- New, unified implementation of POSIX permission and ACL handling. The
new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
they allow to inherit the S_ISGID bit. ACL inheritance now really
works as desired, in a limited, but theoretically equivalent fashion
even for non-Cygwin processes.
To accommodate Windows default ACLs, the new code ignores SYSTEM and
Administrators group permissions when computing the MASK/CLASS_OBJ
permission mask on old ACLs, and it doesn't deny access to SYSTEM and
Administrators group based on the value of MASK/CLASS_OBJ when
creating the new ACLs.
The new code now handles the S_ISGID bit on directories as on Linux:
Setting S_ISGID on a directory causes new files and subdirs created
within to inherit its group, rather than the primary group of the user
who created the file. This only works for files and directories
created by Cygwin processes.
2015-05-29 Corinna Vinschen <corinna@vinschen.de>
Reapply POSIX ACL changes.
* utils.xml (setfacl): Show new option output.
(getfacl): Show new option output.
* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
Apply umask, if so. Align comments.
* security.cc (set_created_file_access): Fix permission masking by
incoming requested file mode.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
Simplify and move around code in a few places. To improve ACL
readability, add r/w permissions to Admins ACE appended to pty ACL.
Add comment to explain Windows ACE Mask filtering being in the way of
creating a real CLASS_OBJ.
(get_posix_access): Fake CLASS_OBJ for ptys. Explain why.
* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
when calling get_posix_access.
* sec_acl.cc (set_posix_access): Move merging group perms into owner
perms in case of owner == group after mask has been computed. Take
mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.
* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
the ACCESS_ALLOWED_ACE.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment
to explain why.
* security.cc (set_created_file_access): Ditto.
* sec_acl.cc (set_posix_access): Replace previous patch. Return
EINVAL if uid and/or guid is invalid and not backed by an actual
Windows account.
* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
* sec_acl.cc (set_posix_access): Handle files with owner == group.
Rephrase switch statement checking against unfiltered a_type value.
(get_posix_access): Handle files with owner == group.
* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
CLASS_OBJ mask on old-style ACLs. Fix a comment.
* sec_acl.cc (set_posix_access): Always make sure Admins have
WRITE_DAC and WRITE_OWNER permissions.
* security.h (create_object_sd_from_attribute): Drop handle parameter
from prototype.
* security.cc (create_object_sd_from_attribute): Drop handle parameter.
Just create the standard POSIXy security descriptor.
(set_object_attribute): Accommodate dropped paramter in call to
create_object_sd_from_attribute.
* fhandler_tty.cc: Ditto, throughout.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
mask computation.
* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
not umasked.
(fhandler_base::open): Explicitely umask mode on NFS here. Call new
set_created_file_access rather than set_file_attribute.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
setting permissions on filesystems supporting ACLs using the new
set_posix_access call.
(fhandler_disk_file::fchown): Ditto.
(fhandler_disk_file::mkdir): Call new set_created_file_access rather
than set_file_attribute.
* fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add
WRITE_OWNER access to allow writing group in case of SGID bit set.
Call new set_created_file_access rather than set_file_attribute.
* path.cc (symlink_worker): Call new set_created_file_access rather
than set_file_attribute.
* sec_acl.cc (searchace): Un-staticize.
(set_posix_access): New, complementary functionality to
get_posix_access.
(setacl): Implement in terms of get_posix_access/set_posix_access.
(get_posix_access): Add handling for just created files requiring
their first Cygwin ACL. Fix new_style recognition. Handle SGID
bit. For old-style ACLs, ignore SYSTEM and Administrators when
computing the {DEF_}CLASS_OBJ perms.
* security.cc (get_file_sd): Revamp comment. Change and (hopefully)
speed up inheritance processing for just created files.
(alloc_sd): Remove.
(set_security_attribute): Call set_posix_access instead of alloc_sd.
(get_object_attribute): Fix return value.
(create_object_sd_from_attribute): Call set_posix_access instead of
alloc_sd.
(set_file_attribute): Remove.
(set_created_file_access): New function implemented in terms of
get_posix_access/set_posix_access.
* security.h (set_file_attribute): Remove prototype.
(set_created_file_access): Add prototype.
(searchace): Ditto.
(set_posix_access): Ditto.
* syscalls.cc (open): Call open_with_arch with mode not umasked.
* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
Describe how to generate deny ACEs in more detail. Accommodate the
fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
a special Cygwin ACE. Improve further comments.
(CYG_ACE_NEW_STYLE): Define.
