server-File_Permissions: Do not force user modes to be at least as permissive as group modes, or group modes as world modes.

This removes one of the two parts of this patch.

It's really splitting hairs, but this isn't clearly more correct than the
current code, and in fact it actually makes at least one contrived ACL worse
(namely: deny user, then allow all; this should deny the user on Windows and
currently already does on Wine.)

patches/server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch

@@ -1,80 +1,38 @@
-From cdaab625171127248c76eabe2679bbd2a111bfc3 Mon Sep 17 00:00:00 2001
+From ae6b499cc82a4af467274ec1553b96aebdf077b6 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Fri, 13 Jan 2017 00:58:17 +0100
-Subject: [PATCH] server: Improve mapping of DACL to file permissions.
+Subject: [PATCH] server: Map group SIDs to Unix groups even if the owner
+ doesn't match the current user.
 
+Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=44691
 ---
- server/file.c | 25 ++++++++++++-------------
- 1 file changed, 12 insertions(+), 13 deletions(-)
+ server/file.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
 
 diff --git a/server/file.c b/server/file.c
-index 2cc4a9d978c..668dc7f0952 100644
+index 32cdec74d5a..3a0893d3b12 100644
 --- a/server/file.c
 +++ b/server/file.c
-@@ -487,7 +487,6 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
-     mode_t mode;
-     int present;
-     const ACL *dacl = sd_get_dacl( sd, &present );
--    const SID *user = token_get_user( current->process->token );
-     if (present && dacl)
-     {
-         const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
-@@ -508,16 +507,15 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
-                     mode = file_access_to_mode( ad_ace->Mask );
-                     if (security_equal_sid( sid, security_world_sid ))
+@@ -497,8 +497,7 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
                      {
--                        bits_to_set &= ~((mode << 6) | (mode << 3) | mode); /* all */
-+                        bits_to_set &= ~(mode << 0); /* all */
+                         bits_to_set &= ~((mode << 6) | (mode << 3) | mode); /* all */
                      }
 -                    else if ((security_equal_sid( user, owner ) &&
 -                              token_sid_present( current->process->token, sid, TRUE )))
-+                    if (token_sid_present( current->process->token, sid, TRUE ))
++                    else if (token_sid_present( current->process->token, sid, TRUE ))
                      {
--                        bits_to_set &= ~((mode << 6) | (mode << 3));  /* user + group */
-+                        bits_to_set &= ~(mode << 3);  /* group */
+                         bits_to_set &= ~((mode << 6) | (mode << 3));  /* user + group */
                      }
--                    else if (security_equal_sid( sid, owner ))
-+                    if (security_equal_sid( sid, owner ))
-                     {
--                        bits_to_set &= ~(mode << 6);  /* user only */
-+                        bits_to_set &= ~(mode << 6);  /* user */
-                     }
-                     break;
-                 case ACCESS_ALLOWED_ACE_TYPE:
-@@ -526,26 +524,27 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
-                     mode = file_access_to_mode( aa_ace->Mask );
-                     if (security_equal_sid( sid, security_world_sid ))
-                     {
--                        mode = (mode << 6) | (mode << 3) | mode;  /* all */
-+                        mode = (mode << 0); /* all */
+@@ -517,8 +516,7 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
                          new_mode |= mode & bits_to_set;
                          bits_to_set &= ~mode;
                      }
 -                    else if ((security_equal_sid( user, owner ) &&
 -                              token_sid_present( current->process->token, sid, FALSE )))
-+                    if (token_sid_present( current->process->token, sid, FALSE ))
++                    else if (token_sid_present( current->process->token, sid, FALSE ))
                      {
--                        mode = (mode << 6) | (mode << 3);  /* user + group */
-+                        mode = (mode << 3); /* group */
+                         mode = (mode << 6) | (mode << 3);  /* user + group */
                          new_mode |= mode & bits_to_set;
-                         bits_to_set &= ~mode;
-                     }
--                    else if (security_equal_sid( sid, owner ))
-+                    if (security_equal_sid( sid, owner ))
-                     {
--                        mode = (mode << 6);  /* user only */
-+                        mode = (mode << 6); /* user */
-                         new_mode |= mode & bits_to_set;
-                         bits_to_set &= ~mode;
-                     }
-                     break;
-             }
-         }
-+        new_mode |= (new_mode & S_IRWXO) << 3;
-+        new_mode |= (new_mode & S_IRWXG) << 3;
-     }
-     else
-         /* no ACL means full access rights to anyone */
 -- 
-2.29.2
+2.30.2