Throughout drop allow_ntsec and allow_smbntsec handling.

* environ.cc (set_ntsec): Remove.
	(set_smbntsec): Remove.
	(known): Remove ntsec and smbntsec options.
	* external.cc (check_ntsec): Return true if no filename is given.
	* mount.cc (oopts): Add "acl" and "noacl" options.  Set MOUNT_NOACL
	flag accordingly.
	(fillout_mntent): Handle MOUNT_NOACL flag.
	* path.h (enum path_types): Add PATH_NOACL.
	* security.cc (allow_ntsec): Remove.
	(allow_smbntsec): Remove.
	* security.h (allow_ntsec): Drop declaration.
	(allow_smbntsec): Drop declaration.
	* include/sys/mount.h (MOUNT_NOACL): Define.

winsup/cygwin/ChangeLog

@@ -1,3 +1,20 @@
+2008-07-14  Corinna Vinschen  <corinna@vinschen.de>
+
+	Throughout drop allow_ntsec and allow_smbntsec handling.
+	* environ.cc (set_ntsec): Remove.
+	(set_smbntsec): Remove.
+	(known): Remove ntsec and smbntsec options.
+	* external.cc (check_ntsec): Return true if no filename is given.
+	* mount.cc (oopts): Add "acl" and "noacl" options.  Set MOUNT_NOACL
+	flag accordingly.
+	(fillout_mntent): Handle MOUNT_NOACL flag.
+	* path.h (enum path_types): Add PATH_NOACL.
+	* security.cc (allow_ntsec): Remove.
+	(allow_smbntsec): Remove.
+	* security.h (allow_ntsec): Drop declaration.
+	(allow_smbntsec): Drop declaration.
+	* include/sys/mount.h (MOUNT_NOACL): Define.
+
 2008-07-14  Corinna Vinschen  <corinna@vinschen.de>
 
 	* miscfuncs.cc (cygwin_strncasecmp): Fix bug which results in

winsup/cygwin/environ.cc

@@ -571,18 +571,6 @@ set_proc_retry (const char *buf)
   child_info::retry_count = strtoul (buf, NULL, 0);
 }
 
-static void
-set_ntsec (const char *buf)
-{
-  allow_ntsec = (buf && ascii_strcasematch (buf, "yes"));
-}
-
-static void
-set_smbntsec (const char *buf)
-{
-  allow_smbntsec = (buf && ascii_strcasematch (buf, "yes"));
-}
-
 /* The structure below is used to set up an array which is used to
    parse the CYGWIN environment variable or, if enabled, options from
    the registry.  */
@@ -615,13 +603,11 @@ static struct parse_thing
   {"export", {&export_settings}, justset, NULL, {{false}, {true}}},
   {"forkchunk", {func: set_chunksize}, isfunc, NULL, {{0}, {0}}},
   {"glob", {func: &glob_init}, isfunc, NULL, {{0}, {s: "normal"}}},
-  {"ntsec", {func: set_ntsec}, isfunc, NULL, {{0}, {s: "yes"}}},
   {"proc_retry", {func: set_proc_retry}, isfunc, NULL, {{0}, {5}}},
   {"reset_com", {&reset_com}, justset, NULL, {{false}, {true}}},
 #ifdef USE_SERVER
   {"server", {&allow_server}, justset, NULL, {{false}, {true}}},
 #endif
-  {"smbntsec", {func: set_smbntsec}, isfunc, NULL, {{0}, {s: "yes"}}},
   {"strip_title", {&strip_title_path}, justset, NULL, {{false}, {true}}},
   {"title", {&display_title}, justset, NULL, {{false}, {true}}},
   {"tty", {NULL}, set_process_state, NULL, {{0}, {PID_USETTY}}},

winsup/cygwin/external.cc

@@ -123,9 +123,9 @@ static DWORD
 check_ntsec (const char *filename)
 {
   if (!filename)
-    return allow_ntsec;
+    return true;
   path_conv pc (filename);
-  return allow_ntsec && pc.has_acls ();
+  return pc.has_acls ();
 }
 
