From 33d85bda8a9739c940b0d9df2d3277b313613cae Mon Sep 17 00:00:00 2001
From: Zebediah Figura
Date: Mon, 19 Apr 2021 18:33:18 -0500
Subject: [PATCH] server-File_Permissions: Do not force user modes to be at least as permissive as group modes, or group modes as world modes.
This removes one of the two parts of this patch. It's really splitting hairs, but this isn't clearly more correct than the current code, and in fact it actually makes at least one contrived ACL worse (namely: deny user, then allow all; this should deny the user on Windows and currently already does on Wine.)
---
...-mapping-of-DACL-to-file-permissions.patch | 72 ++++---------------
1 file changed, 15 insertions(+), 57 deletions(-)
diff --git a/patches/server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch b/patches/server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch
index b0b80d40..3f6821eb 100644
--- a/patches/server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch
+++ b/patches/server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch
@@ -1,80 +1,38 @@
-From cdaab625171127248c76eabe2679bbd2a111bfc3 Mon Sep 17 00:00:00 2001
+From ae6b499cc82a4af467274ec1553b96aebdf077b6 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner
Date: Fri, 13 Jan 2017 00:58:17 +0100
-Subject: [PATCH] server: Improve mapping of DACL to file permissions.
+Subject: [PATCH] server: Map group SIDs to Unix groups even if the owner
+ doesn't match the current user.
+Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=44691
---
- server/file.c | 25 ++++++++++++-------------
- 1 file changed, 12 insertions(+), 13 deletions(-)
+ server/file.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/server/file.c b/server/file.c
-index 2cc4a9d978c..668dc7f0952 100644
+index 32cdec74d5a..3a0893d3b12 100644
--- a/server/file.c
+++ b/server/file.c
-@@ -487,7 +487,6 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
- mode_t mode;
- int present;
- const ACL *dacl = sd_get_dacl( sd, &present );
-- const SID *user = token_get_user( current->process->token );
- if (present && dacl)
- {
- const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
-@@ -508,16 +507,15 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
- mode = file_access_to_mode( ad_ace->Mask );
- if (security_equal_sid( sid, security_world_sid ))
+@@ -497,8 +497,7 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
{
-- bits_to_set &= ~((mode << 6) | (mode << 3) | mode); /* all */
-+ bits_to_set &= ~(mode << 0); /* all */
+ bits_to_set &= ~((mode << 6) | (mode << 3) | mode); /* all */
}
- else if ((security_equal_sid( user, owner ) &&
- token_sid_present( current->process->token, sid, TRUE )))
+ if (token_sid_present( current->process->token, sid, TRUE ))
++ else if (token_sid_present( current->process->token, sid, TRUE ))
{
-- bits_to_set &= ~((mode << 6) | (mode << 3)); /* user + group */
-+ bits_to_set &= ~(mode << 3); /* group */
+ bits_to_set &= ~((mode << 6) | (mode << 3)); /* user + group */
}
-- else if (security_equal_sid( sid, owner ))
-+ if (security_equal_sid( sid, owner ))
- {
-- bits_to_set &= ~(mode << 6); /* user only */
-+ bits_to_set &= ~(mode << 6); /* user */
- }
- break;
- case ACCESS_ALLOWED_ACE_TYPE:
-@@ -526,26 +524,27 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
- mode = file_access_to_mode( aa_ace->Mask );
- if (security_equal_sid( sid, security_world_sid ))
- {
-- mode = (mode << 6) | (mode << 3) | mode; /* all */
-+ mode = (mode << 0); /* all */
+@@ -517,8 +516,7 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
new_mode |= mode & bits_to_set;
bits_to_set &= ~mode;
}
- else if ((security_equal_sid( user, owner ) &&
- token_sid_present( current->process->token, sid, FALSE )))
+ if (token_sid_present( current->process->token, sid, FALSE ))
++ else if (token_sid_present( current->process->token, sid, FALSE ))
{
-- mode = (mode << 6) | (mode << 3); /* user + group */
-+ mode = (mode << 3); /* group */
+ mode = (mode << 6) | (mode << 3); /* user + group */
new_mode |= mode & bits_to_set;
- bits_to_set &= ~mode;
- }
-- else if (security_equal_sid( sid, owner ))
-+ if (security_equal_sid( sid, owner ))
- {
-- mode = (mode << 6); /* user only */
-+ mode = (mode << 6); /* user */
- new_mode |= mode & bits_to_set;
- bits_to_set &= ~mode;
- }
- break;
- }
- }
-+ new_mode |= (new_mode & S_IRWXO) << 3;
-+ new_mode |= (new_mode & S_IRWXG) << 3;
- }
- else
- /* no ACL means full access rights to anyone */
--
-2.29.2
+2.30.2
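Review bot: The rewritten inner patch deletes both visible reads of `user` — the `security_equal_sid( user, owner ) &&` conjuncts in the ACCESS_DENIED and ACCESS_ALLOWED branches — but, unlike the patch it replaces, no longer carries the hunk that removed `const SID *user = token_get_user( current->process->token );` at the top of sd_to_mode. Unless `user` is read somewhere else in sd_to_mode (the rest of the function lies outside the quoted hunks), the patched server/file.c is left with an unused local and a -Wunused-variable warning. Either keep a one-line hunk dropping the declaration, `-    const SID *user = token_get_user( current->process->token );`, or confirm the remaining use in the commit message. The body of sd_to_mode starts and ends outside the hunk.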