Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-24 09:25:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

Correctly return FALSE in SeAccessCheck if access is not granted

Browse source 
Don't always check the first ace in the DACL

svn path=/trunk/; revision=24533
This commit is contained in:
Hervé Poussineau 2006-10-15 23:31:16 +00:00
parent 09da758c64
commit 48a7051b20
1 changed files with 18 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
reactos/ntoskrnl/se/semgr.c
View file

@ -997,7 +997,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*GrantedAccess = 0; *GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED; *AccessStatus = STATUS_ACCESS_DENIED;
return TRUE; return FALSE;
} }
/* RULE 4: Grant rights according to the DACL */ /* RULE 4: Grant rights according to the DACL */
@ -1016,17 +1016,20 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*GrantedAccess = 0; *GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED; *AccessStatus = STATUS_ACCESS_DENIED;
return TRUE; return FALSE;
} }
} }
if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{ {
if (SepSidInToken(Token, Sid)) if (SepSidInToken(Token, Sid))
{ {
CurrentAccess |= CurrentAce->AccessMask; CurrentAccess |= CurrentAce->AccessMask;
} }
} }
else
DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
} }
if (SubjectContextLocked == FALSE) if (SubjectContextLocked == FALSE)
@ -1039,10 +1042,18 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*GrantedAccess = CurrentAccess & DesiredAccess; *GrantedAccess = CurrentAccess & DesiredAccess;
*AccessStatus = if (*GrantedAccess == DesiredAccess)
(*GrantedAccess == DesiredAccess) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED; {
*AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
}
else
{
*AccessStatus = STATUS_ACCESS_DENIED;
DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
*GrantedAccess, DesiredAccess);
return TRUE; /* FIXME: should be FALSE */
}
} }