-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alexandre Julliard wrote:

"Ben Peddell" <klightspeed(a)netspace.net.au> writes:

...

@@ -474,7 +475,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH; } - else if (security_equal_sid( sid, owner )) + else if (security_equal_sid( sid, owner ) || + (security_equal_sid( user, owner ) && + token_sid_present( current->process->token, sid, TRUE ))) { unsigned int access = generic_file_map_access( ad_ace->Mask ); if (access & FILE_READ_DATA) @@ -498,7 +501,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) new_mode |= S_IXUSR|S_IXGRP|S_IXOTH; } - else if (security_equal_sid( sid, owner )) + else if (security_equal_sid( sid, owner ) || + (security_equal_sid( user, owner ) && + token_sid_present( current->process->token, sid, FALSE )))

You should most likely set the group permissions too in that case.

I think we'd need to implement a security_sid_to_unix_uid function (and re-implement the security_unix_uid_to_sid function to complement it) to be able to do that properly. Also, we'd need a map of groups and their direct members, and possibly a map of members and their direct groups to complement it, to be able to determine the full permission set of the primary group. To store additional permissions, we could use POSIX ACLs, Extended Attributes or special files. With POSIX ACLs, proper ordering would be needed - e.g. most restrictive (full deny) through most permissive (full grant, no deny) to least permissive (no grant, no deny), to ensure users and groups get the access the security descriptor specifies. - -- Ben Peddell -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkshm0cACgkQTHDAI68NsunHGwCfTOe0jDyv+spER3tTeyHToUTl +gcAnRxwedfoxtc5MYeJXpDsLGJK4gKO =YCdA -----END PGP SIGNATURE-----