* autoload.cc: Add load statemant for SetSecurityDescriptorControl.

* security.cc (alloc_sd): Always set SE_DACL_PROTECTED flag on Win2K and higher.
2000-12-20 12:42:43 +00:00
parent e625e1b99e
commit aa2b85cc90
3 changed files with 22 additions and 0 deletions
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -915,6 +915,21 @@ alloc_sd (uid_t uid, gid_t gid, const char *logsrv, int attribute,
      return NULL;
    }

+  /*
+   * We set the SE_DACL_PROTECTED flag here to prevent the DACL from being modified
+   * by inheritable ACEs.
+   * This flag as well as the SetSecurityDescriptorControl call are available only
+   * since Win2K.
+   */
+  static int win2KorHigher = -1;
+  if (win2KorHigher == -1)
+    {
+      DWORD version = GetVersion ();
+      win2KorHigher = (version & 0x80000000) || (version & 0xff) < 5 ? 0 : 1;
+    }
+  if (win2KorHigher > 0)
+    SetSecurityDescriptorControl (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
+
  /* Create owner for local security descriptor. */
  if (! SetSecurityDescriptorOwner(&sd, owner_sid, FALSE))
    {