(get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix
CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
NULL deny ACE if the inheritance flags say so.
* sec_helper.cc (well_known_cygwin_sid): Remove.
* security.h (well_known_cygwin_sid): Drop declaration.
* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
(get_posix_access): Rename index variable from i to idx. Define only
once at top level.
* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
Accommodate throughout.
(add_access_denied_ace): Ditto.
* sec_acl.cc: Accommodate above change throughout.
* security.h (add_access_allowed_ace): Adjust prototype to above change.
(add_access_denied_ace): Ditto.
* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
owner and primary group of the file. Handle the default primary
group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
set. Add comments. Minor code rearrangements.
Preliminary read side implementation of new permission handling.
* acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain.
* sec_acl.cc: Add leading comment to explain new ACL style.
Add definitions and macros to use for bits in new Cygwin ACL.
(DENY_RWX): New mask value for all temporary deny bits.
(getace): Add bool parameter to decide when leaving all bits intact,
rather than filtering them per the already set bits.
(get_posix_access): New function, taking over functionality to read
POSIX ACL from SECURITY_DESCRIPTOR.
(getacl): Just call get_posix_access.
* sec_helper.cc (well_known_cygwin_sid): Define.
* security.cc (get_attribute_from_acl): Remove.
(get_info_from_sd): Remove.
(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
(get_file_attribute): Ditto.
(get_object_attribute): Ditto.
* security.h (well_known_cygwin_sid): Declare.
(get_posix_access): Add prototype.
* Throughout, use simpler ACE macros from Windows' accctrl.h.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
* setfacl.c: Align more to Linux tool.
(delacl): New function to delete acl entries only.
(modacl): Drop delete functionality. Add handling of recomputing the
mask and default mask values.
(delallacl): Rename from delacl.
(setfacl): Call delacl in Delete case. Call delallacl in DeleteAll
and DeleteDef case.
(usage): Accommodate new options. Rearrange and rephrase slightly.
(longopts): Emit 'x' in --delete case. Add --no-mask and --mask
options.
(opts): Add -x and -n options.
(main): Handle -d and -x the same. Handle -n and --mask options.
Drop handling for -r option.
* getfacl.c (usage): Align more closely to Linux version. Add new
options -c, -e, -E. Change formatting to accommodate longer options.
(longopts): Rename --noname to --numeric. Keep --noname for backward
compatibility. Add --omit-header, --all-effective and --no-effective
options.
(opts): Add -c, -e and -E option.
(main): Handle new -c, -e, and -E options.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Rearrange
to fall back to myself uid/gid in case we don't utilize Windows
account DBs, just as prior to 1.7.34.
* sec_helper.cc (cygpsid::get_id): Disable Samba user/group mapping per
RFC2307 if we're not utilizing Windows account DBs.
* security.cc (convert_samba_sd): Revert previous patch.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Only try
to map user and group info per RFC2307 if account info is fetched
from Windows account DB.
(convert_samba_sd): Ditto.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* security,cc (get_attribute_from_acl): Merge all group perms into
user perms if user is member of group.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
case owner SID == group SID.
(getacl): Reverse order of SID test against group or owner sid to
prefer owner attributes over group attributes. Disable setting group
permissions equivalent to owner permissions if owner == group. Add
comment to explain why. Fix indentation.
* security.cc (get_attribute_from_acl): Change type of local variables
containing permission to mode_t. Apply deny mask to group if group SID
== owner SID to avoid Everyone permissions to spill over into group
permissions. Disable setting group permissions equivalent to owner
permissions if owner == group. Add comment to explain why.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Allow user SID as
group account if user is a "Microsoft Account". Explain why. Drop
workaround enforcing primary group "Users" for "Microsoft Accounts".
* fhandler_disk_file.cc (fhandler_disk_file::facl): Ditto in noacl case.
* sec_acl.cc (getacl): Compute useful fake CLASS_OBJ and DEF_CLASS_OBJ
permission bits based on how these values are generated on Linux.
Add commants to explain what the code is doing.
* security.cc (get_attribute_from_acl): Compute group permission based
on the actual primary group permissions and all secondary user and group
ACCESS_ALLOWED_ACEs to emulate Linux' behaviour more closely.
(check_access): Fix typos im comment.
* include/cygwin/acl.h (MIN_ACL_ENTRIES): Redefine as 3.
to declaration.
* fhandler_tty.cc (fhandler_pty_slave::fch_open_handles): Add bool
parameter "chown". Only request WRITE_OWNER access when opening pty
synchronization objects if "chown" is set.
