JehanneOS/newlib
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
newlib/winsup/cygwin/security.cc
Corinna Vinschen bc444e5aa4 Reapply POSIX ACL changes. 
- New, unified implementation of POSIX permission and ACL handling.  The
    new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
    they allow to inherit the S_ISGID bit.  ACL inheritance now really
    works as desired, in a limited, but theoretically equivalent fashion
    even for non-Cygwin processes.

    To accommodate Windows default ACLs, the new code ignores SYSTEM and
    Administrators group permissions when computing the MASK/CLASS_OBJ
    permission mask on old ACLs, and it doesn't deny access to SYSTEM and
    Administrators group based on the value of MASK/CLASS_OBJ when
    creating the new ACLs.

    The new code now handles the S_ISGID bit on directories as on Linux:
    Setting S_ISGID on a directory causes new files and subdirs created
    within to inherit its group, rather than the primary group of the user
    who created the file.  This only works for files and directories
    created by Cygwin processes.

2015-05-29  Corinna Vinschen  <corinna@vinschen.de>

	Reapply POSIX ACL changes.

	* utils.xml (setfacl): Show new option output.
	(getfacl): Show new option output.

	* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
	Apply umask, if so.  Align comments.
	* security.cc (set_created_file_access): Fix permission masking by
	incoming requested file mode.

	* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
	for SYSTEM and Admins group.

	* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
	GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.

	* fhandler.h (fhandler_pty_slave::facl): Add prototype.
	* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
	(fhandler_pty_slave::fchown): Fix uid/gid handling.
	* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
	Simplify and move around code in a few places.  To improve ACL
	readability, add r/w permissions to Admins ACE appended to pty ACL.
	Add comment to explain Windows ACE Mask filtering being in the way of
	creating a real CLASS_OBJ.
	(get_posix_access): Fake CLASS_OBJ for ptys.  Explain why.
	* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
	when calling get_posix_access.

	* sec_acl.cc (set_posix_access): Move merging group perms into owner
	perms in case of owner == group after mask has been computed.  Take
	mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.

	* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
	the ACCESS_ALLOWED_ACE.

	* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
	set GROUP_OBJ and CLASS_OBJ perms to new group perms.  Add comment
	to explain why.
	* security.cc (set_created_file_access): Ditto.

	* sec_acl.cc (set_posix_access): Replace previous patch.  Return
	EINVAL if uid and/or guid is invalid and not backed by an actual
	Windows account.

	* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.

	* sec_acl.cc (set_posix_access): Handle files with owner == group.
	Rephrase switch statement checking against unfiltered a_type value.
	(get_posix_access): Handle files with owner == group.

	* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
	CLASS_OBJ mask on old-style ACLs.  Fix a comment.

	* sec_acl.cc (set_posix_access): Always make sure Admins have
	WRITE_DAC and WRITE_OWNER permissions.
	* security.h (create_object_sd_from_attribute): Drop handle parameter
	from prototype.
	* security.cc (create_object_sd_from_attribute): Drop handle parameter.
	Just create the standard POSIXy security descriptor.
	(set_object_attribute): Accommodate dropped paramter in call to
	create_object_sd_from_attribute.
	* fhandler_tty.cc: Ditto, throughout.

	* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
	mask computation.

	* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
	not umasked.
	(fhandler_base::open): Explicitely umask mode on NFS here.  Call new
	set_created_file_access rather than set_file_attribute.
	* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
	setting permissions on filesystems supporting ACLs using the new
	set_posix_access call.
	(fhandler_disk_file::fchown): Ditto.
	(fhandler_disk_file::mkdir): Call new set_created_file_access rather
	than set_file_attribute.
	* fhandler_socket.cc (fhandler_socket::bind): Don't umask here.  Add
	WRITE_OWNER access to allow writing group in case of SGID bit set.
	Call new set_created_file_access rather than set_file_attribute.
	* path.cc (symlink_worker): Call new set_created_file_access rather
	than set_file_attribute.
	* sec_acl.cc (searchace): Un-staticize.
	(set_posix_access): New, complementary functionality to
	get_posix_access.
	(setacl): Implement in terms of get_posix_access/set_posix_access.
	(get_posix_access): Add handling for just created files requiring
	their first Cygwin ACL.  Fix new_style recognition.  Handle SGID
	bit.  For old-style ACLs, ignore SYSTEM and Administrators when
	computing the {DEF_}CLASS_OBJ perms.
	* security.cc (get_file_sd): Revamp comment.  Change and (hopefully)
	speed up inheritance processing for just created files.
	(alloc_sd): Remove.
	(set_security_attribute): Call set_posix_access instead of alloc_sd.
	(get_object_attribute): Fix return value.
	(create_object_sd_from_attribute): Call set_posix_access instead of
	alloc_sd.
	(set_file_attribute): Remove.
	(set_created_file_access): New function implemented in terms of
	get_posix_access/set_posix_access.
	* security.h (set_file_attribute): Remove prototype.
	(set_created_file_access): Add prototype.
	(searchace): Ditto.
	(set_posix_access): Ditto.
	* syscalls.cc (open): Call open_with_arch with mode not umasked.

	* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
	Describe how to generate deny ACEs in more detail.  Accommodate the
	fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
	a special Cygwin ACE.  Improve further comments.
	(CYG_ACE_NEW_STYLE): Define.
	(get_posix_access): Change from Cygwin ACE to NULL deny ACE.  Fix
	CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
	NULL deny ACE if the inheritance flags say so.
	* sec_helper.cc (well_known_cygwin_sid): Remove.
	* security.h (well_known_cygwin_sid): Drop declaration.

	* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
	(get_posix_access): Rename index variable from i to idx.  Define only
	once at top level.

	* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
	Accommodate throughout.
	(add_access_denied_ace): Ditto.
	* sec_acl.cc: Accommodate above change throughout.
	* security.h (add_access_allowed_ace): Adjust prototype to above change.
	(add_access_denied_ace): Ditto.

	* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
	owner and primary group of the file.  Handle the default primary
	group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
	set.  Add comments.  Minor code rearrangements.

	Preliminary read side implementation of new permission handling.
	* acl.h (MAX_ACL_ENTRIES): Raise to 2730.  Add comment to explain.
	* sec_acl.cc:  Add leading comment to explain new ACL style.
	Add definitions and macros to use for bits in new Cygwin ACL.
	(DENY_RWX): New mask value for all temporary deny bits.
	(getace): Add bool parameter to decide when leaving all bits intact,
	rather than filtering them per the already set bits.
	(get_posix_access): New function, taking over functionality to read
	POSIX ACL from SECURITY_DESCRIPTOR.
	(getacl): Just call get_posix_access.
	* sec_helper.cc (well_known_cygwin_sid): Define.
	* security.cc (get_attribute_from_acl): Remove.
	(get_info_from_sd): Remove.
	(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
	(get_file_attribute): Ditto.
	(get_object_attribute): Ditto.
	* security.h (well_known_cygwin_sid): Declare.
	(get_posix_access): Add prototype.

	* Throughout, use simpler ACE macros from Windows' accctrl.h.

	* getfacl.c (main): Special-case SYSTEM and Admins group.  Add comments.

	* setfacl.c: Align more to Linux tool.
	(delacl): New function to delete acl entries only.
	(modacl): Drop delete functionality.  Add handling of recomputing the
	mask and default mask values.
	(delallacl): Rename from delacl.
	(setfacl): Call delacl in Delete case.  Call delallacl in DeleteAll
	and DeleteDef case.
	(usage): Accommodate new options.  Rearrange and rephrase slightly.
	(longopts): Emit 'x' in --delete case.  Add --no-mask and --mask
	options.
	(opts): Add -x and -n options.
	(main): Handle -d and -x the same.  Handle -n and --mask options.
	Drop handling for -r option.

