PlaneteCasio
/
libc
1
0
Fork 0
Code Issues 6 Pull Requests Releases Wiki Activity
libc/winsup/cygwin/security.cc

745 lines
22 KiB
C++
Raw Normal View History

* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
/* security.cc: NT file access control functions
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
Originaly written by Gunther Ebert, gunther.ebert@ixos-leipzig.de
Add copyright year 2001
2001-02-21 23:59:11 +01:00
Completely rewritten by Corinna Vinschen <corinna@vinschen.de>
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
This file is part of Cygwin.
This software is a copyrighted work licensed under the terms of the
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
details. */
* winsup.h: take out protections of environ, errno, allow C use * *.cc: put winsup.h before other headers (for __INSIDE_CYGWIN__); use cur_environ() instead of just environ * times.cc: remove import protections * glob.c: add winsup.h * localtime.c: ditto * smallprint.c: ditto * Makefile.in: don't __INSIDE_CYGWIN__ as it messes up profiling.
2000-08-02 18:28:18 +02:00
#include "winsup.h"
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
#include <unistd.h>
#include <stdlib.h>
Implement POSIX.1e ACL functions * Makefile.in (DLL_OFILES): Add sec_posixacl.o. (SUBLIBS): Add libacl.a (libacl.a): New rule to create libacl.a. * common.din: Export POSIX ACL functions as well as most libacl.a extensions. * fhandler.h (fhander_base::acl_get): New prototype. (fhander_base::acl_set): Ditto. (fhandler_disk_file::acl_get): Ditto. (fhandler_disk_file::acl_set): Ditto. * include/acl/libacl.h: New file. * include/cygwin/version.h: Bump API minor version. * include/sys/acl.h: Drop including cygwin/acl.h. Accommodate throughout Cygwin. Add POSIX ACL definitions. * sec_acl.cc: Include sec_posixacl.h. Replace ILLEGAL_UID and ILLEGAL_GID with ACL_UNDEFINED_ID where sensible. (__aclcheck): New internal acl check function to be used for Solaris and POSIX ACLs. (aclcheck32): Call __aclcheck. (__aclcalcmask): New function to compute ACL_MASK value. (__aclsort): New internal acl sort function to be used for Solaris and POSIX ACLs. (aclsort32): Call __aclsort. (permtostr): Work directly on provided buffer. (__acltotext): New internal acltotext function to be used for Solaris and POSIX ACLs. (acltotext32): Call __acltotext. (__aclfromtext): New internal aclfromtext function to be used for Solaris and POSIX ACLs. (aclfromtext32): Call __aclfromtext. * sec_posixacl.cc: New file implemeting POSIX ACL functions. * sec_posixacl.h: New internal header. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-01-06 18:41:36 +01:00
#include <cygwin/acl.h>
* winsup.h: Eliminate inclusion of most of the cygwin .h files. Use .h files only in sources which require them. * Makefile.in: Generate dependencies with -MD option.
2000-08-22 07:10:20 +02:00
#include "cygerrno.h"
Throughout, reorganize header file inclusion to put security.h prior to fhandler.h. * fhandler.h (fhandler_base::get_inheritance): New method. * fhandler_socket.cc (fhandler_socket::create_secret_event): Use proper close-on-exec inheritance when creating. (fhandler_socket::check_peer_secret_event): Create handle as non-inheritable.
2001-07-26 21:22:24 +02:00
#include "security.h"
* winsup.h: Eliminate inclusion of most of the cygwin .h files. Use .h files only in sources which require them. * Makefile.in: Generate dependencies with -MD option.
2000-08-22 07:10:20 +02:00
#include "path.h"
* devices.cc: New file. * devices.gperf: New file. * devices.shilka: New file. * cygwin-gperf: New file. * cygwin-shilka: New file. * fhandler_fifo.cc: New file. * fhandler_nodevice.cc : New file. Reorganize headers so that path.h precedes fhandler.h throughout. Remove device argument and unit arguments from fhandler constructors throughout. Remove pc arguments to fhandler functions and use internal pc element instead, throughout. Use dev element in pc throughout. Use major/minor elements rather than units and device numbers previously in fhandler class. Use correct methods for fhandler file names rather than directly accessing file name variables, throughout. * Makefile.in (DLL_OFILES): Add devices.o, fhandler_fifo.o * dcrt0.cc (dll_crt0_1): Call device::init. * devices.h: Renumber devices based on more Linux-like major/minor numbers. Add more devices. Declare standard device storage. (device): Declare struct. * dir.cc (opendir): Use new 'build_fh_name' to construct a fhandler_* type. * dtable.cc (dtable::get_debugger_info): Ditto. (cygwin_attach_handle_to_fd): Ditto. (dtable::release): Remove special FH_SOCKET case in favor of generic "need_fixup_before" test. (dtable::init_std_file_from_handle): Use either build_fh_dev or build_fh_name to build standard fhandler. (dtable::build_fh_name): Renamed from dtable::build_fhandler_from_name. Move out of dtable class. Don't accept a path_conv argument. Just build it here and pass it to: (build_fh_pc): Renamed from dtable::build_fhandler. Move out of dtable class. Use intrinsic device type in path_conv to create new fhandler. (build_fh_dev): Renamed from dtable::build_fhandler. Move out of dtable class. Simplify arguments to just take new 'device' type and a name. Just return pointer to fhandler rather than trying to insert into dtable. (dtable::dup_worker): Accommodate above build_fh name changes. (dtable::find_fifo): New (currently broken) function. (handle_to_fn): Use strechr for efficiency. * dtable.h: Reflect above build_fh name changes and argument differences. (fhandler_base *&operator []): Return self rather than copy of self. * fhandler.cc (fhandler_base::operator =): Use pc element to set normalized path. (fhandler_base::set_name): Ditto. (fhandler_base::raw_read): Use method to access name. (fhandler_base::write): Correctly use get_output_handle rather than get_handle. (handler_base::device_access_denied): New function. (fhandler_base::open): Eliminate pc argument and use pc element of fhandler_base throughout. (fhandler_base::fstat): Detect if device is based in filesystem and use fstat_fs to calculate stat, if so. (fhandler_base::fhandler_base): Eliminate handling of file names and, instead, just free appropriate component from pc. (fhandler_base::opendir): Remove path_conv parameter. * fhandler.h: Remove all device flags. (fhandler_base::pc): New element. (fhandler_base::set_name): Change argument to path_conv. (fhandler_base::error): New function. (fhandler_base::exists): New function. (fhandler_base::pc_binmode): New function. (fhandler_base::dev): New function. (fhandler_base::open_fs): New function. (fhandler_base::fstat_fs): New function. (fhandler_base::fstat_by_name): New function. (fhandler_base::fstat_by_handle): New function. (fhandler_base::isfifo): New function. (fhandler_base::is_slow): New function. (fhandler_base::is_auto_device): New function. (fhandler_base::is_fs_special): New function. (fhandler_base::device_access_denied): New function. (fhandler_base::operator DWORD&): New operator. (fhandler_base::get_name): Return normalized path from pc. (fhandler_base::get_win32_name): Return windows path from pc. (fhandler_base::isdevice): Renamed from is_device. (fhandler_base::get_native_name): Return device format. (fhandler_fifo): New class. (fhandler_nodevice): New class. (select_stuff::device_specific): Remove array. (select_stuff::device_specific_pipe): New class element. (select_stuff::device_specific_socket): New class element. (select_stuff::device_specific_serial): New class element. (select_stuff::select_stuff): Initialize new elements. * fhandler_disk_file.cc (fhandler_base::fstat_by_handle): Move to base class from fhandler_disk_file. (fhandler_base::fstat_by_name): Ditto. (fhandler_base::fstat_by_name): Ditto. (fhandler_disk_file::open): Move most functionality into fhandler_base::open_fs. (fhandler_base::open_fs): New function. (fhandler_disk_file::close): Move most functionality into fhandler_base::close_fs. (fhandler_base::close_fs): New function. * fhandler_mem.cc (fhandler_dev_mem::open): Use device name in debugging output. * fhandler_socket.cc (fhandler_socket::set_connect_secret): Copy standard urandom device into appropriate place. (fhandler_socket::accept): Reflect change in fdsock return value. * fhandler_tty.cc: See "throughouts" above. * net.cc: Accommodate fdsock change throughout. (fdsock): Return success or failure, accept fd argument and device argument. * path.cc (symlink_info::major): New element. (symlink_info::minor): New element. (symlink_info::parse_device): Declare new function. (fs_info::update): Accommodate changes in path_conv class. (path_conv::fillin): Ditto. (path_conv::return_and_clear_normalized_path): Eliminate. (path_conv::set_normalized_path): New function. (path_conv::path_conv): Set info in dev element. Use path_conv methods Check for FH_FS rather than FH_BAD to indicate when to fill in filesystem stuff. where appropriate rather than direct access. Use set_normalized_path to set normalized path. (windows_device_names): Eliminate. (get_dev): Ditto. (get_raw_device_number): Ditto. (get_device_number): Ditto. (win32_device_name): Call new device name parser to do most of the heavy lifting. (mount_info::conv_to_win32_path): Fill in dev field as appropriate. (symlink_worker): Handle new device files. (symlink_info::check): Ditto. (symlink_info::parse_device): Define new function. * path.h (executable_states): Move here from fhandler.h. (fs_info): Rename variables to *_storage and create methods for accessing same. (path_conv): Add dev element, remove devn and unit and adjust inline methods to accommodate. (set_normalized_path): Declare new function. * pinfo.cc (_pinfo::commune_recv): Add broken support for handling fifos. (_pinfo::commune_send): Ditto. * pipe.cc (fhandler_pipe::close): check for existence of handle before closing it. (handler_pipe::create): Rename from make_pipe. Change arguments to accept fhandler_pipe array. Accommodate fifos. (pipe): Rework to deal with fhandler_pipe::create changes. (_pipe): Ditto. * select.cc: Use individual device_specific types throughout rather than indexing with obsolete device number. (set_bits): Use is_socket call rather than checking device number. * shared_info.h (CURR_MOUNT_MAGIC): Update. (conv_to_win32_path): Reflect addition of device argument. * syscalls.cc (mknod_worker): New function. (open): Use build_fh_name to build fhandler. (chown_worker): Detect if this is an 'auto' device rather than an on-filesystem device and handle appropriately. (chmod_device): New function. (chmod): Detect if this is an 'auto' device rather than an on-filesystem device and handle appropriately. Use chmod_device to set mode of in-filesystem devices. (stat_worker): Eliminate path_conv argument. Call build_fh_name to construct fhandler. Use fh->error() rather than pc->error to detect errors in fhandler construction. (access_worker): New function pulled from access. Accommodate in-filesystem devices. (access): Use access_worker. (fpathconf): Detect if this is an 'auto' device rather than an on-filesystem device and handle appropriately. (mknod_worker): New function. (mknod32): New function. (chroot): Free normalized path -- assuming it was actually cmalloced. * tty.cc (create_tty_master): Tweak for new device class. (tty::common_init): Ditto. * winsup.h (stat_worker): Remove. (symlink_worker): Declare. * exceptions.cc (set_process_mask): Just call sig_dispatch_pending and don't worry about pending_signals since sig_dispatch_pending should always do the right thing now. (sig_handle): Reorganize SIGCONT handling to more closely conform to SUSv3. * pinfo.h: Move __SIG enum to sigproc.h. (PICOM_FIFO): New enum element. (_pinfo): Remove 'thread2signal' stuff throughout class. (_pinfo::commune_send): Make varargs. (_pinfo::sigtodo): Eliminate. (_pinfo::thread2signal): Ditto. * signal.cc (kill_worker): Eliminate call to setthread2signal. * sigproc.cc (local_sigtodo): Eliminate. (getlocal_sigtodo): Ditto. (sigelem): New class. (pending_signals): New class. (sigqueue): New variable, start of sigqueue linked list. (sigcatch_nonmain): Eliminate. (sigcatch_main): Eliminate. (sigcatch_nosync): Eliminate. (sigcomplete_nonmain): Eliminate. (pending_signals): Eliminate. (sig_clear): Call signal thread to clear pending signals, unless already in signal thread. (sigpending): Call signal thread to get pending signals. (sig_dispatch_pending): Eliminate use of pending_signals and just check sigqueue. (sigproc_terminate): Eliminate all of the obsolete semaphore stuff. Close signal pipe handle. (sig_send): Eliminate all of the obsolete semaphore stuff and use pipe to send signals. (getevent): Eliminate. (pending_signals::add): New function. (pending_signals::del): New function. (pending_signals::next): New function. (wait_sig): Eliminate all of the obsolete semaphore stuff. Use pipe to communicate and maintain a linked list of signals. * sigproc.h: Move __SIG defines here. Add __SIGPENDING. (sig_dispatch_pending): Remove "C" specifier. (sig_handle): Accept a mask argument. * thread.cc: Remove signal handling considerations throughout.
2003-09-25 02:37:18 +02:00
#include "fhandler.h"
* winsup.h: Split out dtable definitions into separate header file. * dtable.h: New file. * sigproc.h: Eliminate pinfo.h usage here. Use it in source files that need it.
2000-08-12 07:35:42 +02:00
#include "dtable.h"
#include "pinfo.h"
* cygheap.cc (cygheap_root::cygheap_root): New function. (cygheap_root::~cygheap_root): Ditto. (cygheap_root::operator=): Ditto. (cygheap_user::~cygheap_user): Ditto. (cygheap_user::set_name): Ditto. (cygheap_user::set_logsrv): Ditto. (cygheap_user::set_domain): Ditto. (cygheap_user::set_sid): Ditto. * cygheap.h (cygheap_root): New class. (cygheap_user): Ditto. (init_cygheap): Change type of `root' member to cygheap_root. Add `user' member. * dir.cc (opendir): Use new `cygheap_root' class. * dcrt0.cc (dll_crt0_1): Use new `cygheap_user' class. * fork.cc (fork_parent): Ditto. * grp.cc (getgroups): Ditto. * passwd.cc (search_for): Ditto. * path.cc: Use new `cygheap_root' class throughout. * pinfo.h (_pinfo): Remove `use_psid'. Move `username', `psid', `logsrv', `domain', `orig_{uid,gid}' and `real_{uid,gid}' to cygheap_user class. * security.cc: Use new `cygheap_user' class throughout. * shared.cc (sec_user): Ditto. * sigproc.cc (proc_subproc): Remove copy statements for user related information moved to `cygheap_user' class. * spawn.cc (spawn_guts): Invalidate current chroot settings when creating Windows environment. Use new `cygheap_user' class. * syscalls.cc: Use new `cygheap_user' class throughout. * uinfo.cc: Ditto. * uinfo.cc (internal_getlogin): Change parameters to reflect the move of user information to cygheap.
2000-11-15 01:13:09 +01:00
#include "cygheap.h"
* autoload.cc: Add load statements for `LookupAccountNameW', `LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory', `LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum', `NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and `NtCreateToken'. * ntdll.h: Add declaration for `NtCreateToken'. * sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. (cygsid::string): Define as const method. (cygsid::get_sid): Set psid to NO_SID on error. (cygsid::getfromstr): Ditto. (cygsid::getfrompw): Simplify. (cygsid::getfromgr): Check for gr == NULL. (legal_sid_type): Move to security.h. (set_process_privilege): Return -1 on error, otherwise 0 or 1 related to previous privilege setting. * security.cc (extract_nt_dom_user): Remove `static'. (lsa2wchar): New function. (open_local_policy): Ditto. (close_local_policy): Ditto. (get_lsa_srv_inf): Ditto. (get_logon_server): Ditto. (get_logon_server_and_user_domain): Ditto. (get_user_groups): Ditto. (is_group_member): Ditto. (get_user_local_groups): Ditto. (sid_in_token_groups): Ditto. (get_user_primary_group): Ditto. (get_group_sidlist): Ditto. (get_system_priv_list): Ditto. (get_priv_list): Ditto. (get_dacl): Ditto. (create_token): Ditto. (subauth): Return immediately if SE_TCB_NAME can't be assigned. Change all return statements in case of error to jumps to `out' label. Add `out' label to support cleanup. * security.h: Add extern declarations for `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. Add extern declarations for functions `create_token', `extract_nt_dom_user' and `get_logon_server_and_user_domain'. (class cygsid): Add method `assign'. Change operator= to call new `assign' method. Add `debug_print' method. (class cygsidlist): New class. (legal_sid_type): Moved from sec_helper.cc to here. * spawn.cc (spawn_guts) Revert reversion of previous patch. Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid' again. * syscalls.cc (seteuid): Rearranged. Call `create_token' now when needed. Call `subauth' if `create_token' fails. Try setting token owner and primary group only if token was not explicitely created by `create_token'. * uinfo.cc (internal_getlogin): Try harder to generate correct user information. Especially don't trust return value of `GetUserName'.
2001-05-20 10:10:47 +02:00
#include "ntdll.h"
* flock.cc (allow_others_to_sync): Define MAX_PROCESS_SD_SIZE. Use instead of ACL_DEFAULT_SIZE. * sec_acl.cc (setacl): Use TLS buffer to allow maximum ACL size. * security.h (ACL_DEFAULT_SIZE): Drop definition. (ACL_MAXIMUM_SIZE): Define. (SD_MAXIMUM_SIZE): Define. * security.cc (get_file_sd): Allocate security_decscriptor with size SD_MAXIMUM_SIZE. (alloc_sd): Use TLS buffer to allow maximum ACL size.
2010-09-10 16:53:44 +02:00
#include "tls_pbuf.h"
* sec_helper.cc (security_descriptor::free): If sd_size is 0, call LocalFree instead of ::free. * sec_acl.cc: Throughout replace old ACE flag definitions with current definitions as used in MSDN man pages. * security.cc: Ditto. * fhandler.cc (fhandler_base::open): Make sure file has really been just created before fixing file permissions. Add S_JUSTCREATED attribute to set_file_attribute call. * fhandler_disk_file.cc (fhandler_disk_file::mkdir): Always create dir with default security descriptor and fix descriptor afterwards. Add S_JUSTCREATED flag to set_file_attribute call. * fhandler_socket.cc (fhandler_socket::bind): Ditto for AF_LOCAL socket files. * path.cc (symlink_worker): Ditto for symlinks. * security.cc (get_file_sd): Call GetSecurityInfo rather than NtQuerySecurityObject. Explain why. Change error handling accordingly. (alloc_sd): Skip non-inherited, non-standard entries in ACL if S_JUSTCREATED attribute is set. Explain why. Minor format fixes. * security.h (S_JUSTCREATED): New define. (security_descriptor::operator=): New operator.
