Handle permissions a bit closer to POSIX 1003.1e
So far we tweaked ACL_GROUP_OBJ and ACL_MASK values the same way when creating a file. We now do what POSIX requires, namely just change ACL_MASK if it's present, otherwise ACL_GROUP_OBJ. Note that we only do this at creation time. Chmod still tweaks both to create less surprising results for the unsuspecting user. Additionally make sure to take umask only into account if no ACL_MASK value is present. That has been missed so far. * sec_acl.cc (set_posix_access): Perform check for non-existant default ACEs earlier. Ignore umask also if ACL_MASK is present. Only set owner_eq_group if we're actually handling a user entry. Mention chmod in a comment. * security.cc (set_created_file_access): Perform group/mask permission setting as required by POSIX 1003.1e. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
@@ -480,14 +480,11 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
|
||||
/* Overwrite ACL permissions as required by POSIX 1003.1e
|
||||
draft 17. */
|
||||
aclp[0].a_perm &= (attr >> 6) & S_IRWXO;
|
||||
/* Deliberate deviation from POSIX 1003.1e here. We're not
|
||||
writing CLASS_OBJ *or* GROUP_OBJ, but both. Otherwise we're
|
||||
going to be in constant trouble with user expectations. */
|
||||
if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
|
||||
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
|
||||
if (nentries > MIN_ACL_ENTRIES
|
||||
&& (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
|
||||
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
|
||||
else if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
|
||||
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
|
||||
if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
|
||||
aclp[idx].a_perm &= attr & S_IRWXO;
|
||||
}
|
||||
|
Reference in New Issue
Block a user