	* getfacl.c (usage): Align more closely to Linux version.  Add new
	options -c, -e, -E.  Change formatting to accommodate longer options.
	(longopts): Rename --noname to --numeric.  Keep --noname for backward
	compatibility.  Add --omit-header, --all-effective and --no-effective
	options.
	(opts): Add -c, -e and -E option.
	(main): Handle new -c, -e, and -E options.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-11-18 22:27:54 +01:00

756 lines
22 KiB
C++
Raw Blame History

/* security.cc: NT file access control functions
Copyright 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Red Hat, Inc.
Originaly written by Gunther Ebert, gunther.ebert@ixos-leipzig.de
Completely rewritten by Corinna Vinschen <corinna@vinschen.de>
This file is part of Cygwin.
This software is a copyrighted work licensed under the terms of the
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
details. */
#include "winsup.h"
#include <unistd.h>
#include <stdlib.h>
#include <sys/acl.h>
#include "cygerrno.h"
#include "security.h"
#include "path.h"
#include "fhandler.h"
#include "dtable.h"
#include "pinfo.h"
#include "cygheap.h"
#include "ntdll.h"
#include "tls_pbuf.h"
#include <aclapi.h>
#define ALL_SECURITY_INFORMATION (DACL_SECURITY_INFORMATION \
| GROUP_SECURITY_INFORMATION \
| OWNER_SECURITY_INFORMATION)
static GENERIC_MAPPING NO_COPY_RO file_mapping = { FILE_GENERIC_READ,
FILE_GENERIC_WRITE,
FILE_GENERIC_EXECUTE,
FILE_ALL_ACCESS };
LONG
get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
bool justcreated)
{
NTSTATUS status = STATUS_SUCCESS;
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK io;
ULONG len = SD_MAXIMUM_SIZE, rlen;
/* Allocate space for the security descriptor. */
if (!sd.malloc (len))
{
set_errno (ENOMEM);
return -1;
}
/* Try to fetch the security descriptor if the handle is valid. */
if (fh)
{
status = NtQuerySecurityObject (fh, ALL_SECURITY_INFORMATION,
sd, len, &rlen);
if (!NT_SUCCESS (status))
debug_printf ("NtQuerySecurityObject (%S), status %y",
pc.get_nt_native_path (), status);
}
/* If the handle was NULL, or fetching with the original handle didn't work,
try to reopen the file with READ_CONTROL and fetch the security descriptor
using that handle. */
if (!fh || !NT_SUCCESS (status))
{
status = NtOpenFile (&fh, READ_CONTROL,
fh ? pc.init_reopen_attr (attr, fh)
: pc.get_object_attr (attr, sec_none_nih),
&io, FILE_SHARE_VALID_FLAGS,
FILE_OPEN_FOR_BACKUP_INTENT);
if (!NT_SUCCESS (status))
{
sd.free ();
__seterrno_from_nt_status (status);
return -1;
}
status = NtQuerySecurityObject (fh, ALL_SECURITY_INFORMATION,
sd, len, &rlen);
NtClose (fh);
if (!NT_SUCCESS (status))
{
sd.free ();
__seterrno_from_nt_status (status);
return -1;
}
}
/* We have a security descriptor now. Unfortunately, if you want to know
if an ACE is inherited from the parent object, this isn't sufficient.
In the simple case, the SDs control word contains one of the
SE_DACL_AUTO_INHERITED or SE_DACL_PROTECTED flags, or at least one of
the ACEs has the INHERITED_ACE flag set. In all of these cases we
know the DACL has been inherited.
If none of these flags is set in the SD, the information whether
or not an ACE has been inherited is not available in the DACL of the
object. In this case GetSecurityInfo fetches the SD from the parent
directory and tests if the object's SD contains inherited ACEs from the
parent.
