, int nentries, __aclent32_t *aclbufp)
{ {
DWORD sd_size = 4096; security_descriptor sd;
char sd_buf[4096];
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) sd_buf;
int ret; int ret;
if ((ret = read_sd (file, psd, &sd_size)) <= 0) if ((ret = read_sd (file, sd)) <= 0)
{ {
debug_printf ("read_sd %E"); debug_printf ("read_sd %E");
return ret; return ret;
@ -274,7 +270,7 @@ getacl (const char *file, DWORD attr, int nentries, __aclent32_t *aclbufp)
__uid32_t uid; __uid32_t uid;
__gid32_t gid; __gid32_t gid;
if (!GetSecurityDescriptorOwner (psd, (PSID *) &owner_sid, &dummy)) if (!GetSecurityDescriptorOwner (sd, (PSID *) &owner_sid, &dummy))
{ {
debug_printf ("GetSecurityDescriptorOwner %E"); debug_printf ("GetSecurityDescriptorOwner %E");
__seterrno (); __seterrno ();
@ -282,7 +278,7 @@ getacl (const char *file, DWORD attr, int nentries, __aclent32_t *aclbufp)
} }
uid = owner_sid.get_uid (); uid = owner_sid.get_uid ();
if (!GetSecurityDescriptorGroup (psd, (PSID *) &group_sid, &dummy)) if (!GetSecurityDescriptorGroup (sd, (PSID *) &group_sid, &dummy))
{ {
debug_printf ("GetSecurityDescriptorGroup %E"); debug_printf ("GetSecurityDescriptorGroup %E");
__seterrno (); __seterrno ();
@ -305,7 +301,7 @@ getacl (const char *file, DWORD attr, int nentries, __aclent32_t *aclbufp)
PACL acl; PACL acl;
BOOL acl_exists; BOOL acl_exists;
if (!GetSecurityDescriptorDacl (psd, &acl_exists, &acl, &dummy)) if (!GetSecurityDescriptorDacl (sd, &acl_exists, &acl, &dummy))
{ {
__seterrno (); __seterrno ();
debug_printf ("GetSecurityDescriptorDacl %E"); debug_printf ("GetSecurityDescriptorDacl %E");

29
winsup/cygwin/sec_helper.cc
View File

@ -225,6 +225,35 @@ get_sids_info (cygpsid owner_sid, cygpsid group_sid, __uid32_t * uidret, __gid32
return ret; return ret;
} }
PSECURITY_DESCRIPTOR
security_descriptor::malloc (size_t nsize)
{
if (psd)
::free (psd);
psd = (PSECURITY_DESCRIPTOR) ::malloc (nsize);
sd_size = psd ? nsize : 0;
return psd;
}
PSECURITY_DESCRIPTOR
security_descriptor::realloc (size_t nsize)
{
PSECURITY_DESCRIPTOR tmp = (PSECURITY_DESCRIPTOR) ::realloc (psd, nsize);
if (!tmp)
return NULL;
sd_size = nsize;
return psd = tmp;
}
void
security_descriptor::free (void)
{
if (psd)
::free (psd);
psd = NULL;
sd_size = 0;
}
#if 0 // unused #if 0 // unused
#define SIDLEN (sidlen = MAX_SID_LEN, &sidlen) #define SIDLEN (sidlen = MAX_SID_LEN, &sidlen)
#define DOMLEN (domlen = INTERNET_MAX_HOST_NAME_LENGTH, &domlen) #define DOMLEN (domlen = INTERNET_MAX_HOST_NAME_LENGTH, &domlen)

