mirror of
https://git.code.sf.net/p/ntfs-3g/ntfs-3g.git
synced 2024-12-12 03:15:40 +08:00
Added inheritance of the set-group-id flag
So far the set-group-id flag could be set in a chmod. This patch enables the inheritance of the group to files and subdirectories, and the inheritance of the set-group-id flag to subdirectories.
This commit is contained in:
parent
93ac6ce3bf
commit
0f8ef123ea
@ -255,6 +255,8 @@ int ntfs_set_mode(struct SECURITY_CONTEXT *scx, ntfs_inode *ni, mode_t mode);
|
|||||||
BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
|
BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
|
||||||
int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
|
int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
|
||||||
ntfs_inode *ni, int accesstype);
|
ntfs_inode *ni, int accesstype);
|
||||||
|
int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
|
||||||
|
ntfs_inode *ni, gid_t *pgid, mode_t *pdsetgid);
|
||||||
BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
|
BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
|
||||||
const char *path, int accesstype);
|
const char *path, int accesstype);
|
||||||
|
|
||||||
|
@ -1876,7 +1876,7 @@ static int access_check_posix(struct SECURITY_CONTEXT *scx,
|
|||||||
if (!scx->uid) {
|
if (!scx->uid) {
|
||||||
/* root access if owner or other execution */
|
/* root access if owner or other execution */
|
||||||
if (perms & 0101)
|
if (perms & 0101)
|
||||||
perms = 07777;
|
perms |= 01777;
|
||||||
else {
|
else {
|
||||||
/* root access if some group execution */
|
/* root access if some group execution */
|
||||||
groupperms = 0;
|
groupperms = 0;
|
||||||
@ -2292,7 +2292,7 @@ static int ntfs_get_perm(struct SECURITY_CONTEXT *scx,
|
|||||||
if (!scx->uid) {
|
if (!scx->uid) {
|
||||||
/* root access and execution */
|
/* root access and execution */
|
||||||
if (perm & 0111)
|
if (perm & 0111)
|
||||||
perm = 07777;
|
perm |= 01777;
|
||||||
else
|
else
|
||||||
perm = 0;
|
perm = 0;
|
||||||
} else
|
} else
|
||||||
@ -3395,6 +3395,56 @@ int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
|
|||||||
return (allow);
|
return (allow);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check whether user can create a file (or directory)
|
||||||
|
*
|
||||||
|
* Returns TRUE if access is allowed,
|
||||||
|
* Also returns the gid and dsetgid applicable to the created file
|
||||||
|
*/
|
||||||
|
|
||||||
|
int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
|
||||||
|
ntfs_inode *dir_ni, gid_t *pgid, mode_t *pdsetgid)
|
||||||
|
{
|
||||||
|
int perm;
|
||||||
|
int res;
|
||||||
|
int allow;
|
||||||
|
struct stat stbuf;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Always allow for root.
|
||||||
|
* Also always allow if no mapping has been defined
|
||||||
|
*/
|
||||||
|
if (!scx->mapping[MAPUSERS])
|
||||||
|
perm = 0777;
|
||||||
|
else
|
||||||
|
perm = ntfs_get_perm(scx, dir_ni, S_IWRITE + S_IEXEC);
|
||||||
|
if (!scx->mapping[MAPUSERS]
|
||||||
|
|| !scx->uid) {
|
||||||
|
allow = 1;
|
||||||
|
} else {
|
||||||
|
perm = ntfs_get_perm(scx, dir_ni, S_IWRITE + S_IEXEC);
|
||||||
|
if (perm >= 0) {
|
||||||
|
res = EACCES;
|
||||||
|
allow = ((perm & (S_IWUSR | S_IWGRP | S_IWOTH)) != 0)
|
||||||
|
&& ((perm & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0);
|
||||||
|
if (!allow)
|
||||||
|
errno = res;
|
||||||
|
} else
|
||||||
|
allow = 0;
|