Note that we're not testing the SE_DACL_AUTO_INHERITED and
SE_DACL_PROTECTED flags here because we know the state the file's SD
is in. Since we're creating all files with a NULL descriptor, the DACL
is either inherited from the parent, or it's the default DACL. In
neither case, one of these flags is set.
For speed, we're not calling RtlConvertToAutoInheritSecurityObject
anymore (but keep the code here for reference). Rather we just test
if one of the parent's ACEs is inheritable. If so, we know we inherited
it and set the SE_DACL_AUTO_INHERITED flag. If not, we may assume our
object's DACL is the default DACL.
This functionality is slow and the extra information is only required
when the file has been created and the permissions are about to be set
to POSIX permissions. Therefore we only use it in case the file just
got created. */
if (justcreated)
{
PACL dacl;
BOOLEAN exists, def;
ACCESS_ALLOWED_ACE *ace;
UNICODE_STRING dirname;
PSECURITY_DESCRIPTOR psd;
tmp_pathbuf tp;
/* Open the parent directory with READ_CONTROL... */
RtlSplitUnicodePath (pc.get_nt_native_path (), &dirname, NULL);
InitializeObjectAttributes (&attr, &dirname, pc.objcaseinsensitive (),
NULL, NULL);
status = NtOpenFile (&fh, READ_CONTROL, &attr, &io,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN_FOR_BACKUP_INTENT
| FILE_OPEN_REPARSE_POINT);
if (!NT_SUCCESS (status))
{
debug_printf ("NtOpenFile (%S), status %y", &dirname, status);
return 0;
}
/* ... fetch the parent's security descriptor ... */
psd = (PSECURITY_DESCRIPTOR) tp.w_get ();
status = NtQuerySecurityObject (fh, ALL_SECURITY_INFORMATION,
psd, len, &rlen);
NtClose (fh);
if (!NT_SUCCESS (status))
{
debug_printf ("NtQuerySecurityObject (%S), status %y",
&dirname, status);
return 0;
}
#if 0
/* ... and create a new security descriptor in which all inherited ACEs
are marked with the INHERITED_ACE flag. For a description of the
undocumented RtlConvertToAutoInheritSecurityObject function from
ntdll.dll see the MSDN man page for the advapi32 function
ConvertToAutoInheritPrivateObjectSecurity. Fortunately the latter
is just a shim. */
PSECURITY_DESCRIPTOR nsd;
status = RtlConvertToAutoInheritSecurityObject (psd, sd, &nsd, NULL,
pc.isdir (),
&file_mapping);
if (!NT_SUCCESS (status))
{
debug_printf ("RtlConvertToAutoInheritSecurityObject (%S), status %y",
&dirname, status);
return 0;
}
/* Eventually copy the new security descriptor into sd and delete the
original one created by RtlConvertToAutoInheritSecurityObject from
the heap. */
len = RtlLengthSecurityDescriptor (nsd);
memcpy ((PSECURITY_DESCRIPTOR) sd, nsd, len);
RtlDeleteSecurityObject (&nsd);
#else
/* ... and check the parent descriptor for inheritable ACEs matching
our current object type (file/dir). The simple truth in our case
is, either the parent dir had inheritable ACEs and all our ACEs are
inherited, or the parent dir didn't have inheritable ACEs and all
our ACEs are taken from the default DACL. */
bool inherited = false;
BYTE search_flags = pc.isdir () ? SUB_CONTAINERS_AND_OBJECTS_INHERIT
: SUB_OBJECTS_ONLY_INHERIT;
if (NT_SUCCESS (RtlGetDaclSecurityDescriptor (psd, &exists, &dacl, &def))
&& exists && dacl)
for (ULONG idx = 0; idx < dacl->AceCount; ++idx)
if (NT_SUCCESS (RtlGetAce (dacl, idx, (PVOID *) &ace))
&& (ace->Header.AceFlags & search_flags))
{
inherited = true;
break;
}
/* Then, if the parent descriptor contained inheritable ACEs, we mark
