- Currently, the stderr handle is duplicated in close_all_files().
This interferes the handle counting for detecting closure of read
pipe, which is introduced by commit f79a4611. This patch stops
duplicating stderr handle if it is write pipe.
I wasted valuable minutes of my life just to find out why we export
this weird version of pipe. In the pre-2000 era the idea was Cygwin
could be used as drop-in replacement for msvcrt.dll, apparently.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Due to reports on the Cygwin mailing list[1][2], it was uncovered
that a NtOpenDirectoryObject/NtQueryDirectoryObject/NtClose sequence
with NtQueryDirectoryObject iterating over the directory entries,
one entry per invocation, is not running atomically. If new entries
are inserted into the queried directory, other entries may be moved
around and then accidentally show up twice while iterating.
Change (almost) all NtQueryDirectoryObject invocations so that it gets
a really big buffer (64K) and ideally fetches all entries at once.
This appears to work atomically.
"Almost" all, because fhandler_procsys::readdir can't be easily changed.
[1] https://cygwin.com/pipermail/cygwin/2021-July/248998.html
[2] https://cygwin.com/pipermail/cygwin/2021-August/249124.html
Fixes: e9c8cb3193 ("(format_proc_partitions): Revamp loop over existing harddisks by scanning the NT native \Device object directory and looking for Harddisk entries.")
Fixes: a998dd7055 ("Implement advisory file locking.")
Fixes: 3b7cd74bfd ("(winpids::enum_processes): Fetch Cygwin processes from listing of shared cygwin object dir in the native NT namespace.")
Fixes: 0d6f2b0117 ("syscalls.cc (sync_worker): Rewrite using native NT functions.")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
linkat(olddirfd, oldpath, oldname, newdirfd, newname, AT_EMPTY_PATH)
is supposed to create a link to the file referenced by olddirfd if
oldname is the empty string. Currently this is done via the /proc
filesystem by converting the call to
linkat(AT_FDCWD, "/proc/self/fd/<olddirfd>", newdirfd, newname,
AT_SYMLINK_FOLLOW),
which ultimately leads to a call to the appropriate fhandler's link
method. Simplify this by using cygheap_fdget to obtain the fhandler
directly.
When a FIFO is opened, syscalls.cc:open always calls fstat on the
newly-created fhandler_fifo. This results from a call to
device_access_denied.
To speed-up this fstat call, and therefore the open(2) call, use
PC_KEEP_HANDLE when the fhandler is created. The resulting
conv_handle is retained until after the fstat call if the fhandler is
a FIFO; otherwise, it is closed immediately.
Per discussion on cygwin-developers, a Cygwin tmpfile(3) implementation
has been added to syscalls.cc. This overrides the one supplied by
newlib. Then the open(2) flag O_TMPFILE was added to the open call that
tmpfile internally makes.
This v2 patch removes O_CREAT from open() call as O_TMPFILE obviates it.
Note that open() takes a directory's path but returns an fd to a file.
Replace all occurrences of OPEN_MAX_MAX by OPEN_MAX, and define the
latter to be 3200, which was the value of the former. In view of the
recent change to getdtablesize, there is no longer a need to
distinguish between these two macros.
According to the Linux man page for getdtablesize(3), the latter is
supposed to return "the maximum number of files a process can have
open, one more than the largest possible value for a file descriptor."
The constant OPEN_MAX_MAX is the only limit enforced by Cygwin, so we
now return that.
Previously getdtablesize returned the current size of cygheap->fdtab,
Cygwin's internal file descriptor table. But this is a dynamically
growing table, and its current size does not reflect an actual limit
on the number of open files.
With this change, gnulib now reports that getdtablesize and
fcntl(F_DUPFD) work on Cygwin. Packages like GNU tar that use the
corresponding gnulib modules will no longer use gnulib replacements on
Cygwin.
Allow fchmodat with the AT_SYMLINK_NOFOLLOW flag to succeed on
non-symlinks. Previously it always failed, as it does on Linux. But
POSIX permits it to succeed on non-symlinks even if it fails on
symlinks.
The reason for following POSIX rather than Linux is to make gnulib
report that fchmodat works on Cygwin. This improves the efficiency of
packages like GNU tar that use gnulib's fchmodat module. Previously
such packages would use a gnulib replacement for fchmodat on Cygwin.
I think we don't need an extra flag as we can utilize: access & FILE_WRITE_ATTRIBUTES
What do you think?
