✨ Add set_facl_nofollow for symlink-aware ACL writes on Windows

Use handle-based SetSecurityInfo with FILE_FLAG_OPEN_REPARSE_POINT to
set ACLs on symlinks without following them. Extract ACL buffer building
into build_acl_buffer to share between set_d_acl and set_d_acl_by_handle.

Author: ChanTsune

cli/src/utils/os/windows/acl.rs

@@ -1,12 +1,13 @@
 use crate::{
     chunk::{self, AcePlatform, Identifier, OwnerType},
     utils::os::windows::{
-        fs::open_read_metadata,
+        fs::{open_read_metadata, open_write_dacl},
         security::{SecurityDescriptor, Sid, SidType},
     },
 };
 use field_offset::offset_of;
 use std::{io, mem, path::Path, ptr::null_mut};
+use windows::Win32::Foundation::HANDLE;
 use windows::Win32::Security::{
     ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE, ACE_FLAGS, ACE_HEADER, ACL as Win32ACL, ACL_REVISION_DS,
     AddAccessAllowedAceEx, AddAccessDeniedAceEx, CONTAINER_INHERIT_ACE, GetAce, INHERIT_ONLY_ACE,
@@ -41,6 +42,20 @@ pub fn get_facl<P: AsRef<Path>>(path: P) -> io::Result<chunk::Acl> {
     })
 }
 
+pub fn set_facl_nofollow<P: AsRef<Path>>(path: P, ace_list: chunk::Acl) -> io::Result<()> {
+    let path = path.as_ref();
+    let handle = open_write_dacl(path, false)?;
+    let acl = ACL::try_from_handle(handle.raw(), path)?;
+    let group_sid = acl.security_descriptor.group_sid()?;
+    let owner_sid = acl.security_descriptor.owner_sid()?;
+    let acl_entries = ace_list
+        .entries
+        .into_iter()
+        .map(|it| it.into_acl_entry_with(&owner_sid, &group_sid))
+        .collect::<Vec<_>>();
+    acl.set_d_acl_by_handle(handle.raw(), &acl_entries)
+}
+
 pub fn get_facl_nofollow<P: AsRef<Path>>(path: P) -> io::Result<chunk::Acl> {
     let acl = ACL::try_from_nofollow(path.as_ref())?;
     let ace_list = acl.get_d_acl()?;
@@ -71,6 +86,12 @@ impl ACL {
         })
     }
 
+    pub fn try_from_handle(handle: HANDLE, path: &Path) -> io::Result<Self> {
+        Ok(Self {
+            security_descriptor: SecurityDescriptor::try_from_handle(handle, path)?,
+        })
+    }
+
     pub fn get_d_acl(&self) -> io::Result<Vec<ACLEntry>> {
         let mut result = Vec::new();
         let p_acl = self.security_descriptor.p_dacl;
@@ -128,37 +149,47 @@ impl ACL {
     }
 
     pub fn set_d_acl(&self, acl_entries: &[ACLEntry]) -> io::Result<()> {
-        let acl_size = acl_entries.iter().map(|it| it.size as usize).sum::<usize>()
-            + mem::size_of::<Win32ACL>();
-        let mut new_acl_buffer = Vec::<u8>::with_capacity(acl_size);
-        let new_acl = new_acl_buffer.as_mut_ptr();
-        unsafe { InitializeAcl(new_acl as _, acl_size as u32, ACL_REVISION_DS) }?;
-        for ace in acl_entries {
-            match ace.ace_type {
-                AceType::AccessAllow => unsafe {
-                    AddAccessAllowedAceEx(
-                        new_acl as _,
-                        ACL_REVISION_DS,
-                        ACE_FLAGS(ace.flags as u32),
-                        ace.mask,
-                        ace.sid.as_psid(),
-                    )
-                },
-                AceType::AccessDeny => unsafe {
-                    AddAccessDeniedAceEx(
-                        new_acl as _,
-                        ACL_REVISION_DS,
-                        ACE_FLAGS(ace.flags as u32),
-                        ace.mask,
-                        ace.sid.as_psid(),
-                    )
-                },
-                AceType::Unknown(n) => return Err(io::Error::other(format!("{}", n))),
-            }?;
-        }
+        let buffer = build_acl_buffer(acl_entries)?;
         self.security_descriptor
-            .apply(None, None, Some(new_acl as _))
+            .apply(None, None, Some(buffer.as_ptr() as _))
+    }
+
+    pub fn set_d_acl_by_handle(&self, handle: HANDLE, acl_entries: &[ACLEntry]) -> io::Result<()> {
+        let buffer = build_acl_buffer(acl_entries)?;
+        SecurityDescriptor::apply_by_handle(handle, None, None, Some(buffer.as_ptr() as _))
+    }
+}
+
+fn build_acl_buffer(acl_entries: &[ACLEntry]) -> io::Result<Vec<u8>> {
+    let acl_size =
+        acl_entries.iter().map(|it| it.size as usize).sum::<usize>() + mem::size_of::<Win32ACL>();
+    let mut buffer = Vec::<u8>::with_capacity(acl_size);
+    let ptr = buffer.as_mut_ptr();
+    unsafe { InitializeAcl(ptr as _, acl_size as u32, ACL_REVISION_DS) }?;
+    for ace in acl_entries {
+        match ace.ace_type {
+            AceType::AccessAllow => unsafe {
+                AddAccessAllowedAceEx(
+                    ptr as _,
+                    ACL_REVISION_DS,
+                    ACE_FLAGS(ace.flags as u32),
+                    ace.mask,
+                    ace.sid.as_psid(),
+                )
+            },
+            AceType::AccessDeny => unsafe {
+                AddAccessDeniedAceEx(
+                    ptr as _,
+                    ACL_REVISION_DS,
+                    ACE_FLAGS(ace.flags as u32),
+                    ace.mask,
+                    ace.sid.as_psid(),
+                )
+            },
+            AceType::Unknown(n) => return Err(io::Error::other(format!("{}", n))),
+        }?;
     }
+    Ok(buffer)
 }
 
 #[derive(Clone, Copy, Debug, PartialEq)]

cli/src/utils/os/windows/fs.rs

@@ -12,7 +12,7 @@ use windows::Win32::Storage::FileSystem::{
     FILE_READ_ATTRIBUTES, FILE_SHARE_DELETE, FILE_SHARE_READ, FILE_SHARE_WRITE,
     FILE_WRITE_ATTRIBUTES, FileBasicInfo, GetFileInformationByHandle, GetFileInformationByHandleEx,
     MOVEFILE_COPY_ALLOWED, MOVEFILE_REPLACE_EXISTING, MoveFileExW, OPEN_EXISTING, READ_CONTROL,
-    SetFileInformationByHandle, WRITE_OWNER,
+    SetFileInformationByHandle, WRITE_DAC, WRITE_OWNER,
 };
 use windows::core::PCWSTR;
 
@@ -80,6 +80,11 @@ pub(crate) fn open_read_metadata(path: &Path, follow_symlink: bool) -> io::Resul
     )
 }
 
+#[inline]
+pub(crate) fn open_write_dacl(path: &Path, follow_symlink: bool) -> io::Result<FileHandle> {
+    open_path(path, (READ_CONTROL | WRITE_DAC).0, follow_symlink)
+}
+
 #[inline]
 pub(crate) fn file_information(handle: HANDLE) -> io::Result<BY_HANDLE_FILE_INFORMATION> {
     let mut info = BY_HANDLE_FILE_INFORMATION::default();