[6/7] server: Perform an access check for kernel objects without a security descriptor using access rights of the owner's token. Resend.

Dmitry Timoshkov dmitry at baikal.ru
Wed Apr 18 02:30:23 CDT 2012


---
 dlls/kernel32/tests/sync.c |    3 +--
 server/token.c             |   31 ++++++++++++++++---------------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/dlls/kernel32/tests/sync.c b/dlls/kernel32/tests/sync.c
index d4f6cf7..2605b8f 100644
--- a/dlls/kernel32/tests/sync.c
+++ b/dlls/kernel32/tests/sync.c
@@ -185,13 +185,12 @@ todo_wine
             if ((1 << i) == ACCESS_SYSTEM_SECURITY)
                 todo_wine ok(GetLastError() == ERROR_PRIVILEGE_NOT_HELD, "wrong error %u, access %x\n", GetLastError(), 1 << i);
             else
-                todo_wine ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u, , access %x\n", GetLastError(), 1 << i);
+                ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u, , access %x\n", GetLastError(), 1 << i);
             ReleaseMutex(hCreated);
             failed |=0x1 << i;
         }
     }
 
-todo_wine
     ok( failed == 0x0de0fffe, "open succeeded when it shouldn't: %x\n", failed);
 
     SetLastError(0xdeadbeef);
diff --git a/server/token.c b/server/token.c
index a0ec143..bb39592 100644
--- a/server/token.c
+++ b/server/token.c
@@ -835,20 +835,29 @@ static unsigned int token_access_check( struct token *token,
         return STATUS_GENERIC_NOT_MAPPED;
     }
 
-    dacl = sd_get_dacl( sd, &dacl_present );
-    owner = sd_get_owner( sd );
-    if (!owner || !sd_get_group( sd ))
+    if (sd)
     {
-        *priv_count = 0;
-        return STATUS_INVALID_SECURITY_DESCR;
+        dacl = sd_get_dacl( sd, &dacl_present );
+        owner = sd_get_owner( sd );
+        if (!owner || !sd_get_group( sd ))
+        {
+            *priv_count = 0;
+            return STATUS_INVALID_SECURITY_DESCR;
+        }
+    }
+    else
+    {
+        dacl = token->default_dacl;
+        dacl_present = dacl ? TRUE : FALSE;
+        owner = token->user;
     }
 
     /* 1: Grant desired access if the object is unprotected */
     if (!dacl_present || !dacl)
     {
         *priv_count = 0;
-        *granted_access = desired_access;
-        return *status = STATUS_SUCCESS;
+        current_access = mapping->GenericAll;
+        goto done;
     }
 
     /* 2: Check if caller wants access to system security part. Note: access
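Review bot: In the new `else` branch the fallback DACL and owner are both read from `token`, the token being checked, so an object with no security descriptor is evaluated against the subject's own default DACL and the subject is always treated as owner; the subject line speaks of the owner's token, and nothing visible here ties `token` to the object's creator. With the early return removed from check_object_access in the last hunk, every SD-less object now takes this path, so the choice decides what such objects are protected by. If it is a deliberate approximation, say so at the branch, e.g. `/* no SD: approximate with the accessing token's default DACL and user; the creator's token is not recorded on the object */`; otherwise the creator's default DACL would have to be captured when the object is created. The step 1 comment is also stale, since the branch no longer grants `desired_access` directly but sets `current_access = mapping->GenericAll` and jumps to `done`. The `done` label and the rest of token_access_check lie outside the hunk, so how MAXIMUM_ALLOWED and the final masking are handled there should be confirmed.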
@@ -990,14 +999,6 @@ int check_object_access(struct object *obj, unsigned int *access)
     int res;
 
     mapping.GenericAll = obj->ops->map_access( obj, GENERIC_ALL );
-
-    if (!obj->sd)
-    {
-        if (*access & MAXIMUM_ALLOWED)
-            *access = mapping.GenericAll;
-        return TRUE;
-    }
-
     mapping.GenericRead  = obj->ops->map_access( obj, GENERIC_READ );
     mapping.GenericWrite = obj->ops->map_access( obj, GENERIC_WRITE );
     mapping.GenericExecute = obj->ops->map_access( obj, GENERIC_EXECUTE );
-- 
1.7.9.4



