Rob Shearman : server: Move most of the duplicate_token request to a new function, token_duplicate, to enable the code to be used inside wineserver.

Wed May 30 08:56:50 CDT 2007

Module: wine
Branch: master
Commit: bdf964dce80c66c7eb4d9ad5376393648dbb2075
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=bdf964dce80c66c7eb4d9ad5376393648dbb2075

Author: Rob Shearman <rob at codeweavers.com>
Date:   Mon May 28 18:39:33 2007 +0100

server: Move most of the duplicate_token request to a new function, token_duplicate, to enable the code to be used inside wineserver.

---

 server/security.h |    2 +
 server/token.c    |  101 +++++++++++++++++++++++++++++------------------------
 2 files changed, 57 insertions(+), 46 deletions(-)

diff --git a/server/security.h b/server/security.h
index 20f42e3..f0c1b8c 100644
--- a/server/security.h
+++ b/server/security.h
@@ -42,6 +42,8 @@ extern const LUID SeCreateGlobalPrivilege;
 extern const PSID security_interactive_sid;
 
 extern struct token *token_create_admin(void);
+extern struct token *token_duplicate( struct token *src_token, unsigned primary,
+                                      SECURITY_IMPERSONATION_LEVEL impersonation_level );
 extern int token_check_privileges( struct token *token, int all_required,
                                    const LUID_AND_ATTRIBUTES *reqprivs,
                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
diff --git a/server/token.c b/server/token.c
index 9472cf5..8975c54 100644
--- a/server/token.c
+++ b/server/token.c
@@ -520,6 +520,59 @@ static struct token *create_token( unsigned primary, const SID *user,
     return token;
 }
 
+struct token *token_duplicate( struct token *src_token, unsigned primary,
+                               SECURITY_IMPERSONATION_LEVEL impersonation_level )
+{
+    const luid_t *modified_id =
+        primary || (impersonation_level == src_token->impersonation_level) ?
+            &src_token->modified_id : NULL;
+    struct token *token = NULL;
+    struct privilege *privilege;
+    struct group *group;
+
+    if ((impersonation_level < SecurityAnonymous) ||
+        (impersonation_level > SecurityDelegation))
+    {
+        set_error( STATUS_BAD_IMPERSONATION_LEVEL );
+        return NULL;
+    }
+
+    if (primary || (impersonation_level <= src_token->impersonation_level))
+        token = create_token( primary, src_token->user, NULL, 0,
+                              NULL, 0, src_token->default_dacl,
+                              src_token->source, modified_id,
+                              impersonation_level );
+    else set_error( STATUS_BAD_IMPERSONATION_LEVEL );
+
+    if (!token) return token;
+
+    /* copy groups */
+    LIST_FOR_EACH_ENTRY( group, &src_token->groups, struct group, entry )
+    {
+        size_t size = FIELD_OFFSET( struct group, sid.SubAuthority[group->sid.SubAuthorityCount] );
+        struct group *newgroup = mem_alloc( size );
+        if (!newgroup)
+        {
+            release_object( token );
+            return NULL;
+        }
+        memcpy( newgroup, group, size );
+        list_add_tail( &token->groups, &newgroup->entry );
+    }
+    token->primary_group = src_token->primary_group;
+    assert( token->primary_group );
+
+    /* copy privileges */
+    LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
+        if (!privilege_add( token, &privilege->luid, privilege->enabled ))
+        {
+            release_object( token );
+            return NULL;
+        }
+
+    return token;
+}
+
 static ACL *create_default_dacl( const SID *user )
 {
     ACCESS_ALLOWED_ACE *aaa;
@@ -1170,58 +1223,14 @@ DECL_HANDLER(duplicate_token)
 {
     struct token *src_token;
 
-    if ((req->impersonation_level < SecurityAnonymous) ||
-        (req->impersonation_level > SecurityDelegation))
-    {
-        set_error( STATUS_BAD_IMPERSONATION_LEVEL );
-        return;
-    }
-
     if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
                                                      TOKEN_DUPLICATE,
                                                      &token_ops )))
     {
-        const luid_t *modified_id =
-            req->primary || (req->impersonation_level == src_token->impersonation_level) ?
-                &src_token->modified_id : NULL;
-        struct token *token = NULL;
-
-        if (req->primary || (req->impersonation_level <= src_token->impersonation_level))
-            token = create_token( req->primary, src_token->user, NULL, 0,
-                                  NULL, 0, src_token->default_dacl,
-                                  src_token->source, modified_id,
-                                  req->impersonation_level );
-        else set_error( STATUS_BAD_IMPERSONATION_LEVEL );
-
+        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level );
         if (token)
         {
-            struct privilege *privilege;
-            struct group *group;
-            unsigned int access;
-
-            /* copy groups */
-            LIST_FOR_EACH_ENTRY( group, &src_token->groups, struct group, entry )
-            {
-                size_t size = FIELD_OFFSET( struct group, sid.SubAuthority[group->sid.SubAuthorityCount] );
-                struct group *newgroup = mem_alloc( size );
-                if (!newgroup)
-                {
-                    release_object( token );
-                    release_object( src_token );
-                    return;
-                }
-                memcpy( newgroup, group, size );
-                list_add_tail( &token->groups, &newgroup->entry );
-            }
-            token->primary_group = src_token->primary_group;
-            assert( token->primary_group );
-
-            /* copy privileges */
-            LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
-                privilege_add( token, &privilege->luid, privilege->enabled );
-
-            access = req->access;
-            reply->new_handle = alloc_handle( current->process, token, access, req->attributes);
+            reply->new_handle = alloc_handle( current->process, token, req->access, req->attributes);
             release_object( token );
         }
         release_object( src_token );


