Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wine-winehq
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
wine
wine-winehq
Commits
d87af3df
Commit
d87af3df
authored
Nov 03, 2008
by
Paul Bryan Roberts
Committed by
Alexandre Julliard
Nov 07, 2008
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
server: Refactor server side implementation of GetFileSecurity().
parent
27037218
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
55 additions
and
49 deletions
+55
-49
file.c
server/file.c
+53
-49
file.h
server/file.h
+2
-0
No files found.
server/file.c
View file @
d87af3df
...
...
@@ -75,7 +75,6 @@ static void file_destroy( struct object *obj );
static
int
file_get_poll_events
(
struct
fd
*
fd
);
static
void
file_flush
(
struct
fd
*
fd
,
struct
event
**
event
);
static
enum
server_fd_type
file_get_fd_type
(
struct
fd
*
fd
);
static
mode_t
sd_to_mode
(
const
struct
security_descriptor
*
sd
,
const
SID
*
owner
);
static
const
struct
object_ops
file_ops
=
{
...
...
@@ -291,14 +290,9 @@ static unsigned int generic_file_map_access( unsigned int access )
return
access
&
~
(
GENERIC_READ
|
GENERIC_WRITE
|
GENERIC_EXECUTE
|
GENERIC_ALL
);
}
st
atic
struct
security_descriptor
*
file_get_sd
(
struct
object
*
obj
)
st
ruct
security_descriptor
*
mode_to_sd
(
mode_t
mode
,
const
SID
*
user
,
const
SID
*
group
)
{
struct
file
*
file
=
(
struct
file
*
)
obj
;
struct
stat
st
;
int
unix_fd
;
struct
security_descriptor
*
sd
;
const
SID
*
user
;
const
SID
*
group
;
size_t
dacl_size
;
ACE_HEADER
*
current_ace
;
ACCESS_ALLOWED_ACE
*
aaa
;
...
...
@@ -308,34 +302,17 @@ static struct security_descriptor *file_get_sd( struct object *obj )
const
SID
*
world_sid
=
security_world_sid
;
const
SID
*
local_system_sid
=
security_local_system_sid
;
assert
(
obj
->
ops
==
&
file_ops
);
unix_fd
=
get_file_unix_fd
(
file
);
if
(
unix_fd
==
-
1
)
return
obj
->
sd
;
if
(
fstat
(
unix_fd
,
&
st
)
==
-
1
)
return
obj
->
sd
;
/* mode and uid the same? if so, no need to re-generate security descriptor */
if
(
obj
->
sd
&&
(
st
.
st_mode
&
(
S_IRWXU
|
S_IRWXO
))
==
(
file
->
mode
&
(
S_IRWXU
|
S_IRWXO
))
&&
(
st
.
st_uid
==
file
->
uid
))
return
obj
->
sd
;
user
=
security_unix_uid_to_sid
(
st
.
st_uid
);
group
=
token_get_primary_group
(
current
->
process
->
token
);
dacl_size
=
sizeof
(
ACL
)
+
FIELD_OFFSET
(
ACCESS_ALLOWED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
local_system_sid
->
SubAuthorityCount
]);
if
(
st
.
st_
mode
&
S_IRWXU
)
if
(
mode
&
S_IRWXU
)
dacl_size
+=
FIELD_OFFSET
(
ACCESS_ALLOWED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
]);
if
((
!
(
st
.
st_mode
&
S_IRUSR
)
&&
(
st
.
st_
mode
&
(
S_IRGRP
|
S_IROTH
)))
||
(
!
(
st
.
st_mode
&
S_IWUSR
)
&&
(
st
.
st_
mode
&
(
S_IWGRP
|
S_IWOTH
)))
||
(
!
(
st
.
st_mode
&
S_IXUSR
)
&&
(
st
.
st_
mode
&
(
S_IXGRP
|
S_IXOTH
))))
if
((
!
(
mode
&
S_IRUSR
)
&&
(
mode
&
(
S_IRGRP
|
S_IROTH
)))
||
(
!
(
mode
&
S_IWUSR
)
&&
(
mode
&
(
S_IWGRP
|
S_IWOTH
)))
||
(
!
(
mode
&
S_IXUSR
)
&&
(
mode
&
(
S_IXGRP
|
S_IXOTH
))))
dacl_size
+=
FIELD_OFFSET
(
ACCESS_DENIED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
]);
if
(
st
.
st_
mode
&
S_IRWXO
)
if
(
mode
&
S_IRWXO
)
dacl_size
+=
FIELD_OFFSET
(
ACCESS_ALLOWED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
world_sid
->
SubAuthorityCount
]);
...
...
@@ -343,7 +320,7 @@ static struct security_descriptor *file_get_sd( struct object *obj )
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
])
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
group
->
SubAuthorityCount
])
+
dacl_size
);
if
(
!
sd
)
return
obj
->
sd
;
if
(
!
sd
)
return
sd
;
sd
->
control
=
SE_DACL_PRESENT
;
sd
->
owner_len
=
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
]);
...
...
