Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-24 01:15:09 +00:00
Code Issues Projects Releases Packages Wiki Activity

Correctly return FALSE in SeAccessCheck if access is not granted

Browse source 
Don't always check the first ace in the DACL

svn path=/trunk/; revision=24533
This commit is contained in:
Hervé Poussineau 2006-10-15 23:31:16 +00:00
parent 09da758c64
commit 48a7051b20
1 changed files with 18 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
reactos/ntoskrnl/se/semgr.c
View file

@ -997,7 +997,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
return TRUE;
return FALSE;
}
/* RULE 4: Grant rights according to the DACL */
@ -1016,17 +1016,20 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
return TRUE;
return FALSE;
}
}
if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
CurrentAccess |= CurrentAce->AccessMask;
}
}
else
DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
if (SubjectContextLocked == FALSE)
@ -1039,10 +1042,18 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*GrantedAccess = CurrentAccess & DesiredAccess;
*AccessStatus =
(*GrantedAccess == DesiredAccess) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
return TRUE;
if (*GrantedAccess == DesiredAccess)
{
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
else
{
*AccessStatus = STATUS_ACCESS_DENIED;
DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
*GrantedAccess, DesiredAccess);
return TRUE; /* FIXME: should be FALSE */
}
}