More Everyone

Pierre A. Humblet Pierre.Humblet@ieee.org
Sat Aug 24 14:06:00 GMT 2002


Corinna,

The changes below, which have no effects in sane cases, will
- greatly reduce the likelihood of denying access
- have "ls -l" reflect the actual situation.
Things can still be strange when group==Everyone, e.g. 
- chmod 707 will both deny and allow access to Everyone, with
  the net outcome being denied (as shown by ls -l)
- ls -l and getfacl report different settings for group

Pierre

2002-08-24 Pierre Humblet <Pierre.Humblet@ieee.org>
	
	* sec_acl.cc (getacl): Check ace_sid == well_known_world_sid
	before group_sid so that well_known_world_sid means "other"
	even when group_sid is Everyone. 
	* security.cc (get_nt_attribute): Ditto.

--- sec_acl.cc.orig     2002-07-02 20:29:16.000000000 -0400
+++ sec_acl.cc  2002-08-23 18:39:32.000000000 -0400
@@ -319,16 +319,16 @@
          type = USER_OBJ;
          id = uid;
        }
-      else if (ace_sid == group_sid)
-       {
-         type = GROUP_OBJ;
-         id = gid;
-       }
       else if (ace_sid == well_known_world_sid)
        {
          type = OTHER_OBJ;
          id = 0;
        }
+      else if (ace_sid == group_sid)
+       {
+         type = GROUP_OBJ;
+         id = gid;
+       }
       else
        {
          id = ace_sid.get_id (FALSE, &type);

--- security.cc.orig    2002-08-23 18:37:10.000000000 -0400
+++ security.cc 2002-08-24 15:01:04.000000000 -0400
@@ -1300,18 +1300,6 @@
          if (ace->Mask & FILE_EXECUTE)
            *flags |= S_IXUSR;
        }
-      else if (group_sid && ace_sid == group_sid)
-       {
-         if (ace->Mask & FILE_READ_DATA)
-           *flags |= S_IRGRP
-                     | ((grp_member && !(*anti & S_IRUSR)) ? S_IRUSR : 0);
-         if (ace->Mask & FILE_WRITE_DATA)
-           *flags |= S_IWGRP
-                     | ((grp_member && !(*anti & S_IWUSR)) ? S_IWUSR : 0);
-         if (ace->Mask & FILE_EXECUTE)
-           *flags |= S_IXGRP
-                     | ((grp_member && !(*anti & S_IXUSR)) ? S_IXUSR : 0);
-       }
       else if (ace_sid == well_known_world_sid)
        {
          if (ace->Mask & FILE_READ_DATA)
@@ -1343,6 +1331,18 @@
          if (ace->Mask & FILE_APPEND_DATA)
            *flags |= S_ISUID;
        }
+      else if (group_sid && ace_sid == group_sid)
+       {
+         if (ace->Mask & FILE_READ_DATA)
+           *flags |= S_IRGRP
+                     | ((grp_member && !(*anti & S_IRUSR)) ? S_IRUSR : 0);
+         if (ace->Mask & FILE_WRITE_DATA)
+           *flags |= S_IWGRP
+                     | ((grp_member && !(*anti & S_IWUSR)) ? S_IWUSR : 0);
+         if (ace->Mask & FILE_EXECUTE)
+           *flags |= S_IXGRP
+                     | ((grp_member && !(*anti & S_IXUSR)) ? S_IXUSR : 0);
+       }
     }
   *attribute &= ~(S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX | S_ISGID | S_ISUID);
   *attribute |= allow;




More information about the Cygwin-patches mailing list