@@ -361,10 +338,10 @@ static struct security_descriptor *file_get_sd( struct object *obj )
dacl
->
AclRevision
=
ACL_REVISION
;
dacl
->
Sbz1
=
0
;
dacl
->
AclSize
=
dacl_size
;
dacl
->
AceCount
=
1
+
(
st
.
st_mode
&
S_IRWXU
?
1
:
0
)
+
(
st
.
st_
mode
&
S_IRWXO
?
1
:
0
);
if
((
!
(
st
.
st_mode
&
S_IRUSR
)
&&
(
st
.
st_
mode
&
(
S_IRGRP
|
S_IROTH
)))
||
(
!
(
st
.
st_mode
&
S_IWUSR
)
&&
(
st
.
st_
mode
&
(
S_IWGRP
|
S_IWOTH
)))
||
(
!
(
st
.
st_mode
&
S_IXUSR
)
&&
(
st
.
st_
mode
&
(
S_IXGRP
|
S_IXOTH
))))
dacl
->
AceCount
=
1
+
(
mode
&
S_IRWXU
?
1
:
0
)
+
(
mode
&
S_IRWXO
?
1
:
0
);
if
((
!
(
mode
&
S_IRUSR
)
&&
(
mode
&
(
S_IRGRP
|
S_IROTH
)))
||
(
!
(
mode
&
S_IWUSR
)
&&
(
mode
&
(
S_IWGRP
|
S_IWOTH
)))
||
(
!
(
mode
&
S_IXUSR
)
&&
(
mode
&
(
S_IXGRP
|
S_IXOTH
))))
dacl
->
AceCount
++
;
dacl
->
Sbz2
=
0
;
...
...
@@ -379,7 +356,7 @@ static struct security_descriptor *file_get_sd( struct object *obj )
sid
=
(
SID
*
)
&
aaa
->
SidStart
;
memcpy
(
sid
,
local_system_sid
,
FIELD_OFFSET
(
SID
,
SubAuthority
[
local_system_sid
->
SubAuthorityCount
])
);
if
(
st
.
st_
mode
&
S_IRWXU
)
if
(
mode
&
S_IRWXU
)
{
/* appropriate access rights for the user */
aaa
=
(
ACCESS_ALLOWED_ACE
*
)
ace_next
(
current_ace
);
...
...
@@ -389,18 +366,18 @@ static struct security_descriptor *file_get_sd( struct object *obj )
aaa
->
Header
.
AceSize
=
FIELD_OFFSET
(
ACCESS_ALLOWED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
]);
aaa
->
Mask
=
WRITE_DAC
|
WRITE_OWNER
;
if
(
st
.
st_
mode
&
S_IRUSR
)
if
(
mode
&
S_IRUSR
)
aaa
->
Mask
|=
FILE_GENERIC_READ
;
if
(
st
.
st_
mode
&
S_IWUSR
)
if
(
mode
&
S_IWUSR
)
aaa
->
Mask
|=
FILE_GENERIC_WRITE
|
DELETE
;
if
(
st
.
st_
mode
&
S_IXUSR
)
if
(
mode
&
S_IXUSR
)
aaa
->
Mask
|=
FILE_GENERIC_EXECUTE
;
sid
=
(
SID
*
)
&
aaa
->
SidStart
;
memcpy
(
sid
,
user
,
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
])
);
}
if
((
!
(
st
.
st_mode
&
S_IRUSR
)
&&
(
st
.
st_
mode
&
(
S_IRGRP
|
S_IROTH
)))
||
(
!
(
st
.
st_mode
&
S_IWUSR
)
&&
(
st
.
st_
mode
&
(
S_IWGRP
|
S_IWOTH
)))
||
(
!
(
st
.
st_mode
&
S_IXUSR
)
&&
(
st
.
st_
mode
&
(
S_IXGRP
|
S_IXOTH
))))
if
((
!
(
mode
&
S_IRUSR
)
&&
(
mode
&
(
S_IRGRP
|
S_IROTH
)))
||
(
!
(
mode
&
S_IWUSR
)
&&
(
mode
&
(
S_IWGRP
|
S_IWOTH
)))
||
(
!
(
mode
&
S_IXUSR
)
&&
(
mode
&
(
S_IXGRP
|
S_IXOTH
))))
{
/* deny just in case the user is a member of the group */
ACCESS_DENIED_ACE
*
ada
=
(
ACCESS_DENIED_ACE
*
)
ace_next
(
current_ace
);
...
...
@@ -410,17 +387,17 @@ static struct security_descriptor *file_get_sd( struct object *obj )
ada
->
Header
.
AceSize
=
FIELD_OFFSET
(
ACCESS_DENIED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
]);
ada
->
Mask
=
0
;
if
(
!
(
st
.
st_mode
&
S_IRUSR
)
&&
(
st
.
st_
mode
&
(
S_IRGRP
|
S_IROTH
)))
if
(
!
(
mode
&
S_IRUSR
)
&&
(
mode
&
(
S_IRGRP
|
S_IROTH
)))
ada
->
Mask
|=
FILE_GENERIC_READ
;
if
(
!