2009-10-30 20:58:53 +01:00
#include <aclapi.h>
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
#define ALL_SECURITY_INFORMATION (DACL_SECURITY_INFORMATION \
| GROUP_SECURITY_INFORMATION \
| OWNER_SECURITY_INFORMATION)
* autoload.cc: Add load statements for `LookupAccountNameW', `LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory', `LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum', `NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and `NtCreateToken'. * ntdll.h: Add declaration for `NtCreateToken'. * sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. (cygsid::string): Define as const method. (cygsid::get_sid): Set psid to NO_SID on error. (cygsid::getfromstr): Ditto. (cygsid::getfrompw): Simplify. (cygsid::getfromgr): Check for gr == NULL. (legal_sid_type): Move to security.h. (set_process_privilege): Return -1 on error, otherwise 0 or 1 related to previous privilege setting. * security.cc (extract_nt_dom_user): Remove `static'. (lsa2wchar): New function. (open_local_policy): Ditto. (close_local_policy): Ditto. (get_lsa_srv_inf): Ditto. (get_logon_server): Ditto. (get_logon_server_and_user_domain): Ditto. (get_user_groups): Ditto. (is_group_member): Ditto. (get_user_local_groups): Ditto. (sid_in_token_groups): Ditto. (get_user_primary_group): Ditto. (get_group_sidlist): Ditto. (get_system_priv_list): Ditto. (get_priv_list): Ditto. (get_dacl): Ditto. (create_token): Ditto. (subauth): Return immediately if SE_TCB_NAME can't be assigned. Change all return statements in case of error to jumps to `out' label. Add `out' label to support cleanup. * security.h: Add extern declarations for `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. Add extern declarations for functions `create_token', `extract_nt_dom_user' and `get_logon_server_and_user_domain'. (class cygsid): Add method `assign'. Change operator= to call new `assign' method. Add `debug_print' method. (class cygsidlist): New class. (legal_sid_type): Moved from sec_helper.cc to here. * spawn.cc (spawn_guts) Revert reversion of previous patch. Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid' again. * syscalls.cc (seteuid): Rearranged. Call `create_token' now when needed. Call `subauth' if `create_token' fails. Try setting token owner and primary group only if token was not explicitely created by `create_token'. * uinfo.cc (internal_getlogin): Try harder to generate correct user information. Especially don't trust return value of `GetUserName'.
2001-05-20 10:10:47 +02:00
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
static GENERIC_MAPPING NO_COPY_RO file_mapping = { FILE_GENERIC_READ,
FILE_GENERIC_WRITE,
FILE_GENERIC_EXECUTE,
FILE_ALL_ACCESS };
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
LONG
* security.cc (get_file_sd): Add bool parameter justcreated. Use GetSecurityInfo only if justcreated is true, NtQuerySecurityObject otherwise. Add comment to explain why. Don't waste time to call NtQuerySecurityObject twice, just allocate big enough area. (get_file_attribute): Call get_file_sd with justcreated set to false. (set_file_attribute): Call get_file_sd with justcreated depending on S_JUSTCREATED pseudo file attribute. (check_file_access): Call get_file_sd with justcreated set to false. * sec_acl.cc (setacl): Ditto. (getacl): Ditto. * security.h: Convert many functions to regparm functions. (get_file_sd): Declare with extra bool parameter.
2010-09-10 11:32:13 +02:00
get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
bool justcreated)
* autoload.cc: Add load statements for `LookupAccountNameW', `LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory', `LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum', `NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and `NtCreateToken'. * ntdll.h: Add declaration for `NtCreateToken'. * sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. (cygsid::string): Define as const method. (cygsid::get_sid): Set psid to NO_SID on error. (cygsid::getfromstr): Ditto. (cygsid::getfrompw): Simplify. (cygsid::getfromgr): Check for gr == NULL. (legal_sid_type): Move to security.h. (set_process_privilege): Return -1 on error, otherwise 0 or 1 related to previous privilege setting. * security.cc (extract_nt_dom_user): Remove `static'. (lsa2wchar): New function. (open_local_policy): Ditto. (close_local_policy): Ditto. (get_lsa_srv_inf): Ditto. (get_logon_server): Ditto. (get_logon_server_and_user_domain): Ditto. (get_user_groups): Ditto. (is_group_member): Ditto. (get_user_local_groups): Ditto. (sid_in_token_groups): Ditto. (get_user_primary_group): Ditto. (get_group_sidlist): Ditto. (get_system_priv_list): Ditto. (get_priv_list): Ditto. (get_dacl): Ditto. (create_token): Ditto. (subauth): Return immediately if SE_TCB_NAME can't be assigned. Change all return statements in case of error to jumps to `out' label. Add `out' label to support cleanup. * security.h: Add extern declarations for `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. Add extern declarations for functions `create_token', `extract_nt_dom_user' and `get_logon_server_and_user_domain'. (class cygsid): Add method `assign'. Change operator= to call new `assign' method. Add `debug_print' method. (class cygsidlist): New class. (legal_sid_type): Moved from sec_helper.cc to here. * spawn.cc (spawn_guts) Revert reversion of previous patch. Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid' again. * syscalls.cc (seteuid): Rearranged. Call `create_token' now when needed. Call `subauth' if `create_token' fails. Try setting token owner and primary group only if token was not explicitely created by `create_token'. * uinfo.cc (internal_getlogin): Try harder to generate correct user information. Especially don't trust return value of `GetUserName'.
2001-05-20 10:10:47 +02:00
{
* ntea.cc (read_ea): Change left-over return to __leave. Fix condition to close handle. Call NtClose rather than CloseHandle. (write_ea): Fix condition to close handle. Call NtClose rather than CloseHandle. * security.cc (get_file_sd): Call pc.init_reopen_attr if a valid incoming handle was given, pc.get_object_attr otherwise. (set_file_sd): Ditto.
2014-08-27 11:39:44 +02:00
NTSTATUS status = STATUS_SUCCESS;
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK io;
ULONG len = SD_MAXIMUM_SIZE, rlen;
* autoload.cc: Add load statements for `LookupAccountNameW', `LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory', `LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum', `NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and `NtCreateToken'. * ntdll.h: Add declaration for `NtCreateToken'. * sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. (cygsid::string): Define as const method. (cygsid::get_sid): Set psid to NO_SID on error. (cygsid::getfromstr): Ditto. (cygsid::getfrompw): Simplify. (cygsid::getfromgr): Check for gr == NULL. (legal_sid_type): Move to security.h. (set_process_privilege): Return -1 on error, otherwise 0 or 1 related to previous privilege setting. * security.cc (extract_nt_dom_user): Remove `static'. (lsa2wchar): New function. (open_local_policy): Ditto. (close_local_policy): Ditto. (get_lsa_srv_inf): Ditto. (get_logon_server): Ditto. (get_logon_server_and_user_domain): Ditto. (get_user_groups): Ditto. (is_group_member): Ditto. (get_user_local_groups): Ditto. (sid_in_token_groups): Ditto. (get_user_primary_group): Ditto. (get_group_sidlist): Ditto. (get_system_priv_list): Ditto. (get_priv_list): Ditto. (get_dacl): Ditto. (create_token): Ditto. (subauth): Return immediately if SE_TCB_NAME can't be assigned. Change all return statements in case of error to jumps to `out' label. Add `out' label to support cleanup. * security.h: Add extern declarations for `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. Add extern declarations for functions `create_token', `extract_nt_dom_user' and `get_logon_server_and_user_domain'. (class cygsid): Add method `assign'. Change operator= to call new `assign' method. Add `debug_print' method. (class cygsidlist): New class. (legal_sid_type): Moved from sec_helper.cc to here. * spawn.cc (spawn_guts) Revert reversion of previous patch. Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid' again. * syscalls.cc (seteuid): Rearranged. Call `create_token' now when needed. Call `subauth' if `create_token' fails. Try setting token owner and primary group only if token was not explicitely created by `create_token'. * uinfo.cc (internal_getlogin): Try harder to generate correct user information. Especially don't trust return value of `GetUserName'.
2001-05-20 10:10:47 +02:00
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
/* Allocate space for the security descriptor. */
if (!sd.malloc (len))
* autoload.cc: Add load statements for `LookupAccountNameW', `LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory', `LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum', `NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and `NtCreateToken'. * ntdll.h: Add declaration for `NtCreateToken'. * sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. (cygsid::string): Define as const method. (cygsid::get_sid): Set psid to NO_SID on error. (cygsid::getfromstr): Ditto. (cygsid::getfrompw): Simplify. (cygsid::getfromgr): Check for gr == NULL. (legal_sid_type): Move to security.h. (set_process_privilege): Return -1 on error, otherwise 0 or 1 related to previous privilege setting. * security.cc (extract_nt_dom_user): Remove `static'. (lsa2wchar): New function. (open_local_policy): Ditto. (close_local_policy): Ditto. (get_lsa_srv_inf): Ditto. (get_logon_server): Ditto. (get_logon_server_and_user_domain): Ditto. (get_user_groups): Ditto. (is_group_member): Ditto. (get_user_local_groups): Ditto. (sid_in_token_groups): Ditto. (get_user_primary_group): Ditto. (get_group_sidlist): Ditto. (get_system_priv_list): Ditto. (get_priv_list): Ditto. (get_dacl): Ditto. (create_token): Ditto. (subauth): Return immediately if SE_TCB_NAME can't be assigned. Change all return statements in case of error to jumps to `out' label. Add `out' label to support cleanup. * security.h: Add extern declarations for `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. Add extern declarations for functions `create_token', `extract_nt_dom_user' and `get_logon_server_and_user_domain'. (class cygsid): Add method `assign'. Change operator= to call new `assign' method. Add `debug_print' method. (class cygsidlist): New class. (legal_sid_type): Moved from sec_helper.cc to here. * spawn.cc (spawn_guts) Revert reversion of previous patch. Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid' again. * syscalls.cc (seteuid): Rearranged. Call `create_token' now when needed. Call `subauth' if `create_token' fails. Try setting token owner and primary group only if token was not explicitely created by `create_token'. * uinfo.cc (internal_getlogin): Try harder to generate correct user information. Especially don't trust return value of `GetUserName'.
2001-05-20 10:10:47 +02:00
{
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
set_errno (ENOMEM);
return -1;
}
/* Try to fetch the security descriptor if the handle is valid. */
if (fh)
{
status = NtQuerySecurityObject (fh, ALL_SECURITY_INFORMATION,
sd, len, &rlen);
if (!NT_SUCCESS (status))
* ntea.cc (read_ea): Change left-over return to __leave. Fix condition to close handle. Call NtClose rather than CloseHandle. (write_ea): Fix condition to close handle. Call NtClose rather than CloseHandle. * security.cc (get_file_sd): Call pc.init_reopen_attr if a valid incoming handle was given, pc.get_object_attr otherwise. (set_file_sd): Ditto.
2014-08-27 11:39:44 +02:00
debug_printf ("NtQuerySecurityObject (%S), status %y",
pc.get_nt_native_path (), status);
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
}
/* If the handle was NULL, or fetching with the original handle didn't work,
try to reopen the file with READ_CONTROL and fetch the security descriptor
using that handle. */
* ntea.cc (read_ea): Change left-over return to __leave. Fix condition to close handle. Call NtClose rather than CloseHandle. (write_ea): Fix condition to close handle. Call NtClose rather than CloseHandle. * security.cc (get_file_sd): Call pc.init_reopen_attr if a valid incoming handle was given, pc.get_object_attr otherwise. (set_file_sd): Ditto.
2014-08-27 11:39:44 +02:00
if (!fh || !NT_SUCCESS (status))
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
{
status = NtOpenFile (&fh, READ_CONTROL,
* ntea.cc (read_ea): Change left-over return to __leave. Fix condition to close handle. Call NtClose rather than CloseHandle. (write_ea): Fix condition to close handle. Call NtClose rather than CloseHandle. * security.cc (get_file_sd): Call pc.init_reopen_attr if a valid incoming handle was given, pc.get_object_attr otherwise. (set_file_sd): Ditto.
2014-08-27 11:39:44 +02:00
fh ? pc.init_reopen_attr (attr, fh)
: pc.get_object_attr (attr, sec_none_nih),
&io, FILE_SHARE_VALID_FLAGS,
FILE_OPEN_FOR_BACKUP_INTENT);
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
if (!NT_SUCCESS (status))
whitespace elimination
2011-06-06 07:02:13 +02:00
{
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
sd.free ();
__seterrno_from_nt_status (status);
return -1;
}
status = NtQuerySecurityObject (fh, ALL_SECURITY_INFORMATION,
sd, len, &rlen);
NtClose (fh);
if (!NT_SUCCESS (status))
Perform whitespace cleanup throughout. * dcrt0.cc (signal_shift_subtract): Eliminate ancient backwards compatibility. (check_sanity_and_sync): Ditto. * winsup.h (SIGTOMASK): Ditto. Just use constant in signal calculation. * include/cygwin/version: Remove backwards signal mask compatibility define. * path.cc (symlink_info::check_sysfile): Cosmetic change. * registry.cc (get_registry_hive_path): Remove unneeded variable. * exceptions.cc (handle_sigsuspend): Eliminate thread signal mask and use either main sigmask or current thread sigmask. (set_process_mask): Ditto. (sighold): Ditto. (sigrelse): Ditto. (sigset): Ditto. (set_process_mask_delta): Ditto. (_cygtls::call_signal_handler): Ditto. * fhandler_process.cc (format_process_status): Ditto. * fhandler_termios.cc (fhandler_termios::bg_check): Ditto. * pinfo.h (class pinfo): Ditto. * select.cc (pselect): Ditto. * signal.cc (sigprocmask): Ditto. (abort): Ditto. (sigpause): Ditto. (sigsend): Ditto. (wait_sig): Ditto. * thread.h (pthread::parent_tls): New member. * thread.cc (pthread::pthread): Record parent_tls here. (pthread::thread_init_wrapper): Initialize sigmask from parent thread.
2008-02-15 18:53:11 +01:00
{
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
sd.free ();
__seterrno_from_nt_status (status);
return -1;
* cyglsa.h: New header file. * environ.cc: Disable subauth settings. * grp.cc: Accomodate cygsidlist's count now being a method. * sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove. (mandatory_medium_integrity_sid): Remove. (mandatory_high_integrity_sid): Remove. (mandatory_system_integrity_sid): Remove. (fake_logon_sid): Add. (cygsid::get_sid): Add well_known parameter. Set well_known_sid accordingly. (cygsid::getfromstr): Ditto. (cygsidlist::alloc_sids): Move here from security.cc. (cygsidlist::free_sids): Ditto. (cygsidlist::add): Move here from security.h. Add well_known parameter. Set well_known_sid accordingly. Don't allow duplicate SIDs. * security.cc: Include cyglsa.h and cygwin/version.h. Throughout accomodate cygsidlist's count now being a method. Throughout drop redundant "contains" tests. (get_user_local_groups): Add local groups as well known SIDs. (get_token_group_sidlist): Add well known groups as well known SIDs. (get_server_groups): Ditto. Only call get_unix_group_sidlist after get_user_local_groups to maintain "well_known_sid" attribute. (get_initgroups_sidlist): Add well known groups as well known SIDs. (get_setgroups_sidlist): Add usersid and struct passwd parameter to allow calling get_server_groups from here. (get_system_priv_list): Make static. Return size of TOKEN_PRIVILEGES structure. (get_priv_list): Ditto. (create_token): Accomodate above changes. Drop misguided attempt to add MIC SIDs to created user token. Print returned token as hex value. (subauth): Disable. (lsaauth): New function implementing client side of LSA authentication. * security.h (class cygsid): Add well_known_sid attribute. Accomodate throughout. Add *= operator to create a well known SID. (class cygsidlist): Rename count to cnt. Make count a method. (cygsidlist::add): Move to sec_helper.cc. (cygsidlist::operator *=): New method to add well known SID. (cygsidlist::non_well_known_count): New method returning number of non well known SIDs in list. (cygsidlist::next_non_well_known_sid): New method returning next non well known SID by index. (mandatory_medium_integrity_sid): Drop declaration. (mandatory_high_integrity_sid): Drop declaration. (mandatory_system_integrity_sid): Drop declaration. (fake_logon_sid): Add declaration. (subauth): Disable declaration. (lsaauth): Add declaration. * syscalls.cc (seteuid32): Disable subauthentication. Add LSA authentication. * wincap.h: Define needs_logon_sid_in_sid_list throughout. * wincap.cc: Ditto.
2006-11-27 13:59:59 +01:00
}
}
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
/* We have a security descriptor now. Unfortunately, if you want to know
if an ACE is inherited from the parent object, this isn't sufficient.
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
In the simple case, the SDs control word contains one of the
SE_DACL_AUTO_INHERITED or SE_DACL_PROTECTED flags, or at least one of
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
the ACEs has the INHERITED_ACE flag set. In all of these cases we
know the DACL has been inherited.
If none of these flags is set in the SD, the information whether
or not an ACE has been inherited is not available in the DACL of the
object. In this case GetSecurityInfo fetches the SD from the parent
directory and tests if the object's SD contains inherited ACEs from the
parent.
Note that we're not testing the SE_DACL_AUTO_INHERITED and
SE_DACL_PROTECTED flags here because we know the state the file's SD
is in. Since we're creating all files with a NULL descriptor, the DACL
is either inherited from the parent, or it's the default DACL. In
neither case, one of these flags is set.
For speed, we're not calling RtlConvertToAutoInheritSecurityObject
anymore (but keep the code here for reference). Rather we just test
if one of the parent's ACEs is inheritable. If so, we know we inherited
it and set the SE_DACL_AUTO_INHERITED flag. If not, we may assume our
object's DACL is the default DACL.
