[3/6] server: A new function "set_sd_defaults_from_token" that sets the security descriptor along with a token that will be used to gather defaults, instead of always using the primary token

Joris van der Wel joris at jorisvanderwel.com
Sun Jul 6 13:18:07 CDT 2014 

server: A new function "set_sd_defaults_from_token" that sets the
security descriptor along with a token that will be used to gather
defaults, instead of always using the primary token.

Some objects take their defaults not from a primary token but from a
different one (such as from the impersonation token or the process
token).
This function can be used to create the various set_sd implementations
for the objects that need it. As a bonus, a NULL token will skip
setting any defaults.

---
 server/object.c | 23 +++++++++++++++--------
 server/object.h |  2 ++
 2 files changed, 17 insertions(+), 8 deletions(-)
-------------- next part --------------
From a06685284e79f2f7c60b3c297cd0e3bf9d037b1f Mon Sep 17 00:00:00 2001
From: Joris van der Wel <joris at jorisvanderwel.com>
Date: Sun, 6 Jul 2014 12:59:24 +0200
Subject: =?UTF-8?q?server:=20A=20new=20function=20"set=5Fsd=5Fdefaults=5Ff?=
 =?UTF-8?q?rom=5Ftoken"=20that=20sets=20the=20security=20descriptor=20alon?=
 =?UTF-8?q?g=20with=20a=20token=20that=20will=20be=20used=20to=20gather=20?=
 =?UTF-8?q?defaults,=20instead=20of=20always=20using=20the=20primary=20tok?=
 =?UTF-8?q?en.=0ASome=20objects=20take=20their=20defaults=20not=20from=20a?=
 =?UTF-8?q?=20primary=20token=20but=20from=20a=20different=20one=20(such?=
 =?UTF-8?q?=20as=20from=20the=20impersonation=20token=20or=20the=20process?=
 =?UTF-8?q?=20token).=0AThis=20function=20can=20be=20used=20to=20create=20?=
 =?UTF-8?q?the=20various=20set=5Fsd=20implementations=20for=20the=20object?=
 =?UTF-8?q?s=20that=20need=20it.=20As=20a=20bonus,=20a=20NULL=20token=20wi?=
 =?UTF-8?q?ll=20skip=20setting=20any=20defaults.?=

---
 server/object.c | 23 +++++++++++++++--------
 server/object.h |  2 ++
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/server/object.c b/server/object.c
index c0d9818..f8342fc 100644
--- a/server/object.c
+++ b/server/object.c
@@ -423,8 +423,8 @@ struct security_descriptor *default_get_sd( struct object *obj )
     return obj->sd;
 }
 
-int default_set_sd( struct object *obj, const struct security_descriptor *sd,
-                    unsigned int set_info )
+int set_sd_defaults_from_token( struct object *obj, const struct security_descriptor *sd,
+                                unsigned int set_info, struct token *token )
 {
     struct security_descriptor new_sd, *new_sd_ptr;
     int present;
@@ -447,9 +447,9 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
         {
             new_sd.owner_len = obj->sd->owner_len;
         }
-        else
+        else if (token)
         {
-            owner = token_get_user( current->process->token );
+            owner = token_get_user( token );
             new_sd.owner_len = security_sid_len( owner );
         }
     }
@@ -464,9 +464,9 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
         {
             new_sd.group_len = obj->sd->group_len;
         }
-        else
+        else if (token)
         {
-            group = token_get_primary_group( current->process->token );
+            group = token_get_primary_group( token );
             new_sd.group_len = security_sid_len( group );
         }
     }
@@ -497,9 +497,9 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
 
         if (obj->sd && present)
             new_sd.dacl_len = obj->sd->dacl_len;
-        else
+        else if (token)
         {
-            dacl = token_get_default_dacl( current->process->token );
+            dacl = token_get_default_dacl( token );
             new_sd.dacl_len = dacl->AclSize;
         }
     }
@@ -524,6 +524,13 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
     return 1;
 }
 
+/** Set the security descriptor using the current primary token for defaults. */
+int default_set_sd( struct object *obj, const struct security_descriptor *sd,
+                    unsigned int set_info )
+{
+    return set_sd_defaults_from_token( obj, sd, set_info, current ? current->process->token : NULL );
+}
+
 struct object *no_lookup_name( struct object *obj, struct unicode_str *name,
                                unsigned int attr )
 {
diff --git a/server/object.h b/server/object.h
index bb3ff21..7201ff9 100644
--- a/server/object.h
+++ b/server/object.h
@@ -139,6 +139,8 @@ extern struct fd *no_get_fd( struct object *obj );
 extern unsigned int no_map_access( struct object *obj, unsigned int access );
 extern struct security_descriptor *default_get_sd( struct object *obj );
 extern int default_set_sd( struct object *obj, const struct security_descriptor *sd, unsigned int set_info );
+extern int set_sd_defaults_from_token( struct object *obj, const struct security_descriptor *sd, 
+                                       unsigned int set_info, struct token *token );
 extern struct object *no_lookup_name( struct object *obj, struct unicode_str *name, unsigned int attributes );
 extern struct object *no_open_file( struct object *obj, unsigned int access, unsigned int sharing,
                                     unsigned int options );
-- 
1.8.1.msysgit.1

More information about the wine-patches mailing list