From da14f3201a19d351810d725da2492c7fa54e8beb Mon Sep 17 00:00:00 2001 From: Sebastian Lackner Date: Fri, 3 Apr 2015 18:36:35 +0200 Subject: [PATCH] Added patch to allow to open files/directories without any access rights in order to query attributes. --- README.md | 3 +- debian/changelog | 1 + ...inter-to-parent-s-fd-unix_name-in-th.patch | 22 ++-- .../definition | 1 + patches/patchinstall.sh | 33 +++++ ...open-files-without-any-permission-bi.patch | 117 ++++++++++++++++++ ...ting-new-directories-temporarily-giv.patch | 31 +++++ ...dd-tests-for-ACL-inheritance-in-Crea.patch | 93 ++++++++++++++ ...dd-ACL-inheritance-tests-for-creatin.patch | 100 +++++++++++++++ patches/server-File_Permissions/definition | 1 + ...ecurity-attributes-from-parent-direc.patch | 28 ++++- patches/server-Inherited_ACLs/definition | 1 + 12 files changed, 414 insertions(+), 17 deletions(-) create mode 100644 patches/server-File_Permissions/0001-server-Allow-to-open-files-without-any-permission-bi.patch create mode 100644 patches/server-File_Permissions/0002-server-When-creating-new-directories-temporarily-giv.patch create mode 100644 patches/server-File_Permissions/0003-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch create mode 100644 patches/server-File_Permissions/0004-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch create mode 100644 patches/server-File_Permissions/definition diff --git a/README.md b/README.md index eb9a14f8..7b814513 100644 --- a/README.md +++ b/README.md 
@@ -39,11 +39,12 @@ Wine. All those differences are also documented on the Included bug fixes and improvements ----------------------------------- -**Bug fixes and features included in the next upcoming release [17]:** +**Bug fixes and features included in the next upcoming release [18]:** * Add stub fltmgr.sys (filter manager driver) ([Wine Bug #23583](https://bugs.winehq.org/show_bug.cgi?id=23583)) * Add stub for ntoskrnl.PsRemoveLoadImageNotifyRoutine * Add stubs for Power[Set|Clear]Request +* Allow to open files/directories without any access rights in order to query attributes * Avoid spam of FIXME messages for PsLookupProcessByProcessId stub ([Wine Bug #36821](https://bugs.winehq.org/show_bug.cgi?id=36821)) * Don't return an error in WS_select when EINTR happens during timeout * Fix calculation of 3D sound source ([Wine Bug #38041](https://bugs.winehq.org/show_bug.cgi?id=38041)) diff --git a/debian/changelog b/debian/changelog index eced361c..e35a7425 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,6 +19,7 @@ wine-staging (1.7.40) UNRELEASED; urgency=low * Added patch to implement proper handling of CLI .NET images in Wine library loader. * Added patch to stub ntoskrnl.PsRemoveLoadImageNotifyRoutine * Added patch to fix invalid memory access in get_registry_locale_info. + * Added patch to allow to open files/directories without any access rights in order to query attributes. * Removed patch to fix regression causing black screen on startup (accepted upstream). * Removed patch to fix edge cases in TOOLTIPS_GetTipText (fixed upstream). * Removed patch for IConnectionPoint/INetworkListManagerEvents stub interface (accepted upstream). diff --git a/patches/ntdll-FileDispositionInformation/0001-server-Keep-a-pointer-to-parent-s-fd-unix_name-in-th.patch b/patches/ntdll-FileDispositionInformation/0001-server-Keep-a-pointer-to-parent-s-fd-unix_name-in-th.patch index 318fdc7c..187c786f 100644 
--- a/patches/ntdll-FileDispositionInformation/0001-server-Keep-a-pointer-to-parent-s-fd-unix_name-in-th.patch +++ b/patches/ntdll-FileDispositionInformation/0001-server-Keep-a-pointer-to-parent-s-fd-unix_name-in-th.patch @@ -1,15 +1,15 @@ -From 35cc6b5ed224e27ef833bb84cea092bb65b8ab12 Mon Sep 17 00:00:00 2001 +From e2337e9756c38d06661d6dabd4a04d97528c4ab1 Mon Sep 17 00:00:00 2001 From: Dmitry Timoshkov Date: Thu, 7 Aug 2014 18:31:33 -0600 Subject: server: Keep a pointer to parent's fd unix_name in the closed_fd structure. --- - server/fd.c | 38 +++++++++++++++++++++----------------- + server/fd.c | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/server/fd.c b/server/fd.c -index e3b722c..b022a3c 100644 +index 9a4aac4..cd62cc8 100644 --- a/server/fd.c +++ b/server/fd.c @@ -164,7 +164,8 @@ struct closed_fd @@ -124,8 +124,8 @@ index e3b722c..b022a3c 100644 - const char *unlink_name = ""; int root_fd = -1; int rw_mode; - -@@ -1752,8 +1756,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, + int do_chmod = 0; +@@ -1753,8 +1757,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, if (!(fd = alloc_fd_object())) return NULL; fd->options = options; 
@@ -135,17 +135,17 @@ index e3b722c..b022a3c 100644 { release_object( fd ); return NULL; -@@ -1810,7 +1813,8 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, +@@ -1834,7 +1837,8 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, } closed_fd->unix_fd = fd->unix_fd; - closed_fd->unlink[0] = 0; + closed_fd->unlink = 0; + closed_fd->unix_name = fd->unix_name; - fstat( fd->unix_fd, &st ); - *mode = st.st_mode; -@@ -1851,7 +1855,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, + if (do_chmod) fchmod( fd->unix_fd, *mode ); + fstat( fd->unix_fd, &st ); +@@ -1877,7 +1881,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, set_error( err ); return NULL; } @@ -154,7 +154,7 @@ index e3b722c..b022a3c 100644 if (flags & O_TRUNC) { if (S_ISDIR(st.st_mode)) -@@ -1870,7 +1874,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, +@@ -1896,7 +1900,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, set_error( STATUS_NOT_A_DIRECTORY ); goto error; } @@ -164,5 +164,5 @@ index e3b722c..b022a3c 100644 set_error( STATUS_INVALID_PARAMETER ); goto error; -- -1.7.9.5 +2.3.3 diff --git a/patches/ntdll-FileDispositionInformation/definition b/patches/ntdll-FileDispositionInformation/definition index 8e072239..dc7dcb17 100644 --- a/patches/ntdll-FileDispositionInformation/definition +++ b/patches/ntdll-FileDispositionInformation/definition @@ -1 +1,2 @@ Fixes: [30397] Support for NtSetInformationFile class FileDispositionInformation +Depends: server-File_Permissions diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh index a07482bf..48d48d6c 100755 --- a/patches/patchinstall.sh +++ b/patches/patchinstall.sh 
@@ -178,6 +178,7 @@ patch_enable_all () enable_server_Address_List_Change="$1" enable_server_ClipCursor="$1" enable_server_CreateProcess_ACLs="$1" + enable_server_File_Permissions="$1" enable_server_Inherited_ACLs="$1" enable_server_JobObjects="$1" enable_server_Key_State="$1" @@ -601,6 +602,9 @@ patch_enable () server-CreateProcess_ACLs) enable_server_CreateProcess_ACLs="$2" ;; + server-File_Permissions) + enable_server_File_Permissions="$2" + ;; server-Inherited_ACLs) enable_server_Inherited_ACLs="$2" ;; @@ -1089,9 +1093,13 @@ if test "$enable_server_ACL_Compat" -eq 1; then fi if test "$enable_server_Inherited_ACLs" -eq 1; then + if test "$enable_server_File_Permissions" -gt 1; then + abort "Patchset server-File_Permissions disabled, but server-Inherited_ACLs depends on that." + fi if test "$enable_server_Stored_ACLs" -gt 1; then abort "Patchset server-Stored_ACLs disabled, but server-Inherited_ACLs depends on that." fi + enable_server_File_Permissions=1 enable_server_Stored_ACLs=1 fi @@ -1177,6 +1185,13 @@ if test "$enable_kernel32_CopyFileEx" -eq 1; then enable_ntdll_FileDispositionInformation=1 fi +if test "$enable_ntdll_FileDispositionInformation" -eq 1; then + if test "$enable_server_File_Permissions" -gt 1; then + abort "Patchset server-File_Permissions disabled, but ntdll-FileDispositionInformation depends on that." + fi + enable_server_File_Permissions=1 +fi + if test "$enable_dxva2_Video_Decoder" -eq 1; then if test "$enable_winecfg_Staging" -gt 1; then abort "Patchset winecfg-Staging disabled, but dxva2-Video_Decoder depends on that." 
@@ -2611,6 +2626,24 @@ if test "$enable_kernel32_Console_Handles" -eq 1; then ) >> "$patchlist" fi +# Patchset server-File_Permissions +# | +# | Modified files: +# | * dlls/advapi32/tests/security.c, server/fd.c +# | +if test "$enable_server_File_Permissions" -eq 1; then + patch_apply server-File_Permissions/0001-server-Allow-to-open-files-without-any-permission-bi.patch + patch_apply server-File_Permissions/0002-server-When-creating-new-directories-temporarily-giv.patch + patch_apply server-File_Permissions/0003-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch + patch_apply server-File_Permissions/0004-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch + ( + echo '+ { "Sebastian Lackner", "server: Allow to open files without any permission bits.", 2 },'; + echo '+ { "Sebastian Lackner", "server: When creating new directories temporarily give read-permissions until they are opened.", 1 },'; + echo '+ { "Sebastian Lackner", "advapi32/tests: Add tests for ACL inheritance in CreateDirectoryA.", 1 },'; + echo '+ { "Sebastian Lackner", "advapi32/tests: Add ACL inheritance tests for creating subdirectories with NtCreateFile.", 1 },'; + ) >> "$patchlist" +fi + # Patchset ntdll-FileDispositionInformation # | # | This patchset fixes the following Wine bugs: diff --git a/patches/server-File_Permissions/0001-server-Allow-to-open-files-without-any-permission-bi.patch b/patches/server-File_Permissions/0001-server-Allow-to-open-files-without-any-permission-bi.patch new file mode 100644 index 00000000..cd8c8a5a --- /dev/null +++ b/patches/server-File_Permissions/0001-server-Allow-to-open-files-without-any-permission-bi.patch 
@@ -0,0 +1,117 @@ +From 79e9440272eed16300dc4aacc96765a24841a705 Mon Sep 17 00:00:00 2001 +From: Sebastian Lackner +Date: Fri, 3 Apr 2015 03:58:47 +0200 +Subject: server: Allow to open files without any permission bits. (try 2) + +Changes in v2: +* As suggested by Piotr, fix the problem for both files and directories. +* Pay attention to requested access attributes - this fixes a couple more todo_wine's. +--- + dlls/advapi32/tests/security.c | 32 ++++++++++++-------------------- + server/fd.c | 21 +++++++++++++++++++++ + 2 files changed, 33 insertions(+), 20 deletions(-) + +diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c +index 466100d..329ae09 100644 +--- a/dlls/advapi32/tests/security.c ++++ b/dlls/advapi32/tests/security.c +@@ -3319,17 +3319,13 @@ static void test_CreateDirectoryA(void) + error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, + OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, + (PSID *)&owner, NULL, &pDacl, NULL, &pSD); +- todo_wine + ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error); +- if (error == ERROR_SUCCESS) +- { +- bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); +- ok(bret, "GetAclInformation failed\n"); +- todo_wine +- ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n", +- acl_size.AceCount); +- LocalFree(pSD); +- } ++ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); ++ ok(bret, "GetAclInformation failed\n"); ++ todo_wine ++ ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n", ++ acl_size.AceCount); ++ LocalFree(pSD); + CloseHandle(hTemp); + + /* Test inheritance of ACLs in NtCreateFile without security descriptor */ +@@ -3399,17 +3395,13 @@ static void test_CreateDirectoryA(void) + error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, + OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, + (PSID *)&owner, NULL, 
&pDacl, NULL, &pSD); +- todo_wine + ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error); +- if (error == ERROR_SUCCESS) +- { +- bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); +- ok(bret, "GetAclInformation failed\n"); +- todo_wine +- ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n", +- acl_size.AceCount); +- LocalFree(pSD); +- } ++ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); ++ ok(bret, "GetAclInformation failed\n"); ++ todo_wine ++ ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n", ++ acl_size.AceCount); ++ LocalFree(pSD); + CloseHandle(hTemp); + + done: +diff --git a/server/fd.c b/server/fd.c +index e3b722c..3afb89a 100644 +--- a/server/fd.c ++++ b/server/fd.c +@@ -1741,6 +1741,7 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, + const char *unlink_name = ""; + int root_fd = -1; + int rw_mode; ++ int do_chmod = 0; + + if (((options & FILE_DELETE_ON_CLOSE) && !(access & DELETE)) || + ((options & FILE_DIRECTORY_FILE) && (flags & O_TRUNC))) +@@ -1801,16 +1802,36 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, + if ((access & FILE_UNIX_WRITE_ACCESS) || (flags & O_CREAT)) + fd->unix_fd = open( name, O_RDONLY | (flags & ~(O_TRUNC | O_CREAT | O_EXCL)), *mode ); + } ++ else if (errno == EACCES) ++ { ++ /* try to change permissions temporarily to open a file descriptor */ ++ if (!(access & (FILE_UNIX_WRITE_ACCESS | FILE_UNIX_READ_ACCESS | DELETE)) && ++ !stat( name, &st ) && st.st_uid == getuid() && ++ !chmod( name, st.st_mode | S_IRUSR )) ++ { ++ fd->unix_fd = open( name, O_RDONLY | (flags & ~(O_TRUNC | O_CREAT | O_EXCL)), *mode ); ++ *mode = st.st_mode; ++ do_chmod = 1; ++ } ++ else ++ { ++ set_error( STATUS_ACCESS_DENIED ); ++ goto error; ++ } ++ } + + if (fd->unix_fd == -1) + { + file_set_error(); ++ if (do_chmod) 
chmod( name, *mode ); + goto error; + } + } + + closed_fd->unix_fd = fd->unix_fd; + closed_fd->unlink[0] = 0; ++ ++ if (do_chmod) fchmod( fd->unix_fd, *mode ); + fstat( fd->unix_fd, &st ); + *mode = st.st_mode; + +-- +2.3.3 + diff --git a/patches/server-File_Permissions/0002-server-When-creating-new-directories-temporarily-giv.patch b/patches/server-File_Permissions/0002-server-When-creating-new-directories-temporarily-giv.patch new file mode 100644 index 00000000..5d08ebce --- /dev/null +++ b/patches/server-File_Permissions/0002-server-When-creating-new-directories-temporarily-giv.patch @@ -0,0 +1,31 @@ +From 9443494239616a5a9f1e7d5711324c435d04e035 Mon Sep 17 00:00:00 2001 +From: Sebastian Lackner +Date: Fri, 3 Apr 2015 03:58:53 +0200 +Subject: server: When creating new directories temporarily give + read-permissions until they are opened. + +--- + server/fd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/server/fd.c b/server/fd.c +index 3afb89a..9a4aac4 100644 +--- a/server/fd.c ++++ b/server/fd.c +@@ -1774,7 +1774,12 @@ struct fd *open_fd( struct fd *root, const char *name, int flags, mode_t *mode, + /* create the directory if needed */ + if ((options & FILE_DIRECTORY_FILE) && (flags & O_CREAT)) + { +- if (mkdir( name, *mode ) == -1) ++ if (mkdir( name, *mode | S_IRUSR ) != -1) ++ { ++ /* remove S_IRUSR later, after we have opened the directory */ ++ do_chmod = !(*mode & S_IRUSR); ++ } ++ else + { + if (errno != EEXIST || (flags & O_EXCL)) + { +-- +2.3.3 + diff --git a/patches/server-File_Permissions/0003-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch b/patches/server-File_Permissions/0003-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch new file mode 100644 index 00000000..ec8dfdf5 --- /dev/null +++ b/patches/server-File_Permissions/0003-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch 
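Review bot: The EACCES fallback added to open_fd() widens the mode by path (`stat( name, &st )`, `chmod( name, st.st_mode | S_IRUSR )`, then `open( name, ... )`), so the `st.st_uid == getuid()` check and the descriptor finally opened are not tied to the same inode. The owner-read bit also stays set on disk for the whole window. After the retry succeeds I would fstat the descriptor, compare `st_dev`/`st_ino` with the values from the earlier stat, and fail with STATUS_ACCESS_DENIED on a mismatch. The restore calls `chmod( name, *mode )` and `fchmod( fd->unix_fd, *mode )` ignore their return values, so a failed restore silently leaves the file more readable than its owner set it; at minimum report it, e.g. `if (do_chmod && fchmod( fd->unix_fd, *mode ) == -1) file_set_error();`. open_fd() starts and ends outside the hunk, so the behaviour of the `error` label is assumed from the visible `goto error`.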
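Review bot: When `do_chmod` is set for a new directory, its final mode no longer passes through the process umask. `mkdir( name, *mode | S_IRUSR )` is filtered by the umask, but the later `fchmod( fd->unix_fd, *mode )` from the previous patch applies `*mode` verbatim. Unless the caller has already masked `*mode` (not visible here), a directory requested without S_IRUSR can end up with group/other bits the umask would have removed. Restoring from the mode that was actually created avoids this: fstat after the open and clear only the temporary bit, `fchmod( fd->unix_fd, st.st_mode & ~S_IRUSR )`. The open_fd() body continues outside this hunk.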
@@ -0,0 +1,93 @@ +From 0c188a73bf19cbdb18c61d0a8417e9557c3daf59 Mon Sep 17 00:00:00 2001 +From: Sebastian Lackner +Date: Fri, 3 Apr 2015 03:58:59 +0200 +Subject: advapi32/tests: Add tests for ACL inheritance in CreateDirectoryA. + +--- + dlls/advapi32/tests/security.c | 70 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c +index 329ae09..36ef972 100644 +--- a/dlls/advapi32/tests/security.c ++++ b/dlls/advapi32/tests/security.c +@@ -3404,6 +3404,76 @@ static void test_CreateDirectoryA(void) + LocalFree(pSD); + CloseHandle(hTemp); + ++ /* Test inheritance of ACLs in CreateDirectory without security descriptor */ ++ strcpy(tmpfile, tmpdir); ++ lstrcatA(tmpfile, "/tmpdir"); ++ bret = CreateDirectoryA(tmpfile, NULL); ++ ok(bret == TRUE, "CreateDirectoryA failed with error %u\n", GetLastError()); ++ ++ error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, ++ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, ++ (PSID *)&owner, NULL, &pDacl, NULL, &pSD); ++ ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n"); ++ test_inherited_dacl(pDacl, admin_sid, user_sid, ++ OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERITED_ACE, ++ 0x1f01ff, TRUE, TRUE, TRUE, __LINE__); ++ LocalFree(pSD); ++ bret = RemoveDirectoryA(tmpfile); ++ ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError()); ++ ++ /* Test inheritance of ACLs in CreateDirectory with security descriptor */ ++ pSD = &sd; ++ InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION); ++ pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL)); ++ bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION); ++ ok(bret, "Failed to initialize ACL\n"); ++ bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE); ++ ok(bret, "Failed to add ACL to security desciptor\n"); ++ ++ strcpy(tmpfile, tmpdir); ++ lstrcatA(tmpfile, "/tmpdir1"); ++ ++ sa.nLength = sizeof(sa); ++ 
sa.lpSecurityDescriptor = pSD; ++ sa.bInheritHandle = TRUE; ++ bret = CreateDirectoryA(tmpfile, &sa); ++ ok(bret == TRUE, "CreateDirectoryA failed with error %u\n", GetLastError()); ++ HeapFree(GetProcessHeap(), 0, pDacl); ++ ++ error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, ++ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, ++ (PSID *)&owner, NULL, &pDacl, NULL, &pSD); ++ ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error); ++ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); ++ ok(bret, "GetAclInformation failed\n"); ++ todo_wine ++ ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n", ++ acl_size.AceCount); ++ LocalFree(pSD); ++ ++ SetLastError(0xdeadbeef); ++ bret = RemoveDirectoryA(tmpfile); ++ error = GetLastError(); ++ ok(bret == FALSE, "RemoveDirectoryA unexpected succeeded\n"); ++ ok(error == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %u\n", error); ++ ++ pSD = &sd; ++ InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION); ++ pDacl = HeapAlloc(GetProcessHeap(), 0, 100); ++ bret = InitializeAcl(pDacl, 100, ACL_REVISION); ++ ok(bret, "Failed to initialize ACL.\n"); ++ bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid); ++ ok(bret, "Failed to add Current User to ACL.\n"); ++ bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE); ++ ok(bret, "Failed to add ACL to security desciptor.\n"); ++ error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, ++ NULL, pDacl, NULL); ++ ok(error == ERROR_SUCCESS, "SetNamedSecurityInfoA failed with error %u\n", error); ++ HeapFree(GetProcessHeap(), 0, pDacl); ++ ++ bret = RemoveDirectoryA(tmpfile); ++ ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError()); ++ + done: + HeapFree(GetProcessHeap(), 0, user); + bret = RemoveDirectoryA(tmpdir); +-- +2.3.3 + 
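Review bot: In the "with security descriptor" block, `pDacl` has just been released with `HeapFree` and `pSD` still points at the stack variable `sd` when `pGetNamedSecurityInfoA` is called. If that call fails and leaves its out-parameters untouched, the following `pGetAclInformation(pDacl, ...)` may read freed memory and `LocalFree(pSD)` is handed a stack address. `ok()` records the failure but does not stop the test, so the dependent calls should stay inside `if (error == ERROR_SUCCESS) { ... }`. The `HeapAlloc` results are also passed to `InitializeAcl` unchecked. The same pattern is in the NtCreateFile tests added by 0004 and in the guards that 0001 removes from security.c.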
diff --git a/patches/server-File_Permissions/0004-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch b/patches/server-File_Permissions/0004-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch new file mode 100644 index 00000000..3c4cf220 --- /dev/null +++ b/patches/server-File_Permissions/0004-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch 
@@ -0,0 +1,100 @@ +From 39e8ae54cb3e8dcd4ef48e190f96b6dd48b40969 Mon Sep 17 00:00:00 2001 +From: Sebastian Lackner +Date: Fri, 3 Apr 2015 03:59:05 +0200 +Subject: advapi32/tests: Add ACL inheritance tests for creating subdirectories + with NtCreateFile. + +--- + dlls/advapi32/tests/security.c | 76 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 76 insertions(+) + +diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c +index 36ef972..a0532f6 100644 +--- a/dlls/advapi32/tests/security.c ++++ b/dlls/advapi32/tests/security.c +@@ -3474,6 +3474,82 @@ static void test_CreateDirectoryA(void) + bret = RemoveDirectoryA(tmpfile); + ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError()); + ++ /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) without security descriptor */ ++ strcpy(tmpfile, tmpdir); ++ lstrcatA(tmpfile, "/tmpdir"); ++ get_nt_pathW(tmpfile, &tmpfileW); ++ ++ attr.Length = sizeof(attr); ++ attr.RootDirectory = 0; ++ attr.ObjectName = &tmpfileW; ++ attr.Attributes = OBJ_CASE_INSENSITIVE; ++ attr.SecurityDescriptor = NULL; ++ attr.SecurityQualityOfService = NULL; ++ ++ status = pNtCreateFile(&hTemp, GENERIC_READ | DELETE, &attr, &io, NULL, FILE_ATTRIBUTE_NORMAL, ++ FILE_SHARE_READ, FILE_CREATE, FILE_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE, NULL, 0); ++ ok(!status, "NtCreateFile failed with %08x\n", status); ++ RtlFreeUnicodeString(&tmpfileW); ++ ++ error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, ++ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, ++ (PSID *)&owner, NULL, &pDacl, NULL, &pSD); ++ ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n"); ++ test_inherited_dacl(pDacl, admin_sid, user_sid, ++ OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERITED_ACE, ++ 0x1f01ff, TRUE, TRUE, TRUE, __LINE__); ++ LocalFree(pSD); ++ CloseHandle(hTemp); ++ ++ /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) 
with security descriptor */ ++ pSD = &sd; ++ InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION); ++ pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL)); ++ bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION); ++ ok(bret, "Failed to initialize ACL\n"); ++ bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE); ++ ok(bret, "Failed to add ACL to security desciptor\n"); ++ ++ strcpy(tmpfile, tmpdir); ++ lstrcatA(tmpfile, "/tmpdir2"); ++ get_nt_pathW(tmpfile, &tmpfileW); ++ ++ attr.Length = sizeof(attr); ++ attr.RootDirectory = 0; ++ attr.ObjectName = &tmpfileW; ++ attr.Attributes = OBJ_CASE_INSENSITIVE; ++ attr.SecurityDescriptor = pSD; ++ attr.SecurityQualityOfService = NULL; ++ ++ status = pNtCreateFile(&hTemp, GENERIC_READ | DELETE, &attr, &io, NULL, FILE_ATTRIBUTE_NORMAL, ++ FILE_SHARE_READ, FILE_CREATE, FILE_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE, NULL, 0); ++ ok(!status, "NtCreateFile failed with %08x\n", status); ++ RtlFreeUnicodeString(&tmpfileW); ++ HeapFree(GetProcessHeap(), 0, pDacl); ++ ++ error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT, ++ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, ++ (PSID *)&owner, NULL, &pDacl, NULL, &pSD); ++ ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error); ++ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); ++ ok(bret, "GetAclInformation failed\n"); ++ todo_wine ++ ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n", ++ acl_size.AceCount); ++ LocalFree(pSD); ++ ++ error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, ++ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, ++ (PSID *)&owner, NULL, &pDacl, NULL, &pSD); ++ ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error); ++ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation); ++ ok(bret, "GetAclInformation failed\n"); ++ todo_wine ++ ok(acl_size.AceCount == 0, "GetAclInformation 
returned unexpected entry count (%d != 0).\n", ++ acl_size.AceCount); ++ LocalFree(pSD); ++ CloseHandle(hTemp); ++ + done: + HeapFree(GetProcessHeap(), 0, user); + bret = RemoveDirectoryA(tmpdir); +-- +2.3.3 + diff --git a/patches/server-File_Permissions/definition b/patches/server-File_Permissions/definition new file mode 100644 index 00000000..1c6832a4 --- /dev/null +++ b/patches/server-File_Permissions/definition @@ -0,0 +1 @@ +Fixes: Allow to open files/directories without any access rights in order to query attributes diff --git a/patches/server-Inherited_ACLs/0001-server-Inherit-security-attributes-from-parent-direc.patch b/patches/server-Inherited_ACLs/0001-server-Inherit-security-attributes-from-parent-direc.patch index a59151db..f5fa6d44 100644 --- a/patches/server-Inherited_ACLs/0001-server-Inherit-security-attributes-from-parent-direc.patch +++ b/patches/server-Inherited_ACLs/0001-server-Inherit-security-attributes-from-parent-direc.patch @@ -1,16 +1,16 @@ -From 2e6b68d04f4b74591fdbea0ef5fbea4879235c96 Mon Sep 17 00:00:00 2001 +From 42b83b84ee0ff3b0a9d2439e1d0154287630f192 Mon Sep 17 00:00:00 2001 From: "Erich E. Hoover" Date: Fri, 18 Apr 2014 14:08:36 -0600 Subject: server: Inherit security attributes from parent directories on creation. (try 7) --- - dlls/advapi32/tests/security.c | 4 +- + dlls/advapi32/tests/security.c | 8 +-- server/file.c | 137 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 139 insertions(+), 2 deletions(-) + 2 files changed, 141 insertions(+), 4 deletions(-) diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c -index a530a3f..ae9ec99 100644 +index 4db46f5..c509d3c 100644 --- a/dlls/advapi32/tests/security.c +++ b/dlls/advapi32/tests/security.c @@ -3278,7 +3278,7 @@ static void test_CreateDirectoryA(void) 
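Review bot: The failure message after `pGetSecurityInfo(hTemp, ...)` still reads "GetNamedSecurityInfo failed", which points at the wrong call when the handle-based query is the one that breaks. `ok(error == ERROR_SUCCESS, "GetSecurityInfo failed with error %d\n", error);` would distinguish it from the path-based query that follows. A short comment such as `/* query through the handle first, then by name while the handle is still open */` would also explain why the same DACL is read twice before `CloseHandle(hTemp)`. test_CreateDirectoryA() starts outside the hunk.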
@@ -22,7 +22,7 @@ index a530a3f..ae9ec99 100644 LocalFree(pSD); CloseHandle(hTemp); -@@ -3352,7 +3352,7 @@ static void test_CreateDirectoryA(void) +@@ -3348,7 +3348,7 @@ static void test_CreateDirectoryA(void) (PSID *)&owner, NULL, &pDacl, NULL, &pSD); ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n"); test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE, @@ -31,6 +31,24 @@ index a530a3f..ae9ec99 100644 LocalFree(pSD); CloseHandle(hTemp); +@@ -3414,7 +3414,7 @@ static void test_CreateDirectoryA(void) + ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n"); + test_inherited_dacl(pDacl, admin_sid, user_sid, + OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERITED_ACE, +- 0x1f01ff, TRUE, TRUE, TRUE, __LINE__); ++ 0x1f01ff, FALSE, FALSE, FALSE, __LINE__); + LocalFree(pSD); + bret = RemoveDirectoryA(tmpfile); + ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError()); +@@ -3495,7 +3495,7 @@ static void test_CreateDirectoryA(void) + ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n"); + test_inherited_dacl(pDacl, admin_sid, user_sid, + OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERITED_ACE, +- 0x1f01ff, TRUE, TRUE, TRUE, __LINE__); ++ 0x1f01ff, FALSE, FALSE, FALSE, __LINE__); + LocalFree(pSD); + CloseHandle(hTemp); + diff --git a/server/file.c b/server/file.c index b6435d1..43be63b 100644 --- a/server/file.c diff --git a/patches/server-Inherited_ACLs/definition b/patches/server-Inherited_ACLs/definition index 548d7437..2c7fa699 100644 --- a/patches/server-Inherited_ACLs/definition +++ b/patches/server-Inherited_ACLs/definition @@ -1,2 +1,3 @@ Depends: server-Stored_ACLs +Depends: server-File_Permissions Fixes: [34406] Support for inherited file ACLs