the SD as SE_DACL_AUTO_INHERITED. Note that this requires the
matching check in get_posix_access. If we ever revert to
RtlConvertToAutoInheritSecurityObject, the check in get_posix_access
has to test every single ACE for the INHERITED_ACE flag again. */
if (inherited
&& NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd, &exists, &dacl,
&def))
&& exists && dacl)
RtlSetControlSecurityDescriptor (sd, SE_DACL_AUTO_INHERITED,
SE_DACL_AUTO_INHERITED);
#endif
}
return 0;
}
LONG
set_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd, bool is_chown)
{
NTSTATUS status = STATUS_SUCCESS;
int retry = 0;
int res = -1;
for (; retry < 2; ++retry)
{
if (fh)
{
status = NtSetSecurityObject (fh,
is_chown ? ALL_SECURITY_INFORMATION
: DACL_SECURITY_INFORMATION,
sd);
if (NT_SUCCESS (status))
{
res = 0;
break;
}
}
if (!retry)
{
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK io;
status = NtOpenFile (&fh, (is_chown ? WRITE_OWNER : 0) | WRITE_DAC,
fh ? pc.init_reopen_attr (attr, fh)
: pc.get_object_attr (attr, sec_none_nih),
&io,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN_FOR_BACKUP_INTENT);
if (!NT_SUCCESS (status))
{
fh = NULL;
break;
}
}
}
if (retry && fh)
NtClose (fh);
if (!NT_SUCCESS (status))
__seterrno_from_nt_status (status);
return res;
}
static int
get_reg_sd (HANDLE handle, security_descriptor &sd_ret)
{
LONG ret;
DWORD len = 0;
ret = RegGetKeySecurity ((HKEY) handle, ALL_SECURITY_INFORMATION,
sd_ret, &len);
if (ret == ERROR_INSUFFICIENT_BUFFER)
{
if (!sd_ret.malloc (len))
set_errno (ENOMEM);
else
ret = RegGetKeySecurity ((HKEY) handle, ALL_SECURITY_INFORMATION,
sd_ret, &len);
}
if (ret != ERROR_SUCCESS)
{
__seterrno ();
return -1;
}
return 0;
}
int
get_reg_attribute (HKEY hkey, mode_t *attribute, uid_t *uidret,
gid_t *gidret)
{
security_descriptor sd;
if (!get_reg_sd (hkey, sd))
{
get_posix_access (sd, attribute, uidret, gidret, NULL, 0);
return 0;
}
/* The entries are already set to default values */
return -1;
}
int
get_file_attribute (HANDLE handle, path_conv &pc,
mode_t *attribute, uid_t *uidret, gid_t *gidret)
{
if (pc.has_acls ())
{
security_descriptor sd;
if (!get_file_sd (handle, pc, sd, false))
{
get_posix_access (sd, attribute, uidret, gidret, NULL, 0);
return 0;
}
/* ENOSYS is returned by get_file_sd if fetching the DACL from a remote
share returns STATUS_INVALID_NETWORK_RESPONSE, which in turn is
converted to ERROR_BAD_NET_RESP. This potentially occurs when trying
to fetch DACLs from a NT4 machine which is not part of the domain of
the requesting machine. */
else if (get_errno () != ENOSYS)
{
if (uidret)
*uidret = ILLEGAL_UID;
if (gidret)
*gidret = ILLEGAL_GID;
return -1;
}
}
if (uidret)
*uidret = myself->uid;
if (gidret)
*gidret = myself->gid;
return -1;
}
bool
add_access_allowed_ace (PACL acl, DWORD attributes, PSID sid, size_t &len_add,
DWORD inherit)
{
NTSTATUS status = RtlAddAccessAllowedAceEx (acl, ACL_REVISION, inherit,
attributes, sid);
if (!NT_SUCCESS (status))
{
__seterrno_from_nt_status (status);
return false;
}
len_add += sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
return true;
}
bool
add_access_denied_ace (PACL acl, DWORD attributes, PSID sid, size_t &len_add,
DWORD inherit)
{
NTSTATUS status = RtlAddAccessDeniedAceEx (acl, ACL_REVISION, inherit,
attributes, sid);
if (!NT_SUCCESS (status))
{
__seterrno_from_nt_status (status);
return false;
}
