[RFC] Handle process token groups in server/file.c::sd_to_mode

Mon, 16 Nov 2009 07:42:18 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This proposed patch (which I believe will contribute toward solving bugs
17672, 19588 and 20643, and any others where the permissions are set too
restrictive) exposes the token_sid_present call in token.c,
and uses it to check the SIDs in the security descriptor against those
in the process token.

Are there any changes anyone can think of before I submit it to
wine-patches?

Is there a better (already exposed) way of checking a SID against the
process token's group list?

- ----
 server/file.c     |    6 ++++--
 server/security.h |    1 +
 server/token.c    |    2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksBcpAACgkQTHDAI68Nsuny6ACfXu3vvWS6O27Z/mfozb4e/ZMG
MYQAoItP8P75a3l54TYrLnQbk7lNyaaQ
=7QsU
-----END PGP SIGNATURE-----

 server/file.c     |    6 ++++--
 server/security.h |    1 +
 server/token.c    |    2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/server/file.c b/server/file.c
index a74de14..793c24a 100644
--- a/server/file.c
+++ b/server/file.c
@@ -485,7 +485,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, 
const SID *owner )
                         if (access & FILE_EXECUTE)
                             denied_mode |= S_IXUSR|S_IXGRP|S_IXOTH;
                     }
-                    else if (security_equal_sid( sid, owner ))
+                    else if (security_equal_sid( sid, owner ) ||
+                             token_sid_present( current->process->token, sid, 
1 ))
                     {
                         unsigned int access = generic_file_map_access( 
ad_ace->Mask );
                         if (access & FILE_READ_DATA)
@@ -509,7 +510,8 @@ mode_t sd_to_mode( const struct security_descriptor *sd, 
const SID *owner )
                         if (access & FILE_EXECUTE)
                             new_mode |= S_IXUSR|S_IXGRP|S_IXOTH;
                     }
-                    else if (security_equal_sid( sid, owner ))
+                    else if (security_equal_sid( sid, owner ) ||
+                             token_sid_present( current->process->token, sid, 
0 ))
                     {
                         unsigned int access = generic_file_map_access( 
aa_ace->Mask );
                         if (access & FILE_READ_DATA)
diff --git a/server/security.h b/server/security.h
index 39b1d2f..33cf5da 100644
--- a/server/security.h
+++ b/server/security.h
@@ -55,6 +55,7 @@ extern int token_check_privileges( struct token *token, int 
all_required,
 extern const ACL *token_get_default_dacl( struct token *token );
 extern const SID *token_get_user( struct token *token );
 extern const SID *token_get_primary_group( struct token *token );
+extern int token_sid_present( struct token *token, const SID *sid, int deny);
 
 static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
 {
diff --git a/server/token.c b/server/token.c
index ce896ac..461e79d 100644
--- a/server/token.c
+++ b/server/token.c
@@ -776,7 +776,7 @@ int token_check_privileges( struct token *token, int 
all_required,
         return (enabled_count > 0);
 }
 
-static int token_sid_present( struct token *token, const SID *sid, int deny )
+int token_sid_present( struct token *token, const SID *sid, int deny )
 {
     struct group *group;

Attachment: wine-sd_to_mode-group-check.patch.sig
Description: Binary data






















					Reply via email to