[weiden] 14197: - correctly deny access to handles when rights requested can't be granted - Ros-diffs

19 Mar 2005

- correctly deny access to handles when rights requested can't be
granted
- map generic rights correctly
- various fixes where handles with inappropriate access rights were
created
Modified: trunk/reactos/include/ddk/cmtypes.h
Modified: trunk/reactos/lib/advapi32/reg/reg.c
Modified: trunk/reactos/lib/kernel32/file/dir.c
Modified: trunk/reactos/lib/ntdll/ldr/utils.c
Modified: trunk/reactos/lib/ntdll/rtl/path.c
Modified: trunk/reactos/lib/syssetup/wizard.c
Modified: trunk/reactos/ntoskrnl/cm/ntfunc.c
Modified: trunk/reactos/ntoskrnl/cm/registry.c
Modified: trunk/reactos/ntoskrnl/io/create.c
Modified: trunk/reactos/ntoskrnl/io/device.c
Modified: trunk/reactos/ntoskrnl/io/driver.c
Modified: trunk/reactos/ntoskrnl/io/file.c
Modified: trunk/reactos/ntoskrnl/io/iomgr.c
Modified: trunk/reactos/ntoskrnl/io/vpb.c
Modified: trunk/reactos/ntoskrnl/ke/i386/exp.c
Modified: trunk/reactos/ntoskrnl/ldr/sysdll.c
Modified: trunk/reactos/ntoskrnl/ob/handle.c
Modified: trunk/reactos/ntoskrnl/ob/object.c
Modified: trunk/reactos/ntoskrnl/se/token.c
Modified: trunk/reactos/subsys/smss/initwkdll.c
Modified: trunk/reactos/subsys/system/services/database.c
Modified: trunk/reactos/subsys/system/winlogon/setup.c
  _____  

Modified: trunk/reactos/include/ddk/cmtypes.h

--- trunk/reactos/include/ddk/cmtypes.h	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/include/ddk/cmtypes.h	2005-03-19 19:13:01 UTC (rev
14197)
@@ -10,7 +10,10 @@

 {
   KeyBasicInformation,
   KeyNodeInformation,
-  KeyFullInformation
+  KeyFullInformation,
+  KeyNameInformation,
+  KeyCachedInformation,
+  KeyFlagsInformation
 } KEY_INFORMATION_CLASS;
 
 typedef struct _KEY_BASIC_INFORMATION
  _____  

Modified: trunk/reactos/lib/advapi32/reg/reg.c
--- trunk/reactos/lib/advapi32/reg/reg.c	2005-03-19 18:31:14 UTC
(rev 14196)
+++ trunk/reactos/lib/advapi32/reg/reg.c	2005-03-19 19:13:01 UTC
(rev 14197)
@@ -222,7 +222,7 @@

 			      NULL,
 			      NULL);
   return NtOpenKey (KeyHandle,
-		    KEY_ALL_ACCESS,
+		    MAXIMUM_ALLOWED,
 		    &Attributes);
 }
 
  _____  

Modified: trunk/reactos/lib/kernel32/file/dir.c
--- trunk/reactos/lib/kernel32/file/dir.c	2005-03-19 18:31:14 UTC
(rev 14196)
+++ trunk/reactos/lib/kernel32/file/dir.c	2005-03-19 19:13:01 UTC
(rev 14197)
@@ -221,7 +221,7 @@

         DPRINT("NtPathU '%S'\n", NtPathU.Buffer);
 
         Status = NtCreateFile (&DirectoryHandle,
-                               FILE_WRITE_ATTRIBUTES,    /* 0x110080 */
+                               DELETE,
                                &ObjectAttributes,
                                &IoStatusBlock,
                                NULL,
  _____  

Modified: trunk/reactos/lib/ntdll/ldr/utils.c
--- trunk/reactos/lib/ntdll/ldr/utils.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/lib/ntdll/ldr/utils.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -682,7 +682,7 @@

                            SECTION_ALL_ACCESS,
                            NULL,
                            NULL,
-                           PAGE_READWRITE,
+                           PAGE_READONLY,
                            SEC_COMMIT | (MapAsDataFile ? 0 :
SEC_IMAGE),
                            FileHandle);
   NtClose(FileHandle);
@@ -2048,7 +2048,7 @@
                                     &ViewSize,
                                     0,
                                     MEM_COMMIT,
-                                    PAGE_READWRITE);
+                                    PAGE_READONLY);
         if (!NT_SUCCESS(Status))
           {
             DPRINT1("map view of section failed (Status %x)\n",
Status);
@@ -2875,10 +2875,10 @@
   DPRINT ("LdrVerifyImageMatchesChecksum() called\n");
 
