authorCorinna Vinschen <corinna@vinschen.de>2025-03-30 21:56:33 +0200
committerCorinna Vinschen <corinna@vinschen.de>2025-03-30 21:59:57 +0200
commit98112b9f6f90dbce1ded637dd533ff0f5a1dffa9 (patch)
tree606f895699f8b15c023512970736fa6b094481d9
parentaa481e001636389c28458e18250e42a24bfcb272 (diff)
Cygwin: ACLs: don't allow special accounts as USER entry
While accounts from the BUILTIN, NT AUTHORITY, and NT SERVICE domains can be owner of a file, they are always treated as group entries if they show up as additional entries in a Windows ACL. Consequently, it shouldn't be possible to add or remove them as USER entry, for instance, via setfacl. Add a check to disallow BUILTIN, NT AUTHORITY, and NT SERVICE accounts as USER entries in a POSIX ACL. Fixes: bc444e5aa4ca ("Reapply POSIX ACL changes.") Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
-rw-r--r--winsup/cygwin/release/3.6.13
-rw-r--r--winsup/cygwin/sec/acl.cc16
2 files changed, 18 insertions, 1 deletions
diff --git a/winsup/cygwin/release/3.6.1 b/winsup/cygwin/release/3.6.1
index c1dbbfb..7a6afe6 100644
--- a/winsup/cygwin/release/3.6.1
+++ b/winsup/cygwin/release/3.6.1
@@ -20,3 +20,6 @@ Fixes:
Addresses: https://cygwin.com/pipermail/cygwin/2025-March/257783.html
- Fix reference counting when dlopen/dlclose a DLL with RTLD_NODELETE.
+
+- Disallow accounts from the BUILTIN, NT AUTHORITY, NT SERVICE domains
+ as USER entry in a POSIX ACL. Only allow USER_OBJ, GROUP_OBJ and GROUP.
diff --git a/winsup/cygwin/sec/acl.cc b/winsup/cygwin/sec/acl.cc
index 5d27a91..129fe9a 100644
--- a/winsup/cygwin/sec/acl.cc
+++ b/winsup/cygwin/sec/acl.cc
@@ -256,7 +256,21 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
}
}
if (!aclsid[idx])
- aclsid[idx] = sidfromuid (aclbufp[idx].a_id, &cldap);
+ {
+ struct passwd *pw = internal_getpwuid (aclbufp[idx].a_id, &cldap);
+ if (pw)
+ {
+ /* Don't allow to pass special accounts as USER, only as
+ USER_OBJ, GROUP_OBJ, or GROUP */
+#define BUILTIN "U-BUILTIN\\"
+#define NT_AUTH "U-NT AUTHORITY\\"
+#define NT_SVC "U-NT SERVICE\\"
+ if (strncmp (pw->pw_gecos, BUILTIN, strlen (BUILTIN)) != 0
+ && strncmp (pw->pw_gecos, NT_AUTH, strlen (NT_AUTH)) != 0
+ && strncmp (pw->pw_gecos, NT_SVC, strlen (NT_SVC)) != 0)
+ aclsid[idx] = (PSID) ((pg_pwd *) pw)->sid;
+ }
+ }
break;
case GROUP_OBJ:
aclsid[idx] = group;
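Review bot: The new USER-entry check decides whether an account is special by prefix-matching the text of `pw->pw_gecos` against `"U-BUILTIN\\"`, `"U-NT AUTHORITY\\"` and `"U-NT SERVICE\\"`, so the restriction is only as reliable as the contents of that field. If a passwd entry can reach this point with a gecos that is not in the generated `U-DOMAIN\name` form (presumably possible when entries come from a locally maintained passwd file; to be confirmed), the same account would pass the check. Testing the SID already at hand in `((pg_pwd *) pw)->sid` for these authorities would not depend on the string, and a NULL `pw_gecos` would need a guard before `strncmp` if it can occur. Both rejection paths (no `pw`, or a special account) only leave `aclsid[idx]` NULL and the handling of that NULL is outside the hunk, so a comment such as `/* special account or unknown uid: aclsid[idx] stays NULL */` would make the intent visible. The three `#define`s sit inside the function body with no `#undef`, so `BUILTIN`, `NT_AUTH` and `NT_SVC` remain defined for the rest of acl.cc; function-local `static const char` arrays would keep them scoped.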