author | Pierre Humblet <phumblet@phumblet.no-ip.org> | 2003-09-16 00:45:50 +0000 |
---|---|---|
committer | Pierre Humblet <phumblet@phumblet.no-ip.org> | 2003-09-16 00:45:50 +0000 |
commit | c61ada9bd3d29734cce244a5cd39ec2cc5882454 (patch) | |
tree | bb2c018a739c09593a939283b29cb410ddc82b18 /winsup/cygwin/sec_helper.cc | |
parent | a9993197f2d23aeb89a9546a5051addd37e1563c (diff) | |
2003-09-15 Pierre Humblet <pierre.humblet@ieee.org>
* security.h (__sec_user): Add "access2" argument.
(sec_acl): Add "original" and "access2" arguments.
(sec_user): Add "sid2" and "access2" arguments. Remove dependence on
allow_ntsec.
(sec_user_nih): Ditto.
* sec_helper.cc (__sec_user): Add "has_security" test.
Call sec_acl with new arguments, letting it handle original_sid.
(sec_acl): Add "original" and "access2" arguments. Handle original_sid
depending on flag but avoiding duplicates. Use "access2" for sid2.
* pinfo.cc (pinfo::init): Use security attributes created by sec_user
when creating the mapping.
* security.cc (create_token): Adjust arguments in call to sec_acl.
Call sec_user instead of __sec_user.
* syscall.cc (seteuid32): Adjust arguments in call to sec_acl. Remove
now unnecessary test. Remove useless conversions to psid.
* dcrt0.cc (dll_crt0_1): Call cygsid::init before pinfo_init.
Diffstat (limited to 'winsup/cygwin/sec_helper.cc')
-rw-r--r-- | winsup/cygwin/sec_helper.cc | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index c8c627ae1..70817c5c5 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -372,23 +372,29 @@ get_null_sd ()
 }
 
 BOOL
-sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2)
+sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
 {
 size_t acl_len = MAX_DACL_LEN(5);
+ cygpsid psid;
 
 if (!InitializeAcl (acl, acl_len, ACL_REVISION))
 {
 debug_printf ("InitializeAcl %E");
 return FALSE;
 }
- if (sid2)
- if (!AddAccessAllowedAce (acl, ACL_REVISION,
- GENERIC_ALL, sid2))
- debug_printf ("AddAccessAllowedAce(sid2) %E");
 if (sid1)
 if (!AddAccessAllowedAce (acl, ACL_REVISION,
 GENERIC_ALL, sid1))
 debug_printf ("AddAccessAllowedAce(sid1) %E");
+ if (original && (psid = cygheap->user.orig_sid ())
+ && psid != sid1 && psid != well_known_system_sid)
+ if (!AddAccessAllowedAce (acl, ACL_REVISION,
+ GENERIC_ALL, psid))
+ debug_printf ("AddAccessAllowedAce(original) %E");
+ if (sid2)
+ if (!AddAccessAllowedAce (acl, ACL_REVISION,
+ access2, sid2))
+ debug_printf ("AddAccessAllowedAce(sid2) %E");
 if (admins)
 if (!AddAccessAllowedAce (acl, ACL_REVISION,
 GENERIC_ALL, well_known_admins_sid))
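Review bot: The duplicate check on the new original-SID ACE compares `psid` only with `sid1` and `well_known_system_sid`, not with `sid2`, so when `sid2` is the original user the ACL ends up with both a `GENERIC_ALL` ACE and an `access2` ACE for the same SID. Access-allowed ACEs accumulate, so `access2` does not limit that SID in this case, and the same holds when `sid2` equals `sid1`. If that is intended, a comment above the `if (sid2)` block would make it explicit, e.g. `/* access2 only limits sid2 when sid2 differs from every SID that gets GENERIC_ALL here. */`. Up to five ACEs can now be added, which is exactly what `MAX_DACL_LEN(5)` allows for, so any further ACE needs that constant raised. `AddAccessAllowedAce` failures are still only logged and the function returns `TRUE`, so callers cannot tell when an intended ACE is missing.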
@@ -396,26 +402,18 @@ sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2)
 if (!AddAccessAllowedAce (acl, ACL_REVISION,
 GENERIC_ALL, well_known_system_sid))
 debug_printf ("AddAccessAllowedAce(system) %E");
-#if 0 /* Does not seem to help */
- if (!AddAccessAllowedAce (acl, ACL_REVISION,
- GENERIC_ALL, well_known_creator_owner_sid))
- debug_printf ("AddAccessAllowedAce(creator_owner) %E");
-#endif
 return TRUE;
 }
 
 PSECURITY_ATTRIBUTES __stdcall
-__sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
+__sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
 {
 PSECURITY_ATTRIBUTES psa = (PSECURITY_ATTRIBUTES) sa_buf;
 PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR)
 ((char *) sa_buf + sizeof (*psa));
 PACL acl = (PACL) ((char *) sa_buf + sizeof (*psa) + sizeof (*psd));
 
- cygsid sid;
-
- if (!(sid = cygheap->user.orig_sid ()) ||
- (!sec_acl (acl, TRUE, sid, sid2)))
+ if (!wincap.has_security () || !sec_acl (acl, true, true, sid1, sid2, access2))
 return inherit ? &sec_none : &sec_none_nih;
 
 if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION)) |
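Review bot: With the `orig_sid ()` null check dropped from `__sec_user`, a call where `sid1` is null and `cygheap->user.orig_sid ()` is also null no longer falls back to `sec_none`; judging by the `sec_acl` body in the previous hunk, it would build a DACL holding only the admins and system ACEs (plus `sid2` if given). The old code returned the default attributes in that case, so an object created in that state could end up inaccessible to the user that created it. If that state is reachable, keep the guard, e.g. `if (!wincap.has_security () || (!sid1 && !cygheap->user.orig_sid ()) || !sec_acl (acl, true, true, sid1, sid2, access2))`; otherwise a comment stating that callers must pass a valid `sid1` would do. The two bare `true` arguments are also hard to read at the call site and deserve `/* original */` and `/* admins */` markers. The body of `__sec_user` continues past the end of the hunk.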