diff options
author | Corinna Vinschen <corinna@vinschen.de> | 2002-11-20 09:23:21 +0000 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2002-11-20 09:23:21 +0000 |
commit | dbcb75780a0346b6029f73e4cf77d0ca21efd6db (patch) | |
tree | fb105b96f5ed8d6a954e4c99946807170177c228 | |
parent | 03b65245db3457d7df414ea7b07c56594362c20a (diff) | |
download | newlib-dbcb75780a0346b6029f73e4cf77d0ca21efd6db.zip newlib-dbcb75780a0346b6029f73e4cf77d0ca21efd6db.tar.gz newlib-dbcb75780a0346b6029f73e4cf77d0ca21efd6db.tar.bz2 |
* security.cc (get_attribute_from_acl): Always test "anti",
just in case an access_denied ACE follows an access_allowed.
Handle the case owner_sid == group_sid, with a FIXME.
Remove unnecessary tests for non-NULL PSIDs.
(alloc_sd): Use existing owner and group sids if {ug}id == -1.
Handle case where owner_sid == group_sid.
Do not call is_grp_member. Try to preserve canonical ACE order.
Remove unnecessary tests for non-NULL PSIDs. Reorganize
debug_printf's.
(get_initgroups_sidlist): Put well_known_system_sid on left
side of ==.
(add_access_denied_ace): Only call GetAce if inherit != 0.
(add_access_allowed_ace): Ditto. Use appropriate sizeof.
* syscalls.cc (chown_worker): Pass {ug}id equal to -1 to
alloc_sd, which removes the need to obtain old_{ug}id.
(chmod): Remove call to get_file_attribute (), simply pass
{ug}id equal to -1 to alloc_sd.
-rw-r--r-- | winsup/cygwin/ChangeLog | 20 | ||||
-rw-r--r-- | winsup/cygwin/security.cc | 152 | ||||
-rw-r--r-- | winsup/cygwin/syscalls.cc | 31 |
3 files changed, 107 insertions, 96 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 6bfb81b..7e712d5 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,23 @@ +2002-11-20 Pierre Humblet <pierre.humblet@ieee.org> + + * security.cc (get_attribute_from_acl): Always test "anti", + just in case an access_denied ACE follows an access_allowed. + Handle the case owner_sid == group_sid, with a FIXME. + Remove unnecessary tests for non-NULL PSIDs. + (alloc_sd): Use existing owner and group sids if {ug}id == -1. + Handle case where owner_sid == group_sid. + Do not call is_grp_member. Try to preserve canonical ACE order. + Remove unnecessary tests for non-NULL PSIDs. Reorganize + debug_printf's. + (get_initgroups_sidlist): Put well_known_system_sid on left + side of ==. + (add_access_denied_ace): Only call GetAce if inherit != 0. + (add_access_allowed_ace): Ditto. Use appropriate sizeof. + * syscalls.cc (chown_worker): Pass {ug}id equal to -1 to + alloc_sd, which removes the need to obtain old_{ug}id. + (chmod): Remove call to get_file_attribute (), simply pass + {ug}id equal to -1 to alloc_sd. + 2002-11-20 Corinna Vinschen <corinna@vinschen.de> * poll.cc (poll): Don't set POLLERR if a listening socket has a diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index b7e70cf..37e2e66 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -449,7 +449,7 @@ get_user_primary_group (WCHAR *wlogonserver, const char *user, BOOL retval = FALSE; UCHAR count = 0; - if (pusersid == well_known_system_sid) + if (well_known_system_sid == pusersid) { pgrpsid = well_known_system_sid; return TRUE; @@ -540,7 +540,7 @@ get_initgroups_sidlist (cygsidlist &grp_list, { grp_list += well_known_world_sid; grp_list += well_known_authenticated_users_sid; - if (usersid == well_known_system_sid) + if (well_known_system_sid == usersid) { auth_pos = -1; grp_list += well_known_admins_sid; @@ -1238,19 +1238,17 @@ get_attribute_from_acl (int * attribute, PACL acl, PSID owner_sid, if (ace_sid == well_known_world_sid) { if (ace->Mask & FILE_READ_DATA) - *flags |= S_IROTH + *flags |= ((!(*anti & S_IROTH)) ? S_IROTH : 0) | ((!(*anti & S_IRGRP)) ? S_IRGRP : 0) | ((!(*anti & S_IRUSR)) ? S_IRUSR : 0); if (ace->Mask & FILE_WRITE_DATA) - *flags |= S_IWOTH + *flags |= ((!(*anti & S_IWOTH)) ? S_IWOTH : 0) | ((!(*anti & S_IWGRP)) ? S_IWGRP : 0) | ((!(*anti & S_IWUSR)) ? S_IWUSR : 0); if (ace->Mask & FILE_EXECUTE) - { - *flags |= S_IXOTH - | ((!(*anti & S_IXGRP)) ? S_IXGRP : 0) - | ((!(*anti & S_IXUSR)) ? S_IXUSR : 0); - } + *flags |= ((!(*anti & S_IXOTH)) ? S_IXOTH : 0) + | ((!(*anti & S_IXGRP)) ? S_IXGRP : 0) + | ((!(*anti & S_IXUSR)) ? S_IXUSR : 0); if ((*attribute & S_IFDIR) && (ace->Mask & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD)) == (FILE_WRITE_DATA | FILE_EXECUTE)) @@ -1266,31 +1264,39 @@ get_attribute_from_acl (int * attribute, PACL acl, PSID owner_sid, if (ace->Mask & FILE_APPEND_DATA) *flags |= S_ISUID; } - else if (owner_sid && ace_sid == owner_sid) + else if (ace_sid == owner_sid) { if (ace->Mask & FILE_READ_DATA) - *flags |= S_IRUSR; + *flags |= ((!(*anti & S_IRUSR)) ? S_IRUSR : 0); if (ace->Mask & FILE_WRITE_DATA) - *flags |= S_IWUSR; + *flags |= ((!(*anti & S_IWUSR)) ? S_IWUSR : 0); if (ace->Mask & FILE_EXECUTE) - *flags |= S_IXUSR; + *flags |= ((!(*anti & S_IXUSR)) ? S_IXUSR : 0); } - else if (group_sid && ace_sid == group_sid) + else if (ace_sid == group_sid) { if (ace->Mask & FILE_READ_DATA) - *flags |= S_IRGRP + *flags |= ((!(*anti & S_IRGRP)) ? S_IRGRP : 0) | ((grp_member && !(*anti & S_IRUSR)) ? S_IRUSR : 0); if (ace->Mask & FILE_WRITE_DATA) - *flags |= S_IWGRP + *flags |= ((!(*anti & S_IWGRP)) ? S_IWGRP : 0) | ((grp_member && !(*anti & S_IWUSR)) ? S_IWUSR : 0); if (ace->Mask & FILE_EXECUTE) - *flags |= S_IXGRP + *flags |= ((!(*anti & S_IXGRP)) ? S_IXGRP : 0) | ((grp_member && !(*anti & S_IXUSR)) ? S_IXUSR : 0); } } *attribute &= ~(S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX | S_ISGID | S_ISUID); + if (owner_sid && group_sid && EqualSid (owner_sid, group_sid) + /* FIXME: temporary exception for /var/empty */ + && well_known_system_sid != group_sid) + { + allow &= ~(S_IRGRP | S_IWGRP | S_IXGRP); + allow |= (((allow & S_IRUSR) ? S_IRGRP : 0) + | ((allow & S_IWUSR) ? S_IWGRP : 0) + | ((allow & S_IXUSR) ? S_IXGRP : 0)); + } *attribute |= allow; - *attribute &= ~deny; return; } @@ -1494,9 +1500,9 @@ add_access_allowed_ace (PACL acl, int offset, DWORD attributes, return FALSE; } ACCESS_ALLOWED_ACE *ace; - if (GetAce (acl, offset, (PVOID *) &ace)) + if (inherit && GetAce (acl, offset, (PVOID *) &ace)) ace->Header.AceFlags |= inherit; - len_add += sizeof (ACCESS_DENIED_ACE) - sizeof (DWORD) + GetLengthSid (sid); + len_add += sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + GetLengthSid (sid); return TRUE; } @@ -1510,7 +1516,7 @@ add_access_denied_ace (PACL acl, int offset, DWORD attributes, return FALSE; } ACCESS_DENIED_ACE *ace; - if (GetAce (acl, offset, (PVOID *) &ace)) + if (inherit && GetAce (acl, offset, (PVOID *) &ace)) ace->Header.AceFlags |= inherit; len_add += sizeof (ACCESS_DENIED_ACE) - sizeof (DWORD) + GetLengthSid (sid); return TRUE; @@ -1522,36 +1528,32 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, { BOOL dummy; - if (!wincap.has_security ()) - return NULL; - + debug_printf("uid %d, gid %d, attribute %x", uid, gid, attribute); if (!sd_ret || !sd_size_ret) { set_errno (EINVAL); return NULL; } + /* Get owner and group from current security descriptor. */ + PSID cur_owner_sid = NULL; + PSID