Re: [PATCH 2/2] server: Include user groups in file mode calculation when user is file owner
"Ben Peddell" klightspeed@netspace.net.au writes:
@@ -474,7 +475,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH; }
else if (security_equal_sid( sid, owner ))
else if (security_equal_sid( sid, owner ) ||(security_equal_sid( user, owner ) &&token_sid_present( current->process->token, sid, TRUE ))) { unsigned int access = generic_file_map_access( ad_ace->Mask ); if (access & FILE_READ_DATA)@@ -498,7 +501,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) new_mode |= S_IXUSR|S_IXGRP|S_IXOTH; }
else if (security_equal_sid( sid, owner ))
else if (security_equal_sid( sid, owner ) ||(security_equal_sid( user, owner ) &&token_sid_present( current->process->token, sid, FALSE )))
You should most likely set the group permissions too in that case.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Alexandre Julliard wrote:
"Ben Peddell" klightspeed@netspace.net.au writes:
@@ -474,7 +475,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH; }
else if (security_equal_sid( sid, owner ))
else if (security_equal_sid( sid, owner ) ||(security_equal_sid( user, owner ) &&token_sid_present( current->process->token, sid, TRUE ))) { unsigned int access = generic_file_map_access( ad_ace->Mask ); if (access & FILE_READ_DATA)@@ -498,7 +501,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) if (access & FILE_EXECUTE) new_mode |= S_IXUSR|S_IXGRP|S_IXOTH; }
else if (security_equal_sid( sid, owner ))
else if (security_equal_sid( sid, owner ) ||(security_equal_sid( user, owner ) &&token_sid_present( current->process->token, sid, FALSE )))You should most likely set the group permissions too in that case.
I think we'd need to implement a security_sid_to_unix_uid function (and re-implement the security_unix_uid_to_sid function to complement it) to be able to do that properly. Also, we'd need a map of groups and their direct members, and possibly a map of members and their direct groups to complement it, to be able to determine the full permission set of the primary group.
To store additional permissions, we could use POSIX ACLs, Extended Attributes or special files. With POSIX ACLs, proper ordering would be needed - e.g. most restrictive (full deny) through most permissive (full grant, no deny) to least permissive (no grant, no deny), to ensure users and groups get the access the security descriptor specifies.
- -- Ben Peddell
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Ben Peddell wrote:
I think we'd need to implement a security_sid_to_unix_uid function (and re-implement the security_unix_uid_to_sid function to complement it) to be able to do that properly.
Sorry - that should be security_sid_to_unix_gid and security_unix_gid_to_sid.
- -- Ben Peddell
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Ben Peddell wrote:
Alexandre Julliard wrote:
You should most likely set the group permissions too in that case.
I have re-submitted, this time setting group mode according to the permission set of the user's groups.
I forgot to unmask the group bits in try 2, so I have unmasked them in try 3.
- -- Ben Peddell
-
Alexandre Julliard -
Ben Peddell