(fhandler_pty_slave::fchmod): Call fch_open_handles with new bool
parameter set to false.
(fhandler_pty_slave::fchown): Call fch_open_handles with new bool
parameter set to true.
* kernel32.cc (CreateFileMappingW): Fix default standard rights for
file mappings from READ_CONTROL to STANDARD_RIGHTS_REQUIRED to allow
changing the DACL (fixes "access denied" error in pinfo::set_acl).
* fhandler_disk_file.cc (fhandler_base::fstat_helper): Change debug
output to print mode bits in octal.
* security.cc (alloc_sd): Ditto.
(set_file_attribute): Ditto.
condition to close handle. Call NtClose rather than CloseHandle.
(write_ea): Fix condition to close handle. Call NtClose rather than
CloseHandle.
* security.cc (get_file_sd): Call pc.init_reopen_attr if a valid
incoming handle was given, pc.get_object_attr otherwise.
(set_file_sd): Ditto.
POBJECT_ATTRIBUTES. Take OBJECT_ATTRIBUTES reference as argument, not
pointer.
* fhandler_disk_file.cc: Throughout accommodate above change.
* syscalls.cc: Ditto.
* ntea.cc (read_ea): Don't set hdl to NULL if it's already NULL. Set
attr with pc.init_reopen_attr before trying to reopen file.
(write_ea): Ditto.
* security.cc (get_file_sd): Use pc.init_reopen_attr rather than
pc.get_object_attr when trying to reopen file.
(set_file_sd): Ditto.
from get_sids_info here.
(get_sids_info): Vice versa.
* security.cc (convert_samba_sd): New static function to map a Samba
security descriptor to a security descriptor with UNIX users and groups
converted to Windows SIDs per RFC 2307 mapping.
(check_file_access): Call convert_samba_sd on Samba security
descriptors.
/etc/nsswitch.conf file to configure it.
* Makefile.in (DLL_OFILES): Add ldap.o.
* autoload.cc: Import ldap functions from wldap32.dll.
(DsEnumerateDomainTrustsW): Import.
(NetGroupGetInfo): Import.
* cygheap.h (class cygheap_domain_info): New class to keep global
domain info.
(class cygheap_pwdgrp): New class to keep passwd/group caches and
configuration info from /etc/nssswitch.conf.
(struct init_cygheap): Add cygheap_domain_info member "dom" and
cygheap_pwdgrp member "pg".
* cygtls.h (struct _local_storage): Remove unused member "res".
Rearrange slightly, Add members pwbuf and grbuf to implement non-caching
passwd/group fetching from SAM/AD. Make pw_pos and pw_pos unsigned.
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Add RFC 2307
uid/gid mapping.
* fhandler_process.cc: Drop including pwdgrp.h.
* fhandler_procsysvipc.cc: Ditto.
* fhandler_registry.cc (fhandler_registry::fstat): Set key uid/gid
to ILLEGAL_UID/ILLEGAL_GID rather than UNKNOWN_UID/UNKNOWN_GID.
* grp.cc (group_buf): Drop.
(gr): Drop.
(pwdgrp::parse_group): Fill pg_grp.
(pwdgrp::read_group): Remove.
(pwdgrp::init_grp): New method.
(pwdgrp::prep_tls_grbuf): New method.
(pwdgrp::find_group): New methods.
(internal_getgrsid): Convert to call new pwdgrp methods.
(internal_getgrnam): Ditto.
(internal_getgrgid): Ditto.
(getgrgid_r): Drop 2nd parameter from internal_getgrgid call.
(getgrgid32): Ditto.
(getgrnam_r): Ditto for internal_getgrnam.
(getgrnam32): Ditto.
(getgrent32): Convert to call new pwdgrp methods.
(internal_getgrent): Remove.
(internal_getgroups): Simplify, especially drop calls to
internal_getgrent.
* ldap.cc: New file implementing cyg_ldap class for LDAP access to AD
and RFC 2307 server.
* ldap.h: New header, declaring cyg_ldap class.
* passwd.cc (passwd_buf): Drop.
(pr): Drop.
(pwdgrp::parse_passwd): Fill pg_pwd.
(pwdgrp::read_passwd): Remove.
(pwdgrp::init_pwd): New method.
(pwdgrp::prep_tls_pwbuf): New method.
(find_user): New methods.
(internal_getpwsid): Convert to call new pwdgrp methods.
(internal_getpwnam): Ditto.
(internal_getpwuid): Ditto.
