* flock.cc (allow_others_to_sync): Define MAX_PROCESS_SD_SIZE. Use
instead of ACL_DEFAULT_SIZE. * sec_acl.cc (setacl): Use TLS buffer to allow maximum ACL size. * security.h (ACL_DEFAULT_SIZE): Drop definition. (ACL_MAXIMUM_SIZE): Define. (SD_MAXIMUM_SIZE): Define. * security.cc (get_file_sd): Allocate security_decscriptor with size SD_MAXIMUM_SIZE. (alloc_sd): Use TLS buffer to allow maximum ACL size.
This commit is contained in:
Corinna Vinschen
@@ -1,3 +1,15 @@
|
|||||||
|
2010-09-10 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
|
* flock.cc (allow_others_to_sync): Define MAX_PROCESS_SD_SIZE. Use
|
||||||
|
instead of ACL_DEFAULT_SIZE.
|
||||||
|
* sec_acl.cc (setacl): Use TLS buffer to allow maximum ACL size.
|
||||||
|
* security.h (ACL_DEFAULT_SIZE): Drop definition.
|
||||||
|
(ACL_MAXIMUM_SIZE): Define.
|
||||||
|
(SD_MAXIMUM_SIZE): Define.
|
||||||
|
* security.cc (get_file_sd): Allocate security_decscriptor with size
|
||||||
|
SD_MAXIMUM_SIZE.
|
||||||
|
(alloc_sd): Use TLS buffer to allow maximum ACL size.
|
||||||
|
|
||||||
2010-09-10 Corinna Vinschen <corinna@vinschen.de>
|
2010-09-10 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
* mount.cc (class fs_info_cache): New class to cache filesystem
|
* mount.cc (class fs_info_cache): New class to cache filesystem
|
||||||
|
|||||||
@@ -155,10 +155,11 @@ allow_others_to_sync ()
|
|||||||
should be more than sufficient for process ACLs. Can't use tls functions
|
should be more than sufficient for process ACLs. Can't use tls functions
|
||||||
at this point because this gets called during initialization when the tls
|
at this point because this gets called during initialization when the tls
|
||||||
is not really available. */
|
is not really available. */
|
||||||
PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR) alloca (ACL_DEFAULT_SIZE);
|
#define MAX_PROCESS_SD_SIZE 3072
|
||||||
|
PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR) alloca (MAX_PROCESS_SD_SIZE);
|
||||||
status = NtQuerySecurityObject (NtCurrentProcess (),
|
status = NtQuerySecurityObject (NtCurrentProcess (),
|
||||||
DACL_SECURITY_INFORMATION, sd,
|
DACL_SECURITY_INFORMATION, sd,
|
||||||
ACL_DEFAULT_SIZE, &len);
|
MAX_PROCESS_SD_SIZE, &len);
|
||||||
if (!NT_SUCCESS (status))
|
if (!NT_SUCCESS (status))
|
||||||
{
|
{
|
||||||
debug_printf ("NtQuerySecurityObject: %p", status);
|
debug_printf ("NtQuerySecurityObject: %p", status);
|
||||||
|
|||||||
@@ -22,6 +22,7 @@ details. */
|
|||||||
#include "dtable.h"
|
#include "dtable.h"
|
||||||
#include "cygheap.h"
|
#include "cygheap.h"
|
||||||
#include "pwdgrp.h"
|
#include "pwdgrp.h"
|
||||||
|
#include "tls_pbuf.h"
|
||||||
|
|
||||||
static int
|
static int
|
||||||
searchace (__aclent32_t *aclp, int nentries, int type, __uid32_t id = ILLEGAL_UID)
|
searchace (__aclent32_t *aclp, int nentries, int type, __uid32_t id = ILLEGAL_UID)
|
||||||
@@ -40,6 +41,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
|
|||||||
bool &writable)
|
bool &writable)
|
||||||
{
|
{
|
||||||
security_descriptor sd_ret;
|
security_descriptor sd_ret;
|
||||||
|
tmp_pathbuf tp;
|
||||||
|
|
||||||
if (get_file_sd (handle, pc, sd_ret, false))
|