This functionality is slow and the extra information is only required
when the file has been created and the permissions are about to be set
to POSIX permissions. Therefore we only use it in case the file just
got created. */
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
if (justcreated)
{
PACL dacl;
BOOLEAN exists, def;
ACCESS_ALLOWED_ACE *ace;
UNICODE_STRING dirname;
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
PSECURITY_DESCRIPTOR psd;
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
tmp_pathbuf tp;
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
/* Open the parent directory with READ_CONTROL... */
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
RtlSplitUnicodePath (pc.get_nt_native_path (), &dirname, NULL);
InitializeObjectAttributes (&attr, &dirname, pc.objcaseinsensitive (),
NULL, NULL);
status = NtOpenFile (&fh, READ_CONTROL, &attr, &io,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN_FOR_BACKUP_INTENT
| FILE_OPEN_REPARSE_POINT);
if (!NT_SUCCESS (status))
{
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
debug_printf ("NtOpenFile (%S), status %y", &dirname, status);
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
return 0;
}
/* ... fetch the parent's security descriptor ... */
psd = (PSECURITY_DESCRIPTOR) tp.w_get ();
status = NtQuerySecurityObject (fh, ALL_SECURITY_INFORMATION,
psd, len, &rlen);
NtClose (fh);
if (!NT_SUCCESS (status))
{
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
debug_printf ("NtQuerySecurityObject (%S), status %y",
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
&dirname, status);
return 0;
}
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
#if 0
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
/* ... and create a new security descriptor in which all inherited ACEs
whitespace elimination
2011-06-06 07:02:13 +02:00
are marked with the INHERITED_ACE flag. For a description of the
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
undocumented RtlConvertToAutoInheritSecurityObject function from
ntdll.dll see the MSDN man page for the advapi32 function
ConvertToAutoInheritPrivateObjectSecurity. Fortunately the latter
is just a shim. */
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
PSECURITY_DESCRIPTOR nsd;
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
status = RtlConvertToAutoInheritSecurityObject (psd, sd, &nsd, NULL,
pc.isdir (),
&file_mapping);
if (!NT_SUCCESS (status))
{
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
debug_printf ("RtlConvertToAutoInheritSecurityObject (%S), status %y",
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
&dirname, status);
return 0;
}
/* Eventually copy the new security descriptor into sd and delete the
whitespace elimination
2011-06-06 07:02:13 +02:00
original one created by RtlConvertToAutoInheritSecurityObject from
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
the heap. */
len = RtlLengthSecurityDescriptor (nsd);
memcpy ((PSECURITY_DESCRIPTOR) sd, nsd, len);
RtlDeleteSecurityObject (&nsd);
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
#else
/* ... and check the parent descriptor for inheritable ACEs matching
our current object type (file/dir). The simple truth in our case
is, either the parent dir had inheritable ACEs and all our ACEs are
inherited, or the parent dir didn't have inheritable ACEs and all
our ACEs are taken from the default DACL. */
bool inherited = false;
BYTE search_flags = pc.isdir () ? SUB_CONTAINERS_AND_OBJECTS_INHERIT
: SUB_OBJECTS_ONLY_INHERIT;
if (NT_SUCCESS (RtlGetDaclSecurityDescriptor (psd, &exists, &dacl, &def))
&& exists && dacl)
for (ULONG idx = 0; idx < dacl->AceCount; ++idx)
if (NT_SUCCESS (RtlGetAce (dacl, idx, (PVOID *) &ace))
&& (ace->Header.AceFlags & search_flags))
{
inherited = true;
break;
}
/* Then, if the parent descriptor contained inheritable ACEs, we mark
the SD as SE_DACL_AUTO_INHERITED. Note that this requires the
matching check in get_posix_access. If we ever revert to
RtlConvertToAutoInheritSecurityObject, the check in get_posix_access
has to test every single ACE for the INHERITED_ACE flag again. */
if (inherited
&& NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd, &exists, &dacl,
&def))
&& exists && dacl)
RtlSetControlSecurityDescriptor (sd, SE_DACL_AUTO_INHERITED,
SE_DACL_AUTO_INHERITED);
#endif
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
}
return 0;
* dir.cc (mkdir): Use local security_descriptor. Call set_security_attribute appropriately. * external.cc (cygwin_internal): Ditto. * fhandler.cc (fhandler_base::open): Ditto. * fhandler_socket.cc (fhandler_socket::bind): Ditto. * path.cc (symlink_worker): Ditto. * sec_acl.cc (setacl): Ditto. Call read_sd appropriately. (getace): Ditto. * sec_helper.cc (security_descriptor::malloc): New method. (security_descriptor::realloc): New method. (security_descriptor::free): New method. * security.cc (read_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. Allocate the security_descriptor buffer according to size returned by a call to GetFileSecurity. Return buffer size on success. (write_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (get_nt_attribute): Use local security_descriptor. (get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY. Allocate security_descriptor buffer according to size returned by a call to RegGetKeySecurity. (alloc_sd): Make static. Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. (set_security_attribute): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (set_nt_attribute): Use local security_descriptor. (check_file_access): Ditto. * security.h: Add class security_descriptor. (read_sd): Change declaration to get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (write_sd): Ditto. (set_security_attribute): Ditto. (alloc_sd): Remove declaration. * thread.cc (semaphore::semaphore): Use local security_descriptor. Call set_security_attribute appropriately.
2003-11-26 14:23:27 +01:00
}
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
* dir.cc (mkdir): Use local security_descriptor. Call set_security_attribute appropriately. * external.cc (cygwin_internal): Ditto. * fhandler.cc (fhandler_base::open): Ditto. * fhandler_socket.cc (fhandler_socket::bind): Ditto. * path.cc (symlink_worker): Ditto. * sec_acl.cc (setacl): Ditto. Call read_sd appropriately. (getace): Ditto. * sec_helper.cc (security_descriptor::malloc): New method. (security_descriptor::realloc): New method. (security_descriptor::free): New method. * security.cc (read_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. Allocate the security_descriptor buffer according to size returned by a call to GetFileSecurity. Return buffer size on success. (write_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (get_nt_attribute): Use local security_descriptor. (get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY. Allocate security_descriptor buffer according to size returned by a call to RegGetKeySecurity. (alloc_sd): Make static. Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. (set_security_attribute): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (set_nt_attribute): Use local security_descriptor. (check_file_access): Ditto. * security.h: Add class security_descriptor. (read_sd): Change declaration to get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (write_sd): Ditto. (set_security_attribute): Ditto. (alloc_sd): Remove declaration. * thread.cc (semaphore::semaphore): Use local security_descriptor. Call set_security_attribute appropriately.
2003-11-26 14:23:27 +01:00
LONG
* fhandler_disk_file.cc (fhandler_disk_file::fchown): Catch an error when changing the user account on a standalone Samba server. Explain why. * sec_acl.cc (setacl): Accommodate additional parameter to set_file_sd. * sec_helper.cc (SECURITY_SAMBA_UNIX_AUTHORITY): Define. (well_known_samba_unix_user_fake_sid): Define. * security.cc (set_file_sd): Take additional parameter if ownership should be changed. Restrict requested permissions accordingly. (set_file_attribute): Accommodate additional parameter to set_file_sd. * security.h (well_known_samba_unix_user_fake_sid): Declare. (set_file_sd): Align declaration to above change.
2009-04-09 11:19:03 +02:00
set_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd, bool is_chown)
* dir.cc (mkdir): Use local security_descriptor. Call set_security_attribute appropriately. * external.cc (cygwin_internal): Ditto. * fhandler.cc (fhandler_base::open): Ditto. * fhandler_socket.cc (fhandler_socket::bind): Ditto. * path.cc (symlink_worker): Ditto. * sec_acl.cc (setacl): Ditto. Call read_sd appropriately. (getace): Ditto. * sec_helper.cc (security_descriptor::malloc): New method. (security_descriptor::realloc): New method. (security_descriptor::free): New method. * security.cc (read_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. Allocate the security_descriptor buffer according to size returned by a call to GetFileSecurity. Return buffer size on success. (write_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (get_nt_attribute): Use local security_descriptor. (get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY. Allocate security_descriptor buffer according to size returned by a call to RegGetKeySecurity. (alloc_sd): Make static. Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. (set_security_attribute): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (set_nt_attribute): Use local security_descriptor. (check_file_access): Ditto. * security.h: Add class security_descriptor. (read_sd): Change declaration to get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (write_sd): Ditto. (set_security_attribute): Ditto. (alloc_sd): Remove declaration. * thread.cc (semaphore::semaphore): Use local security_descriptor. Call set_security_attribute appropriately.
2003-11-26 14:23:27 +01:00
{
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
NTSTATUS status = STATUS_SUCCESS;
* fhandler.cc (fhandler_base::open): Accomodate query_write_control query_state. (fhandler_base::fchown): New method. * fhandler.h: Declare fchown method in fhandler_base, fhandler_disk_file and fhandler_virtual. (enum query_state): Add query_write_control. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Set query_state to query_write_control. Only remove FILE_ATTRIBUTE_READONLY if not setting security descriptor. (fhandler_disk_file::fchown): New method. * fhandler_virtual.cc (fhandler_virtual::fchown): New method. * sec_acl.cc (setacl): Call write_sd with additional handle attribute. * security.cc (write_sd): Take handle argument. Only request owner if getting SE_RESTORE_NAME privilege failed. Only open file if NtSetSecurityObject failed or handle is NULL. (set_nt_attribute): Call write_sd with additional handle attribute. * security.h (write_sd): Declare with additional handle argument.
2004-04-14 15:40:07 +02:00
int retry = 0;
* autoload.cc (NtCreateFile): Add. * dir.cc (mkdir): Change set_file_attribute call to indicate that NT security isn't used. * fhandler.cc (fhandler_base::open_9x): New method, created from fhandler_base::open. (fhandler_base::open): Rearrange to use NtCreateFile instead of CreateFile. * fhandler.h (enum query_state): Redefine query_null_access to query_stat_control. query_null_access isn't allowed in NtCreateFile. (fhandler_base::open_9x): Declare. * fhandler_disk_file.cc (fhandler_base::fstat_fs): Use query_stat_control first, query_read_control if that fails. (fhandler_disk_file::fchmod): Call enable_restore_privilege before trying to open for query_write_control. Don't fall back to opening for query_read_control. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::facl): Only request restore privilege and query access necessary for given cmd. * fhandler_raw.cc (fhandler_dev_raw::open): Call fhandler_base::open instead of opening device here. * ntdll.h (NtCreateFile): Declare. * path.cc (symlink_worker): Change set_file_attribute call to indicate that NT security isn't used. * sec_acl.cc (getacl): Fix bracketing. * sec_helper.cc (enable_restore_privilege): New function. * security.cc (str2buf2uni_cat): New function. (write_sd): Don't request restore permission here. * security.h (set_process_privileges): Drop stale declaration. (str2buf2uni): Declare. (str2buf2uni_cat): Declare. (enable_restore_privilege): Declare. * syscalls.cc (fchown32): Return immediate success on 9x.
2004-04-16 23:22:13 +02:00
int res = -1;
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
* fhandler.cc (fhandler_base::open): Accomodate query_write_control query_state. (fhandler_base::fchown): New method. * fhandler.h: Declare fchown method in fhandler_base, fhandler_disk_file and fhandler_virtual. (enum query_state): Add query_write_control. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Set query_state to query_write_control. Only remove FILE_ATTRIBUTE_READONLY if not setting security descriptor. (fhandler_disk_file::fchown): New method. * fhandler_virtual.cc (fhandler_virtual::fchown): New method. * sec_acl.cc (setacl): Call write_sd with additional handle attribute. * security.cc (write_sd): Take handle argument. Only request owner if getting SE_RESTORE_NAME privilege failed. Only open file if NtSetSecurityObject failed or handle is NULL. (set_nt_attribute): Call write_sd with additional handle attribute. * security.h (write_sd): Declare with additional handle argument.
2004-04-14 15:40:07 +02:00
for (; retry < 2; ++retry)
{
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
if (fh)
Perform whitespace cleanup throughout. * dcrt0.cc (signal_shift_subtract): Eliminate ancient backwards compatibility. (check_sanity_and_sync): Ditto. * winsup.h (SIGTOMASK): Ditto. Just use constant in signal calculation. * include/cygwin/version: Remove backwards signal mask compatibility define. * path.cc (symlink_info::check_sysfile): Cosmetic change. * registry.cc (get_registry_hive_path): Remove unneeded variable. * exceptions.cc (handle_sigsuspend): Eliminate thread signal mask and use either main sigmask or current thread sigmask. (set_process_mask): Ditto. (sighold): Ditto. (sigrelse): Ditto. (sigset): Ditto. (set_process_mask_delta): Ditto. (_cygtls::call_signal_handler): Ditto. * fhandler_process.cc (format_process_status): Ditto. * fhandler_termios.cc (fhandler_termios::bg_check): Ditto. * pinfo.h (class pinfo): Ditto. * select.cc (pselect): Ditto. * signal.cc (sigprocmask): Ditto. (abort): Ditto. (sigpause): Ditto. (sigsend): Ditto. (wait_sig): Ditto. * thread.h (pthread::parent_tls): New member. * thread.cc (pthread::pthread): Record parent_tls here. (pthread::thread_init_wrapper): Initialize sigmask from parent thread.
2008-02-15 18:53:11 +01:00
{
* fhandler_disk_file.cc (fhandler_disk_file::fchown): Catch an error when changing the user account on a standalone Samba server. Explain why. * sec_acl.cc (setacl): Accommodate additional parameter to set_file_sd. * sec_helper.cc (SECURITY_SAMBA_UNIX_AUTHORITY): Define. (well_known_samba_unix_user_fake_sid): Define. * security.cc (set_file_sd): Take additional parameter if ownership should be changed. Restrict requested permissions accordingly. (set_file_attribute): Accommodate additional parameter to set_file_sd. * security.h (well_known_samba_unix_user_fake_sid): Declare. (set_file_sd): Align declaration to above change.
2009-04-09 11:19:03 +02:00
status = NtSetSecurityObject (fh,
is_chown ? ALL_SECURITY_INFORMATION
: DACL_SECURITY_INFORMATION,
sd);
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
if (NT_SUCCESS (status))
{
res = 0;
break;
}
}
if (!retry)
Perform whitespace cleanup throughout. * dcrt0.cc (signal_shift_subtract): Eliminate ancient backwards compatibility. (check_sanity_and_sync): Ditto. * winsup.h (SIGTOMASK): Ditto. Just use constant in signal calculation. * include/cygwin/version: Remove backwards signal mask compatibility define. * path.cc (symlink_info::check_sysfile): Cosmetic change. * registry.cc (get_registry_hive_path): Remove unneeded variable. * exceptions.cc (handle_sigsuspend): Eliminate thread signal mask and use either main sigmask or current thread sigmask. (set_process_mask): Ditto. (sighold): Ditto. (sigrelse): Ditto. (sigset): Ditto. (set_process_mask_delta): Ditto. (_cygtls::call_signal_handler): Ditto. * fhandler_process.cc (format_process_status): Ditto. * fhandler_termios.cc (fhandler_termios::bg_check): Ditto. * pinfo.h (class pinfo): Ditto. * select.cc (pselect): Ditto. * signal.cc (sigprocmask): Ditto. (abort): Ditto. (sigpause): Ditto. (sigsend): Ditto. (wait_sig): Ditto. * thread.h (pthread::parent_tls): New member. * thread.cc (pthread::pthread): Record parent_tls here. (pthread::thread_init_wrapper): Initialize sigmask from parent thread.
2008-02-15 18:53:11 +01:00
{
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK io;
* fhandler_disk_file.cc (fhandler_disk_file::fchown): Catch an error when changing the user account on a standalone Samba server. Explain why. * sec_acl.cc (setacl): Accommodate additional parameter to set_file_sd. * sec_helper.cc (SECURITY_SAMBA_UNIX_AUTHORITY): Define. (well_known_samba_unix_user_fake_sid): Define. * security.cc (set_file_sd): Take additional parameter if ownership should be changed. Restrict requested permissions accordingly. (set_file_attribute): Accommodate additional parameter to set_file_sd. * security.h (well_known_samba_unix_user_fake_sid): Declare. (set_file_sd): Align declaration to above change.
2009-04-09 11:19:03 +02:00
status = NtOpenFile (&fh, (is_chown ? WRITE_OWNER : 0) | WRITE_DAC,
* ntea.cc (read_ea): Change left-over return to __leave. Fix condition to close handle. Call NtClose rather than CloseHandle. (write_ea): Fix condition to close handle. Call NtClose rather than CloseHandle. * security.cc (get_file_sd): Call pc.init_reopen_attr if a valid incoming handle was given, pc.get_object_attr otherwise. (set_file_sd): Ditto.
2014-08-27 11:39:44 +02:00
fh ? pc.init_reopen_attr (attr, fh)
: pc.get_object_attr (attr, sec_none_nih),
&io,
* path.h (path_conv::init_reopen_attr): Change from void to returning POBJECT_ATTRIBUTES. Take OBJECT_ATTRIBUTES reference as argument, not pointer. * fhandler_disk_file.cc: Throughout accommodate above change. * syscalls.cc: Ditto. * ntea.cc (read_ea): Don't set hdl to NULL if it's already NULL. Set attr with pc.init_reopen_attr before trying to reopen file. (write_ea): Ditto. * security.cc (get_file_sd): Use pc.init_reopen_attr rather than pc.get_object_attr when trying to reopen file. (set_file_sd): Ditto.
2014-08-26 22:47:46 +02:00
FILE_SHARE_VALID_FLAGS,
* security.cc (set_file_sd): Drop using FILE_OPEN_FOR_RECOVERY flag in call to NtOpenFile. * exceptions.cc (open_stackdumpfile): Ditto in call to NtCreateFile. * fhandler.cc (fhandler_base::open): Ditto. Simplify setting create_options. * mount.cc (fs_info::update): Recognize offline storage. (fillout_mntent): Report UDF and offline storage. * mount.h (class fs_info): Add is_csc_cache status flag.
2009-05-04 11:16:42 +02:00
FILE_OPEN_FOR_BACKUP_INTENT);
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
if (!NT_SUCCESS (status))
{
fh = NULL;
break;
}
}
* fhandler.cc (fhandler_base::open): Accomodate query_write_control query_state. (fhandler_base::fchown): New method. * fhandler.h: Declare fchown method in fhandler_base, fhandler_disk_file and fhandler_virtual. (enum query_state): Add query_write_control. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Set query_state to query_write_control. Only remove FILE_ATTRIBUTE_READONLY if not setting security descriptor. (fhandler_disk_file::fchown): New method. * fhandler_virtual.cc (fhandler_virtual::fchown): New method. * sec_acl.cc (setacl): Call write_sd with additional handle attribute. * security.cc (write_sd): Take handle argument. Only request owner if getting SE_RESTORE_NAME privilege failed. Only open file if NtSetSecurityObject failed or handle is NULL. (set_nt_attribute): Call write_sd with additional handle attribute. * security.h (write_sd): Declare with additional handle argument.
2004-04-14 15:40:07 +02:00
}
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
if (retry && fh)
NtClose (fh);
if (!NT_SUCCESS (status))
__seterrno_from_nt_status (status);
* sec_acl.cc (getacl): Avoid compiler warning. * security.cc (write_sd): Ditto. Fix error handling.
2004-04-14 22:16:29 +02:00
return res;
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
}
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
static int
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
get_reg_sd (HANDLE handle, security_descriptor &sd_ret)
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
{
LONG ret;
DWORD len = 0;
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
ret = RegGetKeySecurity ((HKEY) handle, ALL_SECURITY_INFORMATION,
Remove extraneous whitespace. * pinfo.cc (commune_process): Use default argument to lock_process. * sigproc.cc: Update copyright. * select.cc: Ditto.