 /* Copy cygwin environment variables to the Windows environment. */

winsup/cygwin/fhandler.cc

@@ -374,13 +374,12 @@ fhandler_base::fhaccess (int flags)
   else if (has_attribute (FILE_ATTRIBUTE_READONLY) && (flags & W_OK)
 	   && !pc.isdir ())
     goto eaccess_done;
-  else if (has_acls () && allow_ntsec)
+  else if (has_acls ())
     {
       res = check_file_access (pc, flags);
       goto done;
     }
-  else if (get_device () == FH_REGISTRY && allow_ntsec && open (O_RDONLY, 0)
+  else if (get_device () == FH_REGISTRY && open (O_RDONLY, 0) && get_handle ())
-	   && get_handle ())
     {
       res = check_registry_access (get_handle (), flags);
       close ();
@@ -588,7 +587,7 @@ fhandler_base::open (int flags, mode_t mode)
 	     descriptor matches.  The result is that the file gets created, but
 	     then NtCreateFile doesn't return a handle to the file and fails
 	     with STATUS_ACCESS_DENIED.  Go figure! */
-	  if (allow_ntsec && has_acls ())
+	  if (has_acls ())
 	    {
 	      set_security_attribute (mode, &sa, sd);
 	      attr.SecurityDescriptor = sa.lpSecurityDescriptor;

winsup/cygwin/fhandler_disk_file.cc

@@ -761,7 +761,7 @@ fhandler_disk_file::fchmod (mode_t mode)
       if (!(oret = open (O_BINARY, 0)))
 	{
 	  /* Need WRITE_DAC|WRITE_OWNER to write ACLs. */
-	  if (allow_ntsec && pc.has_acls ())
+	  if (pc.has_acls ())
 	    return -1;
 	  /* Otherwise FILE_WRITE_ATTRIBUTES is sufficient. */
 	  query_open (query_write_attributes);
@@ -798,13 +798,12 @@ fhandler_disk_file::fchmod (mode_t mode)
       goto out;
     }
 
-  if (allow_ntsec && pc.has_acls ())
+  if (pc.has_acls ())
     {
       if (pc.isdir ())
 	mode |= S_IFDIR;
       if (!set_file_attribute (get_handle (), pc,
-			       ILLEGAL_UID, ILLEGAL_GID, mode)
+			       ILLEGAL_UID, ILLEGAL_GID, mode))
-	  && allow_ntsec)
 	res = 0;
     }
 
@@ -823,7 +822,7 @@ fhandler_disk_file::fchmod (mode_t mode)
   status = NtSetInformationFile (get_handle (), &io, &fbi, sizeof fbi,
 				 FileBasicInformation);
   /* Correct NTFS security attributes have higher priority */
-  if (!allow_ntsec || !pc.has_acls ())
+  if (!pc.has_acls ())
     {
       if (!NT_SUCCESS (status))
 	__seterrno_from_nt_status (status);
@@ -843,7 +842,7 @@ fhandler_disk_file::fchown (__uid32_t uid, __gid32_t gid)
 {
   int oret = 0;
 
-  if (!pc.has_acls () || !allow_ntsec)
+  if (!pc.has_acls ())
     {
       /* fake - if not supported, pretend we're like win95
 	 where it just works */
@@ -887,7 +886,7 @@ fhandler_disk_file::facl (int cmd, int nentries, __aclent32_t *aclbufp)
   int res = -1;
   int oret = 0;
 
-  if (!pc.has_acls () || !allow_ntsec)
+  if (!pc.has_acls ())
     {
 cant_access_acl:
       switch (cmd)
@@ -1388,7 +1387,7 @@ fhandler_disk_file::mkdir (mode_t mode)
   SECURITY_ATTRIBUTES sa = sec_none_nih;
   security_descriptor sd;
 
