[PATCH 3/4] advapi32: Add DACL inheritance support in SetSecurityInfo
Piotr Caban
piotr.caban at gmail.com
Thu Mar 26 13:10:25 CDT 2015
On 03/26/15 17:59, Erich E. Hoover wrote:
> I do not believe this is the correct place to make this change.
> Inheritance still needs to occur even when SetSecurityInfo is not
> used, which pretty much means it has to be within the wineserver
> itself so that the same code can be used for CreateFile. The code I
> put together for this (as written it is somewhat dependent on my other
> ACL code) can be found here:
> https://github.com/wine-compholio/wine-staging/tree/master/patches/server-Inherited_ACLs
>
> The first patch is for CreateFile and the second one is for
> SetSecurityInfo. I'm happy to try and change this to help you solve
> your problem without my other ACL code, it's been on my TODO list
> anyway - I've just been too busy with work lately :/
On Windows the inheritance code is inside ntmarta.dll (according to some
Microsoft docs). Probably Microsoft uses ntmarta.dll inside advapi. But
I don't think we want to be compatible with native dlls in this case.
The inheritance doesn't occur when functions from ntdll are used for
setting the DACL. This makes your code inside the server incorrect. Also your
code is not checking handle permissions correctly. If you try to test it,
keep in mind that if the correct inheritance flags are set in the security
descriptor control field, the permissions will be filled in when you
right-click on a file and display its security properties on Windows.
I see 3 ways of implementing DACL inheritance:
1) add a server call that does the inheritance
in this case there's no code duplication between CreateFile and
SetFileInformation, also it's possible to skip the inheritance when
NtSetSecurityObject is used directly
2) duplicate inheritance code inside advapi and ntdll/server
I think this is the best solution. The code that merges 2 DACLs has
only ~36 lines in my implementation. The code for getting parent
directory DACL is also not long (~30 lines). This code may get longer in
future (when we have complete support for security descriptors).
3) implement something like ntmarta.dll
This will need much more testing. I'm also not sure if it can be
used from ntdll at all.
What do you think about it?
Thanks,
Piotr
P.S. these patches fix some real installers (TEMSInvestigation 16.1.1
(fails), Uru - Ages Beyond Myst (fails to remove some temporary files))
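The DACL merge the message above describes (the caller's explicit ACEs followed by the ACEs inherited from the parent directory, skipped when the descriptor is protected) is shown here as an added example in plain C. It is not Piotr's patch, Erich's staging code or any Wine code; it models Windows' documented inheritance rules for OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE and INHERITED_ACE using the flag values from winnt.h, and it assumes a simplified ACE in which the trustee SID is reduced to an integer id; the sample parent and caller DACLs in main() are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ACE flag bits and the SD control bit, with the values winnt.h defines. */
#define OBJECT_INHERIT_ACE       0x01
#define CONTAINER_INHERIT_ACE    0x02
#define NO_PROPAGATE_INHERIT_ACE 0x04
#define INHERIT_ONLY_ACE         0x08
#define INHERITED_ACE            0x10
#define SE_DACL_PROTECTED        0x1000

#define MAX_ACES 16

/* Simplified ACE (assumption): the trustee SID is reduced to an integer id. */
typedef struct
{
    uint8_t  type;   /* 0 = access allowed, 1 = access denied */
    uint8_t  flags;  /* inheritance bits above */
    uint32_t mask;   /* access mask */
    uint32_t sid;    /* stand-in for the trustee SID */
} ACE;

typedef struct
{
    size_t count;
    ACE    aces[MAX_ACES];
} DACL;

/* Flags an inherited copy of a parent ACE carries on a child, or -1 if the
 * child does not inherit it at all. is_dir selects file vs. directory rules. */
int inherited_ace_flags(uint8_t pf, int is_dir)
{
    uint8_t f;

    if (!is_dir)
    {
        /* A file inherits only OBJECT_INHERIT ACEs and can propagate nothing,
         * so every inheritance bit is dropped; only INHERITED_ACE remains. */
        return (pf & OBJECT_INHERIT_ACE) ? INHERITED_ACE : -1;
    }
    if (!(pf & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE))) return -1;
    if (pf & NO_PROPAGATE_INHERIT_ACE)
    {
        /* NO_PROPAGATE: the ACE applies to this directory only if it is
         * CONTAINER_INHERIT; an OBJECT_INHERIT-only ACE has nowhere to go. */
        return (pf & CONTAINER_INHERIT_ACE) ? INHERITED_ACE : -1;
    }
    f = INHERITED_ACE | (pf & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE));
    /* OBJECT_INHERIT without CONTAINER_INHERIT is carried by a subdirectory
     * for the files below it but is not effective on the directory itself. */
    if (!(pf & CONTAINER_INHERIT_ACE)) f |= INHERIT_ONLY_ACE;
    return f;
}

/* Build the child's DACL: the caller's explicit ACEs (stale INHERITED_ACE
 * entries are discarded and recomputed) followed by the ACEs inherited from
 * the parent. SE_DACL_PROTECTED in sd_control blocks inheritance entirely.
 * Returns the resulting ACE count, or -1 if MAX_ACES would be exceeded. */
int merge_dacls(const DACL *own, const DACL *parent, int is_dir,
                unsigned sd_control, DACL *out)
{
    size_t i;

    out->count = 0;
    for (i = 0; i < own->count; i++)
    {
        if (own->aces[i].flags & INHERITED_ACE) continue;
        if (out->count == MAX_ACES) return -1;
        out->aces[out->count++] = own->aces[i];
    }
    if (sd_control & SE_DACL_PROTECTED) return (int)out->count;

    for (i = 0; i < parent->count; i++)
    {
        int f = inherited_ace_flags(parent->aces[i].flags, is_dir);
        if (f < 0) continue;
        if (out->count == MAX_ACES) return -1;
        out->aces[out->count] = parent->aces[i];
        out->aces[out->count].flags = (uint8_t)f;
        out->count++;
    }
    return (int)out->count;
}

int main(void)
{
    /* Constructed sample DACLs, not taken from any real system. */
    DACL parent = { 5, {
        { 0, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, 0x1f01ff, 1 },
        { 0, CONTAINER_INHERIT_ACE, 0x120089, 2 },
        { 0, OBJECT_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE, 0x120116, 2 },
        { 0, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, 0x120089, 3 },
        { 0, 0, 0x1f01ff, 4 },
    } };
    DACL own = { 2, {
        { 0, 0, 0x1f01ff, 5 },
        { 0, INHERITED_ACE, 0x120089, 9 },   /* stale, recomputed from parent */
    } };
    DACL child;
    size_t i;

    merge_dacls(&own, &parent, 1, 0, &child);
    for (i = 0; i < child.count; i++)
        printf("ace %u: sid %u mask %08x flags %02x\n", (unsigned)i,
               child.aces[i].sid, child.aces[i].mask, child.aces[i].flags);
    return 0;
}
```

Calling merge_dacls() with is_dir set to 0 or 1 shows why the server would need to know the object type: the same parent DACL yields a different child DACL for a file than for a directory, and an OBJECT_INHERIT ACE marked NO_PROPAGATE reaches a file but not a subdirectory.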