2007-02-20 01:16:18 +01:00
sd_ret, &len);
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
if (ret == ERROR_INSUFFICIENT_BUFFER)
Remove extraneous whitespace. * pinfo.cc (commune_process): Use default argument to lock_process. * sigproc.cc: Update copyright. * select.cc: Ditto.
2007-02-20 01:16:18 +01:00
{
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
if (!sd_ret.malloc (len))
Remove extraneous whitespace. * pinfo.cc (commune_process): Use default argument to lock_process. * sigproc.cc: Update copyright. * select.cc: Ditto.
2007-02-20 01:16:18 +01:00
set_errno (ENOMEM);
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
else
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
ret = RegGetKeySecurity ((HKEY) handle, ALL_SECURITY_INFORMATION,
Remove extraneous whitespace. * pinfo.cc (commune_process): Use default argument to lock_process. * sigproc.cc: Update copyright. * select.cc: Ditto.
2007-02-20 01:16:18 +01:00
sd_ret, &len);
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
}
if (ret != ERROR_SUCCESS)
{
__seterrno ();
return -1;
Remove extraneous whitespace. * pinfo.cc (commune_process): Use default argument to lock_process. * sigproc.cc: Update copyright. * select.cc: Ditto.
2007-02-20 01:16:18 +01:00
}
Partially revert change from 2006-10-22. GetSecurityInfo messes up user information on NT4. * sec_helper.cc (security_descriptor::malloc): Drop LocalAlloc considerations. (security_descriptor::realloc): Ditto. (security_descriptor::free): Ditto. * security.cc (get_reg_security): Reinstantiate. (get_nt_object_security): Revert to using NtQuerySecurityObject. * security.h (class security_descriptor): Drop type member. Accommodate throughout. (security_descriptor::size): Constify. (security_descriptor::copy): Ditto.
2006-12-20 18:14:23 +01:00
return 0;
}
* fhandler.cc (fhandler_base::open): Simplify access evaluation expression. (fhandler_base::facl): New method. * fhandler.h: Declare facl method in fhandler_base, fhandler_disk_file and fhandler_virtual. * fhandler_disk_file.cc (fhandler_disk_file::facl): New method. * fhandler_virtual.cc (fhandler_virtual::facl): New method. * sec_acl.cc: Remove forward declaration for aclsort32 and acl32. (setacl): Remove static. Add and use handle parameter. (getacl): Ditto. (acl_worker): Reorganize to call fhandler's facl method eventually. (facl32): Ditto. * security.cc (get_nt_object_security): Remove static. * security.h: Add extern declarations for get_nt_object_security, aclsort32, acl32, getacl and setacl. Apply missing syscalls.cc patch and ChangeLog of previous check in. * syscalls.cc (chown_worker): Reorganize to call fhandler's fchown method eventually. (fchown): Ditto.
2004-04-14 18:36:26 +02:00
int
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
get_reg_attribute (HKEY hkey, mode_t *attribute, uid_t *uidret,
gid_t *gidret)
* autoload.cc (GetSecurityInfo): Define new autoload function. (RegQueryInfoKeyA): Ditto. * fhandler.h (fhandler_virtual::fill_filebuf): Change return type to bool. (fhandler_proc::fill_filebuf): Ditto. (fhandler_registry::fill_filebuf): Ditto. (fhandler_process::fill_filebuf): Ditto. (fhandler_registry::value_name): Add new member. (fhandler_registry::close): Add new method. (fhandler_process::p): Remove member. * fhandler_proc.cc (fhandler_proc::open): Add set_nohandle after calling superclass method. Check return value of fill_filebuf. (fhandler_proc::fill_filebuf): Change return type to bool. Add return statement. * fhandler_process.cc (fhandler_process::open): Add set_nohandle after calling superclass method. Remove references to p. Check return value of fill_filebuf. (fhandler_process::fill_filebuf): Change return type to bool. Don't use dereference operator on p. Add return statement. (fhandler_process::format_process_stat): Fix typo. * fhandler_registry.cc: Add static open_key declaration. (fhandler_registry::exists): Assume path is already normalised. Try opening the path as a key in its own right first, before reverting to enumerating subkeys and values of the parent key. (fhandler_registry::fstat): Add additional code to return more relevant information about the registry key/value. (fhandler_registry::readdir): Explicitly set desired access when opening registry key. Remove output of buf from debug_printf format string. (fhandler_registry::open): Use set_io_handle to store registry key handle. Set value_name member. Move code to read a value from the registry to fill_filebuf. Add call to fill_filebuf. (fhandler_registry::close): New method. (fhandler_registry::fill_filebuf): Change return type to bool. Add code to read a value from registry. (fhandler_registry::open_key): Make function static. Use KEY_READ as desired access unless this is the last path component. Check the return value of RegOpenKeyEx for an error instead of hKey. * fhandler_virtual.cc (fhandler_virtual::lseek): Check the return value of fill_filebuf. (fhandler_virtual::open): Remove call to set_nohandle. (fhandler_virtual::fill_filebuf): Change return type to bool. Add return statement. * security.cc (get_nt_object_attribute): New function. (get_object_attribute): New function. * security.h (get_object_attribute): New function declaration.
2002-07-02 03:36:15 +02:00
{
Throughout drop allow_ntsec and allow_smbntsec handling. * environ.cc (set_ntsec): Remove. (set_smbntsec): Remove. (known): Remove ntsec and smbntsec options. * external.cc (check_ntsec): Return true if no filename is given. * mount.cc (oopts): Add "acl" and "noacl" options. Set MOUNT_NOACL flag accordingly. (fillout_mntent): Handle MOUNT_NOACL flag. * path.h (enum path_types): Add PATH_NOACL. * security.cc (allow_ntsec): Remove. (allow_smbntsec): Remove. * security.h (allow_ntsec): Drop declaration. (allow_smbntsec): Drop declaration. * include/sys/mount.h (MOUNT_NOACL): Define.
2008-07-14 22:22:03 +02:00
security_descriptor sd;
* external.cc (cygwin_internal): Use security_descriptor::copy method. * sec_helper.cc (security_descriptor::malloc): Use own free method. Set type. (security_descriptor::realloc): Handle the case that psd has been allocated using LocalAlloc. Set type. (security_descriptor::free): Ditto. * security.cc (get_nt_attribute): Remove. (get_reg_security): Remove. (get_nt_object_security): Use GetSecurityInfo which handles all securable objects. (get_nt_object_attribute): Remove. (get_object_attribute): Call get_nt_object_security instead of get_nt_object_attribute. (get_file_attribute): Ditto. (check_registry_access): Call get_nt_object_security instead of get_reg_security. * security.h (cygpsid::operator PSID): Make method const, not the result. (class security_descriptor): Add type member. Accomodate throughout. (security_descriptor::copy): New method. (security_descriptor::operator PSECURITY_DESCRIPTOR *): New operator.
2006-10-22 16:57:43 +02:00
Throughout drop allow_ntsec and allow_smbntsec handling. * environ.cc (set_ntsec): Remove. (set_smbntsec): Remove. (known): Remove ntsec and smbntsec options. * external.cc (check_ntsec): Return true if no filename is given. * mount.cc (oopts): Add "acl" and "noacl" options. Set MOUNT_NOACL flag accordingly. (fillout_mntent): Handle MOUNT_NOACL flag. * path.h (enum path_types): Add PATH_NOACL. * security.cc (allow_ntsec): Remove. (allow_smbntsec): Remove. * security.h (allow_ntsec): Drop declaration. (allow_smbntsec): Drop declaration. * include/sys/mount.h (MOUNT_NOACL): Define.
2008-07-14 22:22:03 +02:00
if (!get_reg_sd (hkey, sd))
{
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
get_posix_access (sd, attribute, uidret, gidret, NULL, 0);
Throughout drop allow_ntsec and allow_smbntsec handling. * environ.cc (set_ntsec): Remove. (set_smbntsec): Remove. (known): Remove ntsec and smbntsec options. * external.cc (check_ntsec): Return true if no filename is given. * mount.cc (oopts): Add "acl" and "noacl" options. Set MOUNT_NOACL flag accordingly. (fillout_mntent): Handle MOUNT_NOACL flag. * path.h (enum path_types): Add PATH_NOACL. * security.cc (allow_ntsec): Remove. (allow_smbntsec): Remove. * security.h (allow_ntsec): Drop declaration. (allow_smbntsec): Drop declaration. * include/sys/mount.h (MOUNT_NOACL): Define.
2008-07-14 22:22:03 +02:00
return 0;
* autoload.cc (GetSecurityInfo): Define new autoload function. (RegQueryInfoKeyA): Ditto. * fhandler.h (fhandler_virtual::fill_filebuf): Change return type to bool. (fhandler_proc::fill_filebuf): Ditto. (fhandler_registry::fill_filebuf): Ditto. (fhandler_process::fill_filebuf): Ditto. (fhandler_registry::value_name): Add new member. (fhandler_registry::close): Add new method. (fhandler_process::p): Remove member. * fhandler_proc.cc (fhandler_proc::open): Add set_nohandle after calling superclass method. Check return value of fill_filebuf. (fhandler_proc::fill_filebuf): Change return type to bool. Add return statement. * fhandler_process.cc (fhandler_process::open): Add set_nohandle after calling superclass method. Remove references to p. Check return value of fill_filebuf. (fhandler_process::fill_filebuf): Change return type to bool. Don't use dereference operator on p. Add return statement. (fhandler_process::format_process_stat): Fix typo. * fhandler_registry.cc: Add static open_key declaration. (fhandler_registry::exists): Assume path is already normalised. Try opening the path as a key in its own right first, before reverting to enumerating subkeys and values of the parent key. (fhandler_registry::fstat): Add additional code to return more relevant information about the registry key/value. (fhandler_registry::readdir): Explicitly set desired access when opening registry key. Remove output of buf from debug_printf format string. (fhandler_registry::open): Use set_io_handle to store registry key handle. Set value_name member. Move code to read a value from the registry to fill_filebuf. Add call to fill_filebuf. (fhandler_registry::close): New method. (fhandler_registry::fill_filebuf): Change return type to bool. Add code to read a value from registry. (fhandler_registry::open_key): Make function static. Use KEY_READ as desired access unless this is the last path component. Check the return value of RegOpenKeyEx for an error instead of hKey. * fhandler_virtual.cc (fhandler_virtual::lseek): Check the return value of fill_filebuf. (fhandler_virtual::open): Remove call to set_nohandle. (fhandler_virtual::fill_filebuf): Change return type to bool. Add return statement. * security.cc (get_nt_object_attribute): New function. (get_object_attribute): New function. * security.h (get_object_attribute): New function declaration.
2002-07-02 03:36:15 +02:00
}
* security.cc (get_info_from_sd): New function. (get_nt_attribute): Only call read_sd and get_info_from_sd. Return void. (get_file_attribute): Move sd error handling to get_info_from_sd. and symlink handling to fhandler_disk_file::fstat_helper. (get_nt_object_attribute): Only call read_sd and get_info_from_sd. Return void. (get_object_attribute): Remove symlink handling and simply return -1 when ntsec is off. * fhandler_disk_file.cc (fhandler_disk_file::fstat_helper): For symlinks set the attribute, call get_file_attribute to get the ids and return. In the normal case call get_file_attribute with the addresses of the buffer ids and do not recheck if the file is a socket.
2003-04-11 11:38:07 +02:00
/* The entries are already set to default values */
return -1;
* autoload.cc (GetSecurityInfo): Define new autoload function. (RegQueryInfoKeyA): Ditto. * fhandler.h (fhandler_virtual::fill_filebuf): Change return type to bool. (fhandler_proc::fill_filebuf): Ditto. (fhandler_registry::fill_filebuf): Ditto. (fhandler_process::fill_filebuf): Ditto. (fhandler_registry::value_name): Add new member. (fhandler_registry::close): Add new method. (fhandler_process::p): Remove member. * fhandler_proc.cc (fhandler_proc::open): Add set_nohandle after calling superclass method. Check return value of fill_filebuf. (fhandler_proc::fill_filebuf): Change return type to bool. Add return statement. * fhandler_process.cc (fhandler_process::open): Add set_nohandle after calling superclass method. Remove references to p. Check return value of fill_filebuf. (fhandler_process::fill_filebuf): Change return type to bool. Don't use dereference operator on p. Add return statement. (fhandler_process::format_process_stat): Fix typo. * fhandler_registry.cc: Add static open_key declaration. (fhandler_registry::exists): Assume path is already normalised. Try opening the path as a key in its own right first, before reverting to enumerating subkeys and values of the parent key. (fhandler_registry::fstat): Add additional code to return more relevant information about the registry key/value. (fhandler_registry::readdir): Explicitly set desired access when opening registry key. Remove output of buf from debug_printf format string. (fhandler_registry::open): Use set_io_handle to store registry key handle. Set value_name member. Move code to read a value from the registry to fill_filebuf. Add call to fill_filebuf. (fhandler_registry::close): New method. (fhandler_registry::fill_filebuf): Change return type to bool. Add code to read a value from registry. (fhandler_registry::open_key): Make function static. Use KEY_READ as desired access unless this is the last path component. Check the return value of RegOpenKeyEx for an error instead of hKey. * fhandler_virtual.cc (fhandler_virtual::lseek): Check the return value of fill_filebuf. (fhandler_virtual::open): Remove call to set_nohandle. (fhandler_virtual::fill_filebuf): Change return type to bool. Add return statement. * security.cc (get_nt_object_attribute): New function. (get_object_attribute): New function. * security.h (get_object_attribute): New function declaration.
2002-07-02 03:36:15 +02:00
}
* fhandler.cc (fhandler_base::open): Set query access mode according to query_open setting. (fhandler_base::fhandler_base): Initialize query_open. * fhandler.h (FH_QUERYOPEN): Drop. (enum query_state): Add. (class fhandler_base): Add query_open member. (fhandler_base::get_query_open): Redefine to use query_open. (fhandler_base::set_query_open): Ditto. * fhandler_disk_file.cc (fhandler_base::fstat_fs): Remove O_DIROPEN from open_flags since it's added in open_fs anyway. Remove query_open_already. Use new query_open settings. Rearrange slightly. (fhandler_base::fstat_helper): Add get_io_handle as parameter to get_file_attribute. * security.cc (get_nt_object_attribute): Make returning an int. Return -1 on error, 0 otherwise. (get_file_attribute): Take an object handle as argument. Move down to allow calling get_nt_object_attribute in case a non-NULL handle is given. * security.h (get_file_attribute): Add handle to argument list. * syscalls.cc (chown_worker): Accomodate new definition of get_file_attribute.
2004-04-08 09:57:28 +02:00
int
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
get_file_attribute (HANDLE handle, path_conv &pc,
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
mode_t *attribute, uid_t *uidret, gid_t *gidret)
* fhandler.cc (fhandler_base::open): Set query access mode according to query_open setting. (fhandler_base::fhandler_base): Initialize query_open. * fhandler.h (FH_QUERYOPEN): Drop. (enum query_state): Add. (class fhandler_base): Add query_open member. (fhandler_base::get_query_open): Redefine to use query_open. (fhandler_base::set_query_open): Ditto. * fhandler_disk_file.cc (fhandler_base::fstat_fs): Remove O_DIROPEN from open_flags since it's added in open_fs anyway. Remove query_open_already. Use new query_open settings. Rearrange slightly. (fhandler_base::fstat_helper): Add get_io_handle as parameter to get_file_attribute. * security.cc (get_nt_object_attribute): Make returning an int. Return -1 on error, 0 otherwise. (get_file_attribute): Take an object handle as argument. Move down to allow calling get_nt_object_attribute in case a non-NULL handle is given. * security.h (get_file_attribute): Add handle to argument list. * syscalls.cc (chown_worker): Accomodate new definition of get_file_attribute.
2004-04-08 09:57:28 +02:00
{
Throughout drop allow_ntsec and allow_smbntsec handling. * environ.cc (set_ntsec): Remove. (set_smbntsec): Remove. (known): Remove ntsec and smbntsec options. * external.cc (check_ntsec): Return true if no filename is given. * mount.cc (oopts): Add "acl" and "noacl" options. Set MOUNT_NOACL flag accordingly. (fillout_mntent): Handle MOUNT_NOACL flag. * path.h (enum path_types): Add PATH_NOACL. * security.cc (allow_ntsec): Remove. (allow_smbntsec): Remove. * security.h (allow_ntsec): Drop declaration. (allow_smbntsec): Drop declaration. * include/sys/mount.h (MOUNT_NOACL): Define.
2008-07-14 22:22:03 +02:00
if (pc.has_acls ())
* fhandler.cc (fhandler_base::open): Set query access mode according to query_open setting. (fhandler_base::fhandler_base): Initialize query_open. * fhandler.h (FH_QUERYOPEN): Drop. (enum query_state): Add. (class fhandler_base): Add query_open member. (fhandler_base::get_query_open): Redefine to use query_open. (fhandler_base::set_query_open): Ditto. * fhandler_disk_file.cc (fhandler_base::fstat_fs): Remove O_DIROPEN from open_flags since it's added in open_fs anyway. Remove query_open_already. Use new query_open settings. Rearrange slightly. (fhandler_base::fstat_helper): Add get_io_handle as parameter to get_file_attribute. * security.cc (get_nt_object_attribute): Make returning an int. Return -1 on error, 0 otherwise. (get_file_attribute): Take an object handle as argument. Move down to allow calling get_nt_object_attribute in case a non-NULL handle is given. * security.h (get_file_attribute): Add handle to argument list. * syscalls.cc (chown_worker): Accomodate new definition of get_file_attribute.
2004-04-08 09:57:28 +02:00
{
* external.cc (cygwin_internal): Use security_descriptor::copy method. * sec_helper.cc (security_descriptor::malloc): Use own free method. Set type. (security_descriptor::realloc): Handle the case that psd has been allocated using LocalAlloc. Set type. (security_descriptor::free): Ditto. * security.cc (get_nt_attribute): Remove. (get_reg_security): Remove. (get_nt_object_security): Use GetSecurityInfo which handles all securable objects. (get_nt_object_attribute): Remove. (get_object_attribute): Call get_nt_object_security instead of get_nt_object_attribute. (get_file_attribute): Ditto. (check_registry_access): Call get_nt_object_security instead of get_reg_security. * security.h (cygpsid::operator PSID): Make method const, not the result. (class security_descriptor): Add type member. Accomodate throughout. (security_descriptor::copy): New method. (security_descriptor::operator PSECURITY_DESCRIPTOR *): New operator.
