diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 08ca56dbc..be061759d 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,21 @@ +2011-04-29 Corinna Vinschen + + * advapi32.cc: Add comment. + (EqualSid): Remove. + (CopySid): Remove. + (AddAccessAllowedAce): Remove. + (AddAccessDeniedAce): Remove. + (MakeSelfRelativeSD): Remove. + * flock.cc: Replace above functions throughout with their ntdll.dll + equivalent. + * sec_acl.cc: Ditto. + * sec_auth.cc: Ditto. + * sec_helper.cc: Ditto. + * security.cc: Ditto. + * security.h: Ditto. + (RtlEqualSid): Declare. Explain why. + (RtlCopySid): Ditto. + 2011-04-29 Corinna Vinschen * advapi32.cc (AccessCheck): Remove. diff --git a/winsup/cygwin/advapi32.cc b/winsup/cygwin/advapi32.cc index fba18baa8..47913a031 100644 --- a/winsup/cygwin/advapi32.cc +++ b/winsup/cygwin/advapi32.cc @@ -19,40 +19,10 @@ details. */ SetLastError (RtlNtStatusToDosError (status)); \ return NT_SUCCESS (status); -BOOL WINAPI -EqualSid (PSID sid1, PSID sid2) -{ - return !!RtlEqualSid (sid1, sid2); -} - -BOOL WINAPI -CopySid (DWORD len, PSID dest, PSID src) -{ - NTSTATUS status = RtlCopySid (len, dest, src); - DEFAULT_NTSTATUS_TO_BOOL_RETURN -} - -BOOL WINAPI -AddAccessAllowedAce (PACL acl, DWORD revision, DWORD mask, PSID sid) -{ - NTSTATUS status = RtlAddAccessAllowedAce (acl, revision, mask, sid); - DEFAULT_NTSTATUS_TO_BOOL_RETURN -} - -BOOL WINAPI -AddAccessDeniedAce (PACL acl, DWORD revision, DWORD mask, PSID sid) -{ - NTSTATUS status = RtlAddAccessDeniedAce (acl, revision, mask, sid); - DEFAULT_NTSTATUS_TO_BOOL_RETURN -} - -BOOL WINAPI -MakeSelfRelativeSD (PSECURITY_DESCRIPTOR abs_sd, PSECURITY_DESCRIPTOR rel_sd, - LPDWORD len) -{ - NTSTATUS status = RtlAbsoluteToSelfRelativeSD (abs_sd, rel_sd, len); - DEFAULT_NTSTATUS_TO_BOOL_RETURN -} +/* This file should only contain non-trivial implementations of advapi32 + functions, or advapi32 functions for which the ntdll.dll equivalent + is not easy to understand. In all other case, use the ntdll.dll + equivalent. */ BOOL WINAPI RevertToSelf () diff --git a/winsup/cygwin/flock.cc b/winsup/cygwin/flock.cc index 90128175f..970bde6c1 100644 --- a/winsup/cygwin/flock.cc +++ b/winsup/cygwin/flock.cc @@ -171,10 +171,11 @@ allow_others_to_sync () dacl = (PACL) ((char *) sd + (uintptr_t) sd->Dacl); dacl->AclSize = NT_MAX_PATH * sizeof (WCHAR) - ((char *) dacl - (char *) sd); /* Allow everyone to SYNCHRONIZE with this process. */ - if (!AddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE, - well_known_world_sid)) + status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE, + well_known_world_sid); + if (!NT_SUCCESS (status)) { - debug_printf ("AddAccessAllowedAce: %lu", GetLastError ()); + debug_printf ("RtlAddAccessAllowedAce: %p", status); return; } /* Set the size of the DACL correctly. */ diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc index ef5822b73..3499476c3 100644 --- a/winsup/cygwin/sec_acl.cc +++ b/winsup/cygwin/sec_acl.cc @@ -211,7 +211,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp, } /* Make self relative security descriptor in sd_ret. */ DWORD sd_size = 0; - MakeSelfRelativeSD (&sd, sd_ret, &sd_size); + RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size); if (sd_size <= 0) { __seterrno (); @@ -222,9 +222,10 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp, set_errno (ENOMEM); return -1; } - if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size)) + status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size); + if (!NT_SUCCESS (status)) { - __seterrno (); + __seterrno_from_nt_status (status); return -1; } debug_printf ("Created SD-Size: %d", sd_ret.size ()); diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index 575a1d3c1..78fa52767 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -1047,13 +1047,14 