* autoload.cc: Add load statemant for SetSecurityDescriptorControl.

* security.cc (alloc_sd): Always set SE_DACL_PROTECTED flag on
        Win2K and higher.

winsup/cygwin/ChangeLog

@@ -1,3 +1,9 @@
+Wed Dec 20 13:37:00 2000  Corinna Vinschen <corinna@vinschen.de>
+
+	* autoload.cc: Add load statemant for SetSecurityDescriptorControl.
+	* security.cc (alloc_sd): Always set SE_DACL_PROTECTED flag on
+	Win2K and higher.
+
 Wed Dec 20 01:02:13 2000  Christopher Faylor <cgf@cygnus.com>
 
 	* exceptions.cc (reset_signal_arrived): Make global to avoid inlining.

winsup/cygwin/autoload.cc

@@ -228,6 +228,7 @@ LoadDLLfunc (RegisterEventSourceA, 8, advapi32)
 LoadDLLfunc (ReportEventA, 36, advapi32)
 LoadDLLfunc (RevertToSelf, 0, advapi32)
 LoadDLLfunc (SetKernelObjectSecurity, 12, advapi32)
+LoadDLLfunc (SetSecurityDescriptorControl, 12, advapi32)
 LoadDLLfunc (SetSecurityDescriptorDacl, 16, advapi32)
 LoadDLLfunc (SetSecurityDescriptorGroup, 12, advapi32)
 LoadDLLfunc (SetSecurityDescriptorOwner, 12, advapi32)

winsup/cygwin/security.cc

@@ -915,6 +915,21 @@ alloc_sd (uid_t uid, gid_t gid, const char *logsrv, int attribute,
       return NULL;
     }
 
+  /*
+   * We set the SE_DACL_PROTECTED flag here to prevent the DACL from being modified
+   * by inheritable ACEs.
+   * This flag as well as the SetSecurityDescriptorControl call are available only
+   * since Win2K.
+   */
+  static int win2KorHigher = -1;
+  if (win2KorHigher == -1)
+    {
+      DWORD version = GetVersion ();
+      win2KorHigher = (version & 0x80000000) || (version & 0xff) < 5 ? 0 : 1;
+    }
+  if (win2KorHigher > 0)
+    SetSecurityDescriptorControl (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
+
   /* Create owner for local security descriptor. */
   if (! SetSecurityDescriptorOwner(&sd, owner_sid, FALSE))
     {