2006-10-22 16:57:43 +02:00
security_descriptor sd;
* security.cc (get_file_sd): Add bool parameter justcreated. Use GetSecurityInfo only if justcreated is true, NtQuerySecurityObject otherwise. Add comment to explain why. Don't waste time to call NtQuerySecurityObject twice, just allocate big enough area. (get_file_attribute): Call get_file_sd with justcreated set to false. (set_file_attribute): Call get_file_sd with justcreated depending on S_JUSTCREATED pseudo file attribute. (check_file_access): Call get_file_sd with justcreated set to false. * sec_acl.cc (setacl): Ditto. (getacl): Ditto. * security.h: Convert many functions to regparm functions. (get_file_sd): Declare with extra bool parameter.
2010-09-10 11:32:13 +02:00
if (!get_file_sd (handle, pc, sd, false))
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
{
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
get_posix_access (sd, attribute, uidret, gidret, NULL, 0);
* fhandler.cc (fhandler_base::fhaccess): Accommodate interface changes of access control functions throughout. * fhandler_disk_file.cc: Ditto. * fhandler_registry.cc: Ditto. * sec_acl.cc: Drop unnecessary includes. (setacl): Take path_conv instead of file name as parameter. Accommodate interface changes of access control functions. (getacl): Ditto. * sec_auth.cc: New file, taking over all authentication related functions from security.cc. * sec_helper.cc: Drop unnecessary includes. * security.cc: Ditto. Move all authentication related functions to sec_auth.cc. (ALL_SECURITY_INFORMATION): New define. Use throughout. (set_file_sd): New function, replacing read_sd and the file related part of get_nt_object_security. (get_reg_sd): Rename from get_reg_security. Drop type parameter. (get_reg_attribute): New function, replacing the registry related part of get_nt_object_security. (get_file_attribute): Take path_conv instead of file name as parameter. Use new get_file_sd call. (set_file_attribute): Ditto plus new set_file_sd. Drop unnecessary implementation without uid/gid parameters. (check_file_access): Take path_conv instead of file name as parameter. Use new get_file_sd call. (check_registry_access): Use new get_reg_sd call. * security.h: Accommodate above interface changes.
2007-07-20 16:29:43 +02:00
return 0;
}
* errno.cc (errmap): Map ERROR_BAD_NET_RESP to ENOSYS. * fhandler_disk_file.cc (fhandler_disk_file::facl): Handle ENOSYS and point to the explanation. * ntdll.h (STATUS_NOT_IMPLEMENTED): Define. * path.cc (symlink_info::check): Handle the inability of NT4 to use FileNetworkOpenInformation on share root dirs in either direction. * path.h (slash_unc_prefix_p): Remove unused declaration. * security.cc (get_info_from_sd): Handle ENOSYS from get_file_sd. Explain when this happens.
2010-09-24 14:41:33 +02:00
/* ENOSYS is returned by get_file_sd if fetching the DACL from a remote
share returns STATUS_INVALID_NETWORK_RESPONSE, which in turn is
converted to ERROR_BAD_NET_RESP. This potentially occurs when trying
to fetch DACLs from a NT4 machine which is not part of the domain of
the requesting machine. */
else if (get_errno () != ENOSYS)
Perform whitespace cleanup throughout. * dcrt0.cc (signal_shift_subtract): Eliminate ancient backwards compatibility. (check_sanity_and_sync): Ditto. * winsup.h (SIGTOMASK): Ditto. Just use constant in signal calculation. * include/cygwin/version: Remove backwards signal mask compatibility define. * path.cc (symlink_info::check_sysfile): Cosmetic change. * registry.cc (get_registry_hive_path): Remove unneeded variable. * exceptions.cc (handle_sigsuspend): Eliminate thread signal mask and use either main sigmask or current thread sigmask. (set_process_mask): Ditto. (sighold): Ditto. (sigrelse): Ditto. (sigset): Ditto. (set_process_mask_delta): Ditto. (_cygtls::call_signal_handler): Ditto. * fhandler_process.cc (format_process_status): Ditto. * fhandler_termios.cc (fhandler_termios::bg_check): Ditto. * pinfo.h (class pinfo): Ditto. * select.cc (pselect): Ditto. * signal.cc (sigprocmask): Ditto. (abort): Ditto. (sigpause): Ditto. (sigsend): Ditto. (wait_sig): Ditto. * thread.h (pthread::parent_tls): New member. * thread.cc (pthread::pthread): Record parent_tls here. (pthread::thread_init_wrapper): Initialize sigmask from parent thread.
2008-02-15 18:53:11 +01:00
{
* fhandler_disk_file.cc (fhandler_disk_file::facl): If file can't be opened for reading the ACLs, fall back to faking them. * sec_acl.cc (acl_worker): Handle non-existing files. * security.cc (get_file_attribute): Return ILLEGAL_UID/ILLEGAL_GID as owner/group for non-readable ACLs on file systems supporting them.
2007-07-30 12:58:16 +02:00
if (uidret)
*uidret = ILLEGAL_UID;
if (gidret)
*gidret = ILLEGAL_GID;
return -1;
}
* fhandler.cc (fhandler_base::open): Set query access mode according to query_open setting. (fhandler_base::fhandler_base): Initialize query_open. * fhandler.h (FH_QUERYOPEN): Drop. (enum query_state): Add. (class fhandler_base): Add query_open member. (fhandler_base::get_query_open): Redefine to use query_open. (fhandler_base::set_query_open): Ditto. * fhandler_disk_file.cc (fhandler_base::fstat_fs): Remove O_DIROPEN from open_flags since it's added in open_fs anyway. Remove query_open_already. Use new query_open settings. Rearrange slightly. (fhandler_base::fstat_helper): Add get_io_handle as parameter to get_file_attribute. * security.cc (get_nt_object_attribute): Make returning an int. Return -1 on error, 0 otherwise. (get_file_attribute): Take an object handle as argument. Move down to allow calling get_nt_object_attribute in case a non-NULL handle is given. * security.h (get_file_attribute): Add handle to argument list. * syscalls.cc (chown_worker): Accomodate new definition of get_file_attribute.
2004-04-08 09:57:28 +02:00
}
if (uidret)
*uidret = myself->uid;
if (gidret)
*gidret = myself->gid;
* Makefile (DLL_OFILES): Remove ntea.o * environ.cc (set_ntea): Delete. (parse_thing): Delete "ntea" setting. * fhandler.cc (fhandler_base::open): Remove allow_ntea considerations. (check_posix_perm): Ditto. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Ditto. (fhandler_base::open_fs): Ditto. (fhandler_disk_file::mkdir): Ditto. * path.cc (symlink_worker): Ditto. * security.cc (get_file_attribute): Ditto. (set_file_attribute): Ditto. * security.h: Remove allow_ntea declaration.
2007-03-01 16:13:47 +01:00
return -1;
* fhandler.cc (fhandler_base::open): Set query access mode according to query_open setting. (fhandler_base::fhandler_base): Initialize query_open. * fhandler.h (FH_QUERYOPEN): Drop. (enum query_state): Add. (class fhandler_base): Add query_open member. (fhandler_base::get_query_open): Redefine to use query_open. (fhandler_base::set_query_open): Ditto. * fhandler_disk_file.cc (fhandler_base::fstat_fs): Remove O_DIROPEN from open_flags since it's added in open_fs anyway. Remove query_open_already. Use new query_open settings. Rearrange slightly. (fhandler_base::fstat_helper): Add get_io_handle as parameter to get_file_attribute. * security.cc (get_nt_object_attribute): Make returning an int. Return -1 on error, 0 otherwise. (get_file_attribute): Take an object handle as argument. Move down to allow calling get_nt_object_attribute in case a non-NULL handle is given. * security.h (get_file_attribute): Add handle to argument list. * syscalls.cc (chown_worker): Accomodate new definition of get_file_attribute.
2004-04-08 09:57:28 +02:00
}
Change use of BOOL, TRUE, FALSE to bool, true, false, as appropriate, throughout. * tty.cc (tty::common_init): Remove call to SetKernelObjectSecurity and edit some comments. * cygheap.h (init_cygheap::ctty): Add new element. * devices.in (device::parse): Remove special handling for /dev/tty. * devices.cc: Regenerate. * dtable.cc (build_fh_pc): Don't reset /dev/tty device. Let the device opener do that. * fhandler_termios.cc (tty_min::set_ctty): Redefine to _pinfo class. * fhandler_tty.cc (fhandler_tty_common::set_close_on_exec): Avoid setting noninherit flag for ctty. * tty.h: Move BOOLs to bools. (tty_min::set_ctty): Redeclare to _pinfo class. * pinfo.cc (_pinfo::set_ctty): Define new function based on tty_min::set_ctty. Change first argument from tty number to tty_min class. * pinfo.h (_pinfo::set_ctty): Declare. * fhandler_console.cc (fhandler_console::get_tty_stuff): Reflect move of set_ctty to _pinfo class. * fhandler_tty.cc (fhandler_tty_slave::open): Treat FH_TTY specially. Use saved cygheap value if it exists. Otherwise convert to real device and save on first time open. (fhandler_tty_common::dup): Potentially set controlling tty if duping a slave tty. * syscalls.cc (setsid): Close controlling tty in cygheap. * tty.cc: Change some BOOLs to bools.
2003-12-07 23:37:12 +01:00
bool
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
add_access_allowed_ace (PACL acl, DWORD attributes, PSID sid, size_t &len_add,
DWORD inherit)
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
{
* globals.cc (ro_u_refs): New R/O unicode string. * mount.cc (fs_info::update): Recognize ReFS. * mount.h (enum fs_info_type): Add refs. (class fs_info): Add refs flag and accessor methods. * ntdll.h (RtlAddAccessAllowedAceEx): Declare. (RtlAddAccessDeniedAceEx): Declare. * path.h (path_conv::fs_is_refs): Define. * sec_helper.cc (_recycler_sd): New function to create security descriptors suitable for the recycler bin starting with Vista. * security.cc (add_access_allowed_ace): Use RtlAddAccessAllowedAceEx and drop code to set AceFlags explicitely. (add_access_denied_ace): Use RtlAddAccessDeniedAceEx and drop code to set AceFlags explicitely. * security.h (_recycler_sd): Declare. (recycler_sd): Define. * syscalls.cc (desktop_ini): Change formatting. (desktop_ini_ext): Define third line of recycler desktop.ini file since Vista, (try_to_bin): Handle ReFS just like NTFS. Write Vista and later Recycler in all uppercase, just like shell32 does when recreating it. Fix comments to include ReFS. Don't implicitely reuse object attributes from earlier NtOpenFile call, rather recreate it for safety. Use recycler_sd call when creating security descriptor for Recycler dirs and files on Vista and later. Write third line of desktop.ini when on Vista and later.
2012-06-03 18:46:53 +02:00
NTSTATUS status = RtlAddAccessAllowedAceEx (acl, ACL_REVISION, inherit,
attributes, sid);
* advapi32.cc: Add comment. (EqualSid): Remove. (CopySid): Remove. (AddAccessAllowedAce): Remove. (AddAccessDeniedAce): Remove. (MakeSelfRelativeSD): Remove. * flock.cc: Replace above functions throughout with their ntdll.dll equivalent. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto. * security.h: Ditto. (RtlEqualSid): Declare. Explain why. (RtlCopySid): Ditto.
2011-04-29 12:38:12 +02:00
if (!NT_SUCCESS (status))
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
{
* advapi32.cc: Add comment. (EqualSid): Remove. (CopySid): Remove. (AddAccessAllowedAce): Remove. (AddAccessDeniedAce): Remove. (MakeSelfRelativeSD): Remove. * flock.cc: Replace above functions throughout with their ntdll.dll equivalent. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto. * security.h: Ditto. (RtlEqualSid): Declare. Explain why. (RtlCopySid): Ditto.
2011-04-29 12:38:12 +02:00
__seterrno_from_nt_status (status);
Change use of BOOL, TRUE, FALSE to bool, true, false, as appropriate, throughout. * tty.cc (tty::common_init): Remove call to SetKernelObjectSecurity and edit some comments. * cygheap.h (init_cygheap::ctty): Add new element. * devices.in (device::parse): Remove special handling for /dev/tty. * devices.cc: Regenerate. * dtable.cc (build_fh_pc): Don't reset /dev/tty device. Let the device opener do that. * fhandler_termios.cc (tty_min::set_ctty): Redefine to _pinfo class. * fhandler_tty.cc (fhandler_tty_common::set_close_on_exec): Avoid setting noninherit flag for ctty. * tty.h: Move BOOLs to bools. (tty_min::set_ctty): Redeclare to _pinfo class. * pinfo.cc (_pinfo::set_ctty): Define new function based on tty_min::set_ctty. Change first argument from tty number to tty_min class. * pinfo.h (_pinfo::set_ctty): Declare. * fhandler_console.cc (fhandler_console::get_tty_stuff): Reflect move of set_ctty to _pinfo class. * fhandler_tty.cc (fhandler_tty_slave::open): Treat FH_TTY specially. Use saved cygheap value if it exists. Otherwise convert to real device and save on first time open. (fhandler_tty_common::dup): Potentially set controlling tty if duping a slave tty. * syscalls.cc (setsid): Close controlling tty in cygheap. * tty.cc: Change some BOOLs to bools.
2003-12-07 23:37:12 +01:00
return false;
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
}
* advapi32.cc (InitializeSid): Remove. (EqualPrefixSid): Remove. (GetLengthSid): Remove. (GetSidSubAuthority): Remove. (GetSidSubAuthorityCount): Remove. (GetSidIdentifierAuthority): Remove. * fhandler_disk_file.cc: Remove above functions throughout with their ntdll.dll equivalent. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto.
2011-04-28 10:34:49 +02:00
len_add += sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
Change use of BOOL, TRUE, FALSE to bool, true, false, as appropriate, throughout. * tty.cc (tty::common_init): Remove call to SetKernelObjectSecurity and edit some comments. * cygheap.h (init_cygheap::ctty): Add new element. * devices.in (device::parse): Remove special handling for /dev/tty. * devices.cc: Regenerate. * dtable.cc (build_fh_pc): Don't reset /dev/tty device. Let the device opener do that. * fhandler_termios.cc (tty_min::set_ctty): Redefine to _pinfo class. * fhandler_tty.cc (fhandler_tty_common::set_close_on_exec): Avoid setting noninherit flag for ctty. * tty.h: Move BOOLs to bools. (tty_min::set_ctty): Redeclare to _pinfo class. * pinfo.cc (_pinfo::set_ctty): Define new function based on tty_min::set_ctty. Change first argument from tty number to tty_min class. * pinfo.h (_pinfo::set_ctty): Declare. * fhandler_console.cc (fhandler_console::get_tty_stuff): Reflect move of set_ctty to _pinfo class. * fhandler_tty.cc (fhandler_tty_slave::open): Treat FH_TTY specially. Use saved cygheap value if it exists. Otherwise convert to real device and save on first time open. (fhandler_tty_common::dup): Potentially set controlling tty if duping a slave tty. * syscalls.cc (setsid): Close controlling tty in cygheap. * tty.cc: Change some BOOLs to bools.
2003-12-07 23:37:12 +01:00
return true;
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
}
Change use of BOOL, TRUE, FALSE to bool, true, false, as appropriate, throughout. * tty.cc (tty::common_init): Remove call to SetKernelObjectSecurity and edit some comments. * cygheap.h (init_cygheap::ctty): Add new element. * devices.in (device::parse): Remove special handling for /dev/tty. * devices.cc: Regenerate. * dtable.cc (build_fh_pc): Don't reset /dev/tty device. Let the device opener do that. * fhandler_termios.cc (tty_min::set_ctty): Redefine to _pinfo class. * fhandler_tty.cc (fhandler_tty_common::set_close_on_exec): Avoid setting noninherit flag for ctty. * tty.h: Move BOOLs to bools. (tty_min::set_ctty): Redeclare to _pinfo class. * pinfo.cc (_pinfo::set_ctty): Define new function based on tty_min::set_ctty. Change first argument from tty number to tty_min class. * pinfo.h (_pinfo::set_ctty): Declare. * fhandler_console.cc (fhandler_console::get_tty_stuff): Reflect move of set_ctty to _pinfo class. * fhandler_tty.cc (fhandler_tty_slave::open): Treat FH_TTY specially. Use saved cygheap value if it exists. Otherwise convert to real device and save on first time open. (fhandler_tty_common::dup): Potentially set controlling tty if duping a slave tty. * syscalls.cc (setsid): Close controlling tty in cygheap. * tty.cc: Change some BOOLs to bools.
2003-12-07 23:37:12 +01:00
bool
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
add_access_denied_ace (PACL acl, DWORD attributes, PSID sid, size_t &len_add,
DWORD inherit)
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
{
* globals.cc (ro_u_refs): New R/O unicode string. * mount.cc (fs_info::update): Recognize ReFS. * mount.h (enum fs_info_type): Add refs. (class fs_info): Add refs flag and accessor methods. * ntdll.h (RtlAddAccessAllowedAceEx): Declare. (RtlAddAccessDeniedAceEx): Declare. * path.h (path_conv::fs_is_refs): Define. * sec_helper.cc (_recycler_sd): New function to create security descriptors suitable for the recycler bin starting with Vista. * security.cc (add_access_allowed_ace): Use RtlAddAccessAllowedAceEx and drop code to set AceFlags explicitely. (add_access_denied_ace): Use RtlAddAccessDeniedAceEx and drop code to set AceFlags explicitely. * security.h (_recycler_sd): Declare. (recycler_sd): Define. * syscalls.cc (desktop_ini): Change formatting. (desktop_ini_ext): Define third line of recycler desktop.ini file since Vista, (try_to_bin): Handle ReFS just like NTFS. Write Vista and later Recycler in all uppercase, just like shell32 does when recreating it. Fix comments to include ReFS. Don't implicitely reuse object attributes from earlier NtOpenFile call, rather recreate it for safety. Use recycler_sd call when creating security descriptor for Recycler dirs and files on Vista and later. Write third line of desktop.ini when on Vista and later.
2012-06-03 18:46:53 +02:00
NTSTATUS status = RtlAddAccessDeniedAceEx (acl, ACL_REVISION, inherit,
attributes, sid);
* advapi32.cc: Add comment. (EqualSid): Remove. (CopySid): Remove. (AddAccessAllowedAce): Remove. (AddAccessDeniedAce): Remove. (MakeSelfRelativeSD): Remove. * flock.cc: Replace above functions throughout with their ntdll.dll equivalent. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto. * security.h: Ditto. (RtlEqualSid): Declare. Explain why. (RtlCopySid): Ditto.
