Diffstat (limited to 'winsup/cygwin/sec/acl.cc')
-rw-r--r-- | winsup/cygwin/sec/acl.cc | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/winsup/cygwin/sec/acl.cc b/winsup/cygwin/sec/acl.cc
index fa4ea4c..129fe9a 100644
--- a/winsup/cygwin/sec/acl.cc
+++ b/winsup/cygwin/sec/acl.cc
@@ -219,10 +219,10 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 aclbufp[3].a_type = DEF_USER_OBJ;
 aclbufp[3].a_id = ACL_UNDEFINED_ID;
 aclbufp[3].a_perm = (attr >> 6) & S_IRWXO;
- aclbufp[4].a_type = GROUP_OBJ;
+ aclbufp[4].a_type = DEF_GROUP_OBJ;
 aclbufp[4].a_id = ACL_UNDEFINED_ID;
 aclbufp[4].a_perm = (attr >> 3) & S_IRWXO;
- aclbufp[5].a_type = OTHER_OBJ;
+ aclbufp[5].a_type = DEF_OTHER_OBJ;
 aclbufp[5].a_id = ACL_UNDEFINED_ID;
 aclbufp[5].a_perm = attr & S_IRWXO;
 nentries += MIN_ACL_ENTRIES;
@@ -256,7 +256,21 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 }
 }
 if (!aclsid[idx])
- aclsid[idx] = sidfromuid (aclbufp[idx].a_id, &cldap);
+ {
+ struct passwd *pw = internal_getpwuid (aclbufp[idx].a_id, &cldap);
+ if (pw)
+ {
+ /* Don't allow to pass special accounts as USER, only as
+ USER_OBJ, GROUP_OBJ, or GROUP */
+#define BUILTIN "U-BUILTIN\\"
+#define NT_AUTH "U-NT AUTHORITY\\"
+#define NT_SVC "U-NT SERVICE\\"
+ if (strncmp (pw->pw_gecos, BUILTIN, strlen (BUILTIN)) != 0
+ && strncmp (pw->pw_gecos, NT_AUTH, strlen (NT_AUTH)) != 0
+ && strncmp (pw->pw_gecos, NT_SVC, strlen (NT_SVC)) != 0)
+ aclsid[idx] = (PSID) ((pg_pwd *) pw)->sid;
+ }
+ }
 break;
 case GROUP_OBJ:
 aclsid[idx] = group; |
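Review bot: The special-account filter added in the second hunk decides by the textual prefix of `pw->pw_gecos` rather than by the SID it then stores, so the restriction is only as reliable as the gecos field; if passwd entries can come from a locally maintained file, an entry with a missing or differently formatted gecos would presumably pass the check. Since `((pg_pwd *) pw)->sid` is already at hand, testing that SID's identifier authority and first subauthority would make the rule independent of the string, and a `pw->pw_gecos &&` guard would keep `strncmp` away from a null field if one is possible. When `pw` is null or the account is rejected, `aclsid[idx]` stays unset with no error raised in this hunk; the enclosing switch and the code after it lie outside the hunk, so it is worth confirming that the call then fails rather than writing the ACL without that entry. The three `#define`s also remain defined for the rest of the file; `#undef` them after the `if`, or use local `static const char` arrays instead.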