applied. See \fBSPLIT_WIMS\fR.
.TP
\fB--unix-data\fR
-This option may only be given in the normal extraction mode (not NTFS).
-By default, in the normal extraction mode, \fB@IMAGEX_PROGNAME@ apply\fR will ignore both
-Windows-style security descriptors and UNIX-specific file owners, groups, and
-modes set when using \fB@IMAGEX_PROGNAME@ capture\fR with the \fB--unix-data\fR flag. By
-passing \fB--unix-data\fR to \fB@IMAGEX_PROGNAME@ apply\fR instead, this causes this
-UNIX-specific data to be restored when available.
+This option may only be given in the normal extraction mode (not NTFS). By
+default, in the normal extraction mode on UNIX, \fB@IMAGEX_PROGNAME@ apply\fR
+will ignore both Windows-style security descriptors and UNIX-specific file
+owners, groups, and modes set when using \fB@IMAGEX_PROGNAME@ capture\fR with
+the \fB--unix-data\fR flag. By passing \fB--unix-data\fR to
+\fB@IMAGEX_PROGNAME@ apply\fR instead, this causes this UNIX-specific data to be
+restored when available.
+.TP
+\fB--noacls\fR
+In the NTFS apply mode, do not apply security descriptors. This flag is also
+available in the native Win32 build of wimlib and may be useful when running
+\fB@IMAGEX_PROGNAME@\fR as a non-administrator.
.SH NOTES
UNIX. Microsoft's software will not understand this special
information.
.TP
+\fB--noacls\fR
+In the NTFS capture mode, do not capture security descriptors. This flag is
+also available in the native Win32 build of wimlib and may be useful when
+running \fB@IMAGEX_PROGNAME@\fR as a non-administrator.
+.TP
\fB--source-list\fR
\fB@IMAGEX_PROGNAME@ capture\fR and \fB@IMAGEX_PROGNAME@ append\fR, as of wimlib 1.3.0, support a new
option to create a WIM image from multiple files or directories. When
" [DESCRIPTION] [--boot] [--check] [--flags EDITION_ID]\n"
" [--verbose] [--dereference] [--config=FILE]\n"
" [--threads=NUM_THREADS] [--rebuild] [--unix-data]\n"
-" [--source-list]\n",
+" [--source-list] [--noacls]\n",
[APPLY] =
IMAGEX_PROGNAME" apply WIMFILE [IMAGE_NUM | IMAGE_NAME | all]\n"
" (DIRECTORY | NTFS_VOLUME) [--check] [--hardlink]\n"
-" [--symlink] [--verbose] [--ref=\"GLOB\"] [--unix-data]\n",
+" [--symlink] [--verbose] [--ref=\"GLOB\"] [--unix-data]\n"
+" [--noacls]\n",
[CAPTURE] =
IMAGEX_PROGNAME" capture (DIRECTORY | NTFS_VOLUME) WIMFILE [IMAGE_NAME]\n"
" [DESCRIPTION] [--boot] [--check] [--compress=TYPE]\n"
" [--flags EDITION_ID] [--verbose] [--dereference]\n"
" [--config=FILE] [--threads=NUM_THREADS] [--unix-data]\n"
-" [--source-list]\n",
+" [--source-list] [--noacls]\n",
[DELETE] =
IMAGEX_PROGNAME" delete WIMFILE (IMAGE_NUM | IMAGE_NAME | all) [--check] [--soft]\n",
[DIR] =
{"verbose", no_argument, NULL, 'v'},
{"ref", required_argument, NULL, 'r'},
{"unix-data", no_argument, NULL, 'U'},
+ {"noacls", no_argument, NULL, 'N'},
{NULL, 0, NULL, 0},
};
static const struct option capture_or_append_options[] = {
{"rebuild", no_argument, NULL, 'R'},
{"unix-data", no_argument, NULL, 'U'},
{"source-list", no_argument, NULL, 'S'},
+ {"noacls", no_argument, NULL, 'N'},
{NULL, 0, NULL, 0},
};
static const struct option delete_options[] = {
case 'U':
extract_flags |= WIMLIB_EXTRACT_FLAG_UNIX_DATA;
break;
+ case 'N':
+ extract_flags |= WIMLIB_EXTRACT_FLAG_NOACLS;
+ break;
default:
usage(APPLY);
return -1;
case 'S':
source_list = true;
break;
+ case 'N':
+ add_image_flags |= WIMLIB_ADD_IMAGE_FLAG_NO_ACLS;
+ break;
default:
usage(cmd);
return -1;
apply_file_attributes_and_security_data(ntfs_inode *ni,
ntfs_inode *dir_ni,
const struct wim_dentry *dentry,
- const WIMStruct *w)
+ const WIMStruct *w,
+ int extract_flags)
{
int ret;
struct SECURITY_CONTEXT ctx;
dentry->full_path);
return WIMLIB_ERR_NTFS_3G;
}
- if (inode->i_security_id != -1) {
+ if (inode->i_security_id != -1 &&
+ !(extract_flags & WIMLIB_EXTRACT_FLAG_NOACLS))
+ {
const char *desc;
const struct wim_security_data *sd;
}
ret = apply_file_attributes_and_security_data(ni, dir_ni, dentry,
- args->w);
+ args->w,
+ args->extract_flags);
if (ret != 0)
goto out_close_dir_ni;
static int
apply_root_dentry_ntfs(const struct wim_dentry *dentry,
- ntfs_volume *vol, const WIMStruct *w)
+ ntfs_volume *vol, const WIMStruct *w,
+ int extract_flags)
{
ntfs_inode *ni;
int ret = 0;
ERROR_WITH_ERRNO("Could not find root NTFS inode");
return WIMLIB_ERR_NTFS_3G;
}
- ret = apply_file_attributes_and_security_data(ni, ni, dentry, w);
+ ret = apply_file_attributes_and_security_data(ni, ni, dentry, w,
+ extract_flags);
if (ntfs_inode_close(ni) != 0) {
ERROR_WITH_ERRNO("Failed to close NTFS inode for root "
"directory");
/* Treat the root dentry specially. */
if (dentry_is_root(dentry))
- return apply_root_dentry_ntfs(dentry, vol, w);
+ return apply_root_dentry_ntfs(dentry, vol, w,
+ args->extract_flags);
/* NTFS filename namespaces need careful consideration. A name for a
* NTFS file may be in either the POSIX, Win32, DOS, or Win32+DOS
if (ret != 0)
return ret;
- /* Get security descriptor */
- char _sd[1];
- char *sd = _sd;
- errno = 0;
- ret = ntfs_xattr_system_getxattr(&ctx, XATTR_NTFS_ACL,
- ni, dir_ni, sd,
- sizeof(sd));
- if (ret > sizeof(sd)) {
- sd = alloca(ret);
+ if (!(add_image_flags & WIMLIB_ADD_IMAGE_FLAG_NO_ACLS)) {
+ /* Get security descriptor */
+ char _sd[1];
+ char *sd = _sd;
+ errno = 0;
ret = ntfs_xattr_system_getxattr(&ctx, XATTR_NTFS_ACL,
- ni, dir_ni, sd, ret);
- }
- if (ret > 0) {
- root->d_inode->i_security_id = sd_set_add_sd(sd_set, sd, ret);
- if (root->d_inode->i_security_id == -1) {
- ERROR("Out of memory");
- return WIMLIB_ERR_NOMEM;
+ ni, dir_ni, sd,
+ sizeof(sd));
+ if (ret > sizeof(sd)) {
+ sd = alloca(ret);
+ ret = ntfs_xattr_system_getxattr(&ctx, XATTR_NTFS_ACL,
+ ni, dir_ni, sd, ret);
+ }
+ if (ret > 0) {
+ root->d_inode->i_security_id = sd_set_add_sd(sd_set, sd, ret);
+ if (root->d_inode->i_security_id == -1) {
+ ERROR("Out of memory");
+ return WIMLIB_ERR_NOMEM;
+ }
+ DEBUG("Added security ID = %u for `%s'",
+ root->d_inode->i_security_id, path);
+ ret = 0;
+ } else if (ret < 0) {
+ ERROR_WITH_ERRNO("Failed to get security information from "
+ "`%s'", path);
+ ret = WIMLIB_ERR_NTFS_3G;
+ } else {
+ root->d_inode->i_security_id = -1;
+ DEBUG("No security ID for `%s'", path);
}
- DEBUG("Added security ID = %u for `%s'",
- root->d_inode->i_security_id, path);
- ret = 0;
- } else if (ret < 0) {
- ERROR_WITH_ERRNO("Failed to get security information from "
- "`%s'", path);
- ret = WIMLIB_ERR_NTFS_3G;
- } else {
- root->d_inode->i_security_id = -1;
- DEBUG("No security ID for `%s'", path);
}
return ret;
}
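Review bot: In the moved security-descriptor probe, `ret > sizeof(sd)` compares what the surrounding code treats as a signed `int` with a `size_t`, so a negative return from ntfs_xattr_system_getxattr (the case the `ret < 0` branch below is written for) converts to a huge unsigned value, takes the `alloca(ret)` path and never reaches the error branch; the first call also passes `sizeof(sd)`, the size of a pointer, as the capacity of the one-byte `_sd` buffer. Use the real buffer size and check the sign first: `ni, dir_ni, sd, sizeof(_sd));` for the probe and `if (ret > 0 && (size_t)ret > sizeof(_sd)) {` for the retry condition. When the new `WIMLIB_ADD_IMAGE_FLAG_NO_ACLS` branch is skipped, `i_security_id` is left at whatever the inode was initialised with outside this hunk; if that is not already -1, the skip path should assign it explicitly. The enclosing function starts outside the hunk.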
* This flag cannot be combined with ::WIMLIB_ADD_IMAGE_FLAG_NTFS. */
#define WIMLIB_ADD_IMAGE_FLAG_UNIX_DATA 0x00000010
+/** Do not capture security descriptors. Only has an effect in NTFS capture
+ * mode, or in Win32 native builds. */
+#define WIMLIB_ADD_IMAGE_FLAG_NO_ACLS 0x00000020
+
/******************************
* WIMLIB_EXPORT_FLAG_* *
******************************/
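Review bot: The two new public flags spell the same concept differently, `WIMLIB_ADD_IMAGE_FLAG_NO_ACLS` here and `WIMLIB_EXTRACT_FLAG_NOACLS` in the next hunk, and as exported header constants they are hard to rename once released; pick one spelling, e.g. `#define WIMLIB_ADD_IMAGE_FLAG_NO_ACLS 0x00000020` and `#define WIMLIB_EXTRACT_FLAG_NO_ACLS 0x00000040`. The doc comments could also state what happens in modes where the flag has no effect (as far as the capture and apply hunks show it is simply ignored there) so callers do not expect an error.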
* Cannot be used with ::WIMLIB_EXTRACT_FLAG_NTFS. */
#define WIMLIB_EXTRACT_FLAG_UNIX_DATA 0x00000020
+/** Do not extract security descriptors. Only has an effect in NTFS apply mode,
+ * or in Win32 native builds. */
+#define WIMLIB_EXTRACT_FLAG_NOACLS 0x00000040
+
/******************************
* WIMLIB_MOUNT_FLAG_* *
******************************/
}
#endif
-HANDLE
-win32_open_file_readonly(const wchar_t *path, bool data_only)
+static HANDLE
+win32_open_existing_file(const wchar_t *path, DWORD dwDesiredAccess)
{
- DWORD dwDesiredAccess = FILE_READ_DATA;
- if (!data_only)
- dwDesiredAccess |= FILE_READ_ATTRIBUTES | READ_CONTROL | ACCESS_SYSTEM_SECURITY;
return CreateFileW(path,
dwDesiredAccess,
FILE_SHARE_READ,
NULL /* hTemplateFile */);
}
+HANDLE
+win32_open_file_data_only(const wchar_t *path)
+{
+ return win32_open_existing_file(path, FILE_READ_DATA);
+}
+
int
win32_read_file(const mbchar *filename,
void *handle, u64 offset, size_t size, void *buf)
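Review bot: `win32_open_existing_file` has no comment stating which share mode and flags it passes to `CreateFileW` (the middle of the call is not visible in this hunk), yet the callers this commit adds rely on them: the timestamp open near the end of the file replaced an explicit `FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT` open, and without those a directory handle cannot be obtained and a reparse point would be followed to its target. Please document the contract above the definition, e.g. `/* Open an existing file by UTF-16 path with the given access; shares reads and opens directories and reparse points themselves (backup semantics, no reparse following). */`, adjusted to whatever the call actually passes, and confirm those two flags are present. The capture-side caller now requests only `FILE_READ_DATA | FILE_READ_ATTRIBUTES`, which is consistent with the descriptor being fetched separately by `win32_get_security_descriptor`.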
DWORD bytesRead;
int ret;
- hFile = win32_open_file_readonly(path, false);
+ hFile = win32_open_file_data_only(path);
if (hFile == INVALID_HANDLE_VALUE)
return WIMLIB_ERR_OPEN;
goto out_destroy_sd_set;
path_utf16_nchars = path_utf16_nbytes / sizeof(wchar_t);
- HANDLE hFile = win32_open_file_readonly(path_utf16, false);
+ HANDLE hFile = win32_open_existing_file(path_utf16,
+ FILE_READ_DATA | FILE_READ_ATTRIBUTES);
if (hFile == INVALID_HANDLE_VALUE) {
err = GetLastError();
ERROR("Win32 API: Failed to open \"%s\"", root_disk_path);
/* Get DOS name and security descriptor (if any). */
ret = win32_get_short_name(root, path_utf16);
- if (ret)
- goto out_close_handle;
- ret = win32_get_security_descriptor(root, sd_set, path_utf16);
if (ret)
goto out_close_handle;
+ if (!(add_image_flags & WIMLIB_ADD_IMAGE_FLAG_NO_ACLS)) {
+ ret = win32_get_security_descriptor(root, sd_set, path_utf16);
+ if (ret)
+ goto out_close_handle;
+ }
+
if (inode_is_directory(inode)) {
/* Directory (not a reparse point) --- recurse to children */
win32_extract_stream(const struct wim_inode *inode,
const wchar_t *path,
const wchar_t *stream_name_utf16,
- struct wim_lookup_table_entry *lte)
+ struct wim_lookup_table_entry *lte,
+ const struct wim_security_data *security_data)
{
wchar_t *stream_path;
HANDLE h;
DWORD err;
DWORD creationDisposition = CREATE_ALWAYS;
+ SECURITY_ATTRIBUTES *secattr;
+
+ if (security_data && inode->i_security_id != -1) {
+ secattr = alloca(sizeof(*secattr));
+ secattr->nLength = sizeof(*secattr);
+ secattr->lpSecurityDescriptor = security_data->descriptors[inode->i_security_id];
+ secattr->bInheritHandle = FALSE;
+ } else {
+ secattr = NULL;
+ }
+
if (stream_name_utf16) {
/* Named stream. Create a buffer that contains the UTF-16LE
* string [.\]@path:@stream_name_utf16. This is needed to
* the call to CreateFileW() will merely open the directory that
* was already created rather than creating a new file. */
if (inode->i_attributes & FILE_ATTRIBUTE_DIRECTORY) {
- if (!CreateDirectoryW(stream_path, NULL)) {
+ if (!CreateDirectoryW(stream_path, secattr)) {
err = GetLastError();
if (err != ERROR_ALREADY_EXISTS) {
ERROR("Failed to create directory \"%ls\"",
DEBUG("Opening \"%ls\"", stream_path);
h = CreateFileW(stream_path,
- GENERIC_WRITE | WRITE_OWNER | WRITE_DAC | ACCESS_SYSTEM_SECURITY,
+ GENERIC_WRITE,
0,
- NULL,
+ secattr,
creationDisposition,
FILE_FLAG_OPEN_REPARSE_POINT |
FILE_FLAG_BACKUP_SEMANTICS |
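Review bot: The security descriptor is now applied only through `CreateDirectoryW`/`CreateFileW` at creation time, so on the `ERROR_ALREADY_EXISTS` path this function tolerates for directories the existing directory keeps whatever security it already has, whereas the removed `win32_set_security_data` (SetFileSecurityW after extraction) applied it unconditionally; a `CREATE_ALWAYS` open that overwrites an existing file very likely behaves the same way. If that is intended, say so above the `secattr` setup, e.g. `/* The descriptor takes effect only when the object is created here; a pre-existing directory or file keeps its current security. */`, otherwise keep a SetFileSecurityW fallback for the already-exists case. `security_data->descriptors[inode->i_security_id]` is also indexed without a bound check; if `wim_security_data` carries an entry count, compare `i_security_id` against it before building `secattr`, since a corrupt WIM with an out-of-range id would otherwise read past the table (the removed function had the same gap). The enclosing function continues outside the hunk.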
*/
static int
win32_extract_streams(const struct wim_inode *inode,
- const wchar_t *path, u64 *completed_bytes_p)
+ const wchar_t *path, u64 *completed_bytes_p,
+ const struct wim_security_data *security_data)
{
struct wim_lookup_table_entry *unnamed_lte;
int ret;
unnamed_lte = inode_unnamed_lte_resolved(inode);
- ret = win32_extract_stream(inode, path, NULL, unnamed_lte);
+ ret = win32_extract_stream(inode, path, NULL, unnamed_lte,
+ security_data);
if (ret)
goto out;
if (unnamed_lte)
ret = win32_extract_stream(inode,
path,
ads_entry->stream_name,
- ads_entry->lte);
+ ads_entry->lte,
+ NULL);
if (ret)
break;
if (ads_entry->lte)
return ret;
}
-/*
- * Sets the security descriptor on an extracted file. This is Win32-specific
- * code.
- *
- * @inode: The WIM inode that was extracted and has a security descriptor.
- * @path: UTF-16LE external path that the inode was extracted to.
- * @sd: Security data for the WIM image.
- *
- * Returns 0 on success; nonzero on failure.
- */
-static int win32_set_security_data(const struct wim_inode *inode,
- const wchar_t *path,
- const struct wim_security_data *sd)
-{
- SECURITY_INFORMATION securityInformation = DACL_SECURITY_INFORMATION |
- SACL_SECURITY_INFORMATION |
- OWNER_SECURITY_INFORMATION |
- GROUP_SECURITY_INFORMATION;
- if (!SetFileSecurityW(path, securityInformation,
- (PSECURITY_DESCRIPTOR)sd->descriptors[inode->i_security_id]))
- {
- DWORD err = GetLastError();
- ERROR("Can't set security descriptor on \"%ls\"", path);
- win32_error(err);
- return WIMLIB_ERR_WRITE;
- }
- return 0;
-}
-
/* Extract a file, directory, reparse point, or hard link to an
* already-extracted file using the Win32 API */
int win32_do_apply_dentry(const mbchar *output_path,
} else {
/* Create the file, directory, or reparse point, and extract the
* data streams. */
+ const struct wim_security_data *security_data;
+ if (args->extract_flags & WIMLIB_EXTRACT_FLAG_NOACLS)
+ security_data = NULL;
+ else
+ security_data = wim_const_security_data(args->w);
+
ret = win32_extract_streams(inode, utf16le_path,
- &args->progress.extract.completed_bytes);
+ &args->progress.extract.completed_bytes,
+ security_data);
if (ret)
goto out_free_utf16_path;
- /* Set security descriptor if present */
- if (inode->i_security_id != -1) {
- DEBUG("Setting security descriptor %d on %s",
- inode->i_security_id, output_path);
- ret = win32_set_security_data(inode,
- utf16le_path,
- wim_const_security_data(args->w));
- if (ret)
- goto out_free_utf16_path;
- }
if (inode->i_nlink > 1) {
/* Save extracted path for a later call to
* CreateHardLinkW() if this inode has multiple links.
return ret;
DEBUG("Opening \"%s\" to set timestamps", output_path);
- h = CreateFileW(utf16le_path,
- GENERIC_WRITE | WRITE_OWNER | WRITE_DAC | ACCESS_SYSTEM_SECURITY,
- FILE_SHARE_READ,
- NULL,
- OPEN_EXISTING,
- FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
- NULL);
+ h = win32_open_existing_file(utf16le_path, FILE_WRITE_ATTRIBUTES);
if (h == INVALID_HANDLE_VALUE)
err = GetLastError();
size_t size, void *buf);
extern HANDLE
-win32_open_file_readonly(const wchar_t *path_utf16, bool data_only);
+win32_open_file_data_only(const wchar_t *path_utf16);
extern void
win32_close_file(void *handle);
case RESOURCE_WIN32:
if (lte->win32_file_on_disk_fp == INVALID_HANDLE_VALUE) {
lte->win32_file_on_disk_fp =
- win32_open_file_readonly(lte->win32_file_on_disk, true);
+ win32_open_file_data_only(lte->win32_file_on_disk);
if (lte->win32_file_on_disk_fp == INVALID_HANDLE_VALUE) {
ERROR("Win32 API: Can't open %ls", lte->win32_file_on_disk);
win32_error_last();