cur_group_sid = NULL; + if (!GetSecurityDescriptorOwner (sd_ret, &cur_owner_sid, &dummy)) + debug_printf ("GetSecurityDescriptorOwner %E"); + if (!GetSecurityDescriptorGroup (sd_ret, &cur_group_sid, &dummy)) + debug_printf ("GetSecurityDescriptorGroup %E"); + /* Get SID of owner. */ cygsid owner_sid (NO_SID); /* Check for current user first */ if (uid == myself->uid) owner_sid = cygheap->user.sid (); - else + else if (uid == ILLEGAL_UID) + owner_sid = cur_owner_sid; + else if (!owner_sid.getfrompw (getpwuid32 (uid))) { - /* Otherwise retrieve user data from /etc/passwd */ - struct passwd *pw = getpwuid32 (uid); - if (!pw) - { - debug_printf ("no /etc/passwd entry for %d", uid); - set_errno (EINVAL); - return NULL; - } - else if (!owner_sid.getfrompw (pw)) - { - debug_printf ("no SID for user %d", uid); - set_errno (EINVAL); - return NULL; - } + set_errno (EINVAL); + return NULL; } owner_sid.debug_print ("alloc_sd: owner SID ="); @@ -1560,14 +1562,15 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, /* Check for current user first */ if (gid == myself->gid) group_sid = cygheap->user.groups.pgsid; - else - { - struct __group32 *grp = getgrgid32 (gid); - if (!grp) - debug_printf ("no /etc/group entry for %d", gid); - else if (!group_sid.getfromgr (grp)) - debug_printf ("no SID for group %d", gid); - } + else if (gid == ILLEGAL_GID) + group_sid = cur_group_sid; + else if (!group_sid.getfromgr (getgrgid32 (gid))) + { + set_errno (EINVAL); + return NULL; + } + group_sid.debug_print ("alloc_sd: group SID ="); + /* Initialize local security descriptor. */ SECURITY_DESCRIPTOR sd; PSECURITY_DESCRIPTOR psd = NULL; @@ -1594,7 +1597,7 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, } /* Create group for local security descriptor. */ - if (group_sid && !SetSecurityDescriptorGroup (&sd, group_sid, FALSE)) + if (!SetSecurityDescriptorGroup (&sd, group_sid, FALSE)) { __seterrno (); return NULL; @@ -1665,17 +1668,24 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, null_allow |= FILE_READ_DATA; } - /* Construct deny attributes for owner and group. */ - DWORD owner_deny = 0; - if (is_grp_member (uid, gid)) - owner_deny = ~owner_allow & (group_allow | other_allow); + /* Add owner and group permissions if SIDs are equal + and construct deny attributes for group and owner. */ + DWORD group_deny; + if (owner_sid == group_sid) + { + owner_allow |= group_allow; + group_allow = group_deny = 0L; + } else - owner_deny = ~owner_allow & other_allow; + { + group_deny = ~group_allow & other_allow; + group_deny &= ~(STANDARD_RIGHTS_READ + | FILE_READ_ATTRIBUTES | FILE_READ_EA); + } + DWORD owner_deny = ~owner_allow & (group_allow | other_allow); owner_deny &= ~(STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | FILE_READ_EA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA); - DWORD group_deny = ~group_allow & other_allow; - group_deny &= ~(STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | FILE_READ_EA); /* Construct appropriate inherit attribute. */ DWORD inherit = (attribute & S_IFDIR) ? SUB_CONTAINERS_AND_OBJECTS_INHERIT @@ -1686,18 +1696,28 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, && !add_access_denied_ace (acl, ace_off++, owner_deny, owner_sid, acl_len, inherit)) return NULL; + /* Set deny ACE for group here to respect the canonical order, + if this does not impact owner */ + if (group_deny && !