[PATCH v2 2/2] server: Grant implicit DACL_SECURITY_INFORMATION permission to an object owner.
Alexandre Julliard
julliard at winehq.org
Wed Feb 10 02:01:30 CST 2021
Dmitry Timoshkov <dmitry at baikal.ru> writes:
> Alexandre Julliard <julliard at winehq.org> wrote:
>
>> Dmitry Timoshkov <dmitry at baikal.ru> writes:
>>
>> > @@ -482,6 +482,17 @@ struct object *get_handle_obj( struct process *process, obj_handle_t handle,
>> > set_error( STATUS_OBJECT_TYPE_MISMATCH ); /* not the right type */
>> > return NULL;
>> > }
>> > + if (access & (READ_CONTROL | WRITE_DAC))
>> > + {
>> > + const struct security_descriptor *sd = obj->ops->get_sd( obj );
>> > + if (sd)
>> > + {
>> > + struct token *token = current->token ? current->token : current->process->token;
>> > + const SID *owner = sd_get_owner( sd );
>> > + if (token_sid_present( token, owner, FALSE ))
>> > + access &= ~(READ_CONTROL | WRITE_DAC);
>> > + }
>> > + }
>>
>> That seems very ad-hoc. It would need more convincing tests.
>
> What kind of test would be more convincing for you? Even if the tests
> in 1/2 are not enough it's still a good start, and why not accept them
> while anticipating more tests?
I'd like to see tests for various object types, various types of
security descriptors and tokens, and other security bits. Adding
something like that in get_handle_obj() is going to affect everything,
so it needs extensive tests.
--
Alexandre Julliard
julliard at winehq.org
More information about the wine-devel
mailing list