2011-04-29 12:38:12 +02:00
if (!NT_SUCCESS (status))
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
{
* advapi32.cc: Add comment. (EqualSid): Remove. (CopySid): Remove. (AddAccessAllowedAce): Remove. (AddAccessDeniedAce): Remove. (MakeSelfRelativeSD): Remove. * flock.cc: Replace above functions throughout with their ntdll.dll equivalent. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto. * security.h: Ditto. (RtlEqualSid): Declare. Explain why. (RtlCopySid): Ditto.
2011-04-29 12:38:12 +02:00
__seterrno_from_nt_status (status);
Change use of BOOL, TRUE, FALSE to bool, true, false, as appropriate, throughout. * tty.cc (tty::common_init): Remove call to SetKernelObjectSecurity and edit some comments. * cygheap.h (init_cygheap::ctty): Add new element. * devices.in (device::parse): Remove special handling for /dev/tty. * devices.cc: Regenerate. * dtable.cc (build_fh_pc): Don't reset /dev/tty device. Let the device opener do that. * fhandler_termios.cc (tty_min::set_ctty): Redefine to _pinfo class. * fhandler_tty.cc (fhandler_tty_common::set_close_on_exec): Avoid setting noninherit flag for ctty. * tty.h: Move BOOLs to bools. (tty_min::set_ctty): Redeclare to _pinfo class. * pinfo.cc (_pinfo::set_ctty): Define new function based on tty_min::set_ctty. Change first argument from tty number to tty_min class. * pinfo.h (_pinfo::set_ctty): Declare. * fhandler_console.cc (fhandler_console::get_tty_stuff): Reflect move of set_ctty to _pinfo class. * fhandler_tty.cc (fhandler_tty_slave::open): Treat FH_TTY specially. Use saved cygheap value if it exists. Otherwise convert to real device and save on first time open. (fhandler_tty_common::dup): Potentially set controlling tty if duping a slave tty. * syscalls.cc (setsid): Close controlling tty in cygheap. * tty.cc: Change some BOOLs to bools.
2003-12-07 23:37:12 +01:00
return false;
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
}
* advapi32.cc (InitializeSid): Remove. (EqualPrefixSid): Remove. (GetLengthSid): Remove. (GetSidSubAuthority): Remove. (GetSidSubAuthorityCount): Remove. (GetSidIdentifierAuthority): Remove. * fhandler_disk_file.cc: Remove above functions throughout with their ntdll.dll equivalent. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto.
2011-04-28 10:34:49 +02:00
len_add += sizeof (ACCESS_DENIED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
Change use of BOOL, TRUE, FALSE to bool, true, false, as appropriate, throughout. * tty.cc (tty::common_init): Remove call to SetKernelObjectSecurity and edit some comments. * cygheap.h (init_cygheap::ctty): Add new element. * devices.in (device::parse): Remove special handling for /dev/tty. * devices.cc: Regenerate. * dtable.cc (build_fh_pc): Don't reset /dev/tty device. Let the device opener do that. * fhandler_termios.cc (tty_min::set_ctty): Redefine to _pinfo class. * fhandler_tty.cc (fhandler_tty_common::set_close_on_exec): Avoid setting noninherit flag for ctty. * tty.h: Move BOOLs to bools. (tty_min::set_ctty): Redeclare to _pinfo class. * pinfo.cc (_pinfo::set_ctty): Define new function based on tty_min::set_ctty. Change first argument from tty number to tty_min class. * pinfo.h (_pinfo::set_ctty): Declare. * fhandler_console.cc (fhandler_console::get_tty_stuff): Reflect move of set_ctty to _pinfo class. * fhandler_tty.cc (fhandler_tty_slave::open): Treat FH_TTY specially. Use saved cygheap value if it exists. Otherwise convert to real device and save on first time open. (fhandler_tty_common::dup): Potentially set controlling tty if duping a slave tty. * syscalls.cc (setsid): Close controlling tty in cygheap. * tty.cc: Change some BOOLs to bools.
2003-12-07 23:37:12 +01:00
return true;
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
}
* dir.cc (mkdir): Set security attributes correctly for CreateDirectoryA () call if ntsec is on. Don't call set_file_attributes () then. * fhandler.cc (fhandler_base::open): Ditto for CreateFileA () call. * path.cc (symlink): Ditto. * security.cc (set_security_attribute): New function. * security.h: Add declaration for `allow_ntea' and `set_security_attribute'.
2001-08-07 17:09:54 +02:00
void
* external.cc (cygwin_internal): Call set_security_attribute with additional path_conv argument. * fhandler.cc (fhandler_base::open): Ditto. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Never set DOS R/O attribute when using ACLs. (fhandler_disk_file::mkdir): Ditto. Set security descriptor on remote dirs after creating the dir, same as in fhandler_base::open. * fhandler_socket.cc (fhandler_socket::bind): Ditto for remote AF_LOCAL socket files. * path.cc (symlink_worker): Ditto. for remote symlinks. * security.cc (alloc_sd): Take additional path_conv argument. Accommodate throughout. Drop setting FILE_WRITE_EA/FILE_READ_EA flags unconditionally (was only necessary for "ntea"). Don't set FILE_READ_ATTRIBUTES and FILE_WRITE_ATTRIBUTES unconditionally on Samba. Add comment to explain. Drop useless setting of STANDARD_RIGHTS_WRITE, it's in FILE_GENERIC_WRITE anyway. Remove FILE_READ_ATTRIBUTES bit from FILE_GENERIC_EXECUTE so as not to enforce read permissions on Samba. (set_security_attribute): Take additional path_conv argument. * security.h (set_security_attribute): Change prototype accordingly.
2008-08-14 16:05:04 +02:00
set_security_attribute (path_conv &pc, int attribute, PSECURITY_ATTRIBUTES psa,
* dir.cc (mkdir): Use local security_descriptor. Call set_security_attribute appropriately. * external.cc (cygwin_internal): Ditto. * fhandler.cc (fhandler_base::open): Ditto. * fhandler_socket.cc (fhandler_socket::bind): Ditto. * path.cc (symlink_worker): Ditto. * sec_acl.cc (setacl): Ditto. Call read_sd appropriately. (getace): Ditto. * sec_helper.cc (security_descriptor::malloc): New method. (security_descriptor::realloc): New method. (security_descriptor::free): New method. * security.cc (read_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. Allocate the security_descriptor buffer according to size returned by a call to GetFileSecurity. Return buffer size on success. (write_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (get_nt_attribute): Use local security_descriptor. (get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY. Allocate security_descriptor buffer according to size returned by a call to RegGetKeySecurity. (alloc_sd): Make static. Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. (set_security_attribute): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (set_nt_attribute): Use local security_descriptor. (check_file_access): Ditto. * security.h: Add class security_descriptor. (read_sd): Change declaration to get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (write_sd): Ditto. (set_security_attribute): Ditto. (alloc_sd): Remove declaration. * thread.cc (semaphore::semaphore): Use local security_descriptor. Call set_security_attribute appropriately.
2003-11-26 14:23:27 +01:00
security_descriptor &sd)
* dir.cc (mkdir): Set security attributes correctly for CreateDirectoryA () call if ntsec is on. Don't call set_file_attributes () then. * fhandler.cc (fhandler_base::open): Ditto for CreateFileA () call. * path.cc (symlink): Ditto. * security.cc (set_security_attribute): New function. * security.h: Add declaration for `allow_ntea' and `set_security_attribute'.
2001-08-07 17:09:54 +02:00
{
* dir.cc (mkdir): Use local security_descriptor. Call set_security_attribute appropriately. * external.cc (cygwin_internal): Ditto. * fhandler.cc (fhandler_base::open): Ditto. * fhandler_socket.cc (fhandler_socket::bind): Ditto. * path.cc (symlink_worker): Ditto. * sec_acl.cc (setacl): Ditto. Call read_sd appropriately. (getace): Ditto. * sec_helper.cc (security_descriptor::malloc): New method. (security_descriptor::realloc): New method. (security_descriptor::free): New method. * security.cc (read_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. Allocate the security_descriptor buffer according to size returned by a call to GetFileSecurity. Return buffer size on success. (write_sd): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (get_nt_attribute): Use local security_descriptor. (get_nt_object_attribute): Ditto in case of type == SE_REGISTRY_KEY. Allocate security_descriptor buffer according to size returned by a call to RegGetKeySecurity. (alloc_sd): Make static. Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. Drop unnecessary parameter check. (set_security_attribute): Get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (set_nt_attribute): Use local security_descriptor. (check_file_access): Ditto. * security.h: Add class security_descriptor. (read_sd): Change declaration to get security_descriptor as parameter instead of PSECURITY_DESCRIPTOR and a size. (write_sd): Ditto. (set_security_attribute): Ditto. (alloc_sd): Remove declaration. * thread.cc (semaphore::semaphore): Use local security_descriptor. Call set_security_attribute appropriately.
2003-11-26 14:23:27 +01:00
psa->lpSecurityDescriptor = sd.malloc (SECURITY_DESCRIPTOR_MIN_LENGTH);
* advapi32.cc (InitializeAcl): Remove. (AddAce): Remove. (FindFirstFreeAce): Remove. (GetAce): Remove. (InitializeSecurityDescriptor): Remove. (OpenProcessToken): Remove. * dcrt0.cc: Replace above functions throughout with their ntdll.dll equivalent. * fhandler_tty.cc: Ditto. * flock.cc: Ditto. * pinfo.cc: Ditto. Drop unnecessary error handling. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto.
2011-04-28 11:30:36 +02:00
RtlCreateSecurityDescriptor ((PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor,
* cygheap.h (init_cygheap): Move heap pointers here. * include/sys/cygwin.h (perprocess): Remove heap pointers. * dcrt0.cc (__cygwin_user_data): Reflect obsolete perprocess stuff. (_dll_crt0): Don't initialize heap pointers. (cygwin_dll_init): Ditto. (release_upto): Use heap pointers from cygheap. * heap.h: Ditto. * fork.cc (fork_parent): Ditto. Don't set heap pointers in ch. (fork_child): Remove obsolete sigproc_fixup_after_fork. * shared.cc (memory_init): Reorganize so that cygheap initialization is called prior to regular heap since regular heap uses cygheap now. * sigproc.cc (proc_subproc): Eliminate zombies allocation. (sigproc_init): Move zombies alloation here. Don't free up array on fork, just reuse it. (sigproc_fixup_after_fork): Eliminate. * sigproc.h: Ditto. * include/cygwin/version.h: Reflect change to perprocess structure.
2001-09-07 23:32:07 +02:00
SECURITY_DESCRIPTOR_REVISION);
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
psa->lpSecurityDescriptor = set_posix_access (attribute, geteuid32 (),
getegid32 (), NULL, 0,
sd, false);
* dir.cc (mkdir): Set security attributes correctly for CreateDirectoryA () call if ntsec is on. Don't call set_file_attributes () then. * fhandler.cc (fhandler_base::open): Ditto for CreateFileA () call. * path.cc (symlink): Ditto. * security.cc (set_security_attribute): New function. * security.h: Add declaration for `allow_ntea' and `set_security_attribute'.
2001-08-07 17:09:54 +02:00
}
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
int
get_object_sd (HANDLE handle, security_descriptor &sd)
{
ULONG len = 0;
NTSTATUS status;
status = NtQuerySecurityObject (handle, ALL_SECURITY_INFORMATION,
sd, len, &len);
if (status != STATUS_BUFFER_TOO_SMALL)
{
__seterrno_from_nt_status (status);
return -1;
}
if (!sd.malloc (len))
{
set_errno (ENOMEM);
return -1;
}
status = NtQuerySecurityObject (handle, ALL_SECURITY_INFORMATION,
sd, len, &len);
if (!NT_SUCCESS (status))
{
__seterrno_from_nt_status (status);
return -1;
}
return 0;
}
int
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
get_object_attribute (HANDLE handle, uid_t *uidret, gid_t *gidret,
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
mode_t *attribute)
{
security_descriptor sd;
if (get_object_sd (handle, sd))
return -1;
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
return get_posix_access (sd, attribute, uidret, gidret, NULL, 0)
>= 0 ? 0 : -1;
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
}
int
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
create_object_sd_from_attribute (uid_t uid, gid_t gid, mode_t attribute,
security_descriptor &sd)
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
{
Fix file type mode bit handling on object security. * fhandler_tty.cc (fhandler_pty_slave::open): Add S_IFCHR flag in call to create_object_sd_from_attribute. (fhandler_pty_slave::fstat): Ditto in call to get_object_attribute. (fhandler_pty_slave::fchmod): Add an orig_mode flag and ditto for both calls. (fhandler_pty_master::setup): Ditto in call to create_object_sd_from_attribute. * security.cc (get_object_attribute): Never add S_IFCHR to mode here. Let the caller decide. (create_object_sd_from_attribute): Ditto. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-09-03 19:29:55 +02:00
return set_posix_access (attribute, uid, gid, NULL, 0, sd, false)
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
? 0 : -1;
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
}
int
set_object_sd (HANDLE handle, security_descriptor &sd, bool chown)
{
NTSTATUS status;
status = NtSetSecurityObject (handle, chown ? ALL_SECURITY_INFORMATION
: DACL_SECURITY_INFORMATION, sd);
if (!NT_SUCCESS (status))
{
__seterrno_from_nt_status (status);
return -1;
}
return 0;
}
int
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
set_object_attribute (HANDLE handle, uid_t uid, gid_t gid, mode_t attribute)
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
{
security_descriptor sd;
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
if (create_object_sd_from_attribute (uid, gid, attribute, sd)
* autoload.cc (GetNamedPipeClientProcessId): Define. * fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private. (fhandler_tty_slave::fch_close_handles): Ditto. (fhandler_tty_slave::cygserver_attach_tty): Drop declaration. (fhandler_tty_slave::fstat): Declare public. (fhandler_tty_slave::fchmod): Declare public. (fhandler_tty_slave::fchown): Declare public. (class fhandler_pty_master): Add master_ctl handle. (fhandler_pty_master::pty_master_thread): Declare public. * fhandler_termios.cc (fhandler_termios::tcinit): If the process is started from a non-Cygwin process, make it tty process group leader. * fhandler_tty.cc: Throughout accommodate additional security related arguments in calls to functions creating or opening objects. (close_maybe): Move to start of file to reuse it in other methods. (struct pipe_request): Define. (struct pipe_reply): Define. (fhandler_tty_slave::open): Throughout, try to open synchronization objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver. Try to duplicate pipe handles via master_ctl pipe if duplicating directly doesn't work. (fhandler_tty_slave::cygserver_attach_tty): Remove. (fhandler_tty_slave::init): Close unused incoming pipe handle. (fhandler_pty_master::close): Send exit message to master control thread and close master_ctl handle. (fhandler_pty_master::pty_master_thread): New method, implementing the master control thread. (pty_master_thread): Static helper to start master control thread. (fhandler_pty_master::setup): Simplify creating pipe inheritance. Make sure we're the one creating the input_available_event. Add comment to explain why. Create master_ctl pipe and start master control thread. Close master_ctl handle in case of error. * security.cc (alloc_sd): Add code to handle tty objects. Add comments to explain what exactly is required. (get_object_sd): New function. (get_object_attribute): New function. (create_object_sd_from_attribute): New function. (set_object_sd): New function. (set_object_attribute): New function. (set_file_attribute): Change attribute type to mode_t. * security.h (set_file_attribute): Change attribute type to mode_t. (get_object_sd): Declare. (get_object_attribute): Declare. (create_object_sd_from_attribute): Declare. (set_object_sd): Declare. (set_object_attribute): Declare. * tty.cc (tty::slave_alive): Implement directly instead of via alive. (tty::exists): Open mutex handle with READ_CONTROL access. (tty::alive): Remove. (tty::open_output_mutex): Convert to inline method. (tty::open_input_mutex): Ditto. (tty::open_mutex): Take additional ACCESS_MASK parameter for the mutex open access mask. (tty::open_inuse): New method. (tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt name parameter. Always create TTY_SLAVE_ALIVE event. (tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for CreateEvent. * tty.h (class tty): Change declarations according to aforementioned changes. (tty::open_output_mutex): Implement as inline method. (tty::open_input_mutex): Ditto.
2010-04-19 21:52:43 +02:00
|| set_object_sd (handle, sd, uid != ILLEGAL_UID || gid != ILLEGAL_GID))
return -1;
return 0;
}
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
int
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr)
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
{
* security.cc (set_nt_attribute): Remove. (set_file_attribute): Do it yourself instead of calling set_nt_attribute.
2007-07-19 19:42:11 +02:00
int ret = -1;
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
security_descriptor sd, sd_ret;
mode_t attr_rd;
uid_t uid;
gid_t gid;
tmp_pathbuf tp;
aclent_t *aclp;
int nentries, idx;
if (!get_file_sd (handle, pc, sd, true))
{
attr |= S_JUSTCREATED;
if (pc.isdir ())
attr |= S_IFDIR;
attr_rd = attr;
aclp = (aclent_t *) tp.c_get ();
if ((nentries = get_posix_access (sd, &attr_rd, &uid, &gid,
aclp, MAX_ACL_ENTRIES)) >= 0)
{
if (S_ISLNK (attr))
{
/* Symlinks always get the request POSIX perms. */
aclp[0].a_perm = (attr >> 6) & S_IRWXO;
if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
aclp[idx].a_perm = (attr >> 3) & S_IRWXO;
if (nentries > MIN_ACL_ENTRIES
&& (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
aclp[idx].a_perm = (attr >> 3) & S_IRWXO;
if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
aclp[idx].a_perm = attr & S_IRWXO;
}
else
{
/* Overwrite ACL permissions as required by POSIX 1003.1e
draft 17. */
aclp[0].a_perm &= (attr >> 6) & S_IRWXO;
if (nentries > MIN_ACL_ENTRIES
&& (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0)
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
Handle permissions a bit closer to POSIX 1003.1e So far we tweaked ACL_GROUP_OBJ and ACL_MASK values the same way when creating a file. We now do what POSIX requires, namely just change ACL_MASK if it's present, otherwise ACL_GROUP_OBJ. Note that we only do this at creation time. Chmod still tweaks both to create less surprising results for the unsuspecting user. Additionally make sure to take umask only into account if no ACL_MASK value is present. That has been missed so far. * sec_acl.cc (set_posix_access): Perform check for non-existant default ACEs earlier. Ignore umask also if ACL_MASK is present. Only set owner_eq_group if we're actually handling a user entry. Mention chmod in a comment. * security.cc (set_created_file_access): Perform group/mask permission setting as required by POSIX 1003.1e. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2016-04-18 20:43:00 +02:00
else if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0)
aclp[idx].a_perm &= (attr >> 3) & S_IRWXO;
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0)
aclp[idx].a_perm &= attr & S_IRWXO;
}
/* Construct appropriate inherit attribute for new directories.