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw) dacl = (PACL) alloca (dsize); if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION))) goto out; - if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, usersid)) + if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, + usersid))) goto out; - if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, - well_known_admins_sid)) + if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, + well_known_admins_sid))) goto out; - if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, - well_known_system_sid)) + if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, + well_known_system_sid))) goto out; /* Evaluate authinf size and allocate authinf. */ @@ -1096,8 +1097,8 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw) /* User SID */ authinf->inf.User.User.Sid = offset; authinf->inf.User.User.Attributes = 0; - CopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset), - usersid); + RtlCopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset), + usersid); offset += RtlLengthSid (usersid); /* Groups */ authinf->inf.Groups = offset; @@ -1119,16 +1120,16 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw) if (wincap.needs_logon_sid_in_sid_list () && tmp_gsids.sids[tmpidx] == fake_logon_sid) gsids->Groups[i].Attributes += SE_GROUP_LOGON_ID; - CopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]), - (PSID) ((PBYTE) &authinf->inf + sids_offset), - tmp_gsids.sids[tmpidx]); + RtlCopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]), + (PSID) ((PBYTE) &authinf->inf + sids_offset), + tmp_gsids.sids[tmpidx]); sids_offset += RtlLengthSid (tmp_gsids.sids[tmpidx]); } offset += gsize; /* Primary Group SID */ authinf->inf.PrimaryGroup.PrimaryGroup = offset; - CopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset), - pgrpsid); + RtlCopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset), + pgrpsid); offset += RtlLengthSid (pgrpsid); /* Privileges */ authinf->inf.Privileges = offset; diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index 413983889..c3531d321 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -504,25 +504,35 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces return false; } if (sid1) - if (!AddAccessAllowedAce (acl, ACL_REVISION, - GENERIC_ALL, sid1)) - debug_printf ("AddAccessAllowedAce(sid1) %E"); + { + status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, sid1); + if (!NT_SUCCESS (status)) + debug_printf ("RtlAddAccessAllowedAce(sid1) %p", status); + } if (original && (psid = cygheap->user.saved_sid ()) && psid != sid1 && psid != well_known_system_sid) - if (!AddAccessAllowedAce (acl, ACL_REVISION, - GENERIC_ALL, psid)) - debug_printf ("AddAccessAllowedAce(original) %E"); + { + status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, psid); + if (!NT_SUCCESS (status)) + debug_printf ("RtlAddAccessAllowedAce(original) %p", status); + } if (sid2) - if (!AddAccessAllowedAce (acl, ACL_REVISION, - access2, sid2)) - debug_printf ("AddAccessAllowedAce(sid2) %E"); + { + status = RtlAddAccessAllowedAce (acl, ACL_REVISION, access2, sid2); + if (!NT_SUCCESS (status)) + debug_printf ("RtlAddAccessAllowedAce(sid2) %p", status); + } if (admins) - if (!AddAccessAllowedAce (acl, ACL_REVISION, - GENERIC_ALL, well_known_admins_sid)) - debug_printf ("AddAccessAllowedAce(admin) %E"); - if (!AddAccessAllowedAce (acl, ACL_REVISION, - GENERIC_ALL, well_known_system_sid)) - debug_printf ("AddAccessAllowedAce(system) %E"); + { + status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, + well_known_admins_sid); + if (!NT_SUCCESS (status)) + debug_printf ("RtlAddAccessAllowedAce(admin) %p", status); + } + status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, + well_known_system_sid); + if (!NT_SUCCESS (status)) + debug_printf ("RtlAddAccessAllowedAce(system) %p", status); status = RtlFirstFreeAce (acl, &pAce); if (NT_SUCCESS (status) && pAce) acl->AclSize = (char *) pAce - (char *) acl; @@ -574,10 +584,11 @@ _everyone_sd (void *buf, ACCESS_MASK access) RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION); PACL dacl = (PACL) (psd + 1); RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION); - if (!AddAccessAllowedAce (dacl, ACL_REVISION, access, - well_known_world_sid)) + status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, access, + well_known_world_sid); + if (!NT_SUCCESS (status)) { - debug_printf ("AddAccessAllowedAce: %lu", GetLastError ()); + debug_printf ("RtlAddAccessAllowedAce: %p", status); return NULL; } LPVOID ace; diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc index 7530b703a..a52fc26ac 100644 --- a/winsup/cygwin/security.cc +++ b/winsup/cygwin/security.cc @@ -316,7 +316,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid, } } *attribute &= ~(S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX | S_ISGID | S_ISUID); - if (owner_sid && group_sid && EqualSid (owner_sid, group_sid) + if (owner_sid && group_sid && RtlEqualSid (owner_sid, group_sid) /* FIXME: temporary exception for /var/empty */ && well_known_system_sid != group_sid) { @@ -469,9 +469,10 @@ bool add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit) { - if (!AddAccessAllowedAce (acl, ACL_REVISION, attributes, sid)) + NTSTATUS status = RtlAddAccessAllowedAce (acl, ACL_REVISION, attributes, sid); + if (!NT_SUCCESS (status)) { - __seterrno (); + __seterrno_from_nt_status (status); return false; } ACCESS_ALLOWED_ACE *ace; @@ -485,9 +486,10 @@ bool add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit) { - if (!AddAccessDeniedAce (acl, ACL_REVISION, attributes, sid)) + NTSTATUS status = RtlAddAccessDeniedAce (acl, ACL_REVISION, attributes, sid); + if (!NT_SUCCESS (status)) { - __seterrno (); + __seterrno_from_nt_status (status); return false; } ACCESS_DENIED_ACE *ace; @@ -839,7 +841,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute, /* Make self relative security descriptor. */ DWORD sd_size = 0; - MakeSelfRelativeSD (&sd, sd_ret, &sd_size); + RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size); if (sd_size <= 0) { __seterrno (); @@ -850,9 +852,10 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute, set_errno (ENOMEM); return NULL; } - if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size)) + status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size); + if (!NT_SUCCESS (status)) { - __seterrno (); + __seterrno_from_nt_status (status); return NULL; } debug_printf ("Created SD-Size: %u", sd_ret.size ()); diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 6bc2a47dd..0a71221e2 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -95,6 +95,18 @@ cygpsid NO_COPY name = (PSID) &name##_struct; #define FILE_WRITE_BITS (FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL) #define FILE_EXEC_BITS (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL) +#ifdef __cplusplus +extern "C" +{ +#endif + /* We need these declarations, otherwise g++ complains that the below + inline methods use an undefined function, if ntdll.h isn't included. */ + BOOLEAN NTAPI RtlEqualSid (PSID, PSID); + NTSTATUS NTAPI RtlCopySid (ULONG, PSID, PSID); +#ifdef __cplusplus +} +#endif + class cygpsid { protected: PSID psid; @@ -114,7 +126,7 @@ public: { if (!psid || !nsid) return nsid == psid; - return EqualSid (psid, nsid); + return RtlEqualSid (psid, nsid); } bool operator!= (const PSID nsid) const { return !(*this == nsid); } @@ -143,7 +155,7 @@ class cygsid : public cygpsid { else { psid = (PSID) sbuf; - CopySid (MAX_SID_LEN, psid, nsid); + RtlCopySid (MAX_SID_LEN, psid, nsid); well_known_sid = well_known; } return psid;