From a8716448cecc1c09f1ee8896d1b148c5bdda8fca Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Fri, 19 Aug 2016 16:50:04 +0200 Subject: [PATCH] Simplify "Windows-standard-like" permissions Commit 97d0449 left a bit to be desired. First, the fact that any new-style ACL couldn't be "standard ACL" anymore was very much over the top. On one hand Admins and SYSTEM ACEs are not supposed to be masked, but on the other hand we *must* create the CLASS_OBJ because otherwise we don't have information about masking the execute perms for both groups. The ACL would also fail aclcheck. And while get_posix_access now returns the "is standard acl" flag, it hasn't been utilized by set_created_file_access. Rather, set_created_file_access has simply continued to check for nentries > MIN_ACL_ENTRIES, which led to all kinds of weird group and CLASS_OBJ perms. The new code now always manipulates CLASS_OBJ perms if a CLASS_OBJ is present, and it always manipulates group perms if the ACL has been marked as "standard" ACL. Another problem (not related to commit 97d0449) is the order get_posix_access adds missing perms. CLASS_OBJ perms are computed *before* missing GROUP_OBJ perms have been added. Thus the CLASS_OBJ perms could be too tight and led to additional, buggy DENY ACEs. Signed-off-by: Corinna Vinschen --- winsup/cygwin/sec_acl.cc | 31 +++++++++++++++---------------- winsup/cygwin/security.cc | 14 +++++++------- 2 files changed, 22 insertions(+), 23 deletions(-) diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc index 64d183c48..4a47d22b1 100644 --- a/winsup/cygwin/sec_acl.cc +++ b/winsup/cygwin/sec_acl.cc @@ -809,7 +809,6 @@ get_posix_access (PSECURITY_DESCRIPTOR psd, aclsid[pos] = well_known_null_sid; } has_class_perm = true; - standard_ACEs_only = false; class_perm = lacl[pos].a_perm; } if (ace->Header.AceFlags & SUB_CONTAINERS_AND_OBJECTS_INHERIT) @@ -1013,6 +1012,21 @@ get_posix_access (PSECURITY_DESCRIPTOR psd, } } } + /* If this is a just created file, and this is an ACL with only standard + entries, or if standard POSIX permissions are missing (probably no + inherited ACEs so created from a default DACL), assign the permissions + specified by the file creation mask. The values get masked by the + actually requested permissions by the caller per POSIX 1003.1e draft 17. */ + if (just_created) + { + mode_t perms = (S_IRWXU | S_IRWXG | S_IRWXO) & ~cygheap->umask; + if (standard_ACEs_only || !saw_user_obj) + lacl[0].a_perm = (perms >> 6) & S_IRWXO; + if (standard_ACEs_only || !saw_group_obj) + lacl[1].a_perm = (perms >> 3) & S_IRWXO; + if (standard_ACEs_only || !saw_other_obj) + lacl[2].a_perm = perms & S_IRWXO; + } /* If this is an old-style or non-Cygwin ACL, and secondary user and group entries exist in the ACL, fake a matching CLASS_OBJ entry. The CLASS_OBJ permissions are the or'ed permissions of the primary group permissions @@ -1041,21 +1055,6 @@ get_posix_access (PSECURITY_DESCRIPTOR psd, lacl[pos].a_perm = lacl[1].a_perm; /* == group perms */ aclsid[pos] = well_known_null_sid; } - /* If this is a just created file, and this is an ACL with only standard - entries, or if standard POSIX permissions are missing (probably no - inherited ACEs so created from a default DACL), assign the permissions - specified by the file creation mask. The values get masked by the - actually requested permissions by the caller per POSIX 1003.1e draft 17. */ - if (just_created) - { - mode_t perms = (S_IRWXU | S_IRWXG | S_IRWXO) & ~cygheap->umask; - if (standard_ACEs_only || !saw_user_obj) - lacl[0].a_perm = (perms >> 6) & S_IRWXO; - if (standard_ACEs_only || !saw_group_obj) - lacl[1].a_perm = (perms >> 3) & S_IRWXO; - if (standard_ACEs_only || !saw_other_obj) - lacl[2].a_perm = perms & S_IRWXO; - } /* Ensure that the default acl contains at least DEF_(USER|GROUP|OTHER)_OBJ entries. */ if (types_def && (pos = searchace (lacl, MAX_ACL_ENTRIES, 0)) >= 0) diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 7894a6038..819e43d86 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -449,6 +449,7 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr) tmp_pathbuf tp; aclent_t *aclp; int nentries, idx; + bool std_acl; if (!get_file_sd (handle, pc, sd, true)) { @@ -457,8 +458,8 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr) attr |= S_IFDIR; attr_rd = attr; aclp = (aclent_t *) tp.c_get (); - if ((nentries = get_posix_access (sd, &attr_rd, &uid, &gid, - aclp, MAX_ACL_ENTRIES)) >= 0) + if ((nentries = get_posix_access (sd, &attr_rd, &uid, &gid, aclp, + MAX_ACL_ENTRIES, &std_acl)) >= 0) { if (S_ISLNK (attr)) { @@ -466,8 +467,7 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr) aclp[0].a_perm = (attr >> 6) & S_IRWXO; if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0) aclp[idx].a_perm = (attr >> 3) & S_IRWXO; - if (nentries > MIN_ACL_ENTRIES - && (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0) + if ((idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0) aclp[idx].a_perm = (attr >> 3) & S_IRWXO; if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0) aclp[idx].a_perm = attr & S_IRWXO; @@ -477,10 +477,10 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr) /* Overwrite ACL permissions as required by POSIX 1003.1e draft 17. */ aclp[0].a_perm &= (attr >> 6) & S_IRWXO; - if (nentries > MIN_ACL_ENTRIES - && (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0) + if ((idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0) aclp[idx].a_perm &= (attr >> 3) & S_IRWXO; - else if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0) + if (std_acl + && (idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0) aclp[idx].a_perm &= (attr >> 3) & S_IRWXO; if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0) aclp[idx].a_perm &= attr & S_IRWXO;