len_add += sizeof (ACCESS_DENIED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
return true;
}
void
set_security_attribute (path_conv &pc, int attribute, PSECURITY_ATTRIBUTES psa,
security_descriptor &sd)
{
psa->lpSecurityDescriptor = sd.malloc (SECURITY_DESCRIPTOR_MIN_LENGTH);
RtlCreateSecurityDescriptor ((PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION);
psa->lpSecurityDescriptor = set_posix_access (attribute, geteuid32 (),
getegid32 (), NULL, 0,
sd, false);
}
int
get_object_sd (HANDLE handle, security_descriptor &sd)
{
ULONG len = 0;
NTSTATUS status;
status = NtQuerySecurityObject (handle, ALL_SECURITY_INFORMATION,
sd, len, &len);
if (status != STATUS_BUFFER_TOO_SMALL)
{
__seterrno_from_nt_status (status);
return -1;
}
if (!sd.malloc (len))
{
set_errno (ENOMEM);
return -1;
}
status = NtQuerySecurityObject (handle, ALL_SECURITY_INFORMATION,
sd, len, &len);
if (!NT_SUCCESS (status))
{
__seterrno_from_nt_status (status);
return -1;
}
return 0;
}
int
get_object_attribute (HANDLE handle, uid_t *uidret, gid_t *gidret,
mode_t *attribute)
{
security_descriptor sd;
mode_t attr = S_IFCHR;
if (get_object_sd (handle, sd))
return -1;
if (attribute)
*attribute |= S_IFCHR;
else
attribute = &attr;
return get_posix_access (sd, attribute, uidret, gidret, NULL, 0)
>= 0 ? 0 : -1;
}
int
create_object_sd_from_attribute (uid_t uid, gid_t gid, mode_t attribute,
security_descriptor &sd)
{
return set_posix_access (S_IFCHR | attribute, uid, gid, NULL, 0, sd, false)
? 0 : -1;
}
int
set_object_sd (HANDLE handle, security_descriptor &sd, bool chown)
{
NTSTATUS status;
status = NtSetSecurityObject (handle, chown ? ALL_SECURITY_INFORMATION
: DACL_SECURITY_INFORMATION, sd);
if (!NT_SUCCESS (status))
{
__seterrno_from_nt_status (status);
return -1;
}
return 0;
}
int
set_object_attribute (HANDLE handle, uid_t uid, gid_t gid, mode_t attribute)
{
security_descriptor sd;
if (create_object_sd_from_attribute (uid, gid, attribute, sd)
|| set_object_sd (handle, sd, uid != ILLEGAL_UID || gid != ILLEGAL_GID))
return -1;
return 0;
}
int
set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
{
int ret = -1;
security_descriptor sd, sd_ret;
mode_t attr_rd;
uid_t uid;
gid_t gid;
tmp_pathbuf tp;
aclent_t *aclp;
int nentries, idx;
if (!get_file_sd (handle, pc, sd, true))
{
attr |= S_JUSTCREATED;
if (pc.isdir ())
attr |= S_IFDIR;
attr_rd = attr;
aclp = (aclent_t *) tp.c_get ();
if ((nentries = get_posix_access (sd, &attr_rd, &uid, &gid,
aclp, MAX_ACL_ENTRIES)) >= 0)
{
if (S_ISLNK (attr))
{
/* Symlinks always get the request POSIX perms. */
aclp[0].a_perm = (attr >> 6) & S_IRWXO;
if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
aclp[idx].a_perm = (attr >> 3) & S_IRWXO;
if (nentries > MIN_ACL_ENTRIES
&& (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
aclp[idx].a_perm = (attr >> 3) & S_IRWXO;
if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
aclp[idx].a_perm = attr & S_IRWXO;
}
else
{
/* Overwrite ACL permissions as required by POSIX 1003.1e
draft 17. */
aclp[0].a_perm &= (attr >> 6) & S_IRWXO;
/* Deliberate deviation from POSIX 1003.1e here. We're not
writing CLASS_OBJ *or* GROUP_OBJ, but both. Otherwise we're
going to be in constant trouble with user expectations. */
if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
if (nentries > MIN_ACL_ENTRIES
&& (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
aclp[idx].a_perm &= attr & S_IRWXO;
