Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-02 23:56:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS:SE] Add a documentation note about SeTokenIsWriteRestricted() and SeTokenIsAdmin(), and update the one for NtDuplicateToken().

Browse source 
[XDK] Move TOKEN_HAS_ADMIN_GROUP where appropriate.
This commit is contained in:
Hermès Bélusca-Maïto 2018-06-25 18:49:07 +02:00
parent f61694cfbb
commit 9594022ce1
No known key found for this signature in database
GPG key ID: 3B2539C65E7B93D0
3 changed files with 10 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
ntoskrnl/se/token.c
View file

@ -1549,7 +1549,9 @@ SeTokenIsAdmin(IN PACCESS_TOKEN Token)
{ {
PAGED_CODE(); PAGED_CODE();
return (((PTOKEN)Token)->TokenFlags & TOKEN_WRITE_RESTRICTED) != 0; // NOTE: Win7+ instead really checks the list of groups in the token
// (since TOKEN_HAS_ADMIN_GROUP == TOKEN_WRITE_RESTRICTED ...)
return (((PTOKEN)Token)->TokenFlags & TOKEN_HAS_ADMIN_GROUP) != 0;
} }
/* /*
@ -1566,6 +1568,8 @@ SeTokenIsRestricted(IN PACCESS_TOKEN Token)
/* /*
* @implemented * @implemented
* @note First introduced in NT 5.1 SP2 x86 (5.1.2600.2622), absent in NT 5.2,
* then finally re-introduced in Vista+.
*/ */
BOOLEAN BOOLEAN
NTAPI NTAPI
@ -1573,7 +1577,9 @@ SeTokenIsWriteRestricted(IN PACCESS_TOKEN Token)
{ {
PAGED_CODE(); PAGED_CODE();
return (((PTOKEN)Token)->TokenFlags & TOKEN_HAS_RESTORE_PRIVILEGE) != 0; // NOTE: NT 5.1 SP2 x86 checks the SE_BACKUP_PRIVILEGES_CHECKED flag
// while Vista+ checks the TOKEN_WRITE_RESTRICTED flag as one expects.
return (((PTOKEN)Token)->TokenFlags & SE_BACKUP_PRIVILEGES_CHECKED) != 0;
} }
/* SYSTEM CALLS ***************************************************************/ /* SYSTEM CALLS ***************************************************************/
@ -2552,7 +2558,7 @@ Cleanup:
* is correct either. -Gunnar * is correct either. -Gunnar
* This is true. EffectiveOnly overrides SQOS.EffectiveOnly. - IAI * This is true. EffectiveOnly overrides SQOS.EffectiveOnly. - IAI
* NOTE for readers: http://hex.pp.ua/nt/NtDuplicateToken.php is therefore * NOTE for readers: http://hex.pp.ua/nt/NtDuplicateToken.php is therefore
* wrong in that regard. * wrong in that regard, while MSDN documentation is correct.
*/ */
NTSTATUS NTAPI NTSTATUS NTAPI
NtDuplicateToken(IN HANDLE ExistingTokenHandle, NtDuplicateToken(IN HANDLE ExistingTokenHandle,

2
sdk/include/xdk/ntifs.template.h
View file

@ -1360,8 +1360,6 @@ typedef struct _QUERY_PATH_RESPONSE {
/* end winnt.h */ /* end winnt.h */
#define TOKEN_HAS_ADMIN_GROUP 0x08
#if (VER_PRODUCTBUILD >= 1381) #if (VER_PRODUCTBUILD >= 1381)
#define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
#endif /* (VER_PRODUCTBUILD >= 1381) */ #endif /* (VER_PRODUCTBUILD >= 1381) */

1
sdk/include/xdk/setypes.h
View file

@ -1125,6 +1125,7 @@ typedef struct _TOKEN_ACCESS_INFORMATION {
#define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002 #define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002
#define TOKEN_HAS_RESTORE_PRIVILEGE 0x0004 #define TOKEN_HAS_RESTORE_PRIVILEGE 0x0004
#define TOKEN_WRITE_RESTRICTED 0x0008 #define TOKEN_WRITE_RESTRICTED 0x0008
#define TOKEN_HAS_ADMIN_GROUP TOKEN_WRITE_RESTRICTED
#define TOKEN_IS_RESTRICTED 0x0010 #define TOKEN_IS_RESTRICTED 0x0010
#define TOKEN_SESSION_NOT_REFERENCED 0x0020 #define TOKEN_SESSION_NOT_REFERENCED 0x0020
#define TOKEN_SANDBOX_INERT 0x0040 #define TOKEN_SANDBOX_INERT 0x0040