Ben Wijen (1):
syscalls.cc: unlink_nt: Try FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
winsup/cygwin/ntdll.h | 3 ++-
winsup/cygwin/syscalls.cc | 22 +++++++--------
winsup/cygwin/wincap.cc | 11 ++++++++
winsup/cygwin/wincap.h | 56 ++++++++++++++++++++-------------------
4 files changed, 53 insertions(+), 39 deletions(-)
--
2.30.0
>From 2d0ff6fec10d03c24d11c747852018b7bc1136ac Mon Sep 17 00:00:00 2001
In-Reply-To: <20210122105201.GD810271@calimero.vinschen.de>
References: <20210122105201.GD810271@calimero.vinschen.de>
From: Ben Wijen <ben@wijen.net>
Date: Tue, 17 Dec 2019 15:15:25 +0100
Subject: [PATCH v3 1/8] syscalls.cc: unlink_nt: Try
FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
Implement wincap.has_posix_unlink_semantics_with_ignore_readonly and when set
skip setting/clearing of READONLY attribute and instead use
FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE
Move post-dir unlink check from fhandler_disk_file::rmdir to
_unlink_nt_post_dir_check
If a directory is not removed through fhandler_disk_file::rmdir
we can now make sure the post dir check is performed.
mknod32 actually creates a path_conv, just to call mknod_worker
with a win32 path. This doesn't only require to create path_conv
twice, it also breaks permissions on filesystems supporting ACLs.
Fix this by passing the path_conv created in the caller down to
symlink_worker. Also, while at it, simplify the handling of trailing
slashes and move it out of symlink_worker. Especially use the
new PC_SYM_NOFOLLOW_DIR flag to avoid fiddeling with creating
a new path copy without the trailing slash.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Following Linux, allow the pathname argument to be an empty string if
the AT_EMPTY_PATH flag is specified. In this case the dirfd argument
can refer to any type of file, not just a directory, and the call
operates on that file. In particular, dirfd can refer to a symlink
that was opened with O_PATH | O_NOFOLLOW.
Following Linux, allow the pathname argument to be an empty string,
provided the dirfd argument refers to a symlink opened with
O_PATH | O_NOFOLLOW. The readlinkat call then operates on that
symlink.
We don't support setting groups via /etc/groups anymore. Also, the
initgroups group list is created via S4U, so we have "Interactive" vs.
"Network" token, an artificial and entirely irrelevant difference.
So, "verifying" the lsaprivkeyauth token may lead to rejecting a prefectly
valid token. Just remove the verify_token call.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Revert "Cywin: user profile: unload impersonation user profile on exit"
Revert "Cygwin: seteuid: allow inheriting impersonation user profile handle"
Revert "Cygwin: user profile: add debug output to unload_user_profile"
Revert "Cygwin: user profile: Make an effort to unload unused user profiles"
This reverts commit bcb33dc4f0.
This reverts commit dd3730ed9c.
This reverts commit 8eee25241e.
This reverts commit 71b8777a71.
This patchset actually results in the following problem:
- After a couple of ssh logon/logoff attempts, an interactive session
of the same user loging in, is broken.
Apparently UnloadUserProfile manages to unload the user's profile
even while a parallel interactive session still uses the user's
profile.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The child process needs access to the handle to be able to
unload it when switching user context.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Does this work? There's not much feedback given.
TODO: We might want to try unloading the user profile at process
exit as well, FWIW.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
s4uath was only callable to create an impersonation token so
far. Rework the function to allow creating an identification
token for informational purposes even from untrusted processes.
Take domainname and username instead of a passwd pointer to be
more multi-purpose.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Under WOW64 on 64 bit Windows 7, MsV1_0S4ULogon appears to be
unimplemented, probably under Vista as well. Re-enable
create_token method, to allow basic seteuid on W7 WOW64 and
Vista as well.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
In preparation to protect fork() against dll- and exe-updates, create
hardlinks to the main executable and each loaded dll in subdirectories
of /var/run/cygfork/, if that one exists on the NTFS file system.
The directory names consist of the user sid, the main executable's NTFS
IndexNumber, and the most recent LastWriteTime of all involved binaries
(dlls and main executable). Next to the main.exe hardlink we create the
empty file main.exe.local to enable dll redirection.
The name of the mutex to synchronize hardlink creation/cleanup also is
assembled from these directory names, to allow for synchronized cleanup
of even orphaned hardlink directories.
