* advapi32.cc: Add comment.

(EqualSid): Remove.
	(CopySid): Remove.
	(AddAccessAllowedAce): Remove.
	(AddAccessDeniedAce): Remove.
	(MakeSelfRelativeSD): Remove.
	* flock.cc: Replace above functions throughout with their ntdll.dll
	equivalent.
	* sec_acl.cc: Ditto.
	* sec_auth.cc: Ditto.
	* sec_helper.cc: Ditto.
	* security.cc: Ditto.
	* security.h: Ditto.
	(RtlEqualSid): Declare.  Explain why.
	(RtlCopySid): Ditto.

winsup/cygwin/ChangeLog

@@ -1,3 +1,21 @@
+2011-04-29  Corinna Vinschen  <corinna@vinschen.de>
+
+	* advapi32.cc: Add comment.
+	(EqualSid): Remove.
+	(CopySid): Remove.
+	(AddAccessAllowedAce): Remove.
+	(AddAccessDeniedAce): Remove.
+	(MakeSelfRelativeSD): Remove.
+	* flock.cc: Replace above functions throughout with their ntdll.dll
+	equivalent.
+	* sec_acl.cc: Ditto.
+	* sec_auth.cc: Ditto.
+	* sec_helper.cc: Ditto.
+	* security.cc: Ditto.
+	* security.h: Ditto.
+	(RtlEqualSid): Declare.  Explain why.
+	(RtlCopySid): Ditto.
+
 2011-04-29  Corinna Vinschen  <corinna@vinschen.de>
 
 	* advapi32.cc (AccessCheck): Remove.

winsup/cygwin/advapi32.cc

@@ -19,40 +19,10 @@ details. */
     SetLastError (RtlNtStatusToDosError (status)); \
   return NT_SUCCESS (status);
 
-BOOL WINAPI
-EqualSid (PSID sid1, PSID sid2)
-{
-  return !!RtlEqualSid (sid1, sid2);
-}
-
-BOOL WINAPI
-CopySid (DWORD len, PSID dest, PSID src)
-{
-  NTSTATUS status = RtlCopySid (len, dest, src);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-AddAccessAllowedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
-{
-  NTSTATUS status = RtlAddAccessAllowedAce (acl, revision, mask, sid);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-AddAccessDeniedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
-{
-  NTSTATUS status = RtlAddAccessDeniedAce (acl, revision, mask, sid);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-MakeSelfRelativeSD (PSECURITY_DESCRIPTOR abs_sd, PSECURITY_DESCRIPTOR rel_sd,
-		    LPDWORD len)
-{
-  NTSTATUS status = RtlAbsoluteToSelfRelativeSD (abs_sd, rel_sd, len);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
+/* This file should only contain non-trivial implementations of advapi32
+   functions, or advapi32 functions for which the ntdll.dll equivalent
+   is not easy to understand.  In all other case, use the ntdll.dll
+   equivalent. */
 
 BOOL WINAPI
 RevertToSelf ()

winsup/cygwin/flock.cc

@@ -171,10 +171,11 @@ allow_others_to_sync ()
   dacl = (PACL) ((char *) sd + (uintptr_t) sd->Dacl);
   dacl->AclSize = NT_MAX_PATH * sizeof (WCHAR) - ((char *) dacl - (char *) sd);
   /* Allow everyone to SYNCHRONIZE with this process. */
-  if (!AddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE,
-			    well_known_world_sid))
+  status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, SYNCHRONIZE,
+				   well_known_world_sid);
+  if (!NT_SUCCESS (status))
     {
-      debug_printf ("AddAccessAllowedAce: %lu", GetLastError ());
+      debug_printf ("RtlAddAccessAllowedAce: %p", status);
       return;
     }
   /* Set the size of the DACL correctly. */

winsup/cygwin/sec_acl.cc

@@ -211,7 +211,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
     }
   /* Make self relative security descriptor in sd_ret. */
   DWORD sd_size = 0;
-  MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
+  RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
   if (sd_size <= 0)
     {
       __seterrno ();
@@ -222,9 +222,10 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
       set_errno (ENOMEM);
       return -1;
     }
-  if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
+  status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
+  if (!NT_SUCCESS (status))
     {
-      __seterrno ();
+      __seterrno_from_nt_status (status);
       return -1;
     }
   debug_printf ("Created SD-Size: %d", sd_ret.size ());

winsup/cygwin/sec_auth.cc

@@ -1047,13 +1047,14 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
   dacl = (PACL) alloca (dsize);
   if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION)))
     goto out;
-  if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, usersid))
+  if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
+					   usersid)))
     goto out;
-  if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
-			    well_known_admins_sid))
+  if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
+					   well_known_admins_sid)))
     goto out;
-  if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
-			    well_known_system_sid))
+  if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
+					   well_known_system_sid)))
     goto out;
 