165
winsup/cygwin/security.cc
View File

@ -1067,23 +1067,18 @@ out:
of the SD on success. Unfortunately NT returns of the SD on success. Unfortunately NT returns
0 in `len' on success, while W2K returns the 0 in `len' on success, while W2K returns the
correct size! correct size!
2003-11-26: Now the function allocates the space needed by itself so
it knows the real size and returns it in the security_descriptor object.
*/ */
LONG LONG
read_sd (const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size) read_sd (const char *file, security_descriptor &sd)
{ {
/* Check parameters */
if (!sd_size)
{
set_errno (EINVAL);
return -1;
}
debug_printf ("file = %s", file);
DWORD len = 0; DWORD len = 0;
const char *pfile = file; const char *pfile = file;
char fbuf[PATH_MAX]; char fbuf[CYG_MAX_PATH];
if (current_codepage == oem_cp) if (current_codepage == oem_cp)
{ {
DWORD fname_len = min (sizeof (fbuf) - 1, strlen (file)); DWORD fname_len = min (sizeof (fbuf) - 1, strlen (file));
@ -1096,34 +1091,38 @@ read_sd (const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size)
OWNER_SECURITY_INFORMATION OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION, | DACL_SECURITY_INFORMATION,
sd_buf, *sd_size, &len)) NULL, 0, &len)
&& GetLastError () != ERROR_INSUFFICIENT_BUFFER)
{ {
debug_printf ("file = %s", file);
__seterrno (); __seterrno ();
return -1; return -1;
} }
debug_printf ("file = %s: len=%d", file, len); debug_printf ("file = %s: len=%d", file, len);
if (len > *sd_size) if (!sd.malloc (len))
{ {
*sd_size = len; set_errno (ENOMEM);
return 0; return -1;
} }
return 1; if (!GetFileSecurity (pfile,
OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION,
sd, len, &len))
{
__seterrno ();
return -1;
}
return sd.size ();
} }
LONG LONG
write_sd (const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size) write_sd (const char *file, security_descriptor &sd)
{ {
/* Check parameters */
if (!sd_buf || !sd_size)
{
set_errno (EINVAL);
return -1;
}
BOOL dummy; BOOL dummy;
cygpsid owner; cygpsid owner;
if (!GetSecurityDescriptorOwner (sd_buf, (PSID *) &owner, &dummy)) if (!GetSecurityDescriptorOwner (sd, (PSID *) &owner, &dummy))
{ {
__seterrno (); __seterrno ();
return -1; return -1;
@ -1168,7 +1167,7 @@ write_sd (const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size)
header.dwStreamId = BACKUP_SECURITY_DATA; header.dwStreamId = BACKUP_SECURITY_DATA;
header.dwStreamAttributes = STREAM_CONTAINS_SECURITY; header.dwStreamAttributes = STREAM_CONTAINS_SECURITY;
header.Size.HighPart = 0; header.Size.HighPart = 0;
header.Size.LowPart = sd_size; header.Size.LowPart = sd.size ();
header.dwStreamNameSize = 0; header.dwStreamNameSize = 0;
if (!BackupWrite (fh, (LPBYTE) &header, if (!BackupWrite (fh, (LPBYTE) &header,
3 * sizeof (DWORD) + sizeof (LARGE_INTEGER), 3 * sizeof (DWORD) + sizeof (LARGE_INTEGER),
@ -1180,7 +1179,7 @@ write_sd (const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size)
} }
/* write new security descriptor */ /* write new security descriptor */
if (!BackupWrite (fh, (LPBYTE) sd_buf, if (!BackupWrite (fh, (LPBYTE) (PSECURITY_DESCRIPTOR) sd,
header.Size.LowPart + header.dwStreamNameSize, header.Size.LowPart + header.dwStreamNameSize,
&bytes_written, FALSE, TRUE, &context)) &bytes_written, FALSE, TRUE, &context))
{ {
@ -1361,19 +1360,11 @@ static void
get_nt_attribute (const char *file, mode_t *attribute, get_nt_attribute (const char *file, mode_t *attribute,
__uid32_t *uidret, __gid32_t *gidret) __uid32_t *uidret, __gid32_t *gidret)
{ {
/* Yeah, sounds too much, but I've seen SDs of 2100 bytes! */ security_descriptor sd;
DWORD sd_size = 4096;
char sd_buf[4096];
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) sd_buf;
if (read_sd (file, psd, &sd_size) <= 0) if (read_sd (file, sd) <= 0)
{ debug_printf ("read_sd %E");
debug_printf ("read_sd %E"); get_info_from_sd (sd, attribute, uidret, gidret);
psd = NULL;
}
get_info_from_sd (psd, attribute, uidret, gidret);
return;
} }
int int
@ -1411,26 +1402,37 @@ get_file_attribute (int use_ntsec, const char *file,
static void static void
get_nt_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, get_nt_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type,
mode_t *attribute, __uid32_t *uidret, __gid32_t *gidret) mode_t *attribute, __uid32_t *uidret,
__gid32_t *gidret)
{ {
PSECURITY_DESCRIPTOR psd; security_descriptor sd;
char sd_buf[4096]; PSECURITY_DESCRIPTOR psd = NULL;
if (object_type == SE_REGISTRY_KEY) if (object_type == SE_REGISTRY_KEY)
{ {
/* use different code for registry handles, for performance reasons */ /* use different code for registry handles, for performance reasons */
psd = (PSECURITY_DESCRIPTOR) & sd_buf[0]; DWORD len = 0;
DWORD len = sizeof (sd_buf); if (RegGetKeySecurity ((HKEY) handle,
if (ERROR_SUCCESS != RegGetKeySecurity ((HKEY) handle, DACL_SECURITY_INFORMATION
DACL_SECURITY_INFORMATION | | GROUP_SECURITY_INFORMATION
GROUP_SECURITY_INFORMATION | | OWNER_SECURITY_INFORMATION,
OWNER_SECURITY_INFORMATION, sd, &len) != ERROR_INSUFFICIENT_BUFFER)
psd, &len))
