* advapi32.cc: Add comment.

(EqualSid): Remove.
	(CopySid): Remove.
	(AddAccessAllowedAce): Remove.
	(AddAccessDeniedAce): Remove.
	(MakeSelfRelativeSD): Remove.
	* flock.cc: Replace above functions throughout with their ntdll.dll
	equivalent.
	* sec_acl.cc: Ditto.
	* sec_auth.cc: Ditto.
	* sec_helper.cc: Ditto.
	* security.cc: Ditto.
	* security.h: Ditto.
	(RtlEqualSid): Declare.  Explain why.
	(RtlCopySid): Ditto.
This commit is contained in:
Corinna Vinschen 2011-04-29 10:38:12 +00:00
parent 3e8e0c33c0
commit 5735d5f6f4
8 changed files with 97 additions and 80 deletions

View File

@ -1,3 +1,21 @@
2011-04-29 Corinna Vinschen <corinna@vinschen.de>
* advapi32.cc: Add comment.
(EqualSid): Remove.
(CopySid): Remove.
(AddAccessAllowedAce): Remove.
(AddAccessDeniedAce): Remove.
(MakeSelfRelativeSD): Remove.
* flock.cc: Replace above functions throughout with their ntdll.dll
equivalent.
* sec_acl.cc: Ditto.
* sec_auth.cc: Ditto.
* sec_helper.cc: Ditto.
* security.cc: Ditto.
* security.h: Ditto.
(RtlEqualSid): Declare. Explain why.
(RtlCopySid): Ditto.
2011-04-29 Corinna Vinschen <corinna@vinschen.de>
* advapi32.cc (AccessCheck): Remove.

View File

@ -19,40 +19,10 @@ details. */
SetLastError (RtlNtStatusToDosError (status)); \
return NT_SUCCESS (status);
BOOL WINAPI
EqualSid (PSID sid1, PSID sid2)
{
return !!RtlEqualSid (sid1, sid2);
}
BOOL WINAPI
CopySid (DWORD len, PSID dest, PSID src)
{
NTSTATUS status = RtlCopySid (len, dest, src);
DEFAULT_NTSTATUS_TO_BOOL_RETURN
}
BOOL WINAPI
AddAccessAllowedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
{
NTSTATUS status = RtlAddAccessAllowedAce (acl, revision, mask, sid);
DEFAULT_NTSTATUS_TO_BOOL_RETURN
}
BOOL WINAPI
AddAccessDeniedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
{
NTSTATUS status = RtlAddAccessDeniedAce (acl, revision, mask, sid);
DEFAULT_NTSTATUS_TO_BOOL_RETURN
}
BOOL WINAPI
MakeSelfRelativeSD (PSECURITY_DESCRIPTOR abs_sd, PSECURITY_DESCRIPTOR rel_sd,
LPDWORD len)
{
NTSTATUS status = RtlAbsoluteToSelfRelativeSD (abs_sd, rel_sd, len);
DEFAULT_NTSTATUS_TO_BOOL_RETURN
}
/* This file should only contain non-trivial implementations of advapi32
functions, or advapi32 functions for which the ntdll.dll equivalent
is not easy to understand. In all other case, use the ntdll.dll
equivalent. */
BOOL WINAPI
RevertToSelf ()

View File

@ -171,10 +171,11 @@ allow_others_to_sync ()
dacl = (PACL) ((char *) sd + (uintptr_t) sd->Dacl);
dacl->AclSize = NT_MAX_PATH * sizeof (WCHAR) - ((char *) dacl - (char *) sd);
/* Allow everyone to SYNCHRONIZE with this process. */
if (!AddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE,
well_known_world_sid))
status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE,
well_known_world_sid);
if (!NT_SUCCESS (status))
{
debug_printf ("AddAccessAllowedAce: %lu", GetLastError ());
debug_printf ("RtlAddAccessAllowedAce: %p", status);
return;
}
/* Set the size of the DACL correctly. */

View File

@ -211,7 +211,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
}
/* Make self relative security descriptor in sd_ret. */
DWORD sd_size = 0;
MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
if (sd_size <= 0)
{
__seterrno ();
@ -222,9 +222,10 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
set_errno (ENOMEM);
return -1;
}
if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
if (!NT_SUCCESS (status))
{
__seterrno ();
__seterrno_from_nt_status (status);
return -1;
}
debug_printf ("Created SD-Size: %d", sd_ret.size ());

View File

@ -1047,13 +1047,14 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
dacl = (PACL) alloca (dsize);
if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION)))
goto out;
if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, usersid))
if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
usersid)))
goto out;
if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
well_known_admins_sid))
if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
well_known_admins_sid)))
goto out;
if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
well_known_system_sid))
if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
well_known_system_sid)))
goto out;
/* Evaluate authinf size and allocate authinf. */
@ -1096,8 +1097,8 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
/* User SID */
authinf->inf.User.User.Sid = offset;
authinf->inf.User.User.Attributes = 0;
CopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
usersid);
RtlCopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
usersid);
offset += RtlLengthSid (usersid);
/* Groups */
authinf->inf.Groups = offset;
@ -1119,16 +1120,16 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
if (wincap.needs_logon_sid_in_sid_list ()
&& tmp_gsids.sids[tmpidx] == fake_logon_sid)
gsids->Groups[i].Attributes += SE_GROUP_LOGON_ID;
CopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
(PSID) ((PBYTE) &authinf->inf + sids_offset),
tmp_gsids.sids[tmpidx]);
RtlCopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
(PSID) ((PBYTE) &authinf->inf + sids_offset),
tmp_gsids.sids[tmpidx]);
sids_offset += RtlLengthSid (tmp_gsids.sids[tmpidx]);
}
offset += gsize;
/* Primary Group SID */
authinf->inf.PrimaryGroup.PrimaryGroup = offset;
CopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
pgrpsid);
RtlCopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
pgrpsid);
offset += RtlLengthSid (pgrpsid);
/* Privileges */
authinf->inf.Privileges = offset;

