* external.cc (cygwin_internal): Use security_descriptor::copy method.

* sec_helper.cc (security_descriptor::malloc): Use own free method.
	Set type.
	(security_descriptor::realloc): Handle the case that psd has been
	allocated using LocalAlloc.  Set type.
	(security_descriptor::free): Ditto.
	* security.cc (get_nt_attribute): Remove.
	(get_reg_security): Remove.
	(get_nt_object_security): Use GetSecurityInfo which handles all
	securable objects.
	(get_nt_object_attribute): Remove.
	(get_object_attribute): Call get_nt_object_security instead of
	get_nt_object_attribute.
	(get_file_attribute): Ditto.
	(check_registry_access): Call get_nt_object_security instead of
	get_reg_security.
	* security.h (cygpsid::operator PSID): Make method const, not the
	result.
	(class security_descriptor): Add type member.  Accomodate throughout.
	(security_descriptor::copy): New method.
	(security_descriptor::operator PSECURITY_DESCRIPTOR *): New operator.
This commit is contained in:
Corinna Vinschen
2006-10-22 14:57:43 +00:00
parent 2b26c2fc41
commit 2be593d961
5 changed files with 96 additions and 106 deletions

View File

@@ -1,3 +1,27 @@
2006-10-22 Corinna Vinschen <corinna@vinschen.de>
* external.cc (cygwin_internal): Use security_descriptor::copy method.
* sec_helper.cc (security_descriptor::malloc): Use own free method.
Set type.
(security_descriptor::realloc): Handle the case that psd has been
allocated using LocalAlloc. Set type.
(security_descriptor::free): Ditto.
* security.cc (get_nt_attribute): Remove.
(get_reg_security): Remove.
(get_nt_object_security): Use GetSecurityInfo which handles all
securable objects.
(get_nt_object_attribute): Remove.
(get_object_attribute): Call get_nt_object_security instead of
get_nt_object_attribute.
(get_file_attribute): Ditto.
(check_registry_access): Call get_nt_object_security instead of
get_reg_security.
* security.h (cygpsid::operator PSID): Make method const, not the
result.
(class security_descriptor): Add type member. Accomodate throughout.
(security_descriptor::copy): New method.
(security_descriptor::operator PSECURITY_DESCRIPTOR *): New operator.
2006-10-22 Corinna Vinschen <corinna@vinschen.de> 2006-10-22 Corinna Vinschen <corinna@vinschen.de>
* fhandler.cc (fhandler_base::fhaccess): Check if opening registry * fhandler.cc (fhandler_base::fhaccess): Check if opening registry

View File

@@ -293,11 +293,10 @@ cygwin_internal (cygwin_getinfo_types t, ...)
void *sd_buf = va_arg (arg, void *); void *sd_buf = va_arg (arg, void *);
DWORD sd_buf_size = va_arg (arg, DWORD); DWORD sd_buf_size = va_arg (arg, DWORD);
set_security_attribute (attribute, psa, sd); set_security_attribute (attribute, psa, sd);
if (!psa->lpSecurityDescriptor || sd.size () > sd_buf_size) if (!psa->lpSecurityDescriptor)
return sd.size (); return sd.size ();
memcpy (sd_buf, sd, sd.size ());
psa->lpSecurityDescriptor = sd_buf; psa->lpSecurityDescriptor = sd_buf;
return 0; return sd.copy (sd_buf, sd_buf_size);
} }
case CW_GET_SHMLBA: case CW_GET_SHMLBA:
{ {