||||||
|
}
|
||||||
|
*pgid = scx->gid;
|
||||||
|
*pdsetgid = 0;
|
||||||
|
/* return directory group if S_ISGID is set */
|
||||||
|
if (allow && (perm & S_ISGID)) {
|
||||||
|
if (ntfs_get_owner_mode(scx, dir_ni, &stbuf) >= 0) {
|
||||||
|
*pdsetgid = stbuf.st_mode & S_ISGID;
|
||||||
|
if (perm & S_ISGID)
|
||||||
|
*pgid = stbuf.st_gid;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (allow);
|
||||||
|
}
|
||||||
|
|
||||||
#if 0 /* not needed any more */
|
#if 0 /* not needed any more */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -1820,6 +1820,8 @@ static int ntfs_fuse_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
|||||||
struct open_file *of;
|
struct open_file *of;
|
||||||
int state = 0;
|
int state = 0;
|
||||||
le32 securid;
|
le32 securid;
|
||||||
|
gid_t gid;
|
||||||
|
mode_t dsetgid;
|
||||||
mode_t type = typemode & ~07777;
|
mode_t type = typemode & ~07777;
|
||||||
mode_t perm;
|
mode_t perm;
|
||||||
struct SECURITY_CONTEXT security;
|
struct SECURITY_CONTEXT security;
|
||||||
@ -1842,13 +1844,15 @@ static int ntfs_fuse_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
|||||||
#if !KERNELPERMS | (POSIXACLS & !KERNELACLS)
|
#if !KERNELPERMS | (POSIXACLS & !KERNELACLS)
|
||||||
/* make sure parent directory is writeable and executable */
|
/* make sure parent directory is writeable and executable */
|
||||||
if (!ntfs_fuse_fill_security_context(req, &security)
|
if (!ntfs_fuse_fill_security_context(req, &security)
|
||||||
|| ntfs_allowed_access(&security,
|
|| ntfs_allowed_create(&security,
|
||||||
dir_ni,S_IWRITE + S_IEXEC)) {
|
dir_ni, &gid, &dsetgid)) {
|
||||||
#else
|
#else
|
||||||
ntfs_fuse_fill_security_context(req, &security);
|
ntfs_fuse_fill_security_context(req, &security);
|
||||||
|
ntfs_allowed_create(&security, dir_ni, &gid, &dsetgid);
|
||||||
#endif
|
#endif
|
||||||
if (S_ISDIR(type))
|
if (S_ISDIR(type))
|
||||||
perm = typemode & ~ctx->dmask & 0777;
|
perm = (typemode & ~ctx->dmask & 0777)
|
||||||
|
| (dsetgid & S_ISGID);
|
||||||
else
|
else
|
||||||
perm = typemode & ~ctx->fmask & 0777;
|
perm = typemode & ~ctx->fmask & 0777;
|
||||||
/*
|
/*
|
||||||
@ -1866,11 +1870,11 @@ static int ntfs_fuse_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
|||||||
else
|
else
|
||||||
#if POSIXACLS
|
#if POSIXACLS
|
||||||
securid = ntfs_alloc_securid(&security,
|
securid = ntfs_alloc_securid(&security,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
dir_ni, perm, S_ISDIR(type));
|
dir_ni, perm, S_ISDIR(type));
|
||||||
#else
|
#else
|
||||||
securid = ntfs_alloc_securid(&security,
|
securid = ntfs_alloc_securid(&security,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
perm & ~security.umask, S_ISDIR(type));
|
perm & ~security.umask, S_ISDIR(type));
|
||||||
#endif
|
#endif
|
||||||
/* Create object specified in @type. */
|
/* Create object specified in @type. */
|
||||||
@ -1904,13 +1908,13 @@ static int ntfs_fuse_create(fuse_req_t req, fuse_ino_t parent, const char *name,
|
|||||||
#if POSIXACLS
|
#if POSIXACLS
|
||||||
if (!securid
|
if (!securid
|
||||||
&& ntfs_set_inherited_posix(&security, ni,
|
&& ntfs_set_inherited_posix(&security, ni,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
dir_ni, perm) < 0)
|
dir_ni, perm) < 0)
|
||||||
set_fuse_error(&res);
|
set_fuse_error(&res);
|
||||||
#else
|
#else
|
||||||
if (!securid
|
if (!securid
|
||||||
