Index: security.h =================================================================== RCS file: /cvs/src/src/winsup/cygwin/security.h,v retrieving revision 1.44 diff -u -p -r1.44 security.h --- security.h 10 Sep 2003 02:12:25 -0000 1.44 +++ security.h 13 Sep 2003 21:29:56 -0000 @@ -256,9 +256,11 @@ SECURITY_DESCRIPTOR *__stdcall get_null_ /* Various types of security attributes for use in Create* functions. */ extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih; -extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit) +extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, + DWORD access2, BOOL inherit) __attribute__ ((regparm (3))); -extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID); +extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID, + PSID sid2 = NO_SID, DWORD access2 = 0); int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len); BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len); @@ -266,14 +268,14 @@ PSECURITY_DESCRIPTOR alloc_sd (__uid32_t PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret); extern inline SECURITY_ATTRIBUTES * -sec_user_nih (char sa_buf[], PSID sid = NULL) +sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0) { - return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih; + return __sec_user (sa_buf, sid1, sid2, access2, FALSE); } extern inline SECURITY_ATTRIBUTES * -sec_user (char sa_buf[], PSID sid = NULL) +sec_user (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0) { - return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none; + return __sec_user (sa_buf, sid1, sid2, access2, TRUE); } #endif /*_SECURITY_H*/ Index: sec_helper.cc =================================================================== RCS file: /cvs/src/src/winsup/cygwin/sec_helper.cc,v retrieving revision 1.39 diff -u -p -r1.39 sec_helper.cc --- sec_helper.cc 16 Jun 2003 03:24:11 -0000 1.39 +++ sec_helper.cc 13 Sep 2003 21:29:56 -0000 @@ -372,23 +372,29 @@ get_null_sd () } BOOL -sec_acl (PACL acl, BOOL admins, PSID sid1, PSID sid2) +sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2) { size_t acl_len = MAX_DACL_LEN(5); + cygpsid psid; if (!InitializeAcl (acl, acl_len, ACL_REVISION)) { debug_printf ("InitializeAcl %E"); return FALSE; } - if (sid2) - if (!AddAccessAllowedAce (acl, ACL_REVISION, - GENERIC_ALL, sid2)) - debug_printf ("AddAccessAllowedAce(sid2) %E"); if (sid1) if (!AddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, sid1)) debug_printf ("AddAccessAllowedAce(sid1) %E"); + if (original && (psid = cygheap->user.orig_sid ()) + && psid != sid1 && psid != well_known_system_sid) + if (!AddAccessAllowedAce (acl, ACL_REVISION, + GENERIC_ALL, psid)) + debug_printf ("AddAccessAllowedAce(original) %E"); + if (sid2) + if (!AddAccessAllowedAce (acl, ACL_REVISION, + access2, sid2)) + debug_printf ("AddAccessAllowedAce(sid2) %E"); if (admins) if (!AddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, well_known_admins_sid)) @@ -396,26 +402,18 @@ sec_acl (PACL acl, BOOL admins, PSID sid if (!AddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, well_known_system_sid)) debug_printf ("AddAccessAllowedAce(system) %E"); -#if 0 /* Does not seem to help */ - if (!AddAccessAllowedAce (acl, ACL_REVISION, - GENERIC_ALL, well_known_creator_owner_sid)) - debug_printf ("AddAccessAllowedAce(creator_owner) %E"); -#endif return TRUE; } PSECURITY_ATTRIBUTES __stdcall -__sec_user (PVOID sa_buf, PSID sid2, BOOL inherit) +__sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit) { PSECURITY_ATTRIBUTES psa = (PSECURITY_ATTRIBUTES) sa_buf; PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) ((char *) sa_buf + sizeof (*psa)); PACL acl = (PACL) ((char *) sa_buf + sizeof (*psa) + sizeof (*psd)); - cygsid sid; - - if (!