diff options
| -rw-r--r-- | winsup/cygwin/sec_acl.cc | 13 | ||||
| -rw-r--r-- | winsup/cygwin/security.cc | 7 |
2 files changed, 10 insertions, 10 deletions
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc index c8de174e0..8dd73b195 100644 --- a/winsup/cygwin/sec_acl.cc +++ b/winsup/cygwin/sec_acl.cc @@ -323,12 +323,12 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid, /* To check if the NULL SID deny ACE is required we need user_obj. */ tmp_idx = searchace (aclbufp, nentries, def | USER_OBJ); - user_obj = aclbufp[tmp_idx].a_perm; - /* To compute deny access masks, we need group_obj, other_obj and... */ - tmp_idx = searchace (aclbufp, nentries, def | GROUP_OBJ); /* No default entries present? */ if (tmp_idx < 0) break; + user_obj = aclbufp[tmp_idx].a_perm; + /* To compute deny access masks, we need group_obj, other_obj and... */ + tmp_idx = searchace (aclbufp, nentries, def | GROUP_OBJ); group_obj = aclbufp[tmp_idx].a_perm; tmp_idx = searchace (aclbufp, nentries, def | OTHER_OBJ); other_obj = aclbufp[tmp_idx].a_perm; @@ -800,6 +800,7 @@ get_posix_access (PSECURITY_DESCRIPTOR psd, aclsid[pos] = well_known_null_sid; } has_class_perm = true; + standard_ACEs_only = false; class_perm = lacl[pos].a_perm; } if (ace->Header.AceFlags & SUB_CONTAINERS_AND_OBJECTS_INHERIT) @@ -867,7 +868,8 @@ get_posix_access (PSECURITY_DESCRIPTOR psd, { type = GROUP_OBJ; lacl[1].a_id = gid = id; - owner_eq_group = true; + if (type == USER_OBJ) + owner_eq_group = true; } if (!(ace->Header.AceFlags & INHERIT_ONLY || type & ACL_DEFAULT)) { @@ -933,7 +935,8 @@ get_posix_access (PSECURITY_DESCRIPTOR psd, with a standard ACL, one only consisting of POSIX perms, plus SYSTEM and Admins as maximum non-POSIX perms entries. If it's a standard ACL, we apply umask. That's not entirely correct, - but it's probably the best we can do. */ + but it's probably the best we can do. Chmod also wants to + know this. See there for the details. */ else if (type & (USER | GROUP) && standard_ACEs_only && ace_sid != well_known_system_sid diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index b7330717a..ed8f9ac95 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -480,14 +480,11 @@ set_created_file_access (HANDLE handle, path_conv &pc, mode_t attr) /* Overwrite ACL permissions as required by POSIX 1003.1e draft 17. */ aclp[0].a_perm &= (attr >> 6) & S_IRWXO; - /* Deliberate deviation from POSIX 1003.1e here. We're not - writing CLASS_OBJ *or* GROUP_OBJ, but both. Otherwise we're - going to be in constant trouble with user expectations. */ - if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0) - aclp[idx].a_perm &= (attr >> 3) & S_IRWXO; if (nentries > MIN_ACL_ENTRIES && (idx = searchace (aclp, nentries, CLASS_OBJ)) >= 0) aclp[idx].a_perm &= (attr >> 3) & S_IRWXO; + else if ((idx = searchace (aclp, nentries, GROUP_OBJ)) >= 0) + aclp[idx].a_perm &= (attr >> 3) & S_IRWXO; if ((idx = searchace (aclp, nentries, OTHER_OBJ)) >= 0) aclp[idx].a_perm &= attr & S_IRWXO; } |