   /* Evaluate authinf size and allocate authinf. */
@@ -1096,8 +1097,8 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
   /* User SID */
   authinf->inf.User.User.Sid = offset;
   authinf->inf.User.User.Attributes = 0;
-  CopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
-	   usersid);
+  RtlCopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
+	      usersid);
   offset += RtlLengthSid (usersid);
   /* Groups */
   authinf->inf.Groups = offset;
@@ -1119,16 +1120,16 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
       if (wincap.needs_logon_sid_in_sid_list ()
 	  && tmp_gsids.sids[tmpidx] == fake_logon_sid)
 	gsids->Groups[i].Attributes += SE_GROUP_LOGON_ID;
-      CopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
-	       (PSID) ((PBYTE) &authinf->inf + sids_offset),
-	       tmp_gsids.sids[tmpidx]);
+      RtlCopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
+		  (PSID) ((PBYTE) &authinf->inf + sids_offset),
+		  tmp_gsids.sids[tmpidx]);
       sids_offset += RtlLengthSid (tmp_gsids.sids[tmpidx]);
     }
   offset += gsize;
   /* Primary Group SID */
   authinf->inf.PrimaryGroup.PrimaryGroup = offset;
-  CopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
-	   pgrpsid);
+  RtlCopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
+	      pgrpsid);
   offset += RtlLengthSid (pgrpsid);
   /* Privileges */
   authinf->inf.Privileges = offset;

winsup/cygwin/sec_helper.cc

@@ -504,25 +504,35 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
       return false;
     }
   if (sid1)
-    if (!AddAccessAllowedAce (acl, ACL_REVISION,
-			      GENERIC_ALL, sid1))
-      debug_printf ("AddAccessAllowedAce(sid1) %E");
+    {
+      status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, sid1);
+      if (!NT_SUCCESS (status))
+	debug_printf ("RtlAddAccessAllowedAce(sid1) %p", status);
+    }
   if (original && (psid = cygheap->user.saved_sid ())
       && psid != sid1 && psid != well_known_system_sid)
-    if (!AddAccessAllowedAce (acl, ACL_REVISION,
-			      GENERIC_ALL, psid))
-      debug_printf ("AddAccessAllowedAce(original) %E");
+    {
+      status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, psid);
+      if (!NT_SUCCESS (status))
+	debug_printf ("RtlAddAccessAllowedAce(original) %p", status);
+    }
   if (sid2)
-    if (!AddAccessAllowedAce (acl, ACL_REVISION,
-			      access2, sid2))
-      debug_printf ("AddAccessAllowedAce(sid2) %E");
+    {
+      status = RtlAddAccessAllowedAce (acl, ACL_REVISION, access2, sid2);
+      if (!NT_SUCCESS (status))
+	debug_printf ("RtlAddAccessAllowedAce(sid2) %p", status);
+    }
   if (admins)
-    if (!AddAccessAllowedAce (acl, ACL_REVISION,
-			      GENERIC_ALL, well_known_admins_sid))
-      debug_printf ("AddAccessAllowedAce(admin) %E");
-  if (!AddAccessAllowedAce (acl, ACL_REVISION,
-			    GENERIC_ALL, well_known_system_sid))
-    debug_printf ("AddAccessAllowedAce(system) %E");
+    {
+      status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
+				       well_known_admins_sid);
+      if (!NT_SUCCESS (status))
+	debug_printf ("RtlAddAccessAllowedAce(admin) %p", status);
+    }
+  status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
+				   well_known_system_sid);
+  if (!NT_SUCCESS (status))
+    debug_printf ("RtlAddAccessAllowedAce(system) %p", status);
   status = RtlFirstFreeAce (acl, &pAce);
   if (NT_SUCCESS (status) && pAce)
     acl->AclSize = (char *) pAce - (char *) acl;
@@ -574,10 +584,11 @@ _everyone_sd (void *buf, ACCESS_MASK access)
       RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
       PACL dacl = (PACL) (psd + 1);
       RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
-      if (!AddAccessAllowedAce (dacl, ACL_REVISION, access,
-				well_known_world_sid))
+      status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, access,
+				       well_known_world_sid);
+      if (!NT_SUCCESS (status))
 	{
-	  debug_printf ("AddAccessAllowedAce: %lu", GetLastError ());
+	  debug_printf ("RtlAddAccessAllowedAce: %p", status);
 	  return NULL;
 	}
       LPVOID ace;