View File

@@ -224,20 +224,37 @@ get_sids_info (cygpsid owner_sid, cygpsid group_sid, __uid32_t * uidret, __gid32
PSECURITY_DESCRIPTOR PSECURITY_DESCRIPTOR
security_descriptor::malloc (size_t nsize) security_descriptor::malloc (size_t nsize)
{ {
if (psd) free ();
::free (psd); if ((psd = (PSECURITY_DESCRIPTOR) ::malloc (nsize)))
psd = (PSECURITY_DESCRIPTOR) ::malloc (nsize); {
sd_size = psd ? nsize : 0; sd_size = nsize;
type = malloced;
}
return psd; return psd;
} }
PSECURITY_DESCRIPTOR PSECURITY_DESCRIPTOR
security_descriptor::realloc (size_t nsize) security_descriptor::realloc (size_t nsize)
{ {
PSECURITY_DESCRIPTOR tmp = (PSECURITY_DESCRIPTOR) ::realloc (psd, nsize); PSECURITY_DESCRIPTOR tmp;
if (!tmp)
if (type == malloced)
{
if (!(tmp = (PSECURITY_DESCRIPTOR) ::realloc (psd, nsize)))
return NULL; return NULL;
}
else
{
if (!(tmp = (PSECURITY_DESCRIPTOR) ::malloc (nsize)))
return NULL;
if (psd)
{
memcpy (tmp, psd, LocalSize (psd));
LocalFree (psd);
}
}
sd_size = nsize; sd_size = nsize;
type = malloced;
return psd = tmp; return psd = tmp;
} }
@@ -245,9 +262,15 @@ void
security_descriptor::free () security_descriptor::free ()
{ {
if (psd) if (psd)
{
if (type == local_alloced)
LocalFree (psd);
else
::free (psd); ::free (psd);
}
psd = NULL; psd = NULL;
sd_size = 0; sd_size = 0;
type = local_alloced;
} }
#if 0 // unused #if 0 // unused

View File

@@ -1389,91 +1389,31 @@ get_info_from_sd (PSECURITY_DESCRIPTOR psd, mode_t *attribute,
(!acl_exists || !acl)?"NO ":"", *attribute, uid, gid); (!acl_exists || !acl)?"NO ":"", *attribute, uid, gid);
} }
static void int
get_nt_attribute (const char *file, mode_t *attribute, get_nt_object_security (HANDLE handle, SE_OBJECT_TYPE object_type,
__uid32_t *uidret, __gid32_t *gidret) security_descriptor &sd_ret)
{ {
security_descriptor sd; sd_ret.free ();
/* Don't use NtQuerySecurityObject. It doesn't recognize predefined
if (read_sd (file, sd) <= 0) registry keys. */
debug_printf ("read_sd %E"); DWORD ret = GetSecurityInfo (handle, object_type,
get_info_from_sd (sd, attribute, uidret, gidret);
}
static int
get_reg_security (HANDLE handle, security_descriptor &sd_ret)
{
LONG ret;
DWORD len = 0;
ret = RegGetKeySecurity ((HKEY) handle,
DACL_SECURITY_INFORMATION DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION, | OWNER_SECURITY_INFORMATION,
sd_ret, &len); NULL, NULL, NULL, NULL, sd_ret);
if (ret == ERROR_INSUFFICIENT_BUFFER)
{
if (!sd_ret.malloc (len))
set_errno (ENOMEM);
else
ret = RegGetKeySecurity ((HKEY) handle,
DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION,
sd_ret, &len);
}
if (ret != ERROR_SUCCESS) if (ret != ERROR_SUCCESS)
{ {
__seterrno (); __seterrno_from_win_error (ret);
return -1; return -1;
} }
return 0; return 0;
} }
int int
get_nt_object_security (HANDLE handle, SE_OBJECT_TYPE object_type, get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type,
security_descriptor &sd_ret) mode_t *attribute, __uid32_t *uidret, __gid32_t *gidret)
{ {
NTSTATUS ret; if (allow_ntsec)
ULONG len = 0;
/* Unfortunately, NtQuerySecurityObject doesn't work on predefined registry
keys like HKEY_LOCAL_MACHINE. It fails with "Invalid Handle". So we
have to retreat to the Win32 registry functions for registry keys.
What bugs me is that RegGetKeySecurity is obviously just a wrapper
around NtQuerySecurityObject, but there seems to be no function to
convert pseudo HKEY values to real handles. */
if (object_type == SE_REGISTRY_KEY)
return get_reg_security (handle, sd_ret);
ret = NtQuerySecurityObject (handle,
DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION,
sd_ret, len, &len);
if (ret == STATUS_BUFFER_TOO_SMALL)
{
if (!sd_ret.malloc (len))
set_errno (ENOMEM);
else
ret = NtQuerySecurityObject (handle,
DACL_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| OWNER_SECURITY_INFORMATION,
sd_ret, len, &len);
}
if (ret != STATUS_SUCCESS)
{
__seterrno_from_nt_status (ret);
return -1;
}
return 0;
}
static int
get_nt_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type,
mode_t *attribute, __uid32_t *uidret,
__gid32_t *gidret)
{ {
security_descriptor sd; security_descriptor sd;
PSECURITY_DESCRIPTOR psd = NULL; PSECURITY_DESCRIPTOR psd = NULL;
@@ -1488,16 +1428,6 @@ get_nt_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type,
get_info_from_sd (psd, attribute, uidret, gidret); get_info_from_sd (psd, attribute, uidret, gidret);
return 0; return 0;
} }
int
get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type,
mode_t *attribute, __uid32_t *uidret, __gid32_t *gidret)
{
if (allow_ntsec)
{
get_nt_object_attribute (handle, object_type, attribute, uidret, gidret);
return 0;
}
/* The entries are already set to default values */ /* The entries are already set to default values */
return -1; return -1;
} }
@@ -1511,9 +1441,11 @@ get_file_attribute (int use_ntsec, HANDLE handle, const char *file,
if (use_ntsec && allow_ntsec) if (use_ntsec && allow_ntsec)
{ {
if (!handle || get_nt_object_attribute (handle, SE_FILE_OBJECT, security_descriptor sd;
attribute, uidret, gidret))
get_nt_attribute (file, attribute, uidret, gidret); if (!handle || get_nt_object_security (handle, SE_FILE_OBJECT, sd))
read_sd (file, sd);
get_info_from_sd (sd, attribute, uidret, gidret);
return 0; return 0;
} }
@@ -2039,7 +1971,7 @@ check_registry_access (HANDLE hdl, int flags)
desired |= KEY_SET_VALUE; desired |= KEY_SET_VALUE;
if (flags & X_OK) if (flags & X_OK)
desired |= KEY_QUERY_VALUE; desired |= KEY_QUERY_VALUE;
if (!get_reg_security (hdl, sd)) if (!get_nt_object_security (hdl, SE_REGISTRY_KEY, sd))
ret = check_access (sd, mapping, desired, flags); ret = check_access (sd, mapping, desired, flags);
debug_printf ("flags %x, ret %d", flags, ret); debug_printf ("flags %x, ret %d", flags, ret);
return ret; return ret;