(getpwuid32): Drop 2nd parameter from internal_getpwuid call.
(getpwuid_r): Ditto.
(getpwnam): Ditto for internal_getpwnam.
(getpwnam_r): Ditto.
(getpwent): Convert to call new pwdgrp methods.
* path.cc (class etc): Remove all methods.
* path.h (class etc): Drop.
* pinfo.cc (pinfo_basic::pinfo_basic): Set gid to ILLEGAL_GID rather
than UNKNOWN_GID.
(pinfo_init): Ditto.
* pwdgrp.h (internal_getpwnam): Drop 2nd parameter from declaration.
(internal_getpwuid): Ditto.
(internal_getgrgid): Ditto.
(internal_getgrnam): Ditto.
(internal_getgrent): Drop declaration.
(enum fetch_user_arg_type_t): New type.
(struct fetch_user_arg_t): New type.
(struct pg_pwd): New type.
(struct pg_grp): New type.
(class pwdgrp): Rework to provide functions for file and db requests
and caching.
(class ugid_cache_t): New class to provide RFC 2307 uid map caching.
(ugid_cache): Declare.
* sec_acl.cc: Drop including pwdgrp.h.
* sec_auth.cc: Drop including dsgetdc.h and pwdgrp.h.
(get_logon_server): Convert third parameter to ULONG flags argument
to allow arbitrary flags values in DsGetDcNameW call and change calls
to this function throughout. Use cached account domain name rather
than calling GetComputerNameW.
(get_unix_group_sidlist): Remove.
(get_server_groups): Drop call to get_unix_group_sidlist.
(verify_token): Rework token group check without calling
internal_getgrent.
* sec_helper.cc (cygpsid::pstring): New methods, like string() but
return pointer to end of string.
(cygsid::getfromstr): Add wide character implementation.
(get_sids_info): Add RFC 2307 uid/gid mapping for Samba shares.
* security.cc: Drop including pwdgrp.h.
* security.h (DEFAULT_UID): Remove.
(UNKNOWN_UID): Remove.
(UNKNOWN_GID): Remove.
(uinfo_init): Move here from winsup.h.
(ILLEGAL_UID): Ditto.
(ILLEGAL_GID): Ditto.
(UNIX_POSIX_OFFSET): Define. Add lengthy comment.
(UNIX_POSIX_MASK): Ditto.
(MAP_UNIX_TO_CYGWIN_ID): Ditto.
(ILLEGAL_UID16): Move here from winsup.h.
(ILLEGAL_GID16): Ditto.
(uid16touid32): Ditto.
(gid16togid32): Ditto.
(sid_id_auth): New convenience macro for SID component access.
(sid_sub_auth_count): Ditto.
(sid_sub_auth): Ditto.
(sid_sub_auth_rid): Ditto.
(cygpsid::pstring): Declare.
(cygsid::getfromstr): Declare wide character variant.
(cygsid::operator=): Ditto.
(cygsid::operator*=): Ditto.
(get_logon_server): Change declaration according to source code.
* setlsapwd.cc (setlsapwd): Drop 2nd parameter from internal_getpwnam
call.
* shared.cc (memory_init): Call cygheap->pg.init in first process.
* syscalls.cc: Drop including pwdgrp.h.
* tlsoffsets.h: Regenerate.
* tlsoffsets64.h: Ditto.
* uinfo.cc (internal_getlogin): Drop gratuitious internal_getpwuid
call. Fix debug output. Overwrite user gid in border case of a
missing passwd file while a group file exists.
(pwdgrp::add_line): Allocate memory on cygheap.
(pwdgrp::load): Remove.
(ugid_cache): Define.
(cygheap_pwdgrp::init): New method.
(cygheap_pwdgrp::nss_init_line): New method.
(cygheap_pwdgrp::_nss_init): New method.
(cygheap_domain_info::init): New method.
(logon_sid): Define.
(get_logon_sid): New function.
(pwdgrp::add_account_post_fetch): New method.
(pwdgrp::add_account_from_file): New methods.
(pwdgrp::add_account_from_windows): New methods.
(pwdgrp::check_file): New method.
(pwdgrp::fetch_account_from_line): New method.
(pwdgrp::fetch_account_from_file): New method.
(pwdgrp::fetch_account_from_windows): New method.
* winsup.h: Move aforementioned macros and declarations to security.h.
* mount.cc (fs_info::update): Recognize ReFS.
* mount.h (enum fs_info_type): Add refs.
(class fs_info): Add refs flag and accessor methods.
* ntdll.h (RtlAddAccessAllowedAceEx): Declare.
(RtlAddAccessDeniedAceEx): Declare.
* path.h (path_conv::fs_is_refs): Define.
* sec_helper.cc (_recycler_sd): New function to create security
descriptors suitable for the recycler bin starting with Vista.
* security.cc (add_access_allowed_ace): Use RtlAddAccessAllowedAceEx
and drop code to set AceFlags explicitely.
(add_access_denied_ace): Use RtlAddAccessDeniedAceEx and drop code to
set AceFlags explicitely.
* security.h (_recycler_sd): Declare.
(recycler_sd): Define.
* syscalls.cc (desktop_ini): Change formatting.
(desktop_ini_ext): Define third line of recycler desktop.ini file
since Vista,
(try_to_bin): Handle ReFS just like NTFS. Write Vista and later
Recycler in all uppercase, just like shell32 does when recreating it.
Fix comments to include ReFS. Don't implicitely reuse object
attributes from earlier NtOpenFile call, rather recreate it for safety.
Use recycler_sd call when creating security descriptor for Recycler
dirs and files on Vista and later. Write third line of desktop.ini
when on Vista and later.
Throughout, change syscalls to report on return values using new %R format
option.
* smallprint.cc (__small_vsprintf): Add parsing for %R to report on return
values and possible errno from syscalls.
* errno.cc (errmap): Add PRIVILEGE_NOT_HELD.
* fhandler_tty.cc (fhandler_pty_master::setup): When creating a thread use
shorter name to reduce debuggging output.
* select.cc (start_thread_pipe): Ditto.
(start_thread_serial): Ditto.
(start_thread_socket): Ditto.
(start_thread_mailslot): Ditto.
* sigproc.cc (talktome): Ditto.
* ntdll.h (RtlConvertToAutoInheritSecurityObject): Declare.
(RtlDeleteSecurityObject): Declare.
(RtlGetControlSecurityDescriptor): Declare.
(RtlLengthSecurityDescriptor): Declare.
* security.cc (file_mapping): New global variable.
(get_file_sd): Rewrite. Clean up code. Get rid of GetSecurityInfo
call.
(alloc_sd): Call RtlSetControlSecurityDescriptor to set
SE_DACL_PROTECTED flag.
(check_file_access): Remove mapping. Use file_mapping instead.
(check_registry_access): Rename mapping to reg_mapping.
* wincap.cc: Througout, drop use_get_sec_info_on_dirs,
* wincap.h (struct wincaps): Drop use_get_sec_info_on_dirs.
filesystem supporting ACLs, create the file with WRITE_DAC access.
Explain why.
* fhandler_disk_file.cc (fhandler_disk_file::mkdir): Ditto for
directories.
* fhandler_socket.cc (fhandler_socket::bind): Ditto for sockets.
* path.cc (symlink_worker): Ditto for symlinks.
* security.cc (get_file_sd): Always call GetSecurityInfo for directories
on XP and Server 2003. Improve comment to explain why.
(set_file_attribute): Explicitely cast mode_t value to bool in call to
get_file_sd.
* wincap.h (wincaps::use_get_sec_info_on_dirs): New element.
* wincap.cc: Implement above element throughout.
* fhandler_disk_file.cc (fhandler_disk_file::facl): Handle ENOSYS and
point to the explanation.
* ntdll.h (STATUS_NOT_IMPLEMENTED): Define.
* path.cc (symlink_info::check): Handle the inability of NT4 to use
FileNetworkOpenInformation on share root dirs in either direction.
* path.h (slash_unc_prefix_p): Remove unused declaration.
* security.cc (get_info_from_sd): Handle ENOSYS from get_file_sd.
Explain when this happens.
instead of ACL_DEFAULT_SIZE.
* sec_acl.cc (setacl): Use TLS buffer to allow maximum ACL size.
* security.h (ACL_DEFAULT_SIZE): Drop definition.
(ACL_MAXIMUM_SIZE): Define.
(SD_MAXIMUM_SIZE): Define.
* security.cc (get_file_sd): Allocate security_decscriptor with size
SD_MAXIMUM_SIZE.
(alloc_sd): Use TLS buffer to allow maximum ACL size.
GetSecurityInfo only if justcreated is true, NtQuerySecurityObject
otherwise. Add comment to explain why. Don't waste time to call
NtQuerySecurityObject twice, just allocate big enough area.
(get_file_attribute): Call get_file_sd with justcreated set to false.
(set_file_attribute): Call get_file_sd with justcreated depending on
S_JUSTCREATED pseudo file attribute.