Basically we do this only for the sake of non-Cygwin applications.
Cygwin applications don't need these. Additionally, if the
S_ISGID bit is set, propagate it. */
if (S_ISDIR (attr))
{
if (searchace (aclp, nentries, DEF_USER_OBJ) < 0)
{
aclp[nentries].a_type = DEF_USER_OBJ;
aclp[nentries].a_id = ILLEGAL_UID;
aclp[nentries++].a_perm = (attr >> 6) & S_IRWXO;
}
if (searchace (aclp, nentries, DEF_GROUP_OBJ) < 0)
{
aclp[nentries].a_type = DEF_GROUP_OBJ;
aclp[nentries].a_id = ILLEGAL_GID;
aclp[nentries++].a_perm = (attr >> 3) & S_IRWXO;
}
if (searchace (aclp, nentries, DEF_OTHER_OBJ) < 0)
{
aclp[nentries].a_type = DEF_OTHER_OBJ;
aclp[nentries].a_id = ILLEGAL_UID;
aclp[nentries++].a_perm = attr & S_IRWXO;
}
if (attr_rd & S_ISGID)
attr |= S_ISGID;
}
if (set_posix_access (attr, uid, gid, aclp, nentries, sd_ret,
pc.fs_is_samba ()))
ret = set_file_sd (handle, pc, sd_ret, attr_rd & S_ISGID);
}
* security.cc (set_nt_attribute): Remove. (set_file_attribute): Do it yourself instead of calling set_nt_attribute.
2007-07-19 19:42:11 +02:00
}
* security.cc (set_process_privileges): Removed `static'. (get_nt_attribute): Returns uid and gid additionally. Removed call to set_process_privileges(). (get_file_attribute): Returns uid and gid additionally. Don't call ntea if ntsec is ON. (set_nt_attribute): Removed call to set_process_privileges(). Don't call ntea if ntsec is ON. (acl): Removed call to set_process_privileges(). * dcrt0.cc (dll_crt0_1): Calls set_process_privileges() now. * winsup.h: New prototype for set_process_privileges(), changed prototype for get_file_attribute(). * fhandler.cc (get_file_owner): Discarded. (get_file_group): Ditto. (fhandler_disk_file::fstat): Discard calls to get_file_owner() and get_file_group(). * path.cc (path_conv::path_conv): Added debugging output for result of GetVolumeInformation(). (mount_info::conv_to_win32_path): Call backslashify() with pathbuf instead of src_path. * syscalls.cc (chown): Reformatted. (chmod): Replace get_file_owner() and get_file_group() calls by a call to get_file_attribute(). Discard local variable has_acls. Slightly reformatted. (stat_worker): Replaced idiot's (it's me) root dir check by call to rootdir(). Don't call num_entries() on remote drives. Discard local variable has_acls.
2000-03-16 20:35:18 +01:00
return ret;
import winsup-2000-02-17 snapshot
2000-02-17 20:38:33 +01:00
}
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
static int
check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
ACCESS_MASK desired, int flags, bool effective)
* dtable.cc (dtable::build_fhandler_from_name): Set some fhandler data on sockets to evaluate AF_LOCAL sockets correctly. (dtable::build_fhandler): Set unit number on sockets. * fhandler.h (fhandler_socket): Add unit number. (fhandler_socket::get_unit): New method. * fhandler_socket.cc (fhandler_socket::fhandler_socket): Set unit number. (fhandler_socket::fstat): Reorganize to return more Linux-like values. * net.cc: include ctype.h. (fdsock): Set unit number when building fhandler. * path.cc (path_conv::check): Set device type to FH_SOCKET if file is a AF_UNIX socket. (get_devn): Evaluate unit for virtual socket devices. (win32_device_name): Set windows path for sockets to unix_path with just backslashes to keep the different names. * syscalls.cc (fstat64): Don't override st_ino, st_dev and st_rdev for sockets. (stat_worker): Ditto. From Pierre Humblet: * autoload.cc (AccessCheck): Add. (DuplicateToken): Add. * security.h (check_file_access): Declare. * syscalls.cc (access): Convert path to Windows, check existence and readonly attribute. Call check_file_access instead of acl_access. * security.cc (check_file_access): Create. * sec_acl (acl_access): Delete.
2003-02-21 15:29:18 +01:00
{
int ret = -1;
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
NTSTATUS status, allow;
ACCESS_MASK granted;
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
DWORD plen = sizeof (PRIVILEGE_SET) + 3 * sizeof (LUID_AND_ATTRIBUTES);
PPRIVILEGE_SET pset = (PPRIVILEGE_SET) alloca (plen);
Fix faccessat(,0) and access() semantics. * fhandler.h (fhandler_base::fhaccess): Add parameter. * security.h (check_file_access, check_registry_access): Likewise. * security.cc (check_file_access, check_registry_access) (check_access): Implement new parameter. * fhandler.cc (fhandler_base::fhaccess): Likewise. (device_access_denied): Update caller. * syscalls.cc (access, faccessat): Update callers. * spawn.cc (find_exec, fixup): Likewise.
2009-09-25 15:44:45 +02:00
HANDLE tok = ((effective && cygheap->user.issetuid ())
? cygheap->user.imp_token ()
: hProcImpToken);
* dtable.cc (dtable::build_fhandler_from_name): Set some fhandler data on sockets to evaluate AF_LOCAL sockets correctly. (dtable::build_fhandler): Set unit number on sockets. * fhandler.h (fhandler_socket): Add unit number. (fhandler_socket::get_unit): New method. * fhandler_socket.cc (fhandler_socket::fhandler_socket): Set unit number. (fhandler_socket::fstat): Reorganize to return more Linux-like values. * net.cc: include ctype.h. (fdsock): Set unit number when building fhandler. * path.cc (path_conv::check): Set device type to FH_SOCKET if file is a AF_UNIX socket. (get_devn): Evaluate unit for virtual socket devices. (win32_device_name): Set windows path for sockets to unix_path with just backslashes to keep the different names. * syscalls.cc (fstat64): Don't override st_ino, st_dev and st_rdev for sockets. (stat_worker): Ditto. From Pierre Humblet: * autoload.cc (AccessCheck): Add. (DuplicateToken): Add. * security.h (check_file_access): Declare. * syscalls.cc (access): Convert path to Windows, check existence and readonly attribute. Call check_file_access instead of acl_access. * security.cc (check_file_access): Create. * sec_acl (acl_access): Delete.
2003-02-21 15:29:18 +01:00
2010-02-26 Pierre Humblet <Pierre.Humblet@ieee.org> * security.cc (check_access): Use user.imp_token if appropriate. Set errno and return if DuplicateTokenEx fails .
2010-02-26 15:51:59 +01:00
if (!tok)
{
if (!DuplicateTokenEx (hProcToken, MAXIMUM_ALLOWED, NULL,
whitespace elimination
2011-06-06 07:02:13 +02:00
SecurityImpersonation, TokenImpersonation,
2010-02-26 Pierre Humblet <Pierre.Humblet@ieee.org> * security.cc (check_access): Use user.imp_token if appropriate. Set errno and return if DuplicateTokenEx fails .
2010-02-26 15:51:59 +01:00
&hProcImpToken))
whitespace elimination
2011-06-06 07:02:13 +02:00
{
__seterrno ();
return ret;
}
2010-02-26 Pierre Humblet <Pierre.Humblet@ieee.org> * security.cc (check_access): Use user.imp_token if appropriate. Set errno and return if DuplicateTokenEx fails .
2010-02-26 15:51:59 +01:00
tok = hProcImpToken;
whitespace elimination
2011-06-06 07:02:13 +02:00
}
Partially revert change from 2005-04-03, always running under an impersonation token, which collides with Vista UAC. * cygheap.h (deimpersonate): revert to self instead of impersonating hProcImpToken. (reimpersonate): Only impersonate if setuid. * dcrt0.cc (dll_crt0_0): Don't initialize hProcImpToken here. (dll_crt0_1): Set privileges on hProcToken. * fork.cc (frok::child): Set privileges on hProcToken. Close handle to hProcImpToken. * grp.cc (internal_getgroups): Use hProcToken instead of hProcImpToken. * security.cc (check_access): Create hProcImpToken on demand here. * security.h (set_process_privilege): Set privileges on hProcToken. (_push_thread_privilege): Use hProcToken instead of hProcImpToken. (pop_thread_privilege): If not setuid'ed, revert to self. * syscalls.cc (setegid32): Drop setting primary group on hProcImpToken. Close handle to hProcImpToken. * uinfo.cc (internal_getlogin): Ditto. * winsup.h (clear_procimptoken): New inline function.
2006-12-12 17:27:32 +01:00
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
status = NtAccessCheck (sd, tok, desired, &mapping, pset, &plen, &granted,
&allow);
if (!NT_SUCCESS (status))
* dtable.cc (dtable::build_fhandler_from_name): Set some fhandler data on sockets to evaluate AF_LOCAL sockets correctly. (dtable::build_fhandler): Set unit number on sockets. * fhandler.h (fhandler_socket): Add unit number. (fhandler_socket::get_unit): New method. * fhandler_socket.cc (fhandler_socket::fhandler_socket): Set unit number. (fhandler_socket::fstat): Reorganize to return more Linux-like values. * net.cc: include ctype.h. (fdsock): Set unit number when building fhandler. * path.cc (path_conv::check): Set device type to FH_SOCKET if file is a AF_UNIX socket. (get_devn): Evaluate unit for virtual socket devices. (win32_device_name): Set windows path for sockets to unix_path with just backslashes to keep the different names. * syscalls.cc (fstat64): Don't override st_ino, st_dev and st_rdev for sockets. (stat_worker): Ditto. From Pierre Humblet: * autoload.cc (AccessCheck): Add. (DuplicateToken): Add. * security.h (check_file_access): Declare. * syscalls.cc (access): Convert path to Windows, check existence and readonly attribute. Call check_file_access instead of acl_access. * security.cc (check_file_access): Create. * sec_acl (acl_access): Delete.
2003-02-21 15:29:18 +01:00
__seterrno ();
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
else if (!NT_SUCCESS (allow))
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
{
/* CV, 2006-10-16: Now, that's really weird. Imagine a user who has no
standard access to a file, but who has backup and restore privileges
and these privileges are enabled in the access token. One would
expect that the AccessCheck function takes this into consideration
when returning the access status. Otherwise, why bother with the
pset parameter, right?
But not so. AccessCheck actually returns a status of "false" here,
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
even though opening a file with backup resp. restore intent
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
naturally succeeds for this user. This definitely spoils the results
of access(2) for administrative users or the SYSTEM account. So, in
case the access check fails, another check against the user's
backup/restore privileges has to be made. Sigh. */
int granted_flags = 0;
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
BOOLEAN has_priv;
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
if (flags & R_OK)
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
{
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
pset->PrivilegeCount = 1;
pset->Control = 0;
* cygheap.h (init_cygheap::luid): Remove. * mmap.cc (mlock): Accommodate parameter change in call to push_thread_privilege. (munlock): Ditto. * ntdll.h (STATUS_NOT_ALL_ASSIGNED): Define. (NtAdjustPrivilegesToken): Declare. * sec_helper.cc (cygpriv): Reorder to match numerical privilege order. (privilege_luid): Take job of privilege_luid_by_name, using new cygpriv. (privilege_luid_by_name): Remove. (privilege_name): Accommodate new cygpriv array. (set_privilege): Call NtAdjustPrivilegesToken to avoid using advapi32. Accommodate changes to privilege_name. (set_cygwin_privileges): Simplify. Don't try to set SE_CREATE_GLOBAL_PRIVILEGE on systems not supporting it. * security.cc (sys_privs): Reorder to match numerical privilege order. Use real privilege values as defined in security.h. (get_system_priv_list): Drop unused grp_list argument. Create list of privileges according to new wincapc::max_sys_priv value. (get_priv_list): Call privilege_luid instead of privilege_luid_by_name. Make priv a local value instead of a pointer. (create_token): Accommodate parameter change in call to push_self_privilege. (lsaauth): Ditto. (check_access): Use privilege values directly instead of calling privilege_luid. * security.h: Define real privilege values. (cygpriv_idx): Remove. (privilege_luid): Change declaration. (privilege_luid_by_name): Drop declaration. (set_privilege): Change declaration. (set_process_privilege): Drop definition. (_push_thread_privilege): Accomodate new set_privilege parameters. * wincap.h (wincapc::max_sys_priv): New element. * wincap.cc: Implement above element throughout. (wincap_2000sp4): New wincaps structure. (wincap_xpsp1): Ditto. (wincap_xpsp2): Ditto. (wincapc::init): Use new wincaps. (wincapc::max_sys_priv): New element.
2007-07-19 10:33:22 +02:00
pset->Privilege[0].Luid.HighPart = 0L;
pset->Privilege[0].Luid.LowPart = SE_BACKUP_PRIVILEGE;
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
pset->Privilege[0].Attributes = 0;
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
status = NtPrivilegeCheck (tok, pset, &has_priv);
if (NT_SUCCESS (status) && has_priv)
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
granted_flags |= R_OK;
}
if (flags & W_OK)
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
{
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
pset->PrivilegeCount = 1;
pset->Control = 0;
* cygheap.h (init_cygheap::luid): Remove. * mmap.cc (mlock): Accommodate parameter change in call to push_thread_privilege. (munlock): Ditto. * ntdll.h (STATUS_NOT_ALL_ASSIGNED): Define. (NtAdjustPrivilegesToken): Declare. * sec_helper.cc (cygpriv): Reorder to match numerical privilege order. (privilege_luid): Take job of privilege_luid_by_name, using new cygpriv. (privilege_luid_by_name): Remove. (privilege_name): Accommodate new cygpriv array. (set_privilege): Call NtAdjustPrivilegesToken to avoid using advapi32. Accommodate changes to privilege_name. (set_cygwin_privileges): Simplify. Don't try to set SE_CREATE_GLOBAL_PRIVILEGE on systems not supporting it. * security.cc (sys_privs): Reorder to match numerical privilege order. Use real privilege values as defined in security.h. (get_system_priv_list): Drop unused grp_list argument. Create list of privileges according to new wincapc::max_sys_priv value. (get_priv_list): Call privilege_luid instead of privilege_luid_by_name. Make priv a local value instead of a pointer. (create_token): Accommodate parameter change in call to push_self_privilege. (lsaauth): Ditto. (check_access): Use privilege values directly instead of calling privilege_luid. * security.h: Define real privilege values. (cygpriv_idx): Remove. (privilege_luid): Change declaration. (privilege_luid_by_name): Drop declaration. (set_privilege): Change declaration. (set_process_privilege): Drop definition. (_push_thread_privilege): Accomodate new set_privilege parameters. * wincap.h (wincapc::max_sys_priv): New element. * wincap.cc: Implement above element throughout. (wincap_2000sp4): New wincaps structure. (wincap_xpsp1): Ditto. (wincap_xpsp2): Ditto. (wincapc::init): Use new wincaps. (wincapc::max_sys_priv): New element.
2007-07-19 10:33:22 +02:00
pset->Privilege[0].Luid.HighPart = 0L;
pset->Privilege[0].Luid.LowPart = SE_RESTORE_PRIVILEGE;
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
pset->Privilege[0].Attributes = 0;
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
status = NtPrivilegeCheck (tok, pset, &has_priv);
if (NT_SUCCESS (status) && has_priv)
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
granted_flags |= W_OK;
}
if (granted_flags == flags)
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
ret = 0;
* autoload.cc (PrivilegeCheck): Define. * fhandler.cc (fhandler_base::open): Always try opening with backup resp. restore intent. * fhandler_disk_file.cc (fhandler_disk_file::opendir): Always try opening with backup intent. (fhandler_disk_file::readdir): Ditto when trying to retrieve file id explicitely. * security.cc (check_file_access): Replace pbuf with correctly PPRIVILEGE_SET typed pset. Check explicitely for backup and/or restore privileges when AccessCheck fails, to circumvent AccessCheck shortcoming. Add comment to explain.
2006-10-16 14:26:59 +02:00
else
set_errno (EACCES);
}
* dtable.cc (dtable::build_fhandler_from_name): Set some fhandler data on sockets to evaluate AF_LOCAL sockets correctly. (dtable::build_fhandler): Set unit number on sockets. * fhandler.h (fhandler_socket): Add unit number. (fhandler_socket::get_unit): New method. * fhandler_socket.cc (fhandler_socket::fhandler_socket): Set unit number. (fhandler_socket::fstat): Reorganize to return more Linux-like values. * net.cc: include ctype.h. (fdsock): Set unit number when building fhandler. * path.cc (path_conv::check): Set device type to FH_SOCKET if file is a AF_UNIX socket. (get_devn): Evaluate unit for virtual socket devices. (win32_device_name): Set windows path for sockets to unix_path with just backslashes to keep the different names. * syscalls.cc (fstat64): Don't override st_ino, st_dev and st_rdev for sockets. (stat_worker): Ditto. From Pierre Humblet: * autoload.cc (AccessCheck): Add. (DuplicateToken): Add. * security.h (check_file_access): Declare. * syscalls.cc (access): Convert path to Windows, check existence and readonly attribute. Call check_file_access instead of acl_access. * security.cc (check_file_access): Create. * sec_acl (acl_access): Delete.
2003-02-21 15:29:18 +01:00
else
ret = 0;
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
return ret;
}
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
/* Samba override. Check security descriptor for Samba UNIX user and group
accounts and check if we have an RFC 2307 mapping to a Windows account.
* fhandler.cc (fhandler_base::facl): Drop CLASS_OBJ entry. * fhandler_disk_file.cc (fhandler_disk_file::facl): Ditto in noacl case. * sec_acl.cc (getacl): Compute useful fake CLASS_OBJ and DEF_CLASS_OBJ permission bits based on how these values are generated on Linux. Add commants to explain what the code is doing. * security.cc (get_attribute_from_acl): Compute group permission based on the actual primary group permissions and all secondary user and group ACCESS_ALLOWED_ACEs to emulate Linux' behaviour more closely. (check_access): Fix typos im comment. * include/cygwin/acl.h (MIN_ACL_ENTRIES): Redefine as 3.
