From e2ea143083c2bd2e5142582309ff227bc68bee23 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Mon, 18 Apr 2016 12:07:04 +0200 Subject: [PATCH] Fix attempt to create ACLs without NULL SID Commit f75114fc was supposed to drop NULL SIDs in case the permissions are simple enough not to require mask values or special POSIX bits (S_ISVTX, etc). The check was incorrect. This patch is supposed to fix the problem. * sec_acl.cc (set_posix_access): Fix condition under which we write a NULL SID. Signed-off-by: Corinna Vinschen --- winsup/cygwin/sec_acl.cc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc index 28daadd68..138fd3e59 100644 --- a/winsup/cygwin/sec_acl.cc +++ b/winsup/cygwin/sec_acl.cc @@ -151,6 +151,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid, int idx, start_idx, tmp_idx; bool owner_eq_group = false; bool dev_has_admins = false; + bool has_class_obj; /* Initialize local security descriptor. */ RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION); @@ -339,6 +340,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid, tmp_idx = searchace (aclbufp, nentries, def | CLASS_OBJ); if (tmp_idx >= 0) { + has_class_obj = true; class_obj = aclbufp[tmp_idx].a_perm; access |= CYG_ACE_MASK_TO_WIN (class_obj); } @@ -346,6 +348,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid, { /* Setting class_obj to group_obj allows to write below code without additional checks for existence of a CLASS_OBJ. */ + has_class_obj = false; class_obj = group_obj; } /* Note that Windows filters the ACE Mask value so it only reflects @@ -358,9 +361,9 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid, no special bits set. In all other cases we either need the NULL SID ACE or we write it to avoid calls to AuthZ from get_posix_access. */ if (!S_ISCHR (attr) - && access != CYG_ACE_NEW_STYLE - && ((user_obj | group_obj | other_obj) != user_obj - || (group_obj | other_obj) != group_obj) + && (has_class_obj + || ((user_obj | group_obj | other_obj) != user_obj + || (group_obj | other_obj) != group_obj)) && !add_access_denied_ace (acl, access, well_known_null_sid, acl_len, inherit)) return NULL;