(owner_allow & group_deny)) + { + if (!add_access_denied_ace (acl, ace_off++, group_deny, + group_sid, acl_len, inherit)) + return NULL; + group_deny = 0; + } /* Set allow ACE for owner. */ if (!add_access_allowed_ace (acl, ace_off++, owner_allow, owner_sid, acl_len, inherit)) return NULL; - /* Set deny ACE for group. */ + /* Set deny ACE for group, if still needed. */ if (group_deny && !add_access_denied_ace (acl, ace_off++, group_deny, group_sid, acl_len, inherit)) return NULL; /* Set allow ACE for group. */ - if (!add_access_allowed_ace (acl, ace_off++, group_allow, - group_sid, acl_len, inherit)) + if (group_allow + && !add_access_allowed_ace (acl, ace_off++, group_allow, + group_sid, acl_len, inherit)) return NULL; /* Set allow ACE for everyone. */ @@ -1710,14 +1730,6 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, well_known_null_sid, acl_len, NO_INHERITANCE)) return NULL; - /* Get owner and group from current security descriptor. */ - PSID cur_owner_sid = NULL; - PSID cur_group_sid = NULL; - if (!GetSecurityDescriptorOwner (sd_ret, &cur_owner_sid, &dummy)) - debug_printf ("GetSecurityDescriptorOwner %E"); - if (!GetSecurityDescriptorGroup (sd_ret, &cur_group_sid, &dummy)) - debug_printf ("GetSecurityDescriptorGroup %E"); - /* Fill ACL with unrelated ACEs from current security descriptor. */ PACL oacl; BOOL acl_exists; @@ -1729,10 +1741,10 @@ alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, { cygsid ace_sid ((PSID) &ace->SidStart); /* Check for related ACEs. */ - if ((cur_owner_sid && ace_sid == cur_owner_sid) - || (owner_sid && ace_sid == owner_sid) - || (cur_group_sid && ace_sid == cur_group_sid) - || (group_sid && ace_sid == group_sid) + if ((ace_sid == cur_owner_sid) + || (ace_sid == owner_sid) + || (ace_sid == cur_group_sid) + || (ace_sid == group_sid) || (ace_sid == well_known_world_sid) || (ace_sid == well_known_null_sid)) continue; diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc index 1c2a18b..94c4b08 100644 --- a/winsup/cygwin/syscalls.cc +++ b/winsup/cygwin/syscalls.cc @@ -773,8 +773,6 @@ static int chown_worker (const char *name, unsigned fmode, __uid32_t uid, __gid32_t gid) { int res; - __uid32_t old_uid; - __gid32_t old_gid; if (check_null_empty_str_errno (name)) return -1; @@ -806,20 +804,10 @@ chown_worker (const char *name, unsigned fmode, __uid32_t uid, __gid32_t gid) attrib |= S_IFDIR; res = get_file_attribute (win32_path.has_acls (), win32_path.get_win32 (), - (int *) &attrib, - &old_uid, - &old_gid); + (int *) &attrib); if (!res) - { - if (uid == ILLEGAL_UID) - uid = old_uid; - if (gid == ILLEGAL_GID) - gid = old_gid; - if (win32_path.isdir ()) - attrib |= S_IFDIR; - res = set_file_attribute (win32_path.has_acls (), win32_path, uid, - gid, attrib); - } + res = set_file_attribute (win32_path.has_acls (), win32_path, uid, + gid, attrib); if (res != 0 && (!win32_path.has_acls () || !allow_ntsec)) { /* fake - if not supported, pretend we're like win95 @@ -936,19 +924,10 @@ chmod (const char *path, mode_t mode) /* temporary erase read only bit, to be able to set file security */ SetFileAttributes (win32_path, (DWORD) win32_path & ~FILE_ATTRIBUTE_READONLY); - __uid32_t uid; - __gid32_t gid; - - if (win32_path.isdir ()) - mode |= S_IFDIR; - get_file_attribute (win32_path.has_acls (), - win32_path.get_win32 (), - NULL, &uid, &gid); - /* FIXME: Do we really need this to be specified twice? */ if (win32_path.isdir ()) mode |= S_IFDIR; - if (!set_file_attribute (win32_path.has_acls (), win32_path, uid, gid, - mode) + if (!set_file_attribute (win32_path.has_acls (), win32_path, + ILLEGAL_UID, ILLEGAL_GID, mode) && allow_ntsec) res = 0; |