Mercurial > trustbridge
comparison common/util.c @ 1070:f110a3f6e387
(issue114) Fine tune ACL propagation
using mkdir_p the ACL of the parent directories would
propagate to all subdirectories and objects in the directory.
Now we only use ACL propagation in the last directory to make
sure that files we might create in that directory inherit the
correct (resitricted) ACL
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Wed, 10 Sep 2014 16:41:36 +0200 |
| parents | 1f23803e1f83 |
| children | fd85a02d771d |
comparison
equal
deleted
inserted
replaced
| 1069:709a7633a2c6 | 1070:f110a3f6e387 |
|---|---|
| 653 #endif | 653 #endif |
| 654 } | 654 } |
| 655 | 655 |
| 656 #ifdef WIN32 | 656 #ifdef WIN32 |
| 657 bool | 657 bool |
| 658 create_restricted_directory (LPWSTR path) | 658 create_restricted_directory (LPWSTR path, bool objects_should_inherit) |
| 659 { | 659 { |
| 660 bool retval = false; | 660 bool retval = false; |
| 661 PSID everyone_SID = NULL, | 661 PSID everyone_SID = NULL, |
| 662 admin_SID = NULL; | 662 admin_SID = NULL; |
| 663 PACL access_control_list = NULL; | 663 PACL access_control_list = NULL; |
| 683 | 683 |
| 684 /* Initialize the first EXPLICIT_ACCESS structure for an ACE. | 684 /* Initialize the first EXPLICIT_ACCESS structure for an ACE. |
| 685 to allow everyone read access */ | 685 to allow everyone read access */ |
| 686 explicit_access[0].grfAccessPermissions = GENERIC_READ; /* Give read access */ | 686 explicit_access[0].grfAccessPermissions = GENERIC_READ; /* Give read access */ |
| 687 explicit_access[0].grfAccessMode = SET_ACCESS; /* Overwrite other access for all users */ | 687 explicit_access[0].grfAccessMode = SET_ACCESS; /* Overwrite other access for all users */ |
| 688 explicit_access[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; /* make it stick */ | 688 explicit_access[0].grfInheritance = objects_should_inherit ? |
| 689 SUB_CONTAINERS_AND_OBJECTS_INHERIT : /* make it stick */ | |
| 690 NO_PROPAGATE_INHERIT_ACE; /* Don't inherit */ | |
| 689 explicit_access[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; | 691 explicit_access[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; |
| 690 explicit_access[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; | 692 explicit_access[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; |
| 691 explicit_access[0].Trustee.ptstrName = (LPTSTR) everyone_SID; | 693 explicit_access[0].Trustee.ptstrName = (LPTSTR) everyone_SID; |
| 692 | 694 |
| 693 /* Create the SID for the BUILTIN\Administrators group. */ | 695 /* Create the SID for the BUILTIN\Administrators group. */ |
| 704 | 706 |
| 705 /* explicit_access[1] grants admins full rights for this object and inherits | 707 /* explicit_access[1] grants admins full rights for this object and inherits |
| 706 it to the children */ | 708 it to the children */ |
| 707 explicit_access[1].grfAccessPermissions = GENERIC_ALL; | 709 explicit_access[1].grfAccessPermissions = GENERIC_ALL; |
| 708 explicit_access[1].grfAccessMode = SET_ACCESS; | 710 explicit_access[1].grfAccessMode = SET_ACCESS; |
| 709 explicit_access[1].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; | 711 explicit_access[1].grfInheritance = objects_should_inherit ? |
| 712 SUB_CONTAINERS_AND_OBJECTS_INHERIT : /* make it stick */ | |
| 713 NO_PROPAGATE_INHERIT_ACE; /* Don't inherit */ | |
| 710 explicit_access[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; | 714 explicit_access[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; |
| 711 explicit_access[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP; | 715 explicit_access[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP; |
| 712 explicit_access[1].Trustee.ptstrName = (LPTSTR) admin_SID; | 716 explicit_access[1].Trustee.ptstrName = (LPTSTR) admin_SID; |
| 713 | 717 |
| 714 /* Set up the ACL structure. */ | 718 /* Set up the ACL structure. */ |