[PATCH 3/7] server: Implement object's security descriptor check against token.

Robert Shearman rob at codeweavers.com
Thu Feb 1 06:42:23 CST 2007


Vitaliy Margolen wrote:
> +    res = token_access_check( token, obj->sd, *access, &priv, &priv_count,
> +                              &mapping, access, &status ) == STATUS_SUCCESS &&
> +          status == STATUS_SUCCESS;
> +    if (!res)
> +    {
> +        fprintf( stderr, "access check failed\n" );
> +        set_error( STATUS_ACCESS_DENIED );
> +    }
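
Review bot: In the token_access_check() call, *access is passed as the desired mask while the same pointer, access, is passed as the granted-access output, so the caller's requested mask is overwritten in place. On the failure path the hunk then only calls set_error(), and *access may be left holding whatever the callee wrote rather than the original request. Consider receiving the granted mask in a local variable and storing it to *access only when res is true, so a caller that ignores the error never sees a partially granted mask.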

We don't want anything in the wineserver that can possibly spam the 
console, so this should be made conditional on debug_level being non-zero.

Also, is there any reason you return STATUS_ACCESS_DENIED instead of the 
statuses returned by token_access_check? Could you try writing a test 
that creates or opens an object with ACCESS_SYSTEM_SECURITY access and 
see if it returns STATUS_PRIVILEGE_NOT_HELD or STATUS_ACCESS_DENIED?

-- 
Rob Shearman