{ {
__seterrno (); __seterrno ();
debug_printf ("RegGetKeySecurity %E"); debug_printf ("RegGetKeySecurity %E");
psd = NULL;
} }
if (!sd.malloc (len))
set_errno (ENOMEM);
else if (RegGetKeySecurity ((HKEY) handle,
DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION,
sd, &len) != ERROR_SUCCESS)
{
__seterrno ();
debug_printf ("RegGetKeySecurity %E");
}
get_info_from_sd (sd, attribute, uidret, gidret);
} }
else else
{ {
@ -1444,13 +1446,10 @@ get_nt_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type,
debug_printf ("GetSecurityInfo %E"); debug_printf ("GetSecurityInfo %E");
psd = NULL; psd = NULL;
} }
get_info_from_sd (psd, attribute, uidret, gidret);
if (psd)
LocalFree (psd);
} }
get_info_from_sd (psd, attribute, uidret, gidret);
if (psd != (PSECURITY_DESCRIPTOR) & sd_buf[0])
LocalFree (psd);
return;
} }
int int
@ -1498,18 +1497,13 @@ add_access_denied_ace (PACL acl, int offset, DWORD attributes,
return TRUE; return TRUE;
} }
PSECURITY_DESCRIPTOR static PSECURITY_DESCRIPTOR
alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret) security_descriptor &sd_ret)
{ {
BOOL dummy; BOOL dummy;
debug_printf("uid %d, gid %d, attribute %x", uid, gid, attribute); debug_printf("uid %d, gid %d, attribute %x", uid, gid, attribute);
if (!sd_ret || !sd_size_ret)
{
set_errno (EINVAL);
return NULL;
}
/* Get owner and group from current security descriptor. */ /* Get owner and group from current security descriptor. */
PSID cur_owner_sid = NULL; PSID cur_owner_sid = NULL;
@ -1788,33 +1782,37 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
} }
/* Make self relative security descriptor. */ /* Make self relative security descriptor. */
*sd_size_ret = 0; DWORD sd_size = 0;
MakeSelfRelativeSD (&sd, sd_ret, sd_size_ret); MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
if (*sd_size_ret <= 0) if (sd_size <= 0)
{ {
__seterrno (); __seterrno ();
return NULL; return NULL;
} }
if (!MakeSelfRelativeSD (&sd, sd_ret, sd_size_ret)) if (!sd_ret.malloc (sd_size))
{
set_errno (ENOMEM);
return NULL;
}
if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
{ {
__seterrno (); __seterrno ();
return NULL; return NULL;
} }
debug_printf ("Created SD-Size: %d", *sd_size_ret); debug_printf ("Created SD-Size: %u", sd_ret.size ());
return sd_ret; return sd_ret;
} }
void void
set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa, set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
void *sd_buf, DWORD sd_buf_size) security_descriptor &sd)
{ {
psa->lpSecurityDescriptor = sd_buf; psa->lpSecurityDescriptor = sd.malloc (SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor ((PSECURITY_DESCRIPTOR) sd_buf, InitializeSecurityDescriptor ((PSECURITY_DESCRIPTOR)psa->lpSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION); SECURITY_DESCRIPTOR_REVISION);
psa->lpSecurityDescriptor = alloc_sd (geteuid32 (), getegid32 (), attribute, psa->lpSecurityDescriptor = alloc_sd (geteuid32 (), getegid32 (),
(PSECURITY_DESCRIPTOR) sd_buf, attribute, sd);
&sd_buf_size);
} }
static int static int
@ -1824,22 +1822,19 @@ set_nt_attribute (const char *file, __uid32_t uid, __gid32_t gid,
if (!wincap.has_security ()) if (!wincap.has_security ())
return 0; return 0;
DWORD sd_size = 4096; security_descriptor sd;
char sd_buf[4096];
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) sd_buf;
int ret; int ret;
if ((ret = read_sd (file, psd, &sd_size)) <= 0) if ((ret = read_sd (file, sd)) <= 0)
{ {
debug_printf ("read_sd %E"); debug_printf ("read_sd %E");
return -1; return -1;
} }
sd_size = 4096; if (!alloc_sd (uid, gid, attribute, sd))
if (!(psd = alloc_sd (uid, gid, attribute, psd, &sd_size)))
return -1; return -1;
return write_sd (file, psd, sd_size); return write_sd (file, sd);
} }
int int
@ -1872,9 +1867,9 @@ int
check_file_access (const char *fn, int flags) check_file_access (const char *fn, int flags)
{ {
int ret = -1; int ret = -1;
char sd_buf[4096];
DWORD sd_size = sizeof sd_buf; security_descriptor sd;
PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) sd_buf;
HANDLE hToken, hIToken; HANDLE hToken, hIToken;
BOOL status; BOOL status;
char pbuf[sizeof (PRIVILEGE_SET) + 3 * sizeof (LUID_AND_ATTRIBUTES)]; char pbuf[sizeof (PRIVILEGE_SET) + 3 * sizeof (LUID_AND_ATTRIBUTES)];
@ -1883,7 +1878,7 @@ check_file_access (const char *fn, int flags)
FILE_GENERIC_WRITE, FILE_GENERIC_WRITE,
FILE_GENERIC_EXECUTE, FILE_GENERIC_EXECUTE,
FILE_ALL_ACCESS }; FILE_ALL_ACCESS };
if (read_sd (fn, psd, &sd_size) <= 0) if (read_sd (fn, sd) <= 0)
goto done; goto done;
if (cygheap->user.issetuid ()) if (cygheap->user.issetuid ())
@ -1906,7 +1901,7 @@ check_file_access (const char *fn, int flags)
desired |= FILE_WRITE_DATA; desired |= FILE_WRITE_DATA;
if (flags & X_OK) if (flags & X_OK)
desired |= FILE_EXECUTE; desired |= FILE_EXECUTE;
if (!AccessCheck (psd, hIToken, desired, &mapping, if (!AccessCheck (sd, hIToken, desired, &mapping,
(PPRIVILEGE_SET) pbuf, &plength, &granted, &status)) (PPRIVILEGE_SET) pbuf, &plength, &granted, &status))
__seterrno (); __seterrno ();
else if (!status) else if (!status)

