https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=ac0ac6630c3f716068c12c3d88f03ceb929b1744

commit ac0ac6630c3f716068c12c3d88f03ceb929b1744
Author:     Corinna Vinschen <cori...@vinschen.de>
AuthorDate: Sun Mar 30 21:56:33 2025 +0200
Commit:     Corinna Vinschen <cori...@vinschen.de>
CommitDate: Sun Mar 30 22:00:43 2025 +0200

    Cygwin: ACLs: don't allow special accounts as USER entry
    
    While accounts from the BUILTIN, NT AUTHORITY, and NT SERVICE domains
    can be owner of a file, they are always treated as group entries if they
    show up as additional entries in a Windows ACL.  Consequently, it
    shouldn't be possible to add or remove them as USER entry, for instance,
    via setfacl.
    
    Add a check to disallow BUILTIN, NT AUTHORITY, and NT SERVICE accounts
    as USER entries in a POSIX ACL.
    
    Fixes: bc444e5aa4ca ("Reapply POSIX ACL changes.")
    Signed-off-by: Corinna Vinschen <cori...@vinschen.de>
    
    (cherry picked from commit 98112b9f6f90dbce1ded637dd533ff0f5a1dffa9)

Diff:
---
 winsup/cygwin/release/3.6.1 |  3 +++
 winsup/cygwin/sec/acl.cc    | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/winsup/cygwin/release/3.6.1 b/winsup/cygwin/release/3.6.1
index c1dbbfb24ae8..7a6afe6b87e2 100644
--- a/winsup/cygwin/release/3.6.1
+++ b/winsup/cygwin/release/3.6.1
@@ -20,3 +20,6 @@ Fixes:
   Addresses: https://cygwin.com/pipermail/cygwin/2025-March/257783.html
 
 - Fix reference counting when dlopen/dlclose a DLL with RTLD_NODELETE.
+
+- Disallow accounts from the BUILTIN, NT AUTHORITY, NT SERVICE domains
+  as USER entry in a POSIX ACL.  Only allow USER_OBJ, GROUP_OBJ and GROUP.
diff --git a/winsup/cygwin/sec/acl.cc b/winsup/cygwin/sec/acl.cc
index 5d27a91280f4..129fe9adf1af 100644
--- a/winsup/cygwin/sec/acl.cc
+++ b/winsup/cygwin/sec/acl.cc
@@ -256,7 +256,21 @@ set_posix_access (mode_t attr, uid_t uid, gid_t gid,
              }
          }
        if (!aclsid[idx])
-         aclsid[idx] = sidfromuid (aclbufp[idx].a_id, &cldap);
+         {
+           struct passwd *pw = internal_getpwuid (aclbufp[idx].a_id, &cldap);
+           if (pw)
+             {
+               /* Don't allow to pass special accounts as USER, only as
+                  USER_OBJ, GROUP_OBJ, or GROUP */
+#define BUILTIN        "U-BUILTIN\\"
+#define NT_AUTH "U-NT AUTHORITY\\"
+#define NT_SVC  "U-NT SERVICE\\"
+               if (strncmp (pw->pw_gecos, BUILTIN, strlen (BUILTIN)) != 0
+                   && strncmp (pw->pw_gecos, NT_AUTH, strlen (NT_AUTH)) != 0
+                   && strncmp (pw->pw_gecos, NT_SVC, strlen (NT_SVC)) != 0)
+                 aclsid[idx] = (PSID) ((pg_pwd *) pw)->sid;
+             }
+         }
        break;
       case GROUP_OBJ:
        aclsid[idx] = group;
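Review bot: The new USER branch in set_posix_access decides whether an account is special by prefix-matching the text in `pw->pw_gecos` with a case-sensitive `strncmp`, although the account's SID is already at hand on the following line as `((pg_pwd *) pw)->sid`. If the gecos text can differ from these literals (for example a passwd entry supplied from a file, or a system that reports these domain names in another case or language; neither is visible here), a BUILTIN, NT AUTHORITY or NT SERVICE account would be accepted as USER again. Testing the SID against the well-known prefixes of those domains (for instance S-1-5-32 for BUILTIN and S-1-5-80 for NT SERVICE) would not depend on the string at all. The three `#define`s also stay defined for the rest of the file; an `#undef BUILTIN` (and likewise for `NT_AUTH`, `NT_SVC`) after the `if`, or file-scope `static const char` arrays, would keep them local. The function starts and ends outside the hunk, so how a still-NULL `aclsid[idx]` is rejected after the `break` cannot be checked from here.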
