[PATCH v2 2/2] server: Map a SD group to Unix group modes if the SD owner is present anywhere in the current user's token.

Zebediah Figura z.figura12 at gmail.com
Tue Apr 20 14:35:00 CDT 2021


Instead of requiring the SD owner to match the token user.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=44691
Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
---
Granted, it's not immediately clear to me that this is the best way to handle
this case, but nothing else I considered seemed obviously any more faithful.

As the previous patch describes, the security descriptor that the Origin
installer sets has the owner set to the Administrators SID, and the default DACL
list of {allow FILE_ALL_ACCESS to LOCAL SYSTEM, allow FILE_ALL_ACCESS to the
current user, allow FILE_READ_ACCESS to world}.

Admittedly it doesn't seem to make a lot of sense to me to handle user and group
permissions differently. The concept of "apply this permission only if the SID
is the token user" just isn't present in the Windows DACL; the "token user" only
exists to set the default user and DACL for new objects. I'd be inclined to
argue that what we should do is map a permission to both user and group if it applies
at all to the current token—i.e. what this patch does—and get rid of the "user
only" case.

 dlls/advapi32/tests/security.c | 4 ++--
 server/file.c                  | 9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 08b73495aaa..299a340dcf3 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -8365,10 +8365,10 @@ static void test_group_as_file_owner(void)
 
     sprintf(path, "%s\\testdir\\subdir", temp_path);
     ret = CreateDirectoryA(path, NULL);
-    todo_wine ok(ret, "got error %u\n", GetLastError());
+    ok(ret, "got error %u\n", GetLastError());
 
     ret = RemoveDirectoryA(path);
-    todo_wine ok(ret, "got error %u\n", GetLastError());
+    ok(ret, "got error %u\n", GetLastError());
     sprintf(path, "%s\\testdir", temp_path);
     ret = RemoveDirectoryA(path);
     ok(ret, "got error %u\n", GetLastError());
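Review bot: both assertions that lose their todo_wine here are positive cases (CreateDirectoryA and RemoveDirectoryA on the subdirectory succeeding), so only the allow branch of the server change is exercised; nothing in this hunk covers the deny branch that the same patch alters, nor a token that does not contain the owner SID. Consider adding a case in test_group_as_file_owner where the owner SID is absent from the caller's token and the operation is expected to fail, so a regression toward either the old mapping or an over-permissive one is caught.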
diff --git a/server/file.c b/server/file.c
index 9a072e6c64e..aff4d9e09e1 100644
--- a/server/file.c
+++ b/server/file.c
@@ -473,7 +473,6 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
     mode_t mode;
     int present;
     const ACL *dacl = sd_get_dacl( sd, &present );
-    const SID *user = token_get_user( current->process->token );
     if (present && dacl)
     {
         const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
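Review bot: dropping `user` here is only safe because the two later hunks replace both former uses, which they do within the visible diff, so no dangling reference or unused-variable warning should remain. Since this means sd_to_mode() no longer consults the token user at all, a one-line comment above the loop stating that the mapping now keys on whether the SD owner is any SID in the caller's token would help, as the subject line is otherwise the only place that rationale is recorded.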
@@ -496,8 +495,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
                     {
                         bits_to_set &= ~((mode << 6) | (mode << 3) | mode); /* all */
                     }
-                    else if ((security_equal_sid( user, owner ) &&
-                              token_sid_present( current->process->token, sid, TRUE )))
+                    else if (token_sid_present( current->process->token, owner, TRUE ) &&
+                             token_sid_present( current->process->token, sid, TRUE ))
                     {
                         bits_to_set &= ~((mode << 6) | (mode << 3));  /* user + group */
                     }
@@ -516,8 +515,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
                         new_mode |= mode & bits_to_set;
                         bits_to_set &= ~mode;
                     }
-                    else if ((security_equal_sid( user, owner ) &&
-                              token_sid_present( current->process->token, sid, FALSE )))
+                    else if (token_sid_present( current->process->token, owner, FALSE ) &&
+                             token_sid_present( current->process->token, sid, FALSE ))
                     {
                         mode = (mode << 6) | (mode << 3);  /* user + group */
                         new_mode |= mode & bits_to_set;
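Review bot: this condition duplicates the one in the deny branch apart from the final flag, and with the owner lookup now repeated on both sides the two are easy to let drift; two hoisted locals (one per flag value) or a small helper would let each branch read as `if (owner_present && token_sid_present( token, sid, FALSE ))`. The `/* user + group */` comment should also say that the owner may now be a group the token merely contains, since `mode = (mode << 6) | (mode << 3)` then grants the group triad on the Unix side for a DACL that, on Windows, named only the current user; that is the intended loosening described in the subject, but it is worth stating at the point where it happens.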
-- 
2.30.2
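As an added illustration that is not Wine's code nor the author's, the following toy model in C spells out the owner-matching rule the commentary above argues for and runs it against the descriptor the e-mail describes (owner Administrators; allow FILE_ALL_ACCESS to LOCAL SYSTEM, allow FILE_ALL_ACCESS to the current user, allow FILE_READ_ACCESS to world). The integer SIDs, the reduction of access masks to an rwx triad, deny-before-allow processing, and the assumption that an ACE for a SID absent from the token contributes no bits are all simplifications of the model, not statements about Wine's sd_to_mode().

```c
/* Toy model of mapping a Windows SD (owner + DACL) to Unix mode bits.
 * Added illustration, not Wine's sd_to_mode(): SIDs are small integers,
 * ACE masks are already reduced to rwx, deny ACEs run before allow ACEs,
 * and an ACE whose SID is neither World nor in the token is assumed to
 * contribute nothing. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-ins for real SIDs (assumed numbering, not Windows RIDs). */
enum sid {
    SID_WORLD = 1,        /* Everyone, S-1-1-0 */
    SID_LOCAL_SYSTEM,     /* S-1-5-18 */
    SID_ADMINISTRATORS,   /* BUILTIN\Administrators */
    SID_USER,             /* the interactive user */
};

enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace { enum ace_type type; enum sid sid; mode_t rwx; /* 0..7 */ };

struct token { enum sid user; enum sid groups[4]; size_t ngroups; };

/* Which rule decides whether the SD owner "matches" the caller's token. */
enum owner_rule {
    OWNER_IS_TOKEN_USER,  /* old: owner must equal the token user */
    OWNER_IN_TOKEN,       /* this patch: owner is any SID in the token */
};

static bool token_sid_present(const struct token *t, enum sid sid)
{
    if (t->user == sid) return true;
    for (size_t i = 0; i < t->ngroups; i++)
        if (t->groups[i] == sid) return true;
    return false;
}

/* Unix triads (as a 0777 mask) one ACE applies to, or 0 for none. */
static mode_t ace_triads(const struct ace *ace, enum sid owner,
                         const struct token *t, enum owner_rule rule)
{
    mode_t m = ace->rwx & 07;
    bool owner_ok = (rule == OWNER_IS_TOKEN_USER) ? t->user == owner
                                                  : token_sid_present(t, owner);
    if (ace->sid == SID_WORLD)
        return (m << 6) | (m << 3) | m;            /* all */
    if (owner_ok && token_sid_present(t, ace->sid))
        return (m << 6) | (m << 3);                /* user + group */
    return 0;                                      /* assumed: no mapping */
}

mode_t sd_to_mode_model(const struct ace *dacl, size_t n, enum sid owner,
                        const struct token *t, enum owner_rule rule)
{
    mode_t bits_to_set = 0777, new_mode = 0;

    /* Deny ACEs: clear bits so no later allow can grant them. */
    for (size_t i = 0; i < n; i++)
        if (dacl[i].type == ACE_DENY)
            bits_to_set &= ~ace_triads(&dacl[i], owner, t, rule);

    /* Allow ACEs: grant what is still available; first match wins per bit. */
    for (size_t i = 0; i < n; i++)
        if (dacl[i].type == ACE_ALLOW) {
            mode_t m = ace_triads(&dacl[i], owner, t, rule);
            new_mode |= m & bits_to_set;
            bits_to_set &= ~m;
        }
    return new_mode;
}

/* The descriptor from the e-mail, evaluated for a constructed token
 * {user, Administrators, Everyone}. */
mode_t origin_dir_mode(enum owner_rule rule)
{
    static const struct ace dacl[] = {
        { ACE_ALLOW, SID_LOCAL_SYSTEM, 07 },
        { ACE_ALLOW, SID_USER,         07 },
        { ACE_ALLOW, SID_WORLD,        04 },
    };
    const struct token t = { SID_USER, { SID_ADMINISTRATORS, SID_WORLD }, 2 };
    return sd_to_mode_model(dacl, 3, SID_ADMINISTRATORS, &t, rule);
}

/* Constructed variant: a deny-write ACE for the owner group precedes the
 * allow, showing the deny masking the user and group triads under the new rule. */
mode_t deny_then_allow_mode(enum owner_rule rule)
{
    static const struct ace dacl[] = {
        { ACE_DENY,  SID_ADMINISTRATORS, 02 },
        { ACE_ALLOW, SID_USER,           07 },
    };
    const struct token t = { SID_USER, { SID_ADMINISTRATORS, SID_WORLD }, 2 };
    return sd_to_mode_model(dacl, 2, SID_ADMINISTRATORS, &t, rule);
}

int main(void)
{
    printf("origin dir, old rule: %04o\n", (unsigned)origin_dir_mode(OWNER_IS_TOKEN_USER));
    printf("origin dir, new rule: %04o\n", (unsigned)origin_dir_mode(OWNER_IN_TOKEN));
    printf("deny/allow, old rule: %04o\n", (unsigned)deny_then_allow_mode(OWNER_IS_TOKEN_USER));
    printf("deny/allow, new rule: %04o\n", (unsigned)deny_then_allow_mode(OWNER_IN_TOKEN));
    return 0;
}
```

Under the old rule the model leaves the Origin directory at 0444, because the owner (Administrators) is not the token user and so the allow-to-user ACE never reaches the user+group branch; only the world read ACE survives, which is exactly the kind of mode that makes creating a subdirectory fail. Under the patch's rule the same descriptor maps to 0774. The deny variant shows the other side of the coin: a deny ACE for the owner group now masks the user and group triads too (0550), which is the conservative direction for denies.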

More information about the wine-devel mailing list