kernel32: Don't require full access to the newly created process and thread.
Vitaliy Margolen
wine-devel at kievinfo.com
Mon Jan 22 12:21:36 CST 2007
Robert Shearman wrote:
> Vitaliy Margolen wrote:
>> - req->process_access = PROCESS_ALL_ACCESS;
>> + req->process_access = MAXIMUM_ALLOWED | PROCESS_ALL_ACCESS;
>> req->process_attr = (psa && (psa->nLength >= sizeof(*psa))
>> && psa->bInheritHandle) ? OBJ_INHERIT : 0;
>> - req->thread_access = THREAD_ALL_ACCESS;
>> + req->thread_access = MAXIMUM_ALLOWED | THREAD_ALL_ACCESS;
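Review bot: the new values assigned to req->process_access and req->thread_access OR MAXIMUM_ALLOWED together with the full *_ALL_ACCESS mask, and nothing in the hunk says what that combination is meant to request. From these lines alone a reader cannot tell whether handle creation should fail or fall back to a reduced mask when some of the ALL_ACCESS rights are denied. Please add a comment above each assignment stating the intended behaviour and why neither flag is used on its own, so the unusual mask is not "cleaned up" later by someone who reads it as redundant.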
>
> This looks wrong/confusing. I don't think MAXIMUM_ALLOWED does anything
> more when or'd with specific access rights.
>
Well, that's the price to pay for not having a security descriptor in every
object. We can't use PROCESS_ALL_ACCESS here. I have a few apps that
purposely restrict some access and fail when we can't create a handle
here. But we can't just use MAXIMUM_ALLOWED either, because then it
won't be mapped into an access mask when no SD is specified for the object.
Vitaliy.