From fec65d853bbcfdb4639d8446db8d3c681c7ae00d Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 1 Sep 2012 12:58:09 -0500 Subject: [PATCH] security descriptor application fix --- doc/mkwinpeimg.1.in | 2 +- src/ntfs-apply.c | 6 +++--- src/security.c | 29 +++++++++++++++++++++++++++-- 3 files changed, 31 insertions(+), 6 deletions(-) diff --git a/doc/mkwinpeimg.1.in b/doc/mkwinpeimg.1.in index dd6084fd..0db9d6e0 100644 --- a/doc/mkwinpeimg.1.in +++ b/doc/mkwinpeimg.1.in @@ -1,4 +1,4 @@ -.TH MKWINPEIMG "1" "May 2012" "mkwinpeimg (wimlib @VERSION@)" "User Commands" +.TH MKWINPEIMG "1" "September 2012" "mkwinpeimg (wimlib @VERSION@)" "User Commands" .SH NAME mkwinpeimg \- Make a customized bootable image of Windows PE .SH SYNOPSIS diff --git a/src/ntfs-apply.c b/src/ntfs-apply.c index 23526810..d9f6d37a 100644 --- a/src/ntfs-apply.c +++ b/src/ntfs-apply.c @@ -280,9 +280,9 @@ apply_file_attributes_and_security_data(ntfs_inode *ni, SACL_SECURITY_INFORMATION; ret = ntfs_set_inode_security(ni, selection, descriptor); #else - ntfs_xattr_system_setxattr(&ctx, XATTR_NTFS_ACL, - ni, dir_ni, descriptor, - sd->sizes[dentry->security_id], 0); + ret = ntfs_xattr_system_setxattr(&ctx, XATTR_NTFS_ACL, + ni, dir_ni, descriptor, + sd->sizes[dentry->security_id], 0); #endif if (ret != 0) { diff --git a/src/security.c b/src/security.c index 6f0152ea..fef6043a 100644 --- a/src/security.c +++ b/src/security.c @@ -1,8 +1,9 @@ /* * security.c * - * Read the security data from the WIM. Doing anything with the security data - * is not yet implemented other than printing some information about it. + * Read and write the WIM security data. The security data is a table of + * security descriptors. Each WIM image has its own security data, but it's + * possible that an image's security data have no security descriptors. */ /* @@ -28,6 +29,29 @@ #include "io.h" #include "security.h" +/* + * This is a hack to work around a problem in libntfs-3g. libntfs-3g validates + * security descriptors with a function named ntfs_valid_descr(). + * ntfs_valid_descr() considers a security descriptor that ends in a SACL + * (Sysetm Access Control List) with no ACE's (Access Control Entries) to be + * invalid. However, a security descriptor like this exists in the Windows 7 + * install.wim. Here, security descriptors matching this pattern are modified + * to have no SACL. This should make no difference since the SACL had no + * entries anyway; however his ensures that that the security descriptors pass + * the validation in libntfs-3g. + */ +static void empty_sacl_fixup(char *descr, u64 *size_p) +{ + if (*size_p >= sizeof(SecurityDescriptor)) { + SecurityDescriptor *sd = (SecurityDescriptor*)descr; + u32 sacl_offset = le32_to_cpu(sd->sacl_offset); + if (sacl_offset == *size_p - sizeof(ACL)) { + sd->sacl_offset = to_le32(0); + *size_p -= sizeof(ACL); + } + } +} + /* * Reads the security data from the metadata resource. * @@ -150,6 +174,7 @@ int read_security_data(const u8 metadata_resource[], u64 metadata_resource_len, goto out_free_sd; } p = get_bytes(p, sd->sizes[i], sd->descriptors[i]); + empty_sacl_fixup(sd->descriptors[i], &sd->sizes[i]); } out: sd->total_length = (u32)total_len; -- 2.43.0