}
/* Construct appropriate inherit attribute for new directories.
Basically we do this only for the sake of non-Cygwin applications.
Cygwin applications don't need these. Additionally, if the
S_ISGID bit is set, propagate it. */
if (S_ISDIR (attr))
{
if (searchace (aclp, nentries, DEF_USER_OBJ) < 0)
{
aclp[nentries].a_type = DEF_USER_OBJ;
aclp[nentries].a_id = ILLEGAL_UID;
aclp[nentries++].a_perm = (attr >> 6) & S_IRWXO;
}
if (searchace (aclp, nentries, DEF_GROUP_OBJ) < 0)
{
aclp[nentries].a_type = DEF_GROUP_OBJ;
aclp[nentries].a_id = ILLEGAL_GID;
aclp[nentries++].a_perm = (attr >> 3) & S_IRWXO;
}
if (searchace (aclp, nentries, DEF_OTHER_OBJ) < 0)
{
aclp[nentries].a_type = DEF_OTHER_OBJ;
aclp[nentries].a_id = ILLEGAL_UID;
aclp[nentries++].a_perm = attr & S_IRWXO;
}
if (attr_rd & S_ISGID)
attr |= S_ISGID;
}
if (set_posix_access (attr, uid, gid, aclp, nentries, sd_ret,
pc.fs_is_samba ()))
ret = set_file_sd (handle, pc, sd_ret, attr_rd & S_ISGID);
}
}
return ret;
}
static int
check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
ACCESS_MASK desired, int flags, bool effective)
{
int ret = -1;
NTSTATUS status, allow;
ACCESS_MASK granted;
DWORD plen = sizeof (PRIVILEGE_SET) + 3 * sizeof (LUID_AND_ATTRIBUTES);
PPRIVILEGE_SET pset = (PPRIVILEGE_SET) alloca (plen);
HANDLE tok = ((effective && cygheap->user.issetuid ())
? cygheap->user.imp_token ()
: hProcImpToken);
if (!tok)
{
if (!DuplicateTokenEx (hProcToken, MAXIMUM_ALLOWED, NULL,
SecurityImpersonation, TokenImpersonation,
&hProcImpToken))
{
__seterrno ();
return ret;
}
tok = hProcImpToken;
}
status = NtAccessCheck (sd, tok, desired, &mapping, pset, &plen, &granted,
&allow);
if (!NT_SUCCESS (status))
__seterrno ();
else if (!NT_SUCCESS (allow))
{
/* CV, 2006-10-16: Now, that's really weird. Imagine a user who has no
standard access to a file, but who has backup and restore privileges
and these privileges are enabled in the access token. One would
expect that the AccessCheck function takes this into consideration
when returning the access status. Otherwise, why bother with the
pset parameter, right?
But not so. AccessCheck actually returns a status of "false" here,
even though opening a file with backup resp. restore intent
naturally succeeds for this user. This definitely spoils the results
of access(2) for administrative users or the SYSTEM account. So, in
case the access check fails, another check against the user's
backup/restore privileges has to be made. Sigh. */
int granted_flags = 0;
BOOLEAN has_priv;
if (flags & R_OK)
{
pset->PrivilegeCount = 1;
pset->Control = 0;
pset->Privilege[0].Luid.HighPart = 0L;
pset->Privilege[0].Luid.LowPart = SE_BACKUP_PRIVILEGE;
pset->Privilege[0].Attributes = 0;
status = NtPrivilegeCheck (tok, pset, &has_priv);
if (NT_SUCCESS (status) && has_priv)
granted_flags |= R_OK;
}
if (flags & W_OK)
{
pset->PrivilegeCount = 1;
pset->Control = 0;
pset->Privilege[0].Luid.HighPart = 0L;
pset->Privilege[0].Luid.LowPart = SE_RESTORE_PRIVILEGE;
pset->Privilege[0].Attributes = 0;
status = NtPrivilegeCheck (tok, pset, &has_priv);
if (NT_SUCCESS (status) && has_priv)
granted_flags |= W_OK;
}
if (granted_flags == flags)
ret = 0;
else
set_errno (EACCES);
}
else
ret = 0;
return ret;
}
/* Samba override. Check security descriptor for Samba UNIX user and group
accounts and check if we have an RFC 2307 mapping to a Windows account.
