* security.cc (get_attribute_from_acl): Don't spill Everyone permissions

into group permissions if owner SID == group SID.
	(alloc_sd): Add parentheses for clarity.
Corinna Vinschen 2015-03-02 10:52:07 +00:00
parent 583d56ee20
commit f9f1fbe47e
2 changed files with 12 additions and 5 deletions


@ -1,3 +1,9 @@
2015-03-02 Corinna Vinschen <corinna@vinschen.de>
* security.cc (get_attribute_from_acl): Don't spill Everyone permissions
into group permissions if owner SID == group SID.
(alloc_sd): Add parenthesis for clarity.
2015-02-28 Corinna Vinschen <corinna@vinschen.de> 2015-02-28 Corinna Vinschen <corinna@vinschen.de>
* uinfo.cc (pwdgrp::add_line): Return NULL if parsing a line failed. * uinfo.cc (pwdgrp::add_line): Return NULL if parsing a line failed.


@ -242,6 +242,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
mode_t allow = 0; mode_t allow = 0;
mode_t deny = 0; mode_t deny = 0;
mode_t *flags, *anti; mode_t *flags, *anti;
bool isownergroup = RtlEqualSid (owner_sid, group_sid);
for (DWORD i = 0; i < acl->AceCount; ++i) for (DWORD i = 0; i < acl->AceCount; ++i)
{ {
@ -268,15 +269,15 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
{ {
if (ace->Mask & FILE_READ_BITS) if (ace->Mask & FILE_READ_BITS)
*flags |= ((!(*anti & S_IROTH)) ? S_IROTH : 0) *flags |= ((!(*anti & S_IROTH)) ? S_IROTH : 0)
| ((!(*anti & S_IRGRP)) ? S_IRGRP : 0) | ((!isownergroup && !(*anti & S_IRGRP)) ? S_IRGRP : 0)
| ((!(*anti & S_IRUSR)) ? S_IRUSR : 0); | ((!(*anti & S_IRUSR)) ? S_IRUSR : 0);
if (ace->Mask & FILE_WRITE_BITS) if (ace->Mask & FILE_WRITE_BITS)
*flags |= ((!(*anti & S_IWOTH)) ? S_IWOTH : 0) *flags |= ((!(*anti & S_IWOTH)) ? S_IWOTH : 0)
| ((!(*anti & S_IWGRP)) ? S_IWGRP : 0) | ((!isownergroup && !(*anti & S_IWGRP)) ? S_IWGRP : 0)
| ((!(*anti & S_IWUSR)) ? S_IWUSR : 0); | ((!(*anti & S_IWUSR)) ? S_IWUSR : 0);
if (ace->Mask & FILE_EXEC_BITS) if (ace->Mask & FILE_EXEC_BITS)
*flags |= ((!(*anti & S_IXOTH)) ? S_IXOTH : 0) *flags |= ((!(*anti & S_IXOTH)) ? S_IXOTH : 0)
| ((!(*anti & S_IXGRP)) ? S_IXGRP : 0) | ((!isownergroup && !(*anti & S_IXGRP)) ? S_IXGRP : 0)
| ((!(*anti & S_IXUSR)) ? S_IXUSR : 0); | ((!(*anti & S_IXUSR)) ? S_IXUSR : 0);
if ((S_ISDIR (*attribute)) && if ((S_ISDIR (*attribute)) &&
(ace->Mask & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD)) (ace->Mask & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD))
@ -302,7 +303,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
if (ace->Mask & FILE_EXEC_BITS) if (ace->Mask & FILE_EXEC_BITS)
*flags |= ((!(*anti & S_IXUSR)) ? S_IXUSR : 0); *flags |= ((!(*anti & S_IXUSR)) ? S_IXUSR : 0);
/* Apply deny mask to group if group SID == owner SID. */ /* Apply deny mask to group if group SID == owner SID. */
if (group_sid && RtlEqualSid (owner_sid, group_sid) if (group_sid && isownergroup
&& ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) && ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)
{ {
if (ace->Mask & FILE_READ_BITS) if (ace->Mask & FILE_READ_BITS)
@ -708,7 +709,7 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
owner_sid, acl_len, NO_INHERITANCE)) owner_sid, acl_len, NO_INHERITANCE))
return NULL; return NULL;
/* Set deny ACE for group, if still needed. */ /* Set deny ACE for group, if still needed. */
if (group_deny & owner_allow && !isownergroup if ((group_deny & owner_allow) && !isownergroup
&& !add_access_denied_ace (acl, ace_off++, group_deny, && !add_access_denied_ace (acl, ace_off++, group_deny,
group_sid, acl_len, NO_INHERITANCE)) group_sid, acl_len, NO_INHERITANCE))
return NULL; return NULL;
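Review bot: In the first hunk of get_attribute_from_acl, the new `bool isownergroup = RtlEqualSid (owner_sid, group_sid);` runs before any check of group_sid, while the third hunk keeps the `group_sid && isownergroup` test that the old code used to guard the RtlEqualSid call itself. If group_sid can be NULL here, as that retained guard suggests, the comparison is now made on a NULL SID pointer before the guard is reached, in the routine that derives the POSIX mode bits from the ACL. Folding the check into the initializer, `bool isownergroup = group_sid && RtlEqualSid (owner_sid, group_sid);`, keeps the old ordering and lets the later test be just `isownergroup`. The function's body starts and ends outside the hunks, so whether callers ever pass a NULL group SID is not visible here.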