View File

@ -504,25 +504,35 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
return false;
}
if (sid1)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, sid1))
debug_printf ("AddAccessAllowedAce(sid1) %E");
{
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, sid1);
if (!NT_SUCCESS (status))
debug_printf ("RtlAddAccessAllowedAce(sid1) %p", status);
}
if (original && (psid = cygheap->user.saved_sid ())
&& psid != sid1 && psid != well_known_system_sid)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, psid))
debug_printf ("AddAccessAllowedAce(original) %E");
{
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, psid);
if (!NT_SUCCESS (status))
debug_printf ("RtlAddAccessAllowedAce(original) %p", status);
}
if (sid2)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
access2, sid2))
debug_printf ("AddAccessAllowedAce(sid2) %E");
{
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, access2, sid2);
if (!NT_SUCCESS (status))
debug_printf ("RtlAddAccessAllowedAce(sid2) %p", status);
}
if (admins)
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, well_known_admins_sid))
debug_printf ("AddAccessAllowedAce(admin) %E");
if (!AddAccessAllowedAce (acl, ACL_REVISION,
GENERIC_ALL, well_known_system_sid))
debug_printf ("AddAccessAllowedAce(system) %E");
{
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
well_known_admins_sid);
if (!NT_SUCCESS (status))
debug_printf ("RtlAddAccessAllowedAce(admin) %p", status);
}
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
well_known_system_sid);
if (!NT_SUCCESS (status))
debug_printf ("RtlAddAccessAllowedAce(system) %p", status);
status = RtlFirstFreeAce (acl, &pAce);
if (NT_SUCCESS (status) && pAce)
acl->AclSize = (char *) pAce - (char *) acl;
@ -574,10 +584,11 @@ _everyone_sd (void *buf, ACCESS_MASK access)
RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
PACL dacl = (PACL) (psd + 1);
RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
if (!AddAccessAllowedAce (dacl, ACL_REVISION, access,
well_known_world_sid))
status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, access,
well_known_world_sid);
if (!NT_SUCCESS (status))
{
debug_printf ("AddAccessAllowedAce: %lu", GetLastError ());
debug_printf ("RtlAddAccessAllowedAce: %p", status);
return NULL;
}
LPVOID ace;

View File

@ -316,7 +316,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
}
}
*attribute &= ~(S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX | S_ISGID | S_ISUID);
if (owner_sid && group_sid && EqualSid (owner_sid, group_sid)
if (owner_sid && group_sid && RtlEqualSid (owner_sid, group_sid)
/* FIXME: temporary exception for /var/empty */
&& well_known_system_sid != group_sid)
{
@ -469,9 +469,10 @@ bool
add_access_allowed_ace (PACL acl, int offset, DWORD attributes,
PSID sid, size_t &len_add, DWORD inherit)
{
if (!AddAccessAllowedAce (acl, ACL_REVISION, attributes, sid))
NTSTATUS status = RtlAddAccessAllowedAce (acl, ACL_REVISION, attributes, sid);
if (!NT_SUCCESS (status))
{
__seterrno ();
__seterrno_from_nt_status (status);
return false;
}
ACCESS_ALLOWED_ACE *ace;
@ -485,9 +486,10 @@ bool
add_access_denied_ace (PACL acl, int offset, DWORD attributes,
PSID sid, size_t &len_add, DWORD inherit)
{
if (!AddAccessDeniedAce (acl, ACL_REVISION, attributes, sid))
NTSTATUS status = RtlAddAccessDeniedAce (acl, ACL_REVISION, attributes, sid);
if (!NT_SUCCESS (status))
{
__seterrno ();
__seterrno_from_nt_status (status);
return false;
}
ACCESS_DENIED_ACE *ace;
@ -839,7 +841,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
/* Make self relative security descriptor. */
DWORD sd_size = 0;
MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
if (sd_size <= 0)
{
__seterrno ();
@ -850,9 +852,10 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
set_errno (ENOMEM);
return NULL;
}
if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
if (!NT_SUCCESS (status))
{
__seterrno ();
__seterrno_from_nt_status (status);
return NULL;
}
debug_printf ("Created SD-Size: %u", sd_ret.size ());

View File

@ -95,6 +95,18 @@ cygpsid NO_COPY name = (PSID) &name##_struct;
#define FILE_WRITE_BITS (FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL)
#define FILE_EXEC_BITS (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)
#ifdef __cplusplus
extern "C"
{
#endif
/* We need these declarations, otherwise g++ complains that the below
inline methods use an undefined function, if ntdll.h isn't included. */
BOOLEAN NTAPI RtlEqualSid (PSID, PSID);
NTSTATUS NTAPI RtlCopySid (ULONG, PSID, PSID);
#ifdef __cplusplus
}
#endif
class cygpsid {
protected:
PSID psid;
@ -114,7 +126,7 @@ public:
{
if (!psid || !nsid)
return nsid == psid;
return EqualSid (psid, nsid);
return RtlEqualSid (psid, nsid);
}
bool operator!= (const PSID nsid) const
{ return !(*this == nsid); }
@ -143,7 +155,7 @@ class cygsid : public cygpsid {
else
{
psid = (PSID) sbuf;
CopySid (MAX_SID_LEN, psid, nsid);
RtlCopySid (MAX_SID_LEN, psid, nsid);
well_known_sid = well_known;
}
return psid;