The hardlink to each dynamically loaded dll goes into another directory,
named using the NTFS IndexNumber of the dll's original directory.
* Makefile.in (DLL_OFILES): Add forkable.o.
* dll_init.h (struct dll): Declare member variables fbi, fii,
forkable_ntname. Declare methods nominate_forkable,
create_forkable.
(struct dll_list): Declare enum forkables_needs. Declare member
variables forkables_dirx_size, forkables_dirx_ntname,
forkables_mutex_name, forkables_mutex. Declare private methods
forkable_ntnamesize, prepare_forkables_nomination,
update_forkables_needs, update_forkables, create_forkables,
denominate_forkables, close_mutex, try_remove_forkables,
set_forkables_inheritance, request_forkables. Declare public
static methods ntopenfile, read_fii, read_fbi. Declare public
methods release_forkables, cleanup_forkables. Define public
inline method setup_forkables.
* dll_init.cc (dll_list::alloc): Allocate memory to hold the
name of the hardlink in struct dll member forkable_ntname.
Initialize struct dll members fbi, fii.
(dll_list::load_after_fork): Call release_forkables method.
* fork.cc: Rename public fork function to static dofork, add
with_forkables as bool pointer parameter. Add new fork function
calling dofork. (struct frok): Add bool pointer member
with_forkables, add as constructor parameter.
(frok::parent): Call dlls.setup_forkables before CreateProcessW,
dlls.release_forkables afterwards.
* pinfo.cc (pinfo::exit): Call dlls.cleanup_forkables.
* syscalls.cc (_unlink_nt): Rename public unlink_nt function to
static _unlink_nt, with 'shareable' as additional argument.
(unlink_nt): New, wrap _unlink_nt for original behaviour.
(unlink_nt_shareable): New, wrap _unlink_nt to keep a binary
file still loadable while removing one of its hardlinks.
* forkable.cc: New file.
Implement static functions mkdirs, rmdirs, rmdirs_synchronized,
stat_real_file_once, format_IndexNumber, rootname, sidname,
exename, lwtimename. Define static array forkable_nameparts.
(struct dll): Implement nominate_forkable, create_forkable.
(struct dll_list): Implement static methods ntopenfile,
read_fii, read_fbi. Implement forkable_ntnamesize,
Trying to delete in-use executables and DLLs using
FILE_DISPOSITION_POSIX_SEMANTICS returns STATUS_CANNOT_DELETE.
Fall back to the former method if that error occurs to allow
unlinking these files.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The symlink target of /proc/PID/fd files pointing to pipes and
sockets are just artificial filenames referencing the object using
some internal number. The pipe open code expects a path specifying
process pid and the internal number so it access the right process
and pipe.
- Set the posix path of the pipe to the simple pipe name only,
as it shows up in /proc/PID/fd. A /proc/self prefix is just
as wrong as a /dev/fd prefix.
- Revert thinko in fhandler_pipe::open expecting the name as
/proc/self/fd/... In fact this should never happen.
- Fix up the path before re-opening the pipe instead.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The reopen code neglected to pass along the requested open
mode correctly. This may end up reopening the file with
incorrect access mask, or duplicating the wrong pipe handle.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- This simple and official method replaces cyglsa and "create token"
methods. No network share access, same as before.
- lsaauth and create_token are disabled now. If problems crop up,
they can be easily reactivated. If no problems crop up, they
can be removed in a while, together with the lsaauth subdir.
- Bump Cygwin version to 3.0.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
While FileRenameInformationEx is defined starting with Windows
10 1709 per MSDN, it only starts working in W10 1809, apparently.
Users of 1803 report "Function not implemented".
Introduce wincap_10_1809 and change the version check in
wincapc::init accordingly. Split has_posix_file_info into
has_posix_unlink_semantics and has_posix_rename_semantics.
Enable the latter only starting with W10 1809.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
So far we check the recycler name all the time, and the last interation
also only managed to handle two ways to write the recycler. However,
an adventurous user might change the case of the recycler arbitrarily.
Fix this problem by keeping track of the name in a somewhat relaxed
fashion. Use camel back on drive C by default, all upper case elsewhere.
Only if the rename op fails do we fix the recycler name on the fly
when trying to create it, and it turns out it already existed.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
If the first rename fails, we reopen the rootdir for creating a subdir.