2014-08-28 14:38:52 +02:00
Create a new security descriptor with all of the UNIX accounts with
valid mapping replaced with their Windows counterpart. */
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
static void
convert_samba_sd (security_descriptor &sd_ret)
{
NTSTATUS status;
BOOLEAN dummy;
PSID sid;
cygsid owner;
cygsid group;
SECURITY_DESCRIPTOR sd;
cyg_ldap cldap;
tmp_pathbuf tp;
PACL acl, oacl;
size_t acl_len;
PACCESS_ALLOWED_ACE ace;
if (!NT_SUCCESS (RtlGetOwnerSecurityDescriptor (sd_ret, &sid, &dummy)))
return;
owner = sid;
if (!NT_SUCCESS (RtlGetGroupSecurityDescriptor (sd_ret, &sid, &dummy)))
return;
group = sid;
Try harder to avoid LDAP access for RFC2307 mapping * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange to fall back to myself uid/gid in case we don't utilize Windows account DBs, just as prior to 1.7.34. * sec_helper.cc (cygpsid::get_id): Disable Samba user/group mapping per RFC2307 if we're not utilizing Windows account DBs. * security.cc (convert_samba_sd): Revert previous patch. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-17 20:24:49 +02:00
if (sid_id_auth (owner) == 22)
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
{
struct passwd *pwd;
uid_t uid = owner.get_uid (&cldap);
if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
Don't perform RFC2307 account mapping without account DB * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Only try to map user and group info per RFC2307 if account info is fetched from Windows account DB. (convert_samba_sd): Ditto. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-14 21:41:37 +02:00
owner.getfrompw (pwd);
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
}
Try harder to avoid LDAP access for RFC2307 mapping * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange to fall back to myself uid/gid in case we don't utilize Windows account DBs, just as prior to 1.7.34. * sec_helper.cc (cygpsid::get_id): Disable Samba user/group mapping per RFC2307 if we're not utilizing Windows account DBs. * security.cc (convert_samba_sd): Revert previous patch. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-17 20:24:49 +02:00
if (sid_id_auth (group) == 22)
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
{
struct group *grp;
gid_t gid = group.get_gid (&cldap);
if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
Don't perform RFC2307 account mapping without account DB * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Only try to map user and group info per RFC2307 if account info is fetched from Windows account DB. (convert_samba_sd): Ditto. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-14 21:41:37 +02:00
group.getfromgr (grp);
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
}
if (!NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd_ret, &dummy,
&oacl, &dummy)))
return;
acl = (PACL) tp.w_get ();
RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
acl_len = sizeof (ACL);
for (DWORD i = 0; i < oacl->AceCount; ++i)
if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
{
cygsid ace_sid ((PSID) &ace->SidStart);
if (sid_id_auth (ace_sid) == 22)
{
Try harder to avoid LDAP access for RFC2307 mapping * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange to fall back to myself uid/gid in case we don't utilize Windows account DBs, just as prior to 1.7.34. * sec_helper.cc (cygpsid::get_id): Disable Samba user/group mapping per RFC2307 if we're not utilizing Windows account DBs. * security.cc (convert_samba_sd): Revert previous patch. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-17 20:24:49 +02:00
if (sid_sub_auth (ace_sid, 0) == 1) /* user */
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
{
struct passwd *pwd;
uid_t uid = ace_sid.get_uid (&cldap);
if (uid < UNIX_POSIX_OFFSET && (pwd = internal_getpwuid (uid)))
ace_sid.getfrompw (pwd);
}
Try harder to avoid LDAP access for RFC2307 mapping * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange to fall back to myself uid/gid in case we don't utilize Windows account DBs, just as prior to 1.7.34. * sec_helper.cc (cygpsid::get_id): Disable Samba user/group mapping per RFC2307 if we're not utilizing Windows account DBs. * security.cc (convert_samba_sd): Revert previous patch. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-08-17 20:24:49 +02:00
else if (sid_sub_auth (ace_sid, 0) == 2) /* group */
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
{
struct group *grp;
gid_t gid = ace_sid.get_gid (&cldap);
if (gid < UNIX_POSIX_OFFSET && (grp = internal_getgrgid (gid)))
ace_sid.getfromgr (grp);
}
}
Reapply POSIX ACL changes. - New, unified implementation of POSIX permission and ACL handling. The new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and they allow to inherit the S_ISGID bit. ACL inheritance now really works as desired, in a limited, but theoretically equivalent fashion even for non-Cygwin processes. To accommodate Windows default ACLs, the new code ignores SYSTEM and Administrators group permissions when computing the MASK/CLASS_OBJ permission mask on old ACLs, and it doesn't deny access to SYSTEM and Administrators group based on the value of MASK/CLASS_OBJ when creating the new ACLs. The new code now handles the S_ISGID bit on directories as on Linux: Setting S_ISGID on a directory causes new files and subdirs created within to inherit its group, rather than the primary group of the user who created the file. This only works for files and directories created by Cygwin processes. 2015-05-29 Corinna Vinschen <corinna@vinschen.de> Reapply POSIX ACL changes. * utils.xml (setfacl): Show new option output. (getfacl): Show new option output. * sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL. Apply umask, if so. Align comments. * security.cc (set_created_file_access): Fix permission masking by incoming requested file mode. * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit for SYSTEM and Admins group. * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and GROUP entries if they are the same as USER_OBJ or GROUP_OBJ. * fhandler.h (fhandler_pty_slave::facl): Add prototype. * fhandler_tty.cc (fhandler_pty_slave::facl): New method. (fhandler_pty_slave::fchown): Fix uid/gid handling. * sec_acl.cc (set_posix_access): Drop superfluous class_idx variable. Simplify and move around code in a few places. To improve ACL readability, add r/w permissions to Admins ACE appended to pty ACL. Add comment to explain Windows ACE Mask filtering being in the way of creating a real CLASS_OBJ. (get_posix_access): Fake CLASS_OBJ for ptys. Explain why. * security.cc (get_object_attribute): Add S_IFCHR flag to attributes when calling get_posix_access. * sec_acl.cc (set_posix_access): Move merging group perms into owner perms in case of owner == group after mask has been computed. Take mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE. * sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw the ACCESS_ALLOWED_ACE. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment to explain why. * security.cc (set_created_file_access): Ditto. * sec_acl.cc (set_posix_access): Replace previous patch. Return EINVAL if uid and/or guid is invalid and not backed by an actual Windows account. * sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL. * sec_acl.cc (set_posix_access): Handle files with owner == group. Rephrase switch statement checking against unfiltered a_type value. (get_posix_access): Handle files with owner == group. * sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up CLASS_OBJ mask on old-style ACLs. Fix a comment. * sec_acl.cc (set_posix_access): Always make sure Admins have WRITE_DAC and WRITE_OWNER permissions. * security.h (create_object_sd_from_attribute): Drop handle parameter from prototype. * security.cc (create_object_sd_from_attribute): Drop handle parameter. Just create the standard POSIXy security descriptor. (set_object_attribute): Accommodate dropped paramter in call to create_object_sd_from_attribute. * fhandler_tty.cc: Ditto, throughout. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in mask computation. * fhandler.cc (fhandler_base::open_with_arch): Call open with mode not umasked. (fhandler_base::open): Explicitely umask mode on NFS here. Call new set_created_file_access rather than set_file_attribute. * fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement setting permissions on filesystems supporting ACLs using the new set_posix_access call. (fhandler_disk_file::fchown): Ditto. (fhandler_disk_file::mkdir): Call new set_created_file_access rather than set_file_attribute. * fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add WRITE_OWNER access to allow writing group in case of SGID bit set. Call new set_created_file_access rather than set_file_attribute. * path.cc (symlink_worker): Call new set_created_file_access rather than set_file_attribute. * sec_acl.cc (searchace): Un-staticize. (set_posix_access): New, complementary functionality to get_posix_access. (setacl): Implement in terms of get_posix_access/set_posix_access. (get_posix_access): Add handling for just created files requiring their first Cygwin ACL. Fix new_style recognition. Handle SGID bit. For old-style ACLs, ignore SYSTEM and Administrators when computing the {DEF_}CLASS_OBJ perms. * security.cc (get_file_sd): Revamp comment. Change and (hopefully) speed up inheritance processing for just created files. (alloc_sd): Remove. (set_security_attribute): Call set_posix_access instead of alloc_sd. (get_object_attribute): Fix return value. (create_object_sd_from_attribute): Call set_posix_access instead of alloc_sd. (set_file_attribute): Remove. (set_created_file_access): New function implemented in terms of get_posix_access/set_posix_access. * security.h (set_file_attribute): Remove prototype. (set_created_file_access): Add prototype. (searchace): Ditto. (set_posix_access): Ditto. * syscalls.cc (open): Call open_with_arch with mode not umasked. * sec_acl.cc: Change preceeding comment explaining new-style ACLs. Describe how to generate deny ACEs in more detail. Accommodate the fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than a special Cygwin ACE. Improve further comments. (CYG_ACE_NEW_STYLE): Define. (get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single NULL deny ACE if the inheritance flags say so. * sec_helper.cc (well_known_cygwin_sid): Remove. * security.h (well_known_cygwin_sid): Drop declaration. * sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo. (get_posix_access): Rename index variable from i to idx. Define only once at top level. * security.cc (add_access_allowed_ace): Drop unused parameter "offset". Accommodate throughout. (add_access_denied_ace): Ditto. * sec_acl.cc: Accommodate above change throughout. * security.h (add_access_allowed_ace): Adjust prototype to above change. (add_access_denied_ace): Ditto. * sec_acl.cc (get_posix_access): Handle multiple ACEs for the owner and primary group of the file. Handle the default primary group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit set. Add comments. Minor code rearrangements. Preliminary read side implementation of new permission handling. * acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain. * sec_acl.cc: Add leading comment to explain new ACL style. Add definitions and macros to use for bits in new Cygwin ACL. (DENY_RWX): New mask value for all temporary deny bits. (getace): Add bool parameter to decide when leaving all bits intact, rather than filtering them per the already set bits. (get_posix_access): New function, taking over functionality to read POSIX ACL from SECURITY_DESCRIPTOR. (getacl): Just call get_posix_access. * sec_helper.cc (well_known_cygwin_sid): Define. * security.cc (get_attribute_from_acl): Remove. (get_info_from_sd): Remove. (get_reg_sd): Call get_posix_access instead of get_info_from_sd. (get_file_attribute): Ditto. (get_object_attribute): Ditto. * security.h (well_known_cygwin_sid): Declare. (get_posix_access): Add prototype. * Throughout, use simpler ACE macros from Windows' accctrl.h. * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments. * setfacl.c: Align more to Linux tool. (delacl): New function to delete acl entries only. (modacl): Drop delete functionality. Add handling of recomputing the mask and default mask values. (delallacl): Rename from delacl. (setfacl): Call delacl in Delete case. Call delallacl in DeleteAll and DeleteDef case. (usage): Accommodate new options. Rearrange and rephrase slightly. (longopts): Emit 'x' in --delete case. Add --no-mask and --mask options. (opts): Add -x and -n options. (main): Handle -d and -x the same. Handle -n and --mask options. Drop handling for -r option. * getfacl.c (usage): Align more closely to Linux version. Add new options -c, -e, -E. Change formatting to accommodate longer options. (longopts): Rename --noname to --numeric. Keep --noname for backward compatibility. Add --omit-header, --all-effective and --no-effective options. (opts): Add -c, -e and -E option. (main): Handle new -c, -e, and -E options. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 11:52:29 +02:00
if (!add_access_allowed_ace (acl, ace->Mask, ace_sid, acl_len,
Use all ACEs from original ACL on Samba share * security.cc (convert_samba_sd): Fix accidental dropping of all non-Unix User, non-Unix Group accounts. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-04-30 17:26:55 +02:00
ace->Header.AceFlags))
return;
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
}
acl->AclSize = acl_len;
RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
if (!NT_SUCCESS (status))
return;
DWORD sd_size = 0;
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
if (sd_size > 0 && sd_ret.malloc (sd_size))
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
}
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
int
Fix faccessat(,0) and access() semantics. * fhandler.h (fhandler_base::fhaccess): Add parameter. * security.h (check_file_access, check_registry_access): Likewise. * security.cc (check_file_access, check_registry_access) (check_access): Implement new parameter. * fhandler.cc (fhandler_base::fhaccess): Likewise. (device_access_denied): Update caller. * syscalls.cc (access, faccessat): Update callers. * spawn.cc (find_exec, fixup): Likewise.
2009-09-25 15:44:45 +02:00
check_file_access (path_conv &pc, int flags, bool effective)
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
{
security_descriptor sd;
int ret = -1;
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
ACCESS_MASK desired = 0;
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
if (flags & R_OK)
desired |= FILE_READ_DATA;
if (flags & W_OK)
desired |= FILE_WRITE_DATA;
if (flags & X_OK)
desired |= FILE_EXECUTE;
* fhandler_disk_file.cc (__DIR_mounts::eval_ino): Create path_conv with PC_KEEP_HANDLE flag. * path.h (path_conv::operator =): Duplicate UNICODE path as well. * security.cc (check_file_access): Use path_conv handle if available. * syscalls.cc (access): Create fhandler with PC_KEEP_HANDLE flag set. (euidaccess): Ditto. (faccessat): Ditto.
2011-07-26 15:30:41 +02:00
if (!get_file_sd (pc.handle (), pc, sd, false))
* sec_helper.cc (cygpsid::get_id): Move Samba SID->uid/gid mapping from get_sids_info here. (get_sids_info): Vice versa. * security.cc (convert_samba_sd): New static function to map a Samba security descriptor to a security descriptor with UNIX users and groups converted to Windows SIDs per RFC 2307 mapping. (check_file_access): Call convert_samba_sd on Samba security descriptors.
2014-03-03 13:03:47 +01:00
{
/* Tweak Samba security descriptor as necessary. */
if (pc.fs_is_samba ())
convert_samba_sd (sd);
ret = check_access (sd, file_mapping, desired, flags, effective);
}
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
debug_printf ("flags %y, ret %d", flags, ret);
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
return ret;
}
int
Fix faccessat(,0) and access() semantics. * fhandler.h (fhandler_base::fhaccess): Add parameter. * security.h (check_file_access, check_registry_access): Likewise. * security.cc (check_file_access, check_registry_access) (check_access): Implement new parameter. * fhandler.cc (fhandler_base::fhaccess): Likewise. (device_access_denied): Update caller. * syscalls.cc (access, faccessat): Update callers. * spawn.cc (find_exec, fixup): Likewise.
2009-09-25 15:44:45 +02:00
check_registry_access (HANDLE hdl, int flags, bool effective)
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
{
security_descriptor sd;
int ret = -1;
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
static GENERIC_MAPPING NO_COPY_RO reg_mapping = { KEY_READ,
KEY_WRITE,
KEY_EXECUTE,
KEY_ALL_ACCESS };
* advapi32.cc (AccessCheck): Remove. (PrivilegeCheck): Remove. (OpenThreadToken): Remove. * fhandler_tty.cc: Replace above functions throughout with their ntdll.dll equivalent. * security.cc: Ditto.
2011-04-29 11:48:25 +02:00
ACCESS_MASK desired = 0;
* fhandler.cc (fhandler_base::fhaccess): Call check_registry_access for registry keys/values if ntsec is on. * security.cc (check_access): New static function derived from check_file_access, but object type agnostic. (check_file_access): Only do file specific stuff. Call check_access. (check_registry_access): New access check function for registry keys/ values. * security.h (check_registry_access): Declare.
2006-10-21 13:05:32 +02:00
if (flags & R_OK)
desired |= KEY_ENUMERATE_SUB_KEYS;
if (flags & W_OK)
desired |= KEY_SET_VALUE;
if (flags & X_OK)
desired |= KEY_QUERY_VALUE;
* security.cc (check_registry_access): Handle missing security descriptor of HKEY_PERFORMANCE_DATA.
2011-05-10 19:19:37 +02:00
if ((HKEY) hdl == HKEY_PERFORMANCE_DATA)
/* RegGetKeySecurity() always fails with ERROR_INVALID_HANDLE. */
ret = 0;
else if (!get_reg_sd (hdl, sd))
* autoload.cc (GetSecurityInfo): Remove. * ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare. (RtlDeleteSecurityObject): Declare. (RtlGetControlSecurityDescriptor): Declare. (RtlLengthSecurityDescriptor): Declare. * security.cc (file_mapping): New global variable. (get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo call. (alloc_sd): Call RtlSetControlSecurityDescriptor to set SE_DACL_PROTECTED flag. (check_file_access): Remove mapping. Use file_mapping instead. (check_registry_access): Rename mapping to reg_mapping. * wincap.cc: Througout, drop use_get_sec_info_on_dirs, * wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
2011-04-28 09:27:51 +02:00
ret = check_access (sd, reg_mapping, desired, flags, effective);
* security.cc (check_registry_access): Handle missing security descriptor of HKEY_PERFORMANCE_DATA.
2011-05-10 19:19:37 +02:00
* fhandler_disk_file.cc (fhandler_disk_file::facl): Fix whitespace. * external.cc: Update copyright. * fhandler.cc: Ditto. * sec_helper.cc: Ditto. * security.h: Ditto. * security.cc: Ditto. (check_registry_access): Return -1 if W_OK is requested.
2006-10-22 21:31:33 +02:00
/* As long as we can't write the registry... */
if (flags & W_OK)
* fhandler.cc (fhandler_base::fhaccess): Add check for R/O file system. * security.cc (check_registry_access): Set errno to EROFS when checking for W_OK.
2007-07-17 16:39:02 +02:00
{
set_errno (EROFS);
ret = -1;
}
* Merge in cygwin-64bit-branch.
2013-04-23 11:44:36 +02:00
debug_printf ("flags %y, ret %d", flags, ret);
* dtable.cc (dtable::build_fhandler_from_name): Set some fhandler data on sockets to evaluate AF_LOCAL sockets correctly. (dtable::build_fhandler): Set unit number on sockets. * fhandler.h (fhandler_socket): Add unit number. (fhandler_socket::get_unit): New method. * fhandler_socket.cc (fhandler_socket::fhandler_socket): Set unit number. (fhandler_socket::fstat): Reorganize to return more Linux-like values. * net.cc: include ctype.h. (fdsock): Set unit number when building fhandler. * path.cc (path_conv::check): Set device type to FH_SOCKET if file is a AF_UNIX socket. (get_devn): Evaluate unit for virtual socket devices. (win32_device_name): Set windows path for sockets to unix_path with just backslashes to keep the different names. * syscalls.cc (fstat64): Don't override st_ino, st_dev and st_rdev for sockets. (stat_worker): Ditto. From Pierre Humblet: * autoload.cc (AccessCheck): Add. (DuplicateToken): Add. * security.h (check_file_access): Declare. * syscalls.cc (access): Convert path to Windows, check existence and readonly attribute. Call check_file_access instead of acl_access. * security.cc (check_file_access): Create. * sec_acl (acl_access): Delete.
2003-02-21 15:29:18 +01:00
return ret;
}