diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2010-12-16 10:31:09 +0000 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2010-12-16 10:31:09 +0000 |
| commit | 9296807af3c5ffe07fe00316dc7552a57df7fea9 (patch) | |
| tree | f744d53ec1cc89d4d2b2ee6983a3d5d83c41e9d2 | |
| parent | e445b7c33672fc8b81fabeff9e5cb795c87b87db (diff) | |
| download | cygnal-9296807af3c5ffe07fe00316dc7552a57df7fea9.tar.gz cygnal-9296807af3c5ffe07fe00316dc7552a57df7fea9.tar.bz2 cygnal-9296807af3c5ffe07fe00316dc7552a57df7fea9.zip | |
* security.cc (alloc_sd): Really fix erroneous inheritence entry
duplication now. Add more comments for clarity.
| -rw-r--r-- | winsup/cygwin/ChangeLog | 5 | ||||
| -rw-r--r-- | winsup/cygwin/security.cc | 31 |
2 files changed, 25 insertions, 11 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index d7e5f005d..823d7d2f5 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,8 @@ +2010-12-16 Corinna Vinschen <corinna@vinschen.de> + + * security.cc (alloc_sd): Really fix erroneous inheritence entry + duplication now. Add more comments for clarity. + 2010-12-15 Christian Franke <franke@computer.org> * sec_acl.cc (getacl): Ensure that the default acl contains at least diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index cddb3f173..73b740c1d 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -641,25 +641,32 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute, { cygpsid ace_sid ((PSID) &ace->SidStart); - /* Check for related ACEs. */ + /* Always skip NULL SID as well as admins SID on virtual device files + in /proc/sys. */ if (ace_sid == well_known_null_sid || (S_ISCHR (attribute) && ace_sid == well_known_admins_sid)) continue; + /* Check for ACEs which are always created in the preceding code + and check for the default inheritence ACEs which will be created + for just created directories. Skip them for just created + directories or if they are not inherited. If they are inherited, + make sure they are *only* inherited, so they don't collide with + the permissions set in this function. */ if ((ace_sid == cur_owner_sid) || (ace_sid == owner_sid) || (ace_sid == cur_group_sid) - || (ace_sid == group_sid)) + || (ace_sid == group_sid) + || (ace_sid == well_known_creator_owner_sid) + || (ace_sid == well_known_creator_group_sid) + || (ace_sid == well_known_world_sid)) { - if (ace->Header.AceFlags - & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)) - ace->Header.AceFlags |= INHERIT_ONLY_ACE; - else + if ((S_ISDIR (attribute) && (attribute & S_JUSTCREATED)) + || (ace->Header.AceFlags + & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)) == 0) continue; + else + ace->Header.AceFlags |= INHERIT_ONLY_ACE; } - else if ((ace_sid == well_known_creator_owner_sid) - || (ace_sid == well_known_creator_group_sid) - || (ace_sid == well_known_world_sid)) - continue; if (attribute & S_JUSTCREATED) { /* Since files and dirs are created with a NULL descriptor, @@ -693,7 +700,9 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute, acl_len += ace->Header.AceSize; } - /* Construct appropriate inherit attribute for new directories */ + /* Construct appropriate inherit attribute for new directories. Keep in + mind that we do this only for the sake of non-Cygwin applications. + Cygwin applications don't need this. */ if (S_ISDIR (attribute) && (attribute & S_JUSTCREATED)) { const DWORD inherit = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE |