[PATCH] advapi32: Don't revoke ACCESS_DENIED_ACE.
Adam Gashlin
agashlin at gmail.com
Mon Mar 1 23:18:01 CST 2021
REVOKE_ACCESS is only documented to remove ACCESS_ALLOWED_ACE and
SYSTEM_AUDIT_ACE.
Signed-off-by: Adam Gashlin <agashlin at gmail.com>
---
I wasn't sure what to do with SYSTEM_ALARM_ACE, so I left it alone.
This is my first patch to Wine, I hope it's not too far from
acceptable!
---
dlls/advapi32/security.c | 3 +--
dlls/advapi32/tests/security.c | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
index 9f80a846966..6246cd21a62 100644
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -2314,8 +2314,7 @@ DWORD WINAPI SetEntriesInAclW( ULONG count, PEXPLICIT_ACCESSW pEntries,
add = FALSE;
break;
case ACCESS_DENIED_ACE_TYPE:
- if (EqualSid(ppsid[j], &((ACCESS_DENIED_ACE *)old_ace_header)->SidStart))
- add = FALSE;
+ /* REVOKE_ACCESS does not affect ACCESS_DENIED_ACE. */
break;
case SYSTEM_AUDIT_ACE_TYPE:
if (EqualSid(ppsid[j], &((SYSTEM_AUDIT_ACE *)old_ace_header)->SidStart))
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index f43ac2431e1..fdac67aecb8 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7437,6 +7437,32 @@ static void test_GetExplicitEntriesFromAclW(void)
ok(access2 == NULL, "access2 was not NULL\n");
LocalFree(new_acl);
+ /* Make the ACL both Allow and Deny Everyone. */
+ res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, everyone_sid);
+ ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
+ res = AddAccessDeniedAce(old_acl, ACL_REVISION, KEY_WRITE, everyone_sid);
+ ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
+ /* Revoke Everyone. */
+ access.Trustee.ptstrName = everyone_sid;
+ access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+ access.grfAccessPermissions = 0;
+ new_acl = NULL;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+ /* Deny Everyone should remain (along with Grant Users from earlier). */
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_READ , "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
+ ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
+ ok(access2[1].grfAccessMode == DENY_ACCESS, "Expected DENY_ACCESS, got %d\n", access2[1].grfAccessMode);
+ ok(access2[1].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[1].grfAccessPermissions);
+ ok(EqualSid(access2[1].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+
FreeSid(users_sid);
FreeSid(everyone_sid);
HeapFree(GetProcessHeap(), 0, old_acl);
--
2.17.1
More information about the wine-devel
mailing list