* advapi32.cc: Add comment.
(EqualSid): Remove. (CopySid): Remove. (AddAccessAllowedAce): Remove. (AddAccessDeniedAce): Remove. (MakeSelfRelativeSD): Remove. * flock.cc: Replace above functions throughout with their ntdll.dll equivalent. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto. * security.h: Ditto. (RtlEqualSid): Declare. Explain why. (RtlCopySid): Ditto.
This commit is contained in:
parent
3e8e0c33c0
commit
5735d5f6f4
@ -1,3 +1,21 @@
|
||||
2011-04-29 Corinna Vinschen <corinna@vinschen.de>
|
||||
|
||||
* advapi32.cc: Add comment.
|
||||
(EqualSid): Remove.
|
||||
(CopySid): Remove.
|
||||
(AddAccessAllowedAce): Remove.
|
||||
(AddAccessDeniedAce): Remove.
|
||||
(MakeSelfRelativeSD): Remove.
|
||||
* flock.cc: Replace above functions throughout with their ntdll.dll
|
||||
equivalent.
|
||||
* sec_acl.cc: Ditto.
|
||||
* sec_auth.cc: Ditto.
|
||||
* sec_helper.cc: Ditto.
|
||||
* security.cc: Ditto.
|
||||
* security.h: Ditto.
|
||||
(RtlEqualSid): Declare. Explain why.
|
||||
(RtlCopySid): Ditto.
|
||||
|
||||
2011-04-29 Corinna Vinschen <corinna@vinschen.de>
|
||||
|
||||
* advapi32.cc (AccessCheck): Remove.
|
||||
|
@ -19,40 +19,10 @@ details. */
|
||||
SetLastError (RtlNtStatusToDosError (status)); \
|
||||
return NT_SUCCESS (status);
|
||||
|
||||
BOOL WINAPI
|
||||
EqualSid (PSID sid1, PSID sid2)
|
||||
{
|
||||
return !!RtlEqualSid (sid1, sid2);
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
CopySid (DWORD len, PSID dest, PSID src)
|
||||
{
|
||||
NTSTATUS status = RtlCopySid (len, dest, src);
|
||||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
AddAccessAllowedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
|
||||
{
|
||||
NTSTATUS status = RtlAddAccessAllowedAce (acl, revision, mask, sid);
|
||||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
AddAccessDeniedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
|
||||
{
|
||||
NTSTATUS status = RtlAddAccessDeniedAce (acl, revision, mask, sid);
|
||||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
|
||||
BOOL WINAPI
|
||||
MakeSelfRelativeSD (PSECURITY_DESCRIPTOR abs_sd, PSECURITY_DESCRIPTOR rel_sd,
|
||||
LPDWORD len)
|
||||
{
|
||||
NTSTATUS status = RtlAbsoluteToSelfRelativeSD (abs_sd, rel_sd, len);
|
||||
DEFAULT_NTSTATUS_TO_BOOL_RETURN
|
||||
}
|
||||
/* This file should only contain non-trivial implementations of advapi32
|
||||
functions, or advapi32 functions for which the ntdll.dll equivalent
|
||||
is not easy to understand. In all other case, use the ntdll.dll
|
||||
equivalent. */
|
||||
|
||||
BOOL WINAPI
|
||||
RevertToSelf ()
|
||||
|
@ -171,10 +171,11 @@ allow_others_to_sync ()
|
||||
dacl = (PACL) ((char *) sd + (uintptr_t) sd->Dacl);
|
||||
dacl->AclSize = NT_MAX_PATH * sizeof (WCHAR) - ((char *) dacl - (char *) sd);
|
||||
/* Allow everyone to SYNCHRONIZE with this process. */
|
||||
if (!AddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE,
|
||||
well_known_world_sid))
|
||||
status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE,
|
||||
well_known_world_sid);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
debug_printf ("AddAccessAllowedAce: %lu", GetLastError ());
|
||||
debug_printf ("RtlAddAccessAllowedAce: %p", status);
|
||||
return;
|
||||
}
|
||||
/* Set the size of the DACL correctly. */
|
||||
|
@ -211,7 +211,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
|
||||
}
|
||||
/* Make self relative security descriptor in sd_ret. */
|
||||
DWORD sd_size = 0;
|
||||
MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
|
||||
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
|
||||
if (sd_size <= 0)
|
||||
{
|
||||
__seterrno ();
|
||||
@ -222,9 +222,10 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
|
||||
set_errno (ENOMEM);
|
||||
return -1;
|
||||
}
|
||||
if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
|
||||
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
__seterrno ();
|
||||
__seterrno_from_nt_status (status);
|
||||
return -1;
|
||||
}
|
||||
debug_printf ("Created SD-Size: %d", sd_ret.size ());
|
||||
|
@ -1047,13 +1047,14 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
||||