The rootdir handle can change its value at this point, but the code
doesn't take this into account. The subsequent rename then fails with
STATUS_INVALID_HANDLE. Fix this by copying the new rootdir value to
pfri->RootDirectory.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
So far we reopened the file if it was opened case sensitive to
workaround the problem that the recycler could be named in
camel back or all upper case, depending on who created it.
That's a problem for O_TMPFILE on pre-W10. As soon as the
original HANDLE gets closed, delete-on-close is converted to full
delete disposition and all useful operations on the file cease to
work (STATUS_ACCESS_DENIED or STATUS_FILE_DELETED).
To avoid that problem drop the reopen code and check for the exact
recycler filename, either $Recycle.Bin or $RECYCLE.BIN, if the file
has been opened case sensitive.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
move special fd symlink code into own fhandler_process_fd class
to simplify further additions to /proc/PID/fd/DESCRIPTOR symlink
handling.
Add a method to handle stat(2) on such a proc fd symlink by handle.
This allows correct reply from stat(2) if the target file has been
deleted. This eventually fixes `awk -f /dev/fd/3 3<<eof'.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
path_conv now sets the PATH_RESOLVE_PROCFD flag in path_flags if
the PC_SYM_NOFOLLOW_PROCFD pathconv_arg flag has been set on input
*and* the file is actually a proc fd symlink.
Add matching path_conv::follow_fd_symlink method for checking and
use it in open(2).
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Along the same lines as the previous patch: By reopening an
O_TMPFILE by handle, we can now move the file to the bin at
open time and thus free'ing up the parent dir and *still*
open the file as /proc/PID/fd/DESCRIPTOR by linkat(2).
Allows expressions along the lines of `cat /proc/self/fd/0 <<EOF'.
The problem here is that the temporary file used for the here script
has already been deleted by the shell. Opening by filename, as
implemented so far, doesn't work because the file has been moved
to the bin.
Allow reopening files by handle the same way from another process
as long as we have sufficient permissions on the foreign process.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The commit message of commit 07e0a9584f
and the expectation set therein, are wrong.
There's no POSIX semantics allowing to link a file with a link
count of 0 and making it available in the file system again.
In fact, the Linux linkat extension AT_EMPTY_PATH explicitely
disallows to link a file descriptor to a file with a link count
of 0, except for O_TMPFILE without O_EXCL.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- Turns out, the definition of POSIX unlink semantics is half-hearted
so far: It's not possible to link an open file HANDLE if it has
been deleted with POSIX semantics, nor is it possible to remove
the delete disposition. This breaks linkat on an O_TMPFILE.
Tested with W10 1809.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- short-circuit most code in unlink_nt since it's not necessary
anymore if FILE_DISPOSITION_POSIX_SEMANTICS is supported.
- Immediately remove O_TMPFILE from filesystem after creation.
Disable code for now because we have to implement /proc/self/fd
opening by handle first, lest linkat fails.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Difference to Linux: We can't create files which don't show up
in the filesystem due to OS restrictions. As a kludge, make a
(half-hearted) attempt to hide the file in the filesystem.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Also updates the fhandler_*::ftruncate implementations to adhere to the same
semantics. The error handling semantics of those syscalls that use
fhandler_*::ftruncate are moved to the implementations of those syscalls (
in particular ftruncate() and friends still set errno and return -1 on error
but that logic is handled in the syscall implementation).
Under some not quite clear conditions, NFS fails to use its
unlink workaround to rename a file to ".nfsXYZ". The problem has been
reproduced with the GAWK testext.awk testcase. To workaround this in
Cygwin, we now call try_to_bin on NFS, too. For some reason NFS doesn't
fail to rename the .cygXYZ file to .nfsXYZ after this Cygwin rename.
Fix comment in unlink_nt accordingly.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The "final trick" code in try_to_bin accidentally never worked on
remote drives because it relies on rootdir. Which isn't set for
remote unlinks. The code now creates a full path for remote files.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The try_to_bin function isn't called for netapp FSes anyway, so testing
for this FS type in the function is moot.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
If newfile already exists and is in use, trying to overwrite it with
NtSetInformationFile(FileRenameInformation) fails exactly as if we
don't have the permissions to delete it. Unfortunately the return code
is the same STATUS_ACCESS_DENIED, so we have no way to distinguish
these cases. What we do here so far is to start a transaction to delete
newfile. If this open fails with a transactional error we stop the
transaction and retry opening the file without transaction.