&& ntfs_set_owner_mode(&security, ni,
|
&& ntfs_set_owner_mode(&security, ni,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
perm & ~security.umask) < 0)
|
perm & ~security.umask) < 0)
|
||||||
set_fuse_error(&res);
|
set_fuse_error(&res);
|
||||||
#endif
|
#endif
|
||||||
|
@ -1598,6 +1598,8 @@ static int ntfs_fuse_create(const char *org_path, mode_t typemode, dev_t dev,
|
|||||||
char *dir_path;
|
char *dir_path;
|
||||||
le32 securid;
|
le32 securid;
|
||||||
char *path;
|
char *path;
|
||||||
|
gid_t gid;
|
||||||
|
mode_t dsetgid;
|
||||||
ntfschar *stream_name;
|
ntfschar *stream_name;
|
||||||
int stream_name_len;
|
int stream_name_len;
|
||||||
mode_t type = typemode & ~07777;
|
mode_t type = typemode & ~07777;
|
||||||
@ -1636,13 +1638,15 @@ static int ntfs_fuse_create(const char *org_path, mode_t typemode, dev_t dev,
|
|||||||
#if !KERNELPERMS | (POSIXACLS & !KERNELACLS)
|
#if !KERNELPERMS | (POSIXACLS & !KERNELACLS)
|
||||||
/* make sure parent directory is writeable and executable */
|
/* make sure parent directory is writeable and executable */
|
||||||
if (!ntfs_fuse_fill_security_context(&security)
|
if (!ntfs_fuse_fill_security_context(&security)
|
||||||
|| ntfs_allowed_access(&security,
|
|| ntfs_allowed_create(&security,
|
||||||
dir_ni,S_IWRITE + S_IEXEC)) {
|
dir_ni, &gid, &dsetgid)) {
|
||||||
#else
|
#else
|
||||||
ntfs_fuse_fill_security_context(&security);
|
ntfs_fuse_fill_security_context(&security);
|
||||||
|
ntfs_allowed_create(&security, dir_ni, &gid, &dsetgid);
|
||||||
#endif
|
#endif
|
||||||
if (S_ISDIR(type))
|
if (S_ISDIR(type))
|
||||||
perm = typemode & ~ctx->dmask & 0777;
|
perm = (typemode & ~ctx->dmask & 0777)
|
||||||
|
| (dsetgid & S_ISGID);
|
||||||
else
|
else
|
||||||
perm = typemode & ~ctx->fmask & 0777;
|
perm = typemode & ~ctx->fmask & 0777;
|
||||||
/*
|
/*
|
||||||
@ -1660,11 +1664,11 @@ static int ntfs_fuse_create(const char *org_path, mode_t typemode, dev_t dev,
|
|||||||
else
|
else
|
||||||
#if POSIXACLS
|
#if POSIXACLS
|
||||||
securid = ntfs_alloc_securid(&security,
|
securid = ntfs_alloc_securid(&security,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
dir_ni, perm, S_ISDIR(type));
|
dir_ni, perm, S_ISDIR(type));
|
||||||
#else
|
#else
|
||||||
securid = ntfs_alloc_securid(&security,
|
securid = ntfs_alloc_securid(&security,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
perm & ~security.umask, S_ISDIR(type));
|
perm & ~security.umask, S_ISDIR(type));
|
||||||
#endif
|
#endif
|
||||||
/* Create object specified in @type. */
|
/* Create object specified in @type. */
|
||||||
@ -1698,13 +1702,13 @@ static int ntfs_fuse_create(const char *org_path, mode_t typemode, dev_t dev,
|
|||||||
#if POSIXACLS
|
#if POSIXACLS
|
||||||
if (!securid
|
if (!securid
|
||||||
&& ntfs_set_inherited_posix(&security, ni,
|
&& ntfs_set_inherited_posix(&security, ni,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
dir_ni, perm) < 0)
|
dir_ni, perm) < 0)
|
||||||
set_fuse_error(&res);
|
set_fuse_error(&res);
|
||||||
#else
|
#else
|
||||||
if (!securid
|
if (!securid
|
||||||
&& ntfs_set_owner_mode(&security, ni,
|
&& ntfs_set_owner_mode(&security, ni,
|
||||||
security.uid, security.gid,
|
security.uid, gid,
|
||||||
perm & ~security.umask) < 0)
|
perm & ~security.umask) < 0)
|
||||||
set_fuse_error(&res);
|
set_fuse_error(&res);
|
||||||
#endif
|
#endif
|
||||||
|
Loading…
Reference in New Issue
Block a user