if (get_file_sd (handle, pc, sd_ret, false))
|
||||||
return -1;
|
return -1;
|
||||||
@@ -83,7 +85,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Fill access control list. */
|
/* Fill access control list. */
|
||||||
PACL acl = (PACL) alloca (ACL_DEFAULT_SIZE);
|
PACL acl = (PACL) tp.w_get ();
|
||||||
size_t acl_len = sizeof (ACL);
|
size_t acl_len = sizeof (ACL);
|
||||||
int ace_off = 0;
|
int ace_off = 0;
|
||||||
|
|
||||||
@@ -92,7 +94,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
|
|||||||
struct __group32 *gr;
|
struct __group32 *gr;
|
||||||
int pos;
|
int pos;
|
||||||
|
|
||||||
if (!InitializeAcl (acl, ACL_DEFAULT_SIZE, ACL_REVISION))
|
if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
|
||||||
{
|
{
|
||||||
__seterrno ();
|
__seterrno ();
|
||||||
return -1;
|
return -1;
|
||||||
|
|||||||
@@ -24,6 +24,7 @@ details. */
|
|||||||
#include "cygheap.h"
|
#include "cygheap.h"
|
||||||
#include "ntdll.h"
|
#include "ntdll.h"
|
||||||
#include "pwdgrp.h"
|
#include "pwdgrp.h"
|
||||||
|
#include "tls_pbuf.h"
|
||||||
#include <aclapi.h>
|
#include <aclapi.h>
|
||||||
|
|
||||||
#define ALL_SECURITY_INFORMATION (DACL_SECURITY_INFORMATION \
|
#define ALL_SECURITY_INFORMATION (DACL_SECURITY_INFORMATION \
|
||||||
@@ -68,7 +69,7 @@ get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
ULONG len = 32768;
|
ULONG len = SD_MAXIMUM_SIZE;
|
||||||
|
|
||||||
if (!sd.malloc (len))
|
if (!sd.malloc (len))
|
||||||
{
|
{
|
||||||
@@ -413,6 +414,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
|
|||||||
security_descriptor &sd_ret)
|
security_descriptor &sd_ret)
|
||||||
{
|
{
|
||||||
BOOL dummy;
|
BOOL dummy;
|
||||||
|
tmp_pathbuf tp;
|
||||||
|
|
||||||
/* NOTE: If the high bit of attribute is set, we have just created
|
/* NOTE: If the high bit of attribute is set, we have just created
|
||||||
a file or directory. See below for an explanation. */
|
a file or directory. See below for an explanation. */
|
||||||
@@ -483,8 +485,8 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Initialize local access control list. */
|
/* Initialize local access control list. */
|
||||||
PACL acl = (PACL) alloca (ACL_DEFAULT_SIZE);
|
PACL acl = (PACL) tp.w_get ();
|
||||||
if (!InitializeAcl (acl, ACL_DEFAULT_SIZE, ACL_REVISION))
|
if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
|
||||||
{
|
{
|
||||||
__seterrno ();
|
__seterrno ();
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|||||||
@@ -26,7 +26,8 @@ details. */
|
|||||||
#define MAX_DACL_LEN(n) (sizeof (ACL) \
|
#define MAX_DACL_LEN(n) (sizeof (ACL) \
|
||||||
+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
|
+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
|
||||||
#define SD_MIN_SIZE (sizeof (SECURITY_DESCRIPTOR) + MAX_DACL_LEN (1))
|
#define SD_MIN_SIZE (sizeof (SECURITY_DESCRIPTOR) + MAX_DACL_LEN (1))
|
||||||
#define ACL_DEFAULT_SIZE 3072
|
#define ACL_MAXIMUM_SIZE 65532 /* Yeah, right. 64K - sizeof (DWORD). */
|
||||||
|
#define SD_MAXIMUM_SIZE 65536
|
||||||
#define NO_SID ((PSID)NULL)
|
#define NO_SID ((PSID)NULL)
|
||||||
|
|
||||||
#ifndef SE_CREATE_TOKEN_PRIVILEGE
|
#ifndef SE_CREATE_TOKEN_PRIVILEGE
|
||||||
|
|||||||
Reference in New Issue
Block a user