winsup/cygwin/security.cc

@@ -316,7 +316,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
 	}
     }
   *attribute &= ~(S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX | S_ISGID | S_ISUID);
-  if (owner_sid && group_sid && EqualSid (owner_sid, group_sid)
+  if (owner_sid && group_sid && RtlEqualSid (owner_sid, group_sid)
       /* FIXME: temporary exception for /var/empty */
       && well_known_system_sid != group_sid)
     {
@@ -469,9 +469,10 @@ bool
 add_access_allowed_ace (PACL acl, int offset, DWORD attributes,
 			PSID sid, size_t &len_add, DWORD inherit)
 {
-  if (!AddAccessAllowedAce (acl, ACL_REVISION, attributes, sid))
+  NTSTATUS status = RtlAddAccessAllowedAce (acl, ACL_REVISION, attributes, sid);
+  if (!NT_SUCCESS (status))
     {
-      __seterrno ();
+      __seterrno_from_nt_status (status);
       return false;
     }
   ACCESS_ALLOWED_ACE *ace;
@@ -485,9 +486,10 @@ bool
 add_access_denied_ace (PACL acl, int offset, DWORD attributes,
 		       PSID sid, size_t &len_add, DWORD inherit)
 {
-  if (!AddAccessDeniedAce (acl, ACL_REVISION, attributes, sid))
+  NTSTATUS status = RtlAddAccessDeniedAce (acl, ACL_REVISION, attributes, sid);
+  if (!NT_SUCCESS (status))
     {
-      __seterrno ();
+      __seterrno_from_nt_status (status);
       return false;
     }
   ACCESS_DENIED_ACE *ace;
@@ -839,7 +841,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 
   /* Make self relative security descriptor. */
   DWORD sd_size = 0;
-  MakeSelfRelativeSD (&sd, sd_ret, &sd_size);
+  RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
   if (sd_size <= 0)
     {
       __seterrno ();
@@ -850,9 +852,10 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
       set_errno (ENOMEM);
       return NULL;
     }
-  if (!MakeSelfRelativeSD (&sd, sd_ret, &sd_size))
+  status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
+  if (!NT_SUCCESS (status))
     {
-      __seterrno ();
+      __seterrno_from_nt_status (status);
       return NULL;
     }
   debug_printf ("Created SD-Size: %u", sd_ret.size ());

winsup/cygwin/security.h

@@ -95,6 +95,18 @@ cygpsid NO_COPY name = (PSID) &name##_struct;
 #define FILE_WRITE_BITS  (FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL)
 #define FILE_EXEC_BITS   (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)
 
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+  /* We need these declarations, otherwise g++ complains that the below
+     inline methods use an undefined function, if ntdll.h isn't included. */
+  BOOLEAN NTAPI RtlEqualSid (PSID, PSID);
+  NTSTATUS NTAPI RtlCopySid (ULONG, PSID, PSID);
+#ifdef __cplusplus
+}
+#endif
+
 class cygpsid {
 protected:
   PSID psid;
@@ -114,7 +126,7 @@ public:
     {
       if (!psid || !nsid)
 	return nsid == psid;
-      return EqualSid (psid, nsid);
+      return RtlEqualSid (psid, nsid);
     }
   bool operator!= (const PSID nsid) const
     { return !(*this == nsid); }
@@ -143,7 +155,7 @@ class cygsid : public cygpsid {
       else
 	{
 	  psid = (PSID) sbuf;
-	  CopySid (MAX_SID_LEN, psid, nsid);
+	  RtlCopySid (MAX_SID_LEN, psid, nsid);
 	  well_known_sid = well_known;
 	}
       return psid;