-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
This proposed patch (which I believe will contribute toward solving bugs 17672, 19588 and 20643, and any others where the permissions are set too restrictive) exposes the token_sid_present call in token.c, and uses it to check the SIDs in the security descriptor against those in the process token.
Are there any changes anyone can think of before I submit it to wine-patches?
Is there a better (already exposed) way of checking a SID against the process token's group list?
- ---- server/file.c | 6 ++++-- server/security.h | 1 + server/token.c | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-)
server/file.c | 6 ++++-- server/security.h | 1 + server/token.c | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/server/file.c b/server/file.c index a74de14..793c24a 100644 --- a/server/file.c +++ b/server/file.c @@ -485,7 +485,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH; } - else if (security_equal_sid( sid, owner )) + else if (security_equal_sid( sid, owner ) || + token_sid_present( current->process->token, sid, 1 )) { unsigned int access = generic_file_map_access( ad_ace->Mask ); if (access & FILE_READ_DATA) @@ -509,7 +510,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) new_mode |= S_IXUSR|S_IXGRP|S_IXOTH; } - else if (security_equal_sid( sid, owner )) + else if (security_equal_sid( sid, owner ) || + token_sid_present( current->process->token, sid, 0 )) { unsigned int access = generic_file_map_access( aa_ace->Mask ); if (access & FILE_READ_DATA) diff --git a/server/security.h b/server/security.h index 39b1d2f..33cf5da 100644 --- a/server/security.h +++ b/server/security.h @@ -55,6 +55,7 @@ extern int token_check_privileges( struct token *token, int all_required, extern const ACL *token_get_default_dacl( struct token *token ); extern const SID *token_get_user( struct token *token ); extern const SID *token_get_primary_group( struct token *token ); +extern int token_sid_present( struct token *token, const SID *sid, int deny);
static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace ) { diff --git a/server/token.c b/server/token.c index ce896ac..461e79d 100644 --- a/server/token.c +++ b/server/token.c @@ -776,7 +776,7 @@ int token_check_privileges( struct token *token, int all_required, return (enabled_count > 0); }
-static int token_sid_present( struct token *token, const SID *sid, int deny ) +int token_sid_present( struct token *token, const SID *sid, int deny ) { struct group *group;