But, here's the problem: If newfile is in use, NtOpenFile(oldfile)
naturally does NOT fail with a transactional error. Rather, the
subsequent call to unlink_nt(newfile) does, because there's another
handle open to newfile outside a transaction. However, the code does
not check if unlink_nt fails with a transactional error and so fails
to retry without transaction.
This patch recifies the problem and checks unlink_nt's status as well.
Refactor code to get rid of goto into another code block.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Long-standing problem in one of the corner cases of rename(2):
If we rename a directory a check is performed to see if newpath is
identical to oldpath or a subdir of oldpath. This check is
(accidentally? no hints anywhere in ChangeLogs or code) performed
case-insensitive for as long as we use Unicode paths and NT functions.
This leads to the problems described in
https://cygwin.com/ml/cygwin/2016-09/msg00264.html
Change this to be conditional case-sensitive as all other checks but
let's take this with a grain of salt. There may be corner-cases in
this corner-case which require to chek parts of the path always
case-insensitive. Off the top of my head I can't construct such a
case but that's no proof they don't exist :}
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Revamp device parsing code. Introducing support for more partitions
into the shilka-generated parser has the unfortunate side-effect of
raising the size of the DLL by almost 2 Megs. Therefore we split out
the handling for /dev/sdXY devices into a tiny bit of hand-written
code.
While at it, remove some unused cruft from devices.* and generally
clean up the device class to provide access methods instead of direct
access to members.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Bump GPLv2+ to GPLv3+ for some files, clarify BSD 2-clause.
Everything else stays under GPLv3+.
New Linking Exception exempts resulting executables from LGPLv3 section 4.
Add CONTRIBUTORS file to keep track of licensing.
Remove 'Copyright Red Hat Inc' comments.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- New, unified implementation of POSIX permission and ACL handling. The
new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
they allow to inherit the S_ISGID bit. ACL inheritance now really
works as desired, in a limited, but theoretically equivalent fashion
even for non-Cygwin processes.
To accommodate Windows default ACLs, the new code ignores SYSTEM and
Administrators group permissions when computing the MASK/CLASS_OBJ
permission mask on old ACLs, and it doesn't deny access to SYSTEM and
Administrators group based on the value of MASK/CLASS_OBJ when
creating the new ACLs.
The new code now handles the S_ISGID bit on directories as on Linux:
Setting S_ISGID on a directory causes new files and subdirs created
within to inherit its group, rather than the primary group of the user
who created the file. This only works for files and directories
created by Cygwin processes.
2015-05-29 Corinna Vinschen <corinna@vinschen.de>
Reapply POSIX ACL changes.
* utils.xml (setfacl): Show new option output.
(getfacl): Show new option output.
* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
Apply umask, if so. Align comments.
* security.cc (set_created_file_access): Fix permission masking by
incoming requested file mode.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
Simplify and move around code in a few places. To improve ACL
readability, add r/w permissions to Admins ACE appended to pty ACL.
Add comment to explain Windows ACE Mask filtering being in the way of
creating a real CLASS_OBJ.
(get_posix_access): Fake CLASS_OBJ for ptys. Explain why.
* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
when calling get_posix_access.
* sec_acl.cc (set_posix_access): Move merging group perms into owner
perms in case of owner == group after mask has been computed. Take
mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.
* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
the ACCESS_ALLOWED_ACE.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment
to explain why.
* security.cc (set_created_file_access): Ditto.
* sec_acl.cc (set_posix_access): Replace previous patch. Return
EINVAL if uid and/or guid is invalid and not backed by an actual
Windows account.
* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
* sec_acl.cc (set_posix_access): Handle files with owner == group.
Rephrase switch statement checking against unfiltered a_type value.
(get_posix_access): Handle files with owner == group.
* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
CLASS_OBJ mask on old-style ACLs. Fix a comment.
* sec_acl.cc (set_posix_access): Always make sure Admins have
WRITE_DAC and WRITE_OWNER permissions.
* security.h (create_object_sd_from_attribute): Drop handle parameter
from prototype.
* security.cc (create_object_sd_from_attribute): Drop handle parameter.
Just create the standard POSIXy security descriptor.
(set_object_attribute): Accommodate dropped paramter in call to
create_object_sd_from_attribute.
* fhandler_tty.cc: Ditto, throughout.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
mask computation.
* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
not umasked.
