[ros-diffs] [hpoussin] 24533: Correctly return FALSE in SeAccessCheck if access is not granted Don't always check the first ace in the DACL

Author: hpoussin Date: Mon Oct 16 03:31:16 2006 New Revision: 24533

URL: http://svn.reactos.org/svn/reactos?rev=24533&view=rev Log: Correctly return FALSE in SeAccessCheck if access is not granted Don't always check the first ace in the DACL

Modified: trunk/reactos/ntoskrnl/se/semgr.c

Modified: trunk/reactos/ntoskrnl/se/semgr.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=245... ============================================================================== --- trunk/reactos/ntoskrnl/se/semgr.c (original) +++ trunk/reactos/ntoskrnl/se/semgr.c Mon Oct 16 03:31:16 2006 @@ -997,7 +997,7 @@

*GrantedAccess = 0; *AccessStatus = STATUS_ACCESS_DENIED; - return TRUE; + return FALSE; }

/* RULE 4: Grant rights according to the DACL */ @@ -1016,17 +1016,20 @@

*GrantedAccess = 0; *AccessStatus = STATUS_ACCESS_DENIED; - return TRUE; + return FALSE; } }

- if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) + else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { if (SepSidInToken(Token, Sid)) { CurrentAccess |= CurrentAce->AccessMask; } } + else + DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType); + CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize); }

if (SubjectContextLocked == FALSE) @@ -1039,10 +1042,18 @@

*GrantedAccess = CurrentAccess & DesiredAccess;

- *AccessStatus = - (*GrantedAccess == DesiredAccess) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED; - - return TRUE; + if (*GrantedAccess == DesiredAccess) + { + *AccessStatus = STATUS_SUCCESS; + return TRUE; + } + else + { + *AccessStatus = STATUS_ACCESS_DENIED; + DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n", + *GrantedAccess, DesiredAccess); + return TRUE; /* FIXME: should be FALSE */ + } }