* sec_acl.cc (setacl): Move all permission settings to beginning of
loop. Set default rights to same values as in alloc_sd(). Set DELETE for owner and default owner only if S_IWOTH is given. * sec_acl.cc: Change all __aclent16_t to __aclent32_t except in wrapper function definitions. Replace call to the aclXYZ functions by calls aclXYZ32. (searchace): Change type of third argument to __uid32_t and use ILLEGAL_UID instead of -1; (setacl): Remove some initializations. Only give STANDARD_RIGHTS_WRITE for S_IWOTH. Replace -1 by ILLEGAL_UID. (getacl): Change type of owner_sid, group_sid and ace_sid to cygpsid. In last else clause, suppress second call to ace_sid.get_id and use TRUE in first call. Replace EqualSid by ==. (acl_access): Call internal_getgroups in USER and GROUP cases. (acecmp: Define static. (acl32): Create from 16 bit type. (facl32): Ditto. (lacl32): Ditto. (aclcheck32): Ditto. (aclsort32): Ditto. (acltomode32): Ditto. (aclfrommode32): Ditto. (acltopbits32): Ditto. (aclfrompbits32): Ditto. (acltotext32): Ditto. (aclfromtext32): Ditto, and use strechr. (acl16to32): Create. (acl): Make it a wrapper function. (facl): Ditto. (lacl): Ditto. (aclcheck): Ditto. (aclsort): Ditto. (acltomode): Ditto. (aclfrommode): Ditto. (acltopbits): Ditto. (aclfrompbits): Ditto. (acltotext): Ditto. (aclfromtext): Ditto. * security.cc (write_sd): Call set_process_privilege and check ownership. (alloc_sd): Remove call to set_process_privilege and the owner check.
This commit is contained in:
Corinna Vinschen
@ -1140,6 +1140,30 @@ write_sd (const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size)
|
||||
return -1;
|
||||
}
|
||||
|
||||
BOOL dummy;
|
||||
cygpsid owner;
|
||||
|
||||
if (!GetSecurityDescriptorOwner (sd_buf, (PSID *) &owner, &dummy))
|
||||
{
|
||||
__seterrno ();
|
||||
return -1;
|
||||
}
|
||||
/* Try turning privilege on, may not have WRITE_OWNER or WRITE_DAC access.
|
||||
Must have privilege to set different owner, else BackupWrite misbehaves */
|
||||
static int NO_COPY saved_res; /* 0: never, 1: failed, 2 & 3: OK */
|
||||
int res;
|
||||
if (!saved_res || cygheap->user.issetuid ())
|
||||
{
|
||||
res = 2 + set_process_privilege (SE_RESTORE_NAME, true,
|
||||
cygheap->user.issetuid ());
|
||||
if (!cygheap->user.issetuid ())
|
||||
saved_res = res;
|
||||
}
|
||||
else
|
||||
res = saved_res;
|
||||
if (res == 1 && owner != cygheap->user.sid ())
|
||||
return -1;
|
||||
|
||||
HANDLE fh;
|
||||
fh = CreateFile (file,
|
||||
WRITE_OWNER | WRITE_DAC,
|
||||
@ -1561,22 +1585,6 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
|
||||
}
|
||||
owner_sid.debug_print ("alloc_sd: owner SID =");
|
||||
|
||||
/* Try turning privilege on, may not have WRITE_OWNER or WRITE_DAC access.
|
||||
Must have privilege to set different owner, else BackupWrite misbehaves */
|
||||
static int NO_COPY saved_res; /* 0: never, 1: failed, 2 & 3: OK */
|
||||
int res;
|
||||
if (!saved_res || cygheap->user.issetuid ())
|
||||
{
|
||||
res = 2 + set_process_privilege (SE_RESTORE_NAME, true,
|
||||
cygheap->user.issetuid ());
|
||||
if (!cygheap->user.issetuid ())
|
||||
saved_res = res;
|
||||
}
|
||||
else
|
||||
res = saved_res;
|
||||
if (res == 1 && owner_sid != cygheap->user.sid ())
|
||||
return NULL;
|
||||
|
||||
/* Get SID of new group. */
|
||||
cygsid group_sid;
|
||||
/* Check for current user first */
|
||||
|
||||
Reference in New Issue
Block a user