[PATCH 3/4] advapi32: Add DACL inheritance support in SetSecurityInfo

Piotr Caban piotr.caban at gmail.com
Thu Mar 26 13:10:25 CDT 2015

On 03/26/15 17:59, Erich E. Hoover wrote:
> I do not believe this is the correct place to make this change.
> Inheritance still needs to occur even when SetSecurityInfo is not
> used, which pretty much means it has to be within the wineserver
> itself so that the same code can be used for CreateFile.  The code I
> put together for this (as written it is somewhat dependent on my other
> ACL code) can be found here:
> https://github.com/wine-compholio/wine-staging/tree/master/patches/server-Inherited_ACLs
> The first patch is for CreateFile and the second one is for
> SetSecurityInfo.  I'm happy to try and change this to help you solve
> your problem without my other ACL code, it's been on my TODO list
> anyway - I've just been too busy with work lately :/

On windows the inheritance code is inside ntmarta.dll (according to some 
Microsoft docs). Probably Microsoft uses ntmarta.dll inside advapi. But 
I don't think we want to be compatible with native dlls in this case.

The inheritance doesn't occur when function from ntdll are used for 
setting DACL. This makes your code inside server incorrect. Also your 
code is not checking handle permissions correctly. If you try to test it 
keep in mind that if correct inheritance flags are set in security 
descriptor control field the permissions will be filled when you 
right-click on file and display security properties on windows.

I see 3 ways of implementing the DACLs inheritance:
  1) add a server call that does the inheritance
     in this case there's no code duplication between CreateFile and 
SetFileInformation, also it's possible to skip the inheritance when 
NtSetSecurityObject is used directly
  2) duplicate inheritance code inside advapi and ntdll/server
     I think this is the best solution. The code that merges 2 DACLs has 
only ~36 lines in my implementation. The code for getting parent 
directory DACL is also not long (~30 lines). This code may get longer in 
future (when we have complete support for security descriptors).
  3) implement something like ntmarta.dll
     This will need much more testing. I'm also not sure if it can be 
used from ntdll at all.

What do you think about it?


P.S. this patches fixes some real installers (TEMSInvestigation 16.1.1 
(fails), Uru - Ages Beyond Myst (fails to remove some temporary files))

More information about the wine-devel mailing list