(sid = cygheap->user.orig_sid ()) || - (!sec_acl (acl, TRUE, sid, sid2))) + if (!wincap.has_security () || !sec_acl (acl, true, true, sid1, sid2, access2)) return inherit ? &sec_none : &sec_none_nih; if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION)) Index: pinfo.cc =================================================================== RCS file: /cvs/src/src/winsup/cygwin/pinfo.cc,v retrieving revision 1.84 diff -u -p -r1.84 pinfo.cc --- pinfo.cc 13 Sep 2003 17:14:15 -0000 1.84 +++ pinfo.cc 13 Sep 2003 21:29:57 -0000 @@ -164,7 +164,11 @@ pinfo::init (pid_t n, DWORD flag, HANDLE } else { - h = CreateFileMapping (INVALID_HANDLE_VALUE, &sec_all_nih, + char sa_buf[1024]; + PSECURITY_ATTRIBUTES sec_attribs = + sec_user_nih (sa_buf, cygheap->user.sid(), well_known_world_sid, + FILE_MAP_READ | FILE_MAP_WRITE); /* FIXME */ + h = CreateFileMapping (INVALID_HANDLE_VALUE, sec_attribs, PAGE_READWRITE, 0, mapsize, mapname); created = h && GetLastError () != ERROR_ALREADY_EXISTS; } Index: security.cc =================================================================== RCS file: /cvs/src/src/winsup/cygwin/security.cc,v retrieving revision 1.150 diff -u -p -r1.150 security.cc --- security.cc 26 Jul 2003 04:53:59 -0000 1.150 +++ security.cc 13 Sep 2003 21:30:00 -0000 @@ -906,7 +906,7 @@ create_token (cygsid &usersid, user_grou goto out; /* Create default dacl. */ - if (!sec_acl ((PACL) acl_buf, FALSE, + if (!sec_acl ((PACL) acl_buf, false, false, tmp_gsids.contains (well_known_admins_sid) ? well_known_admins_sid : usersid)) goto out; @@ -926,7 +926,7 @@ create_token (cygsid &usersid, user_grou else { /* Set security descriptor and primary group */ - psa = __sec_user (sa_buf, usersid, TRUE); + psa = sec_user (sa_buf, usersid); if (psa->lpSecurityDescriptor && !SetSecurityDescriptorGroup ((PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor, Index: syscalls.cc =================================================================== RCS file: /cvs/src/src/winsup/cygwin/syscalls.cc,v retrieving revision 1.288 diff -u -p -r1.288 syscalls.cc --- syscalls.cc 13 Sep 2003 17:14:15 -0000 1.288 +++ syscalls.cc 13 Sep 2003 21:30:05 -0000 @@ -2076,7 +2076,6 @@ seteuid32 (__uid32_t uid) user_groups &groups = cygheap->user.groups; HANDLE ptok, new_token = INVALID_HANDLE_VALUE; struct passwd * pw_new; - cygpsid origpsid, psid2 (NO_SID); BOOL token_is_internal, issamesid; pw_new = internal_getpwuid (uid); @@ -2121,9 +2120,7 @@ seteuid32 (__uid32_t uid) if (cygheap->user.current_token != new_token) { char dacl_buf[MAX_DACL_LEN (5)]; - if (usersid != (origpsid = cygheap->user.orig_sid ())) - psid2 = usersid; - if (sec_acl ((PACL) dacl_buf, FALSE, origpsid, psid2)) + if (sec_acl ((PACL) dacl_buf, true, false, usersid)) { TOKEN_DEFAULT_DACL tdacl; tdacl.DefaultDacl = (PACL) dacl_buf; @@ -2171,7 +2168,7 @@ seteuid32 (__uid32_t uid) } CloseHandle (ptok); - issamesid = (usersid == (psid2 = cygheap->user.sid ())); + issamesid = (usersid == cygheap->user.sid ()); cygheap->user.set_sid (usersid); cygheap->user.current_token = new_token == ptok ? INVALID_HANDLE_VALUE : new_token; Index: dcrt0.cc =================================================================== RCS file: /cvs/src/src/winsup/cygwin/dcrt0.cc,v retrieving revision 1.180 diff -u -p -r1.180 dcrt0.cc --- dcrt0.cc 12 Sep 2003 06:41:53 -0000 1.180 +++ dcrt0.cc 13 Sep 2003 21:30:06 -0000 @@ -680,6 +680,9 @@ dll_crt0_1 () } #endif + /* Init global well known SID objects */ + cygsid::init (); + /* Initialize our process table entry. */ pinfo_init (envp, envc); @@ -689,9 +692,6 @@ dll_crt0_1 () /* Allocate cygheap->fdtab */ dtable_init (); - /* Init global well known SID objects */ - cygsid::init (); - /* Initialize user info. */ uinfo_init ();