Fix attempt to create ACLs without NULL SID

Commit f75114fc was supposed to drop NULL SIDs in case the permissions
are simple enough not to require mask values or special POSIX bits
(S_ISVTX, etc).  The check was incorrect.  This patch is supposed to
fix the problem.

	* sec_acl.cc (set_posix_access): Fix condition under which we
	write a NULL SID.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This commit is contained in:
Corinna Vinschen 2016-04-18 12:07:04 +02:00
parent 85ae35fdb7
commit e2ea143083
1 changed files with 6 additions and 3 deletions

View File

@ -151,6 +151,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
int idx, start_idx, tmp_idx;
bool owner_eq_group = false;
bool dev_has_admins = false;
bool has_class_obj;
/* Initialize local security descriptor. */
RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
@ -339,6 +340,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
tmp_idx = searchace (aclbufp, nentries, def | CLASS_OBJ);
if (tmp_idx >= 0)
{
has_class_obj = true;
class_obj = aclbufp[tmp_idx].a_perm;
access |= CYG_ACE_MASK_TO_WIN (class_obj);
}
@ -346,6 +348,7 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
{
/* Setting class_obj to group_obj allows to write below code without
additional checks for existence of a CLASS_OBJ. */
has_class_obj = false;
class_obj = group_obj;
}
/* Note that Windows filters the ACE Mask value so it only reflects
@ -358,9 +361,9 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
no special bits set. In all other cases we either need the NULL SID
ACE or we write it to avoid calls to AuthZ from get_posix_access. */
if (!S_ISCHR (attr)
&& access != CYG_ACE_NEW_STYLE
&& ((user_obj | group_obj | other_obj) != user_obj
|| (group_obj | other_obj) != group_obj)
&& (has_class_obj
|| ((user_obj | group_obj | other_obj) != user_obj
|| (group_obj | other_obj) != group_obj))
&& !add_access_denied_ace (acl, access, well_known_null_sid, acl_len,
inherit))
return NULL;