(fhandler_base::open): Explicitely umask mode on NFS here. Call new
set_created_file_access rather than set_file_attribute.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
setting permissions on filesystems supporting ACLs using the new
set_posix_access call.
(fhandler_disk_file::fchown): Ditto.
(fhandler_disk_file::mkdir): Call new set_created_file_access rather
than set_file_attribute.
* fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add
WRITE_OWNER access to allow writing group in case of SGID bit set.
Call new set_created_file_access rather than set_file_attribute.
* path.cc (symlink_worker): Call new set_created_file_access rather
than set_file_attribute.
* sec_acl.cc (searchace): Un-staticize.
(set_posix_access): New, complementary functionality to
get_posix_access.
(setacl): Implement in terms of get_posix_access/set_posix_access.
(get_posix_access): Add handling for just created files requiring
their first Cygwin ACL. Fix new_style recognition. Handle SGID
bit. For old-style ACLs, ignore SYSTEM and Administrators when
computing the {DEF_}CLASS_OBJ perms.
* security.cc (get_file_sd): Revamp comment. Change and (hopefully)
speed up inheritance processing for just created files.
(alloc_sd): Remove.
(set_security_attribute): Call set_posix_access instead of alloc_sd.
(get_object_attribute): Fix return value.
(create_object_sd_from_attribute): Call set_posix_access instead of
alloc_sd.
(set_file_attribute): Remove.
(set_created_file_access): New function implemented in terms of
get_posix_access/set_posix_access.
* security.h (set_file_attribute): Remove prototype.
(set_created_file_access): Add prototype.
(searchace): Ditto.
(set_posix_access): Ditto.
* syscalls.cc (open): Call open_with_arch with mode not umasked.
* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
Describe how to generate deny ACEs in more detail. Accommodate the
fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
a special Cygwin ACE. Improve further comments.
(CYG_ACE_NEW_STYLE): Define.
(get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix
CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
NULL deny ACE if the inheritance flags say so.
* sec_helper.cc (well_known_cygwin_sid): Remove.
* security.h (well_known_cygwin_sid): Drop declaration.
* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
(get_posix_access): Rename index variable from i to idx. Define only
once at top level.
* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
Accommodate throughout.
(add_access_denied_ace): Ditto.
* sec_acl.cc: Accommodate above change throughout.
* security.h (add_access_allowed_ace): Adjust prototype to above change.
(add_access_denied_ace): Ditto.
* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
owner and primary group of the file. Handle the default primary
group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
set. Add comments. Minor code rearrangements.
Preliminary read side implementation of new permission handling.
* acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain.
* sec_acl.cc: Add leading comment to explain new ACL style.
Add definitions and macros to use for bits in new Cygwin ACL.
(DENY_RWX): New mask value for all temporary deny bits.
(getace): Add bool parameter to decide when leaving all bits intact,
rather than filtering them per the already set bits.
(get_posix_access): New function, taking over functionality to read
POSIX ACL from SECURITY_DESCRIPTOR.
(getacl): Just call get_posix_access.
* sec_helper.cc (well_known_cygwin_sid): Define.
* security.cc (get_attribute_from_acl): Remove.
(get_info_from_sd): Remove.
(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
(get_file_attribute): Ditto.
(get_object_attribute): Ditto.
* security.h (well_known_cygwin_sid): Declare.
(get_posix_access): Add prototype.
* Throughout, use simpler ACE macros from Windows' accctrl.h.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
* setfacl.c: Align more to Linux tool.
(delacl): New function to delete acl entries only.
(modacl): Drop delete functionality. Add handling of recomputing the
mask and default mask values.
(delallacl): Rename from delacl.
(setfacl): Call delacl in Delete case. Call delallacl in DeleteAll
and DeleteDef case.
(usage): Accommodate new options. Rearrange and rephrase slightly.
(longopts): Emit 'x' in --delete case. Add --no-mask and --mask
options.
(opts): Add -x and -n options.
(main): Handle -d and -x the same. Handle -n and --mask options.
Drop handling for -r option.
* getfacl.c (usage): Align more closely to Linux version. Add new
options -c, -e, -E. Change formatting to accommodate longer options.
(longopts): Rename --noname to --numeric. Keep --noname for backward
compatibility. Add --omit-header, --all-effective and --no-effective
options.
(opts): Add -c, -e and -E option.
(main): Handle new -c, -e, and -E options.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* path.cc (path_conv::set_nt_native_path): New function.
