* security.cc (get_attribute_from_acl): Don't spill Everyone permissions

into group permissions if owner SID == group SID. (alloc_sd): Add parenthesis for clarity.
2015-03-02 10:52:07 +00:00 · 2015-03-02 10:52:07 +00:00 · f9f1fbe47e
parent 583d56ee20
commit f9f1fbe47e
2 changed files with 12 additions and 5 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,9 @@
+2015-03-02  Corinna Vinschen  <corinna@vinschen.de>
+
+	* security.cc (get_attribute_from_acl): Don't spill Everyone permissions
+	into group permissions if owner SID == group SID.
+	(alloc_sd): Add parenthesis for clarity.
+
 2015-02-28  Corinna Vinschen  <corinna@vinschen.de>

 	* uinfo.cc (pwdgrp::add_line): Return NULL if parsing a line failed.
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@ -242,6 +242,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
  mode_t allow = 0;
  mode_t deny = 0;
  mode_t *flags, *anti;
+  bool isownergroup = RtlEqualSid (owner_sid, group_sid);

  for (DWORD i = 0; i < acl->AceCount; ++i)
    {
@ -268,15 +269,15 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
 	{
 	  if (ace->Mask & FILE_READ_BITS)
 	    *flags |= ((!(*anti & S_IROTH)) ? S_IROTH : 0)
-		      | ((!(*anti & S_IRGRP)) ? S_IRGRP : 0)
+		      | ((!isownergroup && !(*anti & S_IRGRP)) ? S_IRGRP : 0)
 		      | ((!(*anti & S_IRUSR)) ? S_IRUSR : 0);
 	  if (ace->Mask & FILE_WRITE_BITS)
 	    *flags |= ((!(*anti & S_IWOTH)) ? S_IWOTH : 0)
-		      | ((!(*anti & S_IWGRP)) ? S_IWGRP : 0)
+		      | ((!isownergroup && !(*anti & S_IWGRP)) ? S_IWGRP : 0)
 		      | ((!(*anti & S_IWUSR)) ? S_IWUSR : 0);
 	  if (ace->Mask & FILE_EXEC_BITS)
 	    *flags |= ((!(*anti & S_IXOTH)) ? S_IXOTH : 0)
-		      | ((!(*anti & S_IXGRP)) ? S_IXGRP : 0)
+		      | ((!isownergroup && !(*anti & S_IXGRP)) ? S_IXGRP : 0)
 		      | ((!(*anti & S_IXUSR)) ? S_IXUSR : 0);
 	  if ((S_ISDIR (*attribute)) &&
 	      (ace->Mask & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD))
@ -302,7 +303,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
 	  if (ace->Mask & FILE_EXEC_BITS)
 	    *flags |= ((!(*anti & S_IXUSR)) ? S_IXUSR : 0);
 	  /* Apply deny mask to group if group SID == owner SID. */
-	  if (group_sid && RtlEqualSid (owner_sid, group_sid)
+	  if (group_sid && isownergroup
 	      && ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)
 	    {
 	      if (ace->Mask & FILE_READ_BITS)
@ -708,7 +709,7 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
 			       owner_sid, acl_len, NO_INHERITANCE))
    return NULL;
  /* Set deny ACE for group, if still needed. */
-  if (group_deny & owner_allow && !isownergroup
+  if ((group_deny & owner_allow) && !isownergroup
      && !add_access_denied_ace (acl, ace_off++, group_deny,
 				 group_sid, acl_len, NO_INHERITANCE))
    return NULL;