View File

@@ -43,7 +43,7 @@ protected:
public: public:
cygpsid () {} cygpsid () {}
cygpsid (PSID nsid) { psid = nsid; } cygpsid (PSID nsid) { psid = nsid; }
operator const PSID () { return psid; } operator PSID () const { return psid; }
const PSID operator= (PSID nsid) { return psid = nsid;} const PSID operator= (PSID nsid) { return psid = nsid;}
__uid32_t get_id (BOOL search_grp, int *type = NULL); __uid32_t get_id (BOOL search_grp, int *type = NULL);
int get_uid () { return get_id (FALSE); } int get_uid () { return get_id (FALSE); }
@@ -182,16 +182,28 @@ class security_descriptor {
protected: protected:
PSECURITY_DESCRIPTOR psd; PSECURITY_DESCRIPTOR psd;
DWORD sd_size; DWORD sd_size;
enum { local_alloced, malloced } type;
public: public:
security_descriptor () : psd (NULL), sd_size (0) {} security_descriptor () : psd (NULL), sd_size (0), type (local_alloced) {}
~security_descriptor () { free (); } ~security_descriptor () { free (); }
PSECURITY_DESCRIPTOR malloc (size_t nsize); PSECURITY_DESCRIPTOR malloc (size_t nsize);
PSECURITY_DESCRIPTOR realloc (size_t nsize); PSECURITY_DESCRIPTOR realloc (size_t nsize);
void free (); void free ();
inline DWORD size () const { return sd_size; } inline DWORD size () {
if (!sd_size && psd && type == local_alloced)
sd_size = LocalSize (psd);
return sd_size;
}
inline DWORD copy (void *buf, DWORD buf_size) {
if (buf_size < size ())
return sd_size;
memcpy (buf, psd, sd_size);
return 0;
}
inline operator const PSECURITY_DESCRIPTOR () { return psd; } inline operator const PSECURITY_DESCRIPTOR () { return psd; }
inline operator PSECURITY_DESCRIPTOR *() { return &psd; }
}; };
class user_groups { class user_groups {