Create a new security descriptor with all of the UNIX accounts with
valid mapping replaced with their Windows counterpart. */
static void
convert_samba_sd (security_descriptor &sd_ret)
{
NTSTATUS status;
BOOLEAN dummy;
PSID sid;
cygsid owner;
cygsid group;
SECURITY_DESCRIPTOR sd;
cyg_ldap cldap;
tmp_pathbuf tp;
PACL acl, oacl;
size_t acl_len;
PACCESS_ALLOWED_ACE ace;
if (!NT_SUCCESS (RtlGetOwnerSecurityDescriptor (sd_ret, &sid, &dummy)))
return;
owner = sid;
if (!NT_SUCCESS (RtlGetGroupSecurityDescriptor (sd_ret, &sid, &dummy)))
return;
group = sid;
if (sid_id_auth (owner) == 22)
{
struct passwd *pwd;
uid_t uid = owner.get_uid (&cldap);
if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
owner.getfrompw (pwd);
}
if (sid_id_auth (group) == 22)
{
struct group *grp;
gid_t gid = group.get_gid (&cldap);
if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
group.getfromgr (grp);
}
if (!NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd_ret, &dummy,
&oacl, &dummy)))
return;
acl = (PACL) tp.w_get ();
RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
acl_len = sizeof (ACL);
for (DWORD i = 0; i < oacl->AceCount; ++i)
if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
{
cygsid ace_sid ((PSID) &ace->SidStart);
if (sid_id_auth (ace_sid) == 22)
{
if (sid_sub_auth (ace_sid, 0) == 1) /* user */
{
struct passwd *pwd;
uid_t uid = ace_sid.get_uid (&cldap);
if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
ace_sid.getfrompw (pwd);
}
else if (sid_sub_auth (ace_sid, 0) == 2) /* group */
{
struct group *grp;
gid_t gid = ace_sid.get_gid (&cldap);
if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
ace_sid.getfromgr (grp);
}
}
if (!add_access_allowed_ace (acl, ace->Mask, ace_sid, acl_len,
ace->Header.AceFlags))
return;
}
acl->AclSize = acl_len;
RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
if (!NT_SUCCESS (status))
return;
DWORD sd_size = 0;
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
if (sd_size > 0 && sd_ret.malloc (sd_size))
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
}
int
check_file_access (path_conv &pc, int flags, bool effective)
{
security_descriptor sd;
int ret = -1;
ACCESS_MASK desired = 0;
if (flags & R_OK)
desired |= FILE_READ_DATA;
if (flags & W_OK)
desired |= FILE_WRITE_DATA;
if (flags & X_OK)
desired |= FILE_EXECUTE;
if (!get_file_sd (pc.handle (), pc, sd, false))
{
/* Tweak Samba security descriptor as necessary. */
if (pc.fs_is_samba ())
convert_samba_sd (sd);
ret = check_access (sd, file_mapping, desired, flags, effective);
}
debug_printf ("flags %y, ret %d", flags, ret);
return ret;
}
int
check_registry_access (HANDLE hdl, int flags, bool effective)
{
security_descriptor sd;
int ret = -1;
static GENERIC_MAPPING NO_COPY_RO reg_mapping = { KEY_READ,
KEY_WRITE,
KEY_EXECUTE,
KEY_ALL_ACCESS };
ACCESS_MASK desired = 0;
if (flags & R_OK)
desired |= KEY_ENUMERATE_SUB_KEYS;
if (flags & W_OK)
desired |= KEY_SET_VALUE;
if (flags & X_OK)
desired |= KEY_QUERY_VALUE;
if ((HKEY) hdl == HKEY_PERFORMANCE_DATA)
/* RegGetKeySecurity() always fails with ERROR_INVALID_HANDLE. */
ret = 0;
else if (!get_reg_sd (hdl, sd))
ret = check_access (sd, reg_mapping, desired, flags, effective);
/* As long as we can't write the registry... */
if (flags & W_OK)
{
set_errno (EROFS);
ret = -1;
}
debug_printf ("flags %y, ret %d", flags, ret);
return ret;
}
Reference in New Issue View Git Blame Copy Permalink