(
st
.
st_mode
&
S_IWUSR
)
&&
(
st
.
st_
mode
&
(
S_IWGRP
|
S_IROTH
)))
if
(
!
(
mode
&
S_IWUSR
)
&&
(
mode
&
(
S_IWGRP
|
S_IROTH
)))
ada
->
Mask
|=
FILE_GENERIC_WRITE
|
DELETE
;
if
(
!
(
st
.
st_mode
&
S_IXUSR
)
&&
(
st
.
st_
mode
&
(
S_IXGRP
|
S_IXOTH
)))
if
(
!
(
mode
&
S_IXUSR
)
&&
(
mode
&
(
S_IXGRP
|
S_IXOTH
)))
ada
->
Mask
|=
FILE_GENERIC_EXECUTE
;
ada
->
Mask
&=
~
STANDARD_RIGHTS_ALL
;
/* never deny standard rights */
sid
=
(
SID
*
)
&
ada
->
SidStart
;
memcpy
(
sid
,
user
,
FIELD_OFFSET
(
SID
,
SubAuthority
[
user
->
SubAuthorityCount
])
);
}
if
(
st
.
st_
mode
&
S_IRWXO
)
if
(
mode
&
S_IRWXO
)
{
/* appropriate access rights for Everyone */
aaa
=
(
ACCESS_ALLOWED_ACE
*
)
ace_next
(
current_ace
);
...
...
@@ -430,16 +407,43 @@ static struct security_descriptor *file_get_sd( struct object *obj )
aaa
->
Header
.
AceSize
=
FIELD_OFFSET
(
ACCESS_ALLOWED_ACE
,
SidStart
)
+
FIELD_OFFSET
(
SID
,
SubAuthority
[
world_sid
->
SubAuthorityCount
]);
aaa
->
Mask
=
0
;
if
(
st
.
st_
mode
&
S_IROTH
)
if
(
mode
&
S_IROTH
)
aaa
->
Mask
|=
FILE_GENERIC_READ
;
if
(
st
.
st_
mode
&
S_IWOTH
)
if
(
mode
&
S_IWOTH
)
aaa
->
Mask
|=
FILE_GENERIC_WRITE
|
DELETE
;
if
(
st
.
st_
mode
&
S_IXOTH
)
if
(
mode
&
S_IXOTH
)
aaa
->
Mask
|=
FILE_GENERIC_EXECUTE
;
sid
=
(
SID
*
)
&
aaa
->
SidStart
;
memcpy
(
sid
,
world_sid
,
FIELD_OFFSET
(
SID
,
SubAuthority
[
world_sid
->
SubAuthorityCount
])
);
}
return
sd
;
}
static
struct
security_descriptor
*
file_get_sd
(
struct
object
*
obj
)
{
struct
file
*
file
=
(
struct
file
*
)
obj
;
struct
stat
st
;
int
unix_fd
;
struct
security_descriptor
*
sd
;
assert
(
obj
->
ops
==
&
file_ops
);
unix_fd
=
get_file_unix_fd
(
file
);
if
(
unix_fd
==
-
1
||
fstat
(
unix_fd
,
&
st
)
==
-
1
)
return
obj
->
sd
;
/* mode and uid the same? if so, no need to re-generate security descriptor */
if
(
obj
->
sd
&&
(
st
.
st_mode
&
(
S_IRWXU
|
S_IRWXO
))
==
(
file
->
mode
&
(
S_IRWXU
|
S_IRWXO
))
&&
(
st
.
st_uid
==
file
->
uid
))
return
obj
->
sd
;
sd
=
mode_to_sd
(
st
.
st_mode
,
security_unix_uid_to_sid
(
st
.
st_uid
),
token_get_primary_group
(
current
->
process
->
token
));
if
(
!
sd
)
return
obj
->
sd
;
file
->
mode
=
st
.
st_mode
;
file
->
uid
=
st
.
st_uid
;
free
(
obj
->
sd
);
...
...
@@ -447,7 +451,7 @@ static struct security_descriptor *file_get_sd( struct object *obj )
return
sd
;
}
static
mode_t
sd_to_mode
(
const
struct
security_descriptor
*
sd
,
const
SID
*
owner
)
mode_t
sd_to_mode
(
const
struct
security_descriptor
*
sd
,
const
SID
*
owner
)
{
mode_t
new_mode
=
0
;
mode_t
denied_mode
=
0
;
...
...
server/file.h
View file @
d87af3df
...
...
@@ -112,6 +112,8 @@ extern struct file *grab_file_unless_removable( struct file *file );
extern
int
grow_file
(
struct
file
*
file
,
file_pos_t
size
);
extern
struct
file
*
create_temp_file
(
int
access
);
extern
void
file_set_error
(
void
);
extern
struct
security_descriptor
*
mode_to_sd
(
mode_t
mode
,
const
SID
*
user
,
const
SID
*
group
);
extern
mode_t
sd_to_mode
(
const
struct
security_descriptor
*
sd
,
const
SID
*
owner
);
/* change notification functions */
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment