https://git.reactos.org/?p=reactos.git;a=commitdiff;h=9594022ce141965e672ce…
commit 9594022ce141965e672ce975bf4d71a5f0e46730
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Mon Jun 25 18:49:07 2018 +0200
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Wed Jun 27 23:40:15 2018 +0200
[NTOS:SE] Add a documentation note about SeTokenIsWriteRestricted() and
SeTokenIsAdmin(), and update the one for NtDuplicateToken().
[XDK] Move TOKEN_HAS_ADMIN_GROUP where appropriate.
---
ntoskrnl/se/token.c | 12 +++++++++---
sdk/include/xdk/ntifs.template.h | 2 --
sdk/include/xdk/setypes.h | 1 +
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index 75ab43d21e..9523fbf8aa 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1549,7 +1549,9 @@ SeTokenIsAdmin(IN PACCESS_TOKEN Token)
{
PAGED_CODE();
- return (((PTOKEN)Token)->TokenFlags & TOKEN_WRITE_RESTRICTED) != 0;
+ // NOTE: Win7+ instead really checks the list of groups in the token
+ // (since TOKEN_HAS_ADMIN_GROUP == TOKEN_WRITE_RESTRICTED ...)
+ return (((PTOKEN)Token)->TokenFlags & TOKEN_HAS_ADMIN_GROUP) != 0;
}
/*
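Review bot: SeTokenIsAdmin() now answers an authorization question from bit 0x0008, and the setypes.h hunk of this commit defines TOKEN_HAS_ADMIN_GROUP as TOKEN_WRITE_RESTRICTED, so a token that carries the write-restricted meaning of that bit would be reported as an administrator token. The added comment records the Win7+ difference but not this consequence. I would state it at the return, e.g. `// SECURITY: bit 0x0008 is shared with TOKEN_WRITE_RESTRICTED; no code path may set it with that meaning while this check is in use`, and put the same warning beside `#define TOKEN_HAS_ADMIN_GROUP TOKEN_WRITE_RESTRICTED`. Whether any token-creation or filtering path sets the bit with the other meaning is not visible in this diff and should be confirmed. The function's signature lies outside the hunk.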
@@ -1566,6 +1568,8 @@ SeTokenIsRestricted(IN PACCESS_TOKEN Token)
/*
* @implemented
+ * @note First introduced in NT 5.1 SP2 x86 (5.1.2600.2622), absent in NT 5.2,
+ * then finally re-introduced in Vista+.
*/
BOOLEAN
NTAPI
@@ -1573,7 +1577,9 @@ SeTokenIsWriteRestricted(IN PACCESS_TOKEN Token)
{
PAGED_CODE();
- return (((PTOKEN)Token)->TokenFlags & TOKEN_HAS_RESTORE_PRIVILEGE) != 0;
+ // NOTE: NT 5.1 SP2 x86 checks the SE_BACKUP_PRIVILEGES_CHECKED flag
+ // while Vista+ checks the TOKEN_WRITE_RESTRICTED flag as one expects.
+ return (((PTOKEN)Token)->TokenFlags & SE_BACKUP_PRIVILEGES_CHECKED) != 0;
}
/* SYSTEM CALLS ***************************************************************/
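Review bot: SeTokenIsWriteRestricted() tests SE_BACKUP_PRIVILEGES_CHECKED, so a caller that trusts the name gets an answer about a different flag. The added comment itself says Vista+ tests TOKEN_WRITE_RESTRICTED. A caller written against the Vista+ behaviour would presumably get FALSE for a token that has only TOKEN_WRITE_RESTRICTED set and skip its write restriction, while SeTokenIsAdmin() in the first hunk would report the same token as admin. The `@note` added to the doc block gives only the export's history, so I would add which behaviour is implemented, e.g. `@note Implements the NT 5.1 SP2 behaviour: tests SE_BACKUP_PRIVILEGES_CHECKED, not TOKEN_WRITE_RESTRICTED; do not use it as a write-restriction check.` The function's signature lies outside this hunk.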
@@ -2552,7 +2558,7 @@ Cleanup:
* is correct either. -Gunnar
* This is true. EffectiveOnly overrides SQOS.EffectiveOnly. - IAI
* NOTE for readers:
http://hex.pp.ua/nt/NtDuplicateToken.php is therefore
- * wrong in that regard.
+ * wrong in that regard, while MSDN documentation is correct.
*/
NTSTATUS NTAPI
NtDuplicateToken(IN HANDLE ExistingTokenHandle,
diff --git a/sdk/include/xdk/ntifs.template.h b/sdk/include/xdk/ntifs.template.h
index 642193fe36..7ad62ca88d 100644
--- a/sdk/include/xdk/ntifs.template.h
+++ b/sdk/include/xdk/ntifs.template.h
@@ -1360,8 +1360,6 @@ typedef struct _QUERY_PATH_RESPONSE {
/* end winnt.h */
-#define TOKEN_HAS_ADMIN_GROUP 0x08
-
#if (VER_PRODUCTBUILD >= 1381)
#define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31,
METHOD_BUFFERED, FILE_ANY_ACCESS)
#endif /* (VER_PRODUCTBUILD >= 1381) */
diff --git a/sdk/include/xdk/setypes.h b/sdk/include/xdk/setypes.h
index 5dbf75edf0..699e71bd7d 100644
--- a/sdk/include/xdk/setypes.h
+++ b/sdk/include/xdk/setypes.h
@@ -1125,6 +1125,7 @@ typedef struct _TOKEN_ACCESS_INFORMATION {
#define TOKEN_HAS_BACKUP_PRIVILEGE 0x0002
#define TOKEN_HAS_RESTORE_PRIVILEGE 0x0004
#define TOKEN_WRITE_RESTRICTED 0x0008
+#define TOKEN_HAS_ADMIN_GROUP TOKEN_WRITE_RESTRICTED
#define TOKEN_IS_RESTRICTED 0x0010
#define TOKEN_SESSION_NOT_REFERENCED 0x0020
#define TOKEN_SANDBOX_INERT 0x0040