diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c
index 6ecffb6c..fdfa4fd3 100644
--- a/libntfs-3g/acls.c
+++ b/libntfs-3g/acls.c
@@ -3096,6 +3096,7 @@ static int build_owngrp_permissions(const char *securattr,
 int nace;
 le32 special;
 BOOL grppresent;
+ BOOL ownpresent;
 le32 allowown, allowgrp, allowall;
 le32 denyown, denygrp, denyall;
@@ -3105,6 +3106,7 @@ static int build_owngrp_permissions(const char *securattr,
 special = const_cpu_to_le32(0);
 allowown = allowgrp = allowall = const_cpu_to_le32(0);
 denyown = denygrp = denyall = const_cpu_to_le32(0);
+ ownpresent = FALSE;
 grppresent = FALSE;
 if (offdacl) {
 acecnt = le16_to_cpu(pacl->ace_count);
@@ -3117,9 +3119,11 @@ static int build_owngrp_permissions(const char *securattr,
 if ((ntfs_same_sid(usid, &pace->sid) || ntfs_same_sid(ownersid, &pace->sid)) && (pace->mask & WRITE_OWNER)) {
- if (pace->type == ACCESS_ALLOWED_ACE_TYPE)
+ if (pace->type == ACCESS_ALLOWED_ACE_TYPE) {
 allowown |= pace->mask;
- } else
+ ownpresent = TRUE;
+ }
+ } else
 if (ntfs_same_sid(usid, &pace->sid) && (!(pace->mask & WRITE_OWNER))) {
 if (pace->type == ACCESS_ALLOWED_ACE_TYPE) {
@@ -3140,6 +3144,8 @@ static int build_owngrp_permissions(const char *securattr,
 }
 offace += le16_to_cpu(pace->size);
 }
+ if (!ownpresent)
+ allowown = allowall;
 if (!grppresent)
 allowgrp = allowall;
 return (merge_permissions(isdir,
diff --git a/src/secaudit.c b/src/secaudit.c
index 346b93c9..1ee222d4 100644
--- a/src/secaudit.c
+++ b/src/secaudit.c
@@ -569,8 +569,21 @@ static const char worldsidbytes[] = {
 } ;
 static const SID *worldsid = (const SID*)worldsidbytes;
+/*
+ * SID for authenticated user (S-1-5-11)
+ */
+
+static const char authsidbytes[] = {
+ 1, /* revision */
+ 1, /* auth count */
+ 0, 0, 0, 0, 0, 5, /* base */
+ 11, 0, 0, 0 /* 1st level */
+};
+
+static const SID *authsid = (const SID*)authsidbytes;
+
 /*
- * SID for administrator
+ * SID for administrator (S-1-5-32-544)
 */
 static const char adminsidbytes[] = {
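Review bot: `ownpresent = TRUE;` is set only inside the `ACCESS_ALLOWED_ACE_TYPE` test, and the visible owner/WRITE_OWNER branch has no deny handling at all, so an owner SID that appears only in a deny ACE carrying WRITE_OWNER is neither recorded as a denial nor counted as present; with the new fallback that owner is then handed Everyone's allow mask rather than nothing, which is the wrong direction to fail in for an ACE that explicitly names the owner. Moving the flag out of the type test — `ownpresent = TRUE;` as the first statement of the WRITE_OWNER branch, ahead of `if (pace->type == ACCESS_ALLOWED_ACE_TYPE) {` — keeps an explicitly named owner on its own, possibly empty, allow mask. Whether such deny ACEs occur on real volumes cannot be seen from this hunk; if they are known never to carry WRITE_OWNER, a comment saying so would make the allow-only choice deliberate. build_owngrp_permissions starts before this hunk and the ACE loop continues past it.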
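Review bot: The new fallback `if (!ownpresent) allowown = allowall;` silently widens the owner's rights to whatever Everyone is allowed, and nothing in the hunk records why that is the intended reading of an owner absent from the DACL. A one-line comment above it, `/* owner not named in the DACL: treat it as a member of Everyone */`, would let the next reader tell the policy from an oversight, and the same note fits the pre-existing grppresent fallback it mirrors. Whether Everyone's deny mask follows the borrowed allow mask is decided in merge_permissions, outside this hunk, so I cannot confirm it from here. The function's return statement continues past the hunk.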
@@ -583,8 +596,22 @@ static const char adminsidbytes[] = {
 static const SID *adminsid = (const SID*)adminsidbytes;
+/*
+ * SID for local users (S-1-5-32-545)
+ */
+
+static const char localsidbytes[] = {
+ 1, /* revision */
+ 2, /* auth count */
+ 0, 0, 0, 0, 0, 5, /* base */
+ 32, 0, 0, 0, /* 1st level */
+ 33, 2, 0, 0 /* 2nd level */
+};
+
+static const SID *localsid = (const SID*)localsidbytes;
+
 /*
- * SID for system
+ * SID for system (S-1-5-18)
 */
 static const char systemsidbytes[] = {
@@ -3375,7 +3402,7 @@ void check_samples()
 * which cannot be generated by Linux
 */
- for (cnt=1; cnt<=8; cnt++) {
+ for (cnt=1; cnt<=10; cnt++) {
 switch(cnt) {
 case 1 : /* hp/tmp */
 isdir = TRUE;
@@ -3473,6 +3500,32 @@ void check_samples()
 expectacc = expect = 0700;
 expectdef = 0700;
 break;
+ case 9 : /* Win8/bin */
+ isdir = TRUE;
+ descr = build_dummy_descr(isdir,
+ (const SID*)owner3, (const SID*)owner3,
+ 6,
+ (int)TRUE, authsid, (int)0x3, (u32)0x1f01ff,
+ (int)TRUE, adminsid, (int)0x13, (u32)0x1f01ff,
+ (int)TRUE, systemsid, (int)0x13, (u32)0x1f01ff,
+ (int)TRUE, localsid, (int)0x13, (u32)0x1200a9,
+ (int)TRUE, authsid, (int)0x10, (u32)0x1301bf,
+ (int)TRUE, authsid, (int)0x1b, (u32)0xe0010000);
+ expectacc = expect = 0777;
+ expectdef = 0777;
+ break;
+ case 10 : /* Win8/bin/linem.exe */
+ isdir = FALSE;
+ descr = build_dummy_descr(isdir,
+ (const SID*)owner3, (const SID*)owner3,
+ 4,
+ (int)TRUE, authsid, (int)0x10, (u32)0x1f01ff,
+ (int)TRUE, adminsid, (int)0x10, (u32)0x1f01ff,
+ (int)TRUE, systemsid, (int)0x10, (u32)0x1ff,
+ (int)TRUE, localsid, (int)0x10, (u32)0x1200a9);
+ expectacc = expect = 0777;
+ expectdef = 0;
+ break;
 default :
 expectacc = expectdef = 0;
 break;
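Review bot: The last sub-authority of localsidbytes is written as `33, 2, 0, 0` with only `/* 2nd level */` beside it, so a reader has to decode 0x0221 by hand to confirm this is RID 545 and not a typo; the comment `/* 2nd level: 545 = 0x221, little-endian */` would make it checkable at a glance, and the same style suits the `32, 0, 0, 0` line. A wrong byte here would not fail to compile — the Users ACEs in the new sample descriptors would simply match a SID that exists nowhere, and the cases that reference localsid would exercise a different ACE set than intended. The layout itself (revision, sub-authority count, six-byte big-endian authority, little-endian sub-authorities) matches the other SID tables visible in this file.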
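Review bot: Case 10 expects mode 0777 for a file whose DACL names Authenticated Users, Administrators, SYSTEM and Users but no Everyone SID, and the case comment `/* Win8/bin/linem.exe */` does not say where the world bits come from, so this assertion pins a security-relevant mapping (an ACL with no Everyone entry presented to Linux as world-writable) without explaining it. A comment on the case, such as `/* no Everyone ACE: owner and world rights are expected to come from the Authenticated Users full-control ACE */`, would record the intent so that a later change to the owner fallback in build_owngrp_permissions shows up as a deliberate behaviour change rather than a puzzling test failure; I am inferring that derivation, since owner3 and the handling of authsid are outside this hunk. The same applies to case 9, where the three authsid ACEs carry different inherit flags (0x3, 0x10, 0x1b) and the expected 0777/0777 does not say which of them is meant to count. check_samples starts and ends outside the hunk.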