This is the mail archive of the
cygwin-cvs@cygwin.com
mailing list for the Cygwin project.
[newlib-cygwin] Try to avoid creating dangerous DENY ACEs
- From: Corinna Vinschen <corinna at sourceware dot org>
- To: cygwin-cvs at sourceware dot org
- Date: 18 Apr 2015 15:07:16 -0000
- Subject: [newlib-cygwin] Try to avoid creating dangerous DENY ACEs
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=2e950b1edd5615bd145f2eaa99f03db4c998ed15
commit 2e950b1edd5615bd145f2eaa99f03db4c998ed15
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Sat Apr 18 17:07:08 2015 +0200
Try to avoid creating dangerous DENY ACEs
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/ChangeLog | 5 +++++
winsup/cygwin/sec_acl.cc | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 04bd520..a19a9e9 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
2015-04-17 Corinna Vinschen <corinna@vinschen.de>
+ * sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
+ GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
+
+2015-04-17 Corinna Vinschen <corinna@vinschen.de>
+
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 9336dea..7e65077 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -316,6 +316,12 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
idx < nentries && aclbufp[idx].a_type & check_types;
++idx)
{
+ /* Avoid to create DENY ACEs for the second orrurence of
+ accounts which show up twice, as USER_OBJ and USER, or
+ GROUP_OBJ and GROUP. */
+ if ((aclbufp[idx].a_type & USER && aclsid[idx] == owner)
+ || (aclbufp[idx].a_type & GROUP && aclsid[idx] == group))
+ continue;
/* For the rules how to construct the deny access mask, see the
comment right at the start of this file. */
if (aclbufp[idx].a_type & USER_OBJ)