Fix permission evaluation for !new_style ACLs

* security.h (authz_get_user_attribute): Declare bool.
	* sec_helper.cc (authz_ctx::get_user_attribute): Make bool method.
	Set S_IxOTH bits in returned attributes rather than S_IxUSR bits.
	(authz_get_user_attribute): Make bool function.
	* sec_acl.cc (get_posix_access): Introduce cygsid array to keep
	track of all SIDs in the ACL.  Move AuthZ calls into !new_style
	permission post processing.  When not using AuthZ, use
	CheckTokenMembership to collect group permissions.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen
2015-09-02 00:05:46 +02:00
parent 7edb6b8d3e
commit 911808dd5e
4 changed files with 71 additions and 53 deletions

View File

@@ -717,7 +717,7 @@ class authz_ctx
friend class authz_ctx_cache;
public:
void get_user_attribute (mode_t *, PSECURITY_DESCRIPTOR, PSID);
bool get_user_attribute (mode_t *, PSECURITY_DESCRIPTOR, PSID);
};
/* Authz handles are not inheritable. */
@@ -779,7 +779,7 @@ authz_ctx_cache::context (PSID user_sid)
/* Ask Authz for the effective user permissions of the user with SID user_sid
on the object with security descriptor psd. We're caching the handles for
the Authz resource manager and the user contexts. */
void
bool
authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
PSID user_sid)
{
@@ -802,7 +802,7 @@ authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
ctx_hdl = user_ctx_hdl;
}
if (!ctx_hdl && !(ctx_hdl = ctx_cache.context (user_sid)))
return;
return false;
/* All set, check access. */
ACCESS_MASK access = 0;
DWORD error = 0;
@@ -822,16 +822,20 @@ authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
if (AuthzAccessCheck (0, ctx_hdl, &req, NULL, psd, NULL, 0, &repl, NULL))
{
if (access & FILE_READ_BITS)
*attribute |= S_IRUSR;
*attribute |= S_IROTH;
if (access & FILE_WRITE_BITS)
*attribute |= S_IWUSR;
*attribute |= S_IWOTH;
if (access & FILE_EXEC_BITS)
*attribute |= S_IXUSR;
*attribute |= S_IXOTH;
return true;
}
return false;
}
void authz_get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
PSID user_sid)
bool
authz_get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
PSID user_sid)
{
authz.get_user_attribute (attribute, psd, user_sid);
*attribute = 0;
return authz.get_user_attribute (attribute, psd, user_sid);
}