From 00b3f055be5dbf54bc56ab6b6609e0cac50b61e0 Mon Sep 17 00:00:00 2001 From: Piotr Caban Date: Fri, 27 Mar 2015 15:17:38 +0100 Subject: [PATCH] server: Fix DACL to permissions conversion. --- dlls/advapi32/tests/security.c | 3 ++- server/file.c | 22 ++++++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c index 0e9cf8c648c..a3690e84df3 100644 --- a/dlls/advapi32/tests/security.c +++ b/dlls/advapi32/tests/security.c @@ -3484,7 +3484,8 @@ static void test_GetNamedSecurityInfoA(void) h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); - todo_wine ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError()); + ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError()); + CloseHandle(h); bret = InitializeAcl(pDacl, 100, ACL_REVISION); ok(bret, "Failed to initialize ACL.\n"); diff --git a/server/file.c b/server/file.c index f565f5acb7f..aa5ff011135 100644 --- a/server/file.c +++ b/server/file.c @@ -473,7 +473,7 @@ static mode_t file_access_to_mode( unsigned int access ) mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) { mode_t new_mode = 0; - mode_t denied_mode = 0; + mode_t bits_to_set = ~0; mode_t mode; int present; const ACL *dacl = sd_get_dacl( sd, &present ); 
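Review bot: `bits_to_set`, declared in the `@@ -473,7 +473,7 @@` hunk of server/file.c, has no comment, and its name does not say that it holds the permission bits no earlier ACE has granted or denied yet. Later hunks clear it in both the deny and the allow branches, so a reader meeting the declaration cannot tell what it guards. A one-line comment on the declaration would be enough, e.g. `/* permission bits not yet decided by an earlier ACE */`. The body of sd_to_mode continues outside this hunk.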
@@ -498,16 +498,16 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) mode = file_access_to_mode( ad_ace->Mask ); if (security_equal_sid( sid, security_world_sid )) { - denied_mode |= (mode << 6) | (mode << 3) | mode; /* all */ + bits_to_set &= ~((mode << 6) | (mode << 3) | mode); /* all */ } else if ((security_equal_sid( user, owner ) && token_sid_present( current->process->token, sid, TRUE ))) { - denied_mode |= (mode << 6) | (mode << 3); /* user + group */ + bits_to_set &= ~((mode << 6) | (mode << 3)); /* user + group */ } else if (security_equal_sid( sid, owner )) { - denied_mode |= (mode << 6); /* user only */ + bits_to_set &= ~(mode << 6); /* user only */ } break; case ACCESS_ALLOWED_ACE_TYPE: @@ -516,16 +516,22 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) mode = file_access_to_mode( aa_ace->Mask ); if (security_equal_sid( sid, security_world_sid )) { - new_mode |= (mode << 6) | (mode << 3) | mode; /* all */ + mode = (mode << 6) | (mode << 3) | mode; /* all */ + new_mode |= mode & bits_to_set; + bits_to_set &= ~mode; } else if ((security_equal_sid( user, owner ) && token_sid_present( current->process->token, sid, FALSE ))) { - new_mode |= (mode << 6) | (mode << 3); /* user + group */ + mode = (mode << 6) | (mode << 3); /* user + group */ + new_mode |= mode & bits_to_set; + bits_to_set &= ~mode; } else if (security_equal_sid( sid, owner )) { - new_mode |= (mode << 6); /* user only */ + mode = (mode << 6); /* user only */ + new_mode |= mode & bits_to_set; + bits_to_set &= ~mode; } break; } @@ -535,7 +541,7 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) /* no ACL means full access rights to anyone */ new_mode = S_IRWXU | S_IRWXG | S_IRWXO; - return new_mode & ~denied_mode; + return new_mode; } static int file_set_sd( struct object *obj, const struct security_descriptor *sd,
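Review bot: Nothing in the deny branch (`@@ -498,16 +498,16 @@`) records that ACE order now decides the result. `bits_to_set &= ~(...)` only blocks bits for later ACEs, so a deny ACE that follows an allow ACE for the same class no longer removes the bit, whereas the old `return new_mode & ~denied_mode;` applied every deny regardless of position. For a DACL that is not ordered deny-first, the resulting Unix mode can therefore be wider than before; this looks intended (the first ACE covering a bit wins), but it is a permission-widening change and should be stated above the loop, e.g. `/* ACEs are applied in DACL order; the first ACE that covers a permission bit decides it */`. The test change visible in this patch only drops a `todo_wine`, so a case that denies a SID after allowing it, and the reverse, would pin both orders. The switch and the function body start and end outside this hunk.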
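Review bot: The allow branch (`@@ -516,16 +516,22 @@`) repeats `new_mode |= mode & bits_to_set; bits_to_set &= ~mode;` in all three arms, and reuses `mode` for both the rwx triplet and the shifted class mask. Because the grant-and-mark step is the security-relevant part of the conversion, keeping it in one place avoids a future edit updating one arm and not the others. Each arm could assign only the shifted mask to `mode`, with a final `else mode = 0;` for ACEs that match no class, followed once after the chain by `new_mode |= mode & bits_to_set;` and `bits_to_set &= ~mode;`. The enclosing switch continues outside this hunk.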