* path.h (path_conv::set_nt_native_path): Add prototype.
* syscall.cc (try_to_bin): Handle moving files to the recycler
accessed via a local virtual drive (subst). Fix a problem renaming
the file to the unique replacement name on Samba. Align comment.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
suffix and make private. Rename normalized_path to posix_path and
make privtae. Accommodate name changes throughout in path_conv
methods.
(path_conv::known_suffix): New method. Use throughout instead of
accessing suffix directly.
(path_conv::get_win32): Constify.
(path_conv::get_posix): New method to read posix_path. Use throughout
instead of accessing normalized_path directly.
(path_conv::set_posix): Rename from set_normalized_path. Accommodate
name change throughout.
* spawn.cc (find_exec): Return POSIX path, not Win32 path.
(LoadUserProfileW): Import.
* registry.cc (get_registry_hive_path): Move to sec_auth.cc.
(load_registry_hive): Remove.
* registry.h (get_registry_hive_path): Drop declaration.
(load_registry_hive): Ditto.
* sec_auth.cc (get_user_profile_directory): Moved from registry.cc and
renamed. Take third parameter with buffer length.
(load_user_profile): New function taking over for load_registry_hive.
Use official functions to load profile. If profile is missing, create
it on Vista and later.
* security.h (get_user_profile_directory): Declare.
(load_user_profile): Declare.
* syscalls.cc (seteuid32): Replace call to load_registry_hive with call
to load_user_profile.
* uinfo.cc (cygheap_user::env_userprofile): Replace call to
get_registry_hive_path with call to get_user_profile_directory.
POBJECT_ATTRIBUTES. Take OBJECT_ATTRIBUTES reference as argument, not
pointer.
* fhandler_disk_file.cc: Throughout accommodate above change.
* syscalls.cc: Ditto.
* ntea.cc (read_ea): Don't set hdl to NULL if it's already NULL. Set
attr with pc.init_reopen_attr before trying to reopen file.
(write_ea): Ditto.
* security.cc (get_file_sd): Use pc.init_reopen_attr rather than
pc.get_object_attr when trying to reopen file.
(set_file_sd): Ditto.
handler.
* cygtls.cc (_cygtls::remove): Accommodate the fact that pathbufs
has been moved from _local_storage to _cygtls.
* cygtls.h (class tls_pathbuf): Add comment to hint to gendef usage
of counters. Change type of counters to uint32_t for clarity.
Remove _cygtls as friend class.
(struct _local_storage): Move pathbufs from here...
(struct _cygtls): ...to here, allowing to access it from _sigbe.
(class san): Only define on 32 bit. Remove errno, _c_cnt and _w_cnt
members.
(san::setup): Drop parameter. Don't initialize removed members.
(san::leave): Don't set removed members.
(class myfault): Only define on 32 bit.
(myfault::faulted): Only keep implementation not taking any parameter.
Drop argument in call to sebastian.setup.
(__try/__leave/__except/__endtry): Implement to support real SEH. For
now stick to SJLJ on 32 bit.
* dcrt0.cc (dll_crt0_0): Drop 64 bit call to
exception::install_myfault_handler.
* exception.h (exception_handler): Define with EXCEPTION_DISPOSITION
as return type.
(PDISPATCHER_CONTEXT): Define as void * on 32 bit. Define as pointer
to _DISPATCHER_CONTEXT on 64 bit.
(class exception): Define separately for 32 and 64 bit.
(exception::myfault): Add handler for myfault SEH handling on 64 bit.
(exception::exception): Fix mangled method name to account for change
in type of last parameter.
(exception::install_myfault_handler): Remove.
* exceptions.cc (exception::myfault_handle): Remove.
(exception::myfault): New SEH handler for 64 bit.
* gendef (_sigbe): Set tls_pathbuf counters to 0 explicitely when
returning to the caller.
* ntdll.h: Move a comment to a better place.
(struct _SCOPE_TABLE): Define on 64 bit.
* thread.cc (verifyable_object_isvalid): Remove gcc 4.7 workaround.
* tls_pbuf.cc (tls_pbuf): Fix to accommodate new place of pathbufs.
(tls_pathbuf::destroy): Change type of loop variables to uint32_t.
* tls_pbuf.h (class tmp_pathbuf): Change type of buffer counters to
uint32_t. Accommodate new place of pathbufs.
* tlsoffsets.h: Regenerate.
* tlsoffsets64.h: Regenerate.