dacl = (PACL) alloca (dsize);
|
||||
if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION)))
|
||||
goto out;
|
||||
if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, usersid))
|
||||
if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
|
||||
usersid)))
|
||||
goto out;
|
||||
if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
|
||||
well_known_admins_sid))
|
||||
if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
|
||||
well_known_admins_sid)))
|
||||
goto out;
|
||||
if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
|
||||
well_known_system_sid))
|
||||
if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
|
||||
well_known_system_sid)))
|
||||
goto out;
|
||||
|
||||
/* Evaluate authinf size and allocate authinf. */
|
||||
@ -1096,8 +1097,8 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
||||
/* User SID */
|
||||
authinf->inf.User.User.Sid = offset;
|
||||
authinf->inf.User.User.Attributes = 0;
|
||||
CopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
|
||||
usersid);
|
||||
RtlCopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
|
||||
usersid);
|
||||
offset += RtlLengthSid (usersid);
|
||||
/* Groups */
|
||||
authinf->inf.Groups = offset;
|
||||
@ -1119,16 +1120,16 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
||||
if (wincap.needs_logon_sid_in_sid_list ()
|
||||
&& tmp_gsids.sids[tmpidx] == fake_logon_sid)
|
||||
gsids->Groups[i].Attributes += SE_GROUP_LOGON_ID;
|
||||
CopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
|
||||
(PSID) ((PBYTE) &authinf->inf + sids_offset),
|
||||
tmp_gsids.sids[tmpidx]);
|
||||
RtlCopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
|
||||
(PSID) ((PBYTE) &authinf->inf + sids_offset),
|
||||
tmp_gsids.sids[tmpidx]);
|
||||
sids_offset += RtlLengthSid (tmp_gsids.sids[tmpidx]);
|
||||
}
|
||||
offset += gsize;
|
||||
/* Primary Group SID */
|
||||
authinf->inf.PrimaryGroup.PrimaryGroup = offset;
|
||||
CopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
|
||||
pgrpsid);
|
||||
RtlCopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
|
||||
pgrpsid);
|
||||
offset += RtlLengthSid (pgrpsid);
|
||||
/* Privileges */
|
||||
authinf->inf.Privileges = offset;
|
||||
|
@ -504,25 +504,35 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
|
||||
return false;
|
||||
}
|
||||
if (sid1)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, sid1))
|
||||
debug_printf ("AddAccessAllowedAce(sid1) %E");
|
||||
{
|
||||
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, sid1);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("RtlAddAccessAllowedAce(sid1) %p", status);
|
||||
}
|
||||
if (original && (psid = cygheap->user.saved_sid ())
|
||||
&& psid != sid1 && psid != well_known_system_sid)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, psid))
|
||||
debug_printf ("AddAccessAllowedAce(original) %E");
|
||||
{
|
||||
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, psid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("RtlAddAccessAllowedAce(original) %p", status);
|
||||
}
|
||||
if (sid2)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
access2, sid2))
|
||||
debug_printf ("AddAccessAllowedAce(sid2) %E");
|
||||
{
|
||||
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, access2, sid2);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("RtlAddAccessAllowedAce(sid2) %p", status);
|
||||
}
|
||||
if (admins)
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, well_known_admins_sid))
|
||||
debug_printf ("AddAccessAllowedAce(admin) %E");
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION,
|
||||
GENERIC_ALL, well_known_system_sid))
|
||||
debug_printf ("AddAccessAllowedAce(system) %E");
|
||||
{
|
||||
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
|
||||
well_known_admins_sid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("RtlAddAccessAllowedAce(admin) %p", status);
|
||||
}
|
||||
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
|
||||
well_known_system_sid);
|
||||
if (!NT_SUCCESS (status))
|
||||
debug_printf ("RtlAddAccessAllowedAce(system) %p", status);
|
||||
status = RtlFirstFreeAce (acl, &pAce);
|
||||
