[PATCH 2/2] server: Include user groups in file mode calculation when user is file owner

Ben Peddell klightspeed at netspace.net.au
Thu Dec 10 19:07:20 CST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexandre Julliard wrote:
> "Ben Peddell" <klightspeed at netspace.net.au> writes:
> 
>> @@ -474,7 +475,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
>>                          if (access & FILE_EXECUTE)
>>                              denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH;
>>                      }
>> -                    else if (security_equal_sid( sid, owner ))
>> +                    else if (security_equal_sid( sid, owner ) ||
>> +                             (security_equal_sid( user, owner ) &&
>> +                              token_sid_present( current->process->token, sid, TRUE )))
>>                      {
>>                          unsigned int access = generic_file_map_access( ad_ace->Mask );
>>                          if (access & FILE_READ_DATA)
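
Review bot: The added condition in the deny branch dereferences current->process->token with no visible check that current is set, and it makes the result of sd_to_mode() depend on the calling process rather than only on the sd and owner arguments shown in its signature. Consider passing the token in as an explicit parameter so callers choose whose groups are evaluated. The user SID compared against owner is also not declared anywhere in these lines, so where it comes from should be clear at the point of use.
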
>> @@ -498,7 +501,9 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
>>                          if (access & FILE_EXECUTE)
>>                              new_mode |= S_IXUSR|S_IXGRP|S_IXOTH;
>>                      }
>> -                    else if (security_equal_sid( sid, owner ))
>> +                    else if (security_equal_sid( sid, owner ) ||
>> +                             (security_equal_sid( user, owner ) &&
>> +                              token_sid_present( current->process->token, sid, FALSE )))
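
Review bot: The third argument to token_sid_present() is FALSE in this allow branch but TRUE in the deny branch of the previous hunk, and neither hunk says why. A one-line comment on what the flag selects would make the asymmetry reviewable. The three-line condition is otherwise duplicated verbatim, so a small helper taking the flag would keep the two branches from drifting apart.
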
> 
> You should most likely set the group permissions too in that case.
> 

I think we'd need to implement a security_sid_to_unix_uid function (and
re-implement the security_unix_uid_to_sid function to complement it) to
be able to do that properly.  Also, we'd need a map of groups and their
direct members, and possibly a map of members and their direct groups to
complement it, to be able to determine the full permission set of the
primary group.

To store additional permissions, we could use POSIX ACLs, Extended
Attributes or special files.  With POSIX ACLs, proper ordering would be
needed - e.g. most restrictive (full deny) through most permissive (full
grant, no deny) to least permissive (no grant, no deny), to ensure users
and groups get the access the security descriptor specifies.

- --
Ben Peddell

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkshm0cACgkQTHDAI68NsunHGwCfTOe0jDyv+spER3tTeyHToUTl
+gcAnRxwedfoxtc5MYeJXpDsLGJK4gKO
=YCdA
-----END PGP SIGNATURE-----


