diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index a19a9e9e5..dda1a9563 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-20 Corinna Vinschen
+
+ * sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
+ for SYSTEM and Admins group.
+
 2015-04-17 Corinna Vinschen

 * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 65b31315c..bddd21c54 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -329,16 +329,18 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
 else if (aclbufp[idx].a_type & USER)
 deny = (aclbufp[idx].a_perm ^ class_obj)
 | (~aclbufp[idx].a_perm & other_obj);
+ /* Accommodate Windows: Only generate deny masks for SYSTEM
+ and the Administrators group in terms of the execute bit,
+ if they are not the primary group. */
+ else if (aclbufp[idx].a_type & GROUP
+ && (aclsid[idx] == well_known_system_sid
+ || aclsid[idx] == well_known_admins_sid))
+ deny = aclbufp[idx].a_perm & ~(class_obj | S_IROTH | S_IWOTH);
 else
 deny = (aclbufp[idx].a_perm & ~class_obj)
 | (~aclbufp[idx].a_perm & other_obj);
 if (!deny)
 continue;
- /* Accommodate Windows: Never generate deny masks for SYSTEM
- and the Administrators group. */
- if (aclsid[idx] == well_known_system_sid
- || aclsid[idx] == well_known_admins_sid)
- continue;
 access = 0;
 if (deny & S_IROTH)
 access |= FILE_DENY_READ;
diff --git a/winsup/utils/ChangeLog b/winsup/utils/ChangeLog
index a48f8693f..b37792ab3 100644
--- a/winsup/utils/ChangeLog
+++ b/winsup/utils/ChangeLog
@@ -1,3 +1,7 @@
+2015-04-20 Corinna Vinschen
+
+ * getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
+
 2015-04-16 Corinna Vinschen

 * setfacl.c: Align more to Linux tool.
diff --git a/winsup/utils/getfacl.c b/winsup/utils/getfacl.c
index 07d8a8a9f..45e5e2090 100644
--- a/winsup/utils/getfacl.c
+++ b/winsup/utils/getfacl.c
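Review bot: In set_posix_access (sec_acl.cc) the SYSTEM/Administrators special case now fires only when `a_type & GROUP` and sits after the `USER` branch, so an entry carrying one of those SIDs under any other type no longer reaches the removed unconditional `continue` and gets the full deny computation. If that is intended, the comment should say so, for example `/* SYSTEM/Admins under any other entry type are masked like everyone else. */`; if it is not, the SID test has to come before the type tests. The new expression also drops the `~aclbufp[idx].a_perm & other_obj` term of the generic branch, so an execute bit that "other" grants but the entry lacks is not denied for these two SIDs, and the comment should state that too. The if/else chain starts above the hunk, so the earlier branches are not visible here.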
@@ -279,16 +279,32 @@ main (int argc, char **argv)
 {
 case USER:
 case GROUP_OBJ:
- case GROUP:
 effective = acls[i].a_perm & mask;
 print_effective = 1;
 break;
+ case GROUP:
+ /* Special case SYSTEM and Admins group: The mask only
+ applies to them as far as the execute bit is concerned. */
+ if (acls[i].a_id == 18 || acls[i].a_id == 544)
+ effective = acls[i].a_perm & (mask | S_IROTH | S_IWOTH);
+ else
+ effective = acls[i].a_perm & mask;
+ print_effective = 1;
+ break;
 case DEF_USER:
 case DEF_GROUP_OBJ:
- case DEF_GROUP:
 effective = acls[i].a_perm & def_mask;
 print_effective = 1;
 break;
+ case DEF_GROUP:
+ /* Special case SYSTEM and Admins group: The mask only
+ applies to them as far as the execute bit is concerned. */
+ if (acls[i].a_id == 18 || acls[i].a_id == 544)
+ effective = acls[i].a_perm & (def_mask | S_IROTH | S_IWOTH);
+ else
+ effective = acls[i].a_perm & def_mask;
+ print_effective = 1;
+ break;
 }
 if (print_effective && eopt >= 0 && (eopt > 0 || effective != acls[i].a_perm))
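Review bot: The literals `18` and `544` in the `GROUP` and `DEF_GROUP` cases are unexplained and repeated; the comment names SYSTEM and the Admins group but never ties them to these ids. Anyone auditing why the mask is bypassed for read and write needs that link, so I would add `/* 18 = SYSTEM (S-1-5-18), 544 = Administrators (S-1-5-32-544) */` or name the two ids once and test them through a single macro shared by both cases. The check here is by numeric id while sec_acl.cc in this commit compares SIDs, so the effective rights getfacl prints match what was written only where those ids map to those SIDs; that assumption is worth stating in the comment. The enclosing switch and `main` begin above the hunk.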