[PATCH 3/7] server: Implement object's security descriptor check
against token.
Vitaliy Margolen
wine-patches at kievinfo.com
Thu Feb 1 17:10:17 CST 2007
Robert Shearman wrote:
> Vitaliy Margolen wrote:
>> + res = token_access_check( token, obj->sd, *access, &priv,
>> &priv_count,
>> + &mapping, access, &status ) ==
>> STATUS_SUCCESS &&
>> + status == STATUS_SUCCESS;
>> + if (!res)
>> + {
>> + fprintf( stderr, "access check failed\n" );
>> + set_error( STATUS_ACCESS_DENIED );
>> + }
>
> We don't want anything in the wineserver that can possibly spam the
> console, so this should be made conditional on debug_level being non-zero.
In case we will have any problems related to security checks this will
be really helpful troubleshooting them.
> Also, is there any reason you return STATUS_ACCESS_DENIED instead of the
> statuses returned by token_access_check? Could you try writing a test
> that creates or opens an object with ACCESS_SYSTEM_SECURITY access and
> see if it returns STATUS_PRIVILEGE_NOT_HELD or STATUS_ACCESS_DENIED?
>
The two programs I'm fixing does not require this. Nor do we handle it
properly anyway.
Vitaliy.
More information about the wine-devel
mailing list