   Status = NtCreateSection (&SectionHandle,
-                            SECTION_MAP_EXECUTE,
+                            SECTION_MAP_READ,
                             NULL,
                             NULL,
-                            PAGE_EXECUTE,
+                            PAGE_READONLY,
                             SEC_COMMIT,
                             FileHandle);
   if (!NT_SUCCESS(Status))
@@ -2898,7 +2898,7 @@
                                &ViewSize,
                                ViewShare,
                                0,
-                               PAGE_EXECUTE);
+                               PAGE_READONLY);
   if (!NT_SUCCESS(Status))
     {
       DPRINT1 ("NtMapViewOfSection() failed (Status %lx)\n", Status);
  _____  

Modified: trunk/reactos/lib/ntdll/rtl/path.c
--- trunk/reactos/lib/ntdll/rtl/path.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/lib/ntdll/rtl/path.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -290,8 +290,8 @@

    }
 
    /* don't keep the directory handle open on removable media */
-   if (!NtQueryVolumeInformationFile( handle, &iosb, &device_info,
-                                    sizeof(device_info),
FileFsDeviceInformation ) &&
+   if (NT_SUCCESS(NtQueryVolumeInformationFile( handle, &iosb,
&device_info,
+                                                sizeof(device_info),
FileFsDeviceInformation )) &&
      (device_info.Characteristics & FILE_REMOVABLE_MEDIA))
    {
       DPRINT1("don't keep the directory handle open on removable
media\n");
  _____  

Modified: trunk/reactos/lib/syssetup/wizard.c
--- trunk/reactos/lib/syssetup/wizard.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/lib/syssetup/wizard.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -1133,7 +1133,7 @@

    */
   
   if(OpenProcessToken(GetCurrentProcess(),
-                      TOKEN_ADJUST_PRIVILEGES,
+                      TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                       &hToken))
   {
     priv.PrivilegeCount = 1;
  _____  

Modified: trunk/reactos/ntoskrnl/cm/ntfunc.c
--- trunk/reactos/ntoskrnl/cm/ntfunc.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/cm/ntfunc.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -460,9 +460,12 @@

   PKEY_FULL_INFORMATION  FullInformation;
   PDATA_CELL ClassCell;
   ULONG NameSize, ClassSize;
+  KPROCESSOR_MODE PreviousMode;
   NTSTATUS Status;
   
   PAGED_CODE();
+  
+  PreviousMode = ExGetPreviousMode();
 
   DPRINT("KH %x  I %d  KIC %x KI %x  L %d  RL %x\n",
 	 KeyHandle,
@@ -476,7 +479,7 @@
   Status = ObReferenceObjectByHandle(KeyHandle,
 		KEY_ENUMERATE_SUB_KEYS,
 		CmiKeyType,
-		UserMode,
+		PreviousMode,
 		(PVOID *) &KeyObject,
 		NULL);
   if (!NT_SUCCESS(Status))
@@ -1056,7 +1059,7 @@
 
   /* Verify that the handle is valid and is a registry key */
   Status = ObReferenceObjectByHandle(KeyHandle,
-				     KEY_QUERY_VALUE,
+				     0,
 				     CmiKeyType,
 				     PreviousMode,
 				     (PVOID *)&KeyObject,
@@ -1218,7 +1221,7 @@
 
   /* Verify that the handle is valid and is a registry key */
   Status = ObReferenceObjectByHandle(KeyHandle,
-		KEY_READ,
+		(KeyInformationClass != KeyNameInformation ?
KEY_QUERY_VALUE : 0),
 		CmiKeyType,
 		UserMode,
 		(PVOID *) &KeyObject,
@@ -1377,6 +1380,13 @@
 	  }
 	break;
 
+      case KeyNameInformation:
+      case KeyCachedInformation:
+      case KeyFlagsInformation:
+        DPRINT1("Key information class 0x%x not yet implemented!\n",
KeyInformationClass);
+        Status = STATUS_NOT_IMPLEMENTED;
+        break;
+
       default:
 	DPRINT1("Not handling 0x%x\n", KeyInformationClass);
 	Status = STATUS_INVALID_INFO_CLASS;
@@ -1658,14 +1668,12 @@
 	 KeyHandle, ValueName, Type);
 
   DesiredAccess = KEY_SET_VALUE;
-  if (Type == REG_LINK)
-    DesiredAccess |= KEY_CREATE_LINK;
 
   /* Verify that the handle is valid and is a registry key */
   Status = ObReferenceObjectByHandle(KeyHandle,
 				     DesiredAccess,
 				     CmiKeyType,
-				     UserMode,
+				     ExGetPreviousMode(),
 				     (PVOID *)&KeyObject,
 				     NULL);
   if (!NT_SUCCESS(Status))
  _____  

Modified: trunk/reactos/ntoskrnl/cm/registry.c
--- trunk/reactos/ntoskrnl/cm/registry.c	2005-03-19 18:31:14 UTC
(rev 14196)
+++ trunk/reactos/ntoskrnl/cm/registry.c	2005-03-19 19:13:01 UTC
(rev 14197)
@@ -423,7 +423,7 @@

   ASSERT(NT_SUCCESS(Status));
   Status = ObInsertObject(RootKey,
 			  NULL,
-			  STANDARD_RIGHTS_REQUIRED,
+			  KEY_ALL_ACCESS,
 			  0,
 			  NULL,
 			  &RootKeyHandle);
@@ -462,7 +462,7 @@
 			     RootKeyHandle,
 			     NULL);
   Status = ZwCreateKey(&KeyHandle,
-		       STANDARD_RIGHTS_REQUIRED,
+		       KEY_ALL_ACCESS,
 		       &ObjectAttributes,
 		       0,
 		       NULL,
@@ -479,7 +479,7 @@
 			     RootKeyHandle,
 			     NULL);
   Status = ZwCreateKey(&KeyHandle,
-		       STANDARD_RIGHTS_REQUIRED,
+		       KEY_ALL_ACCESS,
 		       &ObjectAttributes,
 		       0,
 		       NULL,
  _____  

Modified: trunk/reactos/ntoskrnl/io/create.c
--- trunk/reactos/ntoskrnl/io/create.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/io/create.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -448,9 +448,6 @@

 	return Status;
      }
 
-   RtlMapGenericMask(&DesiredAccess,
-                     BODY_TO_HEADER(FileObject)->ObjectType->Mapping);
-
    Status = ObInsertObject ((PVOID)FileObject,
 			    NULL,
 			    DesiredAccess,
  _____  

Modified: trunk/reactos/ntoskrnl/io/device.c
--- trunk/reactos/ntoskrnl/io/device.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/io/device.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -349,7 +349,10 @@

       FILE_NON_DIRECTORY_FILE);
 
    if (!NT_SUCCESS(Status))
+   {
+      DPRINT1("NtOpenFile failed, Status: 0x%x\n", Status);
       return Status;
+   }
 
    Status = ObReferenceObjectByHandle(
       FileHandle,
  _____  

Modified: trunk/reactos/ntoskrnl/io/driver.c
--- trunk/reactos/ntoskrnl/io/driver.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/io/driver.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -960,7 +960,7 @@

 			     NULL);
 
   Status = ZwOpenKey(&KeyHandle,
-		     0x10001,
+		     KEY_ENUMERATE_SUB_KEYS,
 		     &ObjectAttributes);
   if (!NT_SUCCESS(Status))
     {
  _____  

Modified: trunk/reactos/ntoskrnl/io/file.c
--- trunk/reactos/ntoskrnl/io/file.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/io/file.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -50,7 +50,7 @@

    PreviousMode = ExGetPreviousMode();
 
    Status = ObReferenceObjectByHandle(FileHandle,
-				      FILE_READ_ATTRIBUTES,
+				      0, /* FIXME - access depends on
the information class! */
 				      IoFileObjectType,
 				      PreviousMode,
 				      (PVOID *)&FileObject,
@@ -402,7 +402,7 @@
 
    /*  Get the file object from the file handle  */
    Status = ObReferenceObjectByHandle(FileHandle,
-				      FILE_WRITE_ATTRIBUTES,
+				      0, /* FIXME - depends on the
information class */
 				      IoFileObjectType,
 				      PreviousMode,
 				      (PVOID *)&FileObject,
  _____  

Modified: trunk/reactos/ntoskrnl/io/iomgr.c
--- trunk/reactos/ntoskrnl/io/iomgr.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/io/iomgr.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -34,9 +34,9 @@

 ULONGLONG             IoOtherTransferCount = 0;
 KSPIN_LOCK   EXPORTED IoStatisticsLock = 0;
 
-static GENERIC_MAPPING IopFileMapping = {FILE_GENERIC_READ,
-					 FILE_GENERIC_WRITE,
-					 FILE_GENERIC_EXECUTE,
+static GENERIC_MAPPING IopFileMapping = {STANDARD_RIGHTS_READ |
SYNCHRONIZE | FILE_READ_DATA | FILE_READ_PROPERTIES,
+					 STANDARD_RIGHTS_WRITE |
SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA |
FILE_WRITE_PROPERTIES,
+					 STANDARD_RIGHTS_EXECUTE |
SYNCHRONIZE | FILE_EXECUTE | FILE_READ_ATTRIBUTES,
 					 FILE_ALL_ACCESS};
 
 /* FUNCTIONS
****************************************************************/
  _____  

Modified: trunk/reactos/ntoskrnl/io/vpb.c
--- trunk/reactos/ntoskrnl/io/vpb.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/io/vpb.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -107,7 +107,7 @@

    PreviousMode = ExGetPreviousMode();
 
    Status = ObReferenceObjectByHandle(FileHandle,
-				      