-rw-r--r--winsup/cygwin/ChangeLog5
-rw-r--r--winsup/cygwin/security.cc21
2 files changed, 18 insertions, 8 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 8c80f97e3..4b3f7de74 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,10 @@
2015-02-25 Corinna Vinschen <corinna@vinschen.de>
+ * security.cc (alloc_sd): Don't apply temporary workaround for chmod
+ to DEF_USER_OBJ, DEF_GROUP_OBJ, and DEF_OTHER_OBJ ACEs.
+
+2015-02-25 Corinna Vinschen <corinna@vinschen.de>
+
* fhandler_tty.cc (fhandler_pty_slave::read): Having no input is not an
error condition for tcflush.
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 929e8a32e..9c94c7053 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -777,14 +777,19 @@ alloc_sd (path_conv &pc, uid_t uid, gid_t gid, int attribute,
ace->Header.AceFlags &= ~INHERITED_ACE;
}
else if (uid == ILLEGAL_UID && gid == ILLEGAL_UID
- && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- /* FIXME: Temporary workaround for the problem that chmod does
- not affect the group permissions if other users and groups
- in the ACL have more permissions than the primary group due
- to the CLASS_OBJ emulation. The temporary workaround is to
- disallow any secondary ACE in the ACL more permissions than
- the primary group when writing a new ACL via chmod. */
- ace->Mask &= group_allow;
+ && ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
+ && ace_sid != well_known_creator_group_sid
+ && ace_sid != well_known_creator_owner_sid
+ && ace_sid != well_known_world_sid)
+ {
+ /* FIXME: Temporary workaround for the problem that chmod does
+ not affect the group permissions if other users and groups
+ in the ACL have more permissions than the primary group due
+ to the CLASS_OBJ emulation. The temporary workaround is to
+ disallow any secondary ACE in the ACL more permissions than
+ the primary group when writing a new ACL via chmod. */
+ ace->Mask &= group_allow;
+ }
/* Add unrelated ACCESS_DENIED_ACE to the beginning but behind
the owner_deny, ACCESS_ALLOWED_ACE to the end. FIXME: this
would break the order of the inherit-only ACEs. */
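Review bot: The FIXME comment kept inside the new braces still says the workaround applies to "any secondary ACE", but the three added `ace_sid != well_known_*_sid` conditions now exempt the CREATOR OWNER, CREATOR GROUP and Everyone entries, and nothing in the comment records that or why; a reader of this branch alone cannot tell the exemption is intentional. Suggest appending to the comment something like `The DEF_USER_OBJ, DEF_GROUP_OBJ and DEF_OTHER_OBJ ACEs (CREATOR OWNER, CREATOR GROUP, Everyone) are exempt because they represent the default entries rather than secondary users/groups.` The well_known_world_sid comparison would also exempt a non-inherit-only Everyone ACE if one can reach this branch, which would lift the group_allow cap for the plain OTHER_OBJ entry rather than only DEF_OTHER_OBJ; presumably such ACEs are filtered earlier in the loop, but that is outside the hunk and worth confirming. The body of alloc_sd starts and ends outside the hunk.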