(check_file_access): Call get_file_sd with justcreated set to false.
* sec_acl.cc (setacl): Ditto.
(getacl): Ditto.
* security.h: Convert many functions to regparm functions.
(get_file_sd): Declare with extra bool parameter.
* fhandler.h (fhandler_tty_slave::fch_open_handles): Declare private.
(fhandler_tty_slave::fch_close_handles): Ditto.
(fhandler_tty_slave::cygserver_attach_tty): Drop declaration.
(fhandler_tty_slave::fstat): Declare public.
(fhandler_tty_slave::fchmod): Declare public.
(fhandler_tty_slave::fchown): Declare public.
(class fhandler_pty_master): Add master_ctl handle.
(fhandler_pty_master::pty_master_thread): Declare public.
* fhandler_termios.cc (fhandler_termios::tcinit): If the process
is started from a non-Cygwin process, make it tty process group
leader.
* fhandler_tty.cc: Throughout accommodate additional security related
arguments in calls to functions creating or opening objects.
(close_maybe): Move to start of file to reuse it
in other methods.
(struct pipe_request): Define.
(struct pipe_reply): Define.
(fhandler_tty_slave::open): Throughout, try to open synchronization
objects with MAXIMUM_ALLOWED permissions. Drop call to cygserver.
Try to duplicate pipe handles via master_ctl pipe if duplicating
directly doesn't work.
(fhandler_tty_slave::cygserver_attach_tty): Remove.
(fhandler_tty_slave::init): Close unused incoming pipe handle.
(fhandler_pty_master::close): Send exit message to master control
thread and close master_ctl handle.
(fhandler_pty_master::pty_master_thread): New method, implementing the
master control thread.
(pty_master_thread): Static helper to start master control thread.
(fhandler_pty_master::setup): Simplify creating pipe inheritance.
Make sure we're the one creating the input_available_event. Add
comment to explain why. Create master_ctl pipe and start master
control thread. Close master_ctl handle in case of error.
* security.cc (alloc_sd): Add code to handle tty objects. Add comments
to explain what exactly is required.
(get_object_sd): New function.
(get_object_attribute): New function.
(create_object_sd_from_attribute): New function.
(set_object_sd): New function.
(set_object_attribute): New function.
(set_file_attribute): Change attribute type to mode_t.
* security.h (set_file_attribute): Change attribute type to mode_t.
(get_object_sd): Declare.
(get_object_attribute): Declare.
(create_object_sd_from_attribute): Declare.
(set_object_sd): Declare.
(set_object_attribute): Declare.
* tty.cc (tty::slave_alive): Implement directly instead of via alive.
(tty::exists): Open mutex handle with READ_CONTROL access.
(tty::alive): Remove.
(tty::open_output_mutex): Convert to inline method.
(tty::open_input_mutex): Ditto.
(tty::open_mutex): Take additional ACCESS_MASK parameter for the
mutex open access mask.
(tty::open_inuse): New method.
(tty::create_inuse): Take PSECURITY_ATTRIBUTES parameter. Drop fmt
name parameter. Always create TTY_SLAVE_ALIVE event.
(tty::get_event): Take additional PSECURITY_ATTRIBUTES parameter for
CreateEvent.
* tty.h (class tty): Change declarations according to aforementioned
changes.
(tty::open_output_mutex): Implement as inline method.
(tty::open_input_mutex): Ditto.
LocalFree instead of ::free.
* sec_acl.cc: Throughout replace old ACE flag definitions with current
definitions as used in MSDN man pages.
* security.cc: Ditto.
* fhandler.cc (fhandler_base::open): Make sure file has really been
just created before fixing file permissions. Add S_JUSTCREATED
attribute to set_file_attribute call.
* fhandler_disk_file.cc (fhandler_disk_file::mkdir): Always create dir
with default security descriptor and fix descriptor afterwards.
Add S_JUSTCREATED flag to set_file_attribute call.
* fhandler_socket.cc (fhandler_socket::bind): Ditto for AF_LOCAL
socket files.
* path.cc (symlink_worker): Ditto for symlinks.
* security.cc (get_file_sd): Call GetSecurityInfo rather than
NtQuerySecurityObject. Explain why. Change error handling accordingly.
(alloc_sd): Skip non-inherited, non-standard entries in ACL if
S_JUSTCREATED attribute is set. Explain why. Minor format fixes.
* security.h (S_JUSTCREATED): New define.
(security_descriptor::operator=): New operator.