wineserver: Include owner groups in owner mode in server/file.c::sd_to_mode()

Ben Peddell klightspeed at netspace.net.au
Wed Nov 18 09:14:19 CST 2009


Sorry - the previous patch was damaged by gpg

Expose server/token.c::token_sid_present() to allow checking group
permissions.
Check owner groups when constructing the owner mode in
server/file.c::sd_to_mode()
---
 server/file.c     |    7 +++++--
 server/security.h |    1 +
 server/token.c    |    2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/file.c b/server/file.c
index a74de14..db9dd5f 100644
--- a/server/file.c
+++ b/server/file.c
@@ -461,6 +461,7 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
     if (present && dacl)
     {
         const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
+        int user_is_owner = security_equal_sid( owner, token_get_user( current->process->token) );
         ULONG i;
         for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace ))
         {
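Review bot: `user_is_owner` is taken from `current->process->token`, so the Unix mode derived from a security descriptor now depends on which process issues the request. A thread that is impersonating another user would be judged by its process identity rather than the identity it is acting under. If sd_to_mode can be reached from an impersonating thread, `thread_get_impersonation_token( current )` looks like the more accurate source; this needs confirming against the callers, which are outside the hunk. The added line also assumes `owner` and `current` are non-NULL, which the visible context does not establish.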
@@ -485,7 +486,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
                         if (access & FILE_EXECUTE)
                             denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH;
                     }
-                    else if (security_equal_sid( sid, owner ))
+                    else if (security_equal_sid( sid, owner ) ||
+                             (user_is_owner && token_sid_present( current->process->token, sid, 1 )))
                     {
                         unsigned int access = generic_file_map_access( ad_ace->Mask );
                         if (access & FILE_READ_DATA)
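Review bot: Nothing at this condition, or at the matching one in the allow branch in the next hunk, says why an ACE for a group is folded into the owner bits only when the caller owns the file. A later reader cannot tell whether the `user_is_owner &&` gate is deliberate. A comment above each condition such as `/* ACEs for groups the owning user belongs to also count towards the owner bits */` would record the intent. The branch body that applies the bits continues outside the hunk, so its effect on the group and other bits cannot be checked from here.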
@@ -509,7 +511,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
                         if (access & FILE_EXECUTE)
                             new_mode |= S_IXUSR|S_IXGRP|S_IXOTH;
                     }
-                    else if (security_equal_sid( sid, owner ))
+                    else if (security_equal_sid( sid, owner ) ||
+                             (user_is_owner && token_sid_present( current->process->token, sid, 0 )))
                     {
                         unsigned int access = generic_file_map_access( aa_ace->Mask );
                         if (access & FILE_READ_DATA)
diff --git a/server/security.h b/server/security.h
index 39b1d2f..33cf5da 100644
--- a/server/security.h
+++ b/server/security.h
@@ -55,6 +55,7 @@ extern int token_check_privileges( struct token *token, int all_required,
 extern const ACL *token_get_default_dacl( struct token *token );
 extern const SID *token_get_user( struct token *token );
 extern const SID *token_get_primary_group( struct token *token );
+extern int token_sid_present( struct token *token, const SID *sid, int deny);

 static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
 {
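Review bot: The new prototype ends in `int deny);` without the space before the closing parenthesis that the neighbouring declarations use; `extern int token_sid_present( struct token *token, const SID *sid, int deny );` matches them. The same applies to `token_get_user( current->process->token)` in server/file.c. Now that the function is no longer static, the meaning of `deny` deserves a one-line comment at its definition in server/token.c, whose body lies outside this diff. The call sites pass 1 for deny ACEs and 0 for allow ACEs, which suggests the flag selects deny-only groups, but the author should state that.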
diff --git a/server/token.c b/server/token.c
index 4c45d50..69ffab7 100644
--- a/server/token.c
+++ b/server/token.c
@@ -776,7 +776,7 @@ int token_check_privileges( struct token *token, int all_required,
         return (enabled_count > 0);
 }

-static int token_sid_present( struct token *token, const SID *sid, int deny )
+int token_sid_present( struct token *token, const SID *sid, int deny )
 {
     struct group *group;

--
1.6.4.4