26
winsup/cygwin/security.h
View File

@ -167,6 +167,24 @@ public:
} }
}; };
/* Wrapper class to allow simple deleting of buffer space allocated
by read_sd() */
class security_descriptor {
protected:
PSECURITY_DESCRIPTOR psd;
DWORD sd_size;
public:
security_descriptor () : psd (NULL), sd_size (0) {}
~security_descriptor () { free (); }
PSECURITY_DESCRIPTOR malloc (size_t nsize);
PSECURITY_DESCRIPTOR realloc (size_t nsize);
void free (void);
inline DWORD size (void) const { return sd_size; }
inline operator const PSECURITY_DESCRIPTOR () { return psd; }
};
class user_groups { class user_groups {
public: public:
cygsid pgsid; cygsid pgsid;
@ -228,14 +246,14 @@ int __stdcall set_file_attribute (int, const char *, int);
int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int); int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, mode_t *, int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, mode_t *,
__uid32_t * = NULL, __gid32_t * = NULL); __uid32_t * = NULL, __gid32_t * = NULL);
LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size); LONG __stdcall read_sd (const char *file, security_descriptor &sd);
LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size); LONG __stdcall write_sd (const char *file, security_descriptor &sd);
BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit); BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit); BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
int __stdcall check_file_access (const char *, int); int __stdcall check_file_access (const char *, int);
void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa, void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
void *sd_buf, DWORD sd_buf_size); security_descriptor &sd_buf);
bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *); bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *);
@ -268,8 +286,6 @@ extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID,
int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len); int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len); BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
extern inline SECURITY_ATTRIBUTES * extern inline SECURITY_ATTRIBUTES *
sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0) sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)

3
winsup/cygwin/thread.cc
View File

@ -1676,8 +1676,9 @@ semaphore::semaphore (const char *sem_name, int oflag, mode_t mode,
if (oflag & O_CREAT) if (oflag & O_CREAT)
{ {
SECURITY_ATTRIBUTES sa = sec_all; SECURITY_ATTRIBUTES sa = sec_all;
security_descriptor sd;
if (allow_ntsec) if (allow_ntsec)
set_security_attribute (mode, &sa, alloca (4096), 4096); set_security_attribute (mode, &sa, sd);
this->win32_obj_id = ::CreateSemaphore (&sa, value, LONG_MAX, sem_name); this->win32_obj_id = ::CreateSemaphore (&sa, value, LONG_MAX, sem_name);
if (!this->win32_obj_id) if (!this->win32_obj_id)
magic = 0; magic = 0;