-  if (allow_ntsec && has_acls ())
+  if (has_acls ())
     set_security_attribute (S_IFDIR | ((mode & 07777) & ~cygheap->umask),
 			    &sa, sd);
 

winsup/cygwin/fhandler_socket.cc

@@ -882,7 +882,7 @@ fhandler_socket::bind (const struct sockaddr *name, int namelen)
 	fattr |= FILE_ATTRIBUTE_READONLY;
       SECURITY_ATTRIBUTES sa = sec_none_nih;
       security_descriptor sd;
-      if (allow_ntsec && pc.has_acls ())
+      if (pc.has_acls ())
 	set_security_attribute (mode, &sa, sd);
       NTSTATUS status;
       HANDLE fh;

winsup/cygwin/include/sys/mount.h

@@ -30,7 +30,8 @@ enum
   MOUNT_DEVFS =		0x0200,	/* /device "filesystem" */
   MOUNT_PROC =		0x0400,	/* /proc "filesystem" */
   MOUNT_ENC =		0x0800,	/* encode special characters */
-  MOUNT_RO =		0x1000  /* read-only "filesystem" */
+  MOUNT_RO =		0x1000, /* read-only "filesystem" */
+  MOUNT_NOACL =		0x2000  /* support reading/writing ACLs */
 };
 
 int mount (const char *, const char *, unsigned __flags);

winsup/cygwin/mount.cc

@@ -831,7 +831,9 @@ struct opt
   {"notexec", MOUNT_NOTEXEC, 0},
   {"cygexec", MOUNT_CYGWIN_EXEC, 0},
   {"nosuid", 0, 0},
-  {"managed", MOUNT_ENC, 0}
+  {"managed", MOUNT_ENC, 0},
+  {"acl", MOUNT_NOACL, 1},
+  {"noacl", MOUNT_NOACL, 0}
 };
 
 static bool
@@ -1353,6 +1355,9 @@ fillout_mntent (const char *native_path, const char *posix_path, unsigned flags)
   if (flags & MOUNT_ENC)
     strcat (_my_tls.locals.mnt_opts, ",managed");
 
+  if (flags & MOUNT_NOACL)
+    strcat (_my_tls.locals.mnt_opts, (char *) ",noacl");
+
   if ((flags & MOUNT_CYGDRIVE))		/* cygdrive */
     strcat (_my_tls.locals.mnt_opts, (char *) ",noumount");
 

winsup/cygwin/path.cc

@@ -516,8 +516,7 @@ fs_info::update (PUNICODE_STRING upath, HANDLE in_vol)
   is_nfs (RtlEqualUnicodeString (&fsname, &testname, FALSE));
   is_cdrom (ffdi.DeviceType == FILE_DEVICE_CD_ROM);
 
-  has_acls ((flags () & FS_PERSISTENT_ACLS)
+  has_acls (flags () & FS_PERSISTENT_ACLS);
-	    && (allow_smbntsec || !is_remote_drive ()));
   hasgood_inode (((flags () & FILE_PERSISTENT_ACLS) && !is_netapp ())
 		 || is_nfs ());
   /* Known file systems with buggy open calls. Further explanation
@@ -1231,7 +1230,7 @@ out:
       if (exists () || fs.update (get_nt_native_path (), NULL))
 	{
 	  debug_printf ("this->path(%s), has_acls(%d)", path, fs.has_acls ());
-	  if (fs.has_acls () && allow_ntsec)
+	  if (fs.has_acls ())
 	    set_exec (0);  /* We really don't know if this is executable or not here
 			      but set it to not executable since it will be figured out
 			      later by anything which cares about this. */
@@ -1785,7 +1784,7 @@ symlink_worker (const char *oldpath, const char *newpath, bool use_winsym,
 	  goto done;
 	}
     }
-  if (allow_ntsec && win32_newpath.has_acls ())
+  if (win32_newpath.has_acls ())
     set_security_attribute (S_IFLNK | STD_RBITS | STD_WBITS,
 			    &sa, sd);
   status = NtCreateFile (&fh, DELETE | FILE_GENERIC_WRITE,

