[NTOSKRNL]

- Add the check for ACCESS_SYSTEM_SECURITY.
- Keep the desired access rights that have not been granted yet in the variable RemainingAccess.
- Handle the MAXIMUM_ALLOWED case if the DACL is empty.

svn path=/trunk/; revision=46689
Eric Kohl 2010-04-02 17:46:24 +00:00
parent 809944b668
commit 74e30b9093


@ -390,6 +390,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
{ {
LUID_AND_ATTRIBUTES Privilege; LUID_AND_ATTRIBUTES Privilege;
ACCESS_MASK CurrentAccess, AccessMask; ACCESS_MASK CurrentAccess, AccessMask;
ACCESS_MASK RemainingAccess;
PACCESS_TOKEN Token; PACCESS_TOKEN Token;
ULONG i; ULONG i;
PACL Dacl; PACL Dacl;
@ -424,14 +425,43 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping); RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
CurrentAccess = PreviouslyGrantedAccess; CurrentAccess = PreviouslyGrantedAccess;
RemainingAccess = DesiredAccess;
Token = SubjectSecurityContext->ClientToken ? Token = SubjectSecurityContext->ClientToken ?
SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken; SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
/* Check for system security access */
if (RemainingAccess & ACCESS_SYSTEM_SECURITY)
{
Privilege.Luid = SeSecurityPrivilege;
Privilege.Attributes = SE_PRIVILEGE_ENABLED;
/* Fail if we do not the SeSecurityPrivilege */
if (!SepPrivilegeCheck(Token,
&Privilege,
1,
PRIVILEGE_SET_ALL_NECESSARY,
AccessMode))
{
*AccessStatus = STATUS_PRIVILEGE_NOT_HELD;
return FALSE;
}
/* Adjust access rights */
RemainingAccess &= ~ACCESS_SYSTEM_SECURITY;
PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY;
/* Succeed if there are no more rights to grant */
if (RemainingAccess == 0)
{
*GrantedAccess = PreviouslyGrantedAccess;
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
}
/* Get the DACL */ /* Get the DACL */
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
&Present, &Present,
@ -474,11 +504,15 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
PRIVILEGE_SET_ALL_NECESSARY, PRIVILEGE_SET_ALL_NECESSARY,
AccessMode)) AccessMode))
{ {
/* Adjust access rights */
RemainingAccess &= ~WRITE_OWNER;
PreviouslyGrantedAccess |= WRITE_OWNER;
CurrentAccess |= WRITE_OWNER; CurrentAccess |= WRITE_OWNER;
if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
(CurrentAccess & ~VALID_INHERIT_FLAGS)) /* Succeed if there are no more rights to grant */
if (RemainingAccess == 0)
{ {
*GrantedAccess = CurrentAccess; *GrantedAccess = PreviouslyGrantedAccess;
*AccessStatus = STATUS_SUCCESS; *AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
} }
@ -488,9 +522,18 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
/* Deny access if the DACL is empty */ /* Deny access if the DACL is empty */
if (Dacl->AceCount == 0) if (Dacl->AceCount == 0)
{ {
*GrantedAccess = 0; if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
*AccessStatus = STATUS_ACCESS_DENIED; {
return FALSE; *GrantedAccess = PreviouslyGrantedAccess;
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
else
{
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
return FALSE;
}
} }
/* Fail if DACL is absent */ /* Fail if DACL is absent */
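Review bot: The new ACCESS_SYSTEM_SECURITY failure path sets `*AccessStatus = STATUS_PRIVILEGE_NOT_HELD` and returns FALSE without writing `*GrantedAccess`, whereas the empty-DACL denial path zeroes it; adding `*GrantedAccess = 0;` before that return keeps every denial fail-closed for a caller that reads the mask without checking the return value. In the same block only `PreviouslyGrantedAccess` gains ACCESS_SYSTEM_SECURITY, while the WRITE_OWNER branch updates both `PreviouslyGrantedAccess` and `CurrentAccess`; if the ACE walk later in SepAccessCheck (outside the visible hunks) still builds its result from `CurrentAccess`, the privilege-granted bit could be dropped, so either add `CurrentAccess |= ACCESS_SYSTEM_SECURITY;` or comment why it is omitted. The empty-DACL test `RemainingAccess == MAXIMUM_ALLOWED` is an exact comparison, so a one-line comment stating that any additional explicitly requested right is meant to fall through to the deny branch would document that intent.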