if (NT_SUCCESS (status) && pAce)
|
||||
acl->AclSize = (char *) pAce - (char *) acl;
|
||||
@ -574,10 +584,11 @@ _everyone_sd (void *buf, ACCESS_MASK access)
|
||||
RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
|
||||
PACL dacl = (PACL) (psd + 1);
|
||||
RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
|
||||
if (!AddAccessAllowedAce (dacl, ACL_REVISION, access,
|
||||
well_known_world_sid))
|
||||
status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, access,
|
||||
well_known_world_sid);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
debug_printf ("AddAccessAllowedAce: %lu", GetLastError ());
|
||||
debug_printf ("RtlAddAccessAllowedAce: %p", status);
|
||||
return NULL;
|
||||
}
|
||||
LPVOID ace;
|
||||
|
@ -316,7 +316,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
|
||||
}
|
||||
}
|
||||
*attribute &= ~(S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX | S_ISGID | S_ISUID);
|
||||
if (owner_sid && group_sid && EqualSid (owner_sid, group_sid)
|
||||
if (owner_sid && group_sid && RtlEqualSid (owner_sid, group_sid)
|
||||
/* FIXME: temporary exception for /var/empty */
|
||||
&& well_known_system_sid != group_sid)
|
||||
{
|
||||
@ -469,9 +469,10 @@ bool
|
||||
add_access_allowed_ace (PACL acl, int offset, DWORD attributes,
|
||||
PSID sid, size_t &len_add, DWORD inherit)
|
||||
{
|
||||
if (!AddAccessAllowedAce (acl, ACL_REVISION, attributes, sid))
|
||||
NTSTATUS status = RtlAddAccessAllowedAce (acl, ACL_REVISION, attributes, sid);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
__seterrno ();
|
||||
__seterrno_from_nt_status (status);
|
||||
return false;
|
||||
}
|
||||
ACCESS_ALLOWED_ACE *ace;
|
||||
@ -485,9 +486,10 @@ bool
|
||||
add_access_denied_ace (PACL acl, int offset, DWORD attributes,
|
||||
PSID sid, size_t &len_add, DWORD inherit)
|
||||
{
|
||||
if (!AddAccessDeniedAce (acl, ACL_REVISION, attributes, sid))
|
||||
NTSTATUS status = RtlAddAccessDeniedAce (acl, ACL_REVISION, attributes, sid);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
__seterrno ();
|
||||
__seterrno_from_nt_status (status);
|
||||
return false;
|
||||
}
|
||||
ACCESS_DENIED_ACE *ace;
|
||||
@ -839,7 +841,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
|
||||
|
||||
/* Make self relative security descriptor. */
|
||||
DWORD sd_size = 0;
|
||||
MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
|
||||
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
|
||||
if (sd_size <= 0)
|
||||
{
|
||||
__seterrno ();
|
||||
@ -850,9 +852,10 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
|
||||
set_errno (ENOMEM);
|
||||
return NULL;
|
||||
}
|
||||
if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
|
||||
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
|
||||
if (!NT_SUCCESS (status))
|
||||
{
|
||||
__seterrno ();
|
||||
__seterrno_from_nt_status (status);
|
||||
return NULL;
|
||||
}
|
||||
debug_printf ("Created SD-Size: %u", sd_ret.size ());
|
||||
|
@ -95,6 +95,18 @@ cygpsid NO_COPY name = (PSID) &name##_struct;
|
||||
#define FILE_WRITE_BITS (FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL)
|
||||
#define FILE_EXEC_BITS (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
{
|
||||
#endif
|
||||
/* We need these declarations, otherwise g++ complains that the below
|
||||
inline methods use an undefined function, if ntdll.h isn't included. */
|
||||
BOOLEAN NTAPI RtlEqualSid (PSID, PSID);
|
||||
NTSTATUS NTAPI RtlCopySid (ULONG, PSID, PSID);
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
class cygpsid {
|
||||
protected:
|
||||
PSID psid;
|
||||
@ -114,7 +126,7 @@ public:
|
||||
{
|
||||
if (!psid || !nsid)
|
||||
return nsid == psid;
|
||||
return EqualSid (psid, nsid);
|
||||
return RtlEqualSid (psid, nsid);
|
||||
}
|
||||
bool operator!= (const PSID nsid) const
|
||||
{ return !(*this == nsid); }
|
||||
@ -143,7 +155,7 @@ class cygsid : public cygpsid {
|
||||
else
|
||||
{
|
||||
psid = (PSID) sbuf;
|
||||
CopySid (MAX_SID_LEN, psid, nsid);
|
||||
RtlCopySid (MAX_SID_LEN, psid, nsid);
|
||||
well_known_sid = well_known;
|
||||
}
|
||||
return psid;
|
||||
|
Loading…
x
Reference in New Issue
Block a user