winsup/cygwin/path.h

@@ -80,6 +80,7 @@ enum path_types
   PATH_CYGWIN_EXEC	= MOUNT_CYGWIN_EXEC,
   PATH_ENC		= MOUNT_ENC,
   PATH_RO		= MOUNT_RO,
+  PATH_NOACL		= MOUNT_NOACL,
   PATH_ALL_EXEC		= (PATH_CYGWIN_EXEC | PATH_EXEC),
   PATH_NO_ACCESS_CHECK	= PC_NO_ACCESS_CHECK,
   PATH_LNK		= 0x01000000,
@@ -148,7 +149,7 @@ class path_conv
   bool case_clash;
 
   bool isremote () const {return fs.is_remote_drive ();}
-  bool has_acls () const {return fs.has_acls (); }
+  bool has_acls () const {return !(path_flags & PATH_NOACL) && fs.has_acls (); }
   bool hasgood_inode () const {return fs.hasgood_inode (); }
   bool isgood_inode (__ino64_t ino) const;
   int has_symlinks () const {return path_flags & PATH_HAS_SYMLINKS;}

winsup/cygwin/security.cc

@@ -29,12 +29,6 @@ details. */
 				  | GROUP_SECURITY_INFORMATION \
 				  | OWNER_SECURITY_INFORMATION)
 
-/* Set ntsec explicit as default. */
-bool allow_ntsec = true;
-/* allow_smbntsec is handled exclusively in path.cc (path_conv::check).
-   It's defined here because of it's strong relationship to allow_ntsec. */
-bool allow_smbntsec;
-
 LONG
 get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd)
 {
@@ -310,15 +304,12 @@ int
 get_reg_attribute (HKEY hkey, mode_t *attribute, __uid32_t *uidret,
 		   __gid32_t *gidret)
 {
-  if (allow_ntsec)
+  security_descriptor sd;
-    {
-      security_descriptor sd;
 
-      if (!get_reg_sd (hkey, sd))
+  if (!get_reg_sd (hkey, sd))
-	{
+    {
-	  get_info_from_sd (sd, attribute, uidret, gidret);
+      get_info_from_sd (sd, attribute, uidret, gidret);
-	  return 0;
+      return 0;
-	}
     }
   /* The entries are already set to default values */
   return -1;
@@ -328,7 +319,7 @@ int
 get_file_attribute (HANDLE handle, path_conv &pc,
 		    mode_t *attribute, __uid32_t *uidret, __gid32_t *gidret)
 {
-  if (pc.has_acls () && allow_ntsec)
+  if (pc.has_acls ())
     {
       security_descriptor sd;
 
@@ -707,7 +698,7 @@ set_file_attribute (HANDLE handle, path_conv &pc,
 {
   int ret = -1;
 
-  if (pc.has_acls () && allow_ntsec)
+  if (pc.has_acls ())
     {
       security_descriptor sd;
 

winsup/cygwin/security.h

@@ -336,9 +336,6 @@ legal_sid_type (SID_NAME_USE type)
       || type == SidTypeAlias || type == SidTypeWellKnownGroup;
 }
 
-extern bool allow_ntsec;
-extern bool allow_smbntsec;
-
 /* File manipulation */
 int __stdcall get_file_attribute (HANDLE, path_conv &, mode_t *,
 				  __uid32_t *, __gid32_t *);

winsup/cygwin/spawn.cc

@@ -169,7 +169,7 @@ find_exec (const char *name, path_conv& buf, const char *mywinenv,
 
       if ((suffix = perhaps_suffix (tmp, buf, err, opt)) != NULL)
 	{
-	  if (buf.has_acls () && allow_ntsec && check_file_access (buf, X_OK))
+	  if (buf.has_acls () && check_file_access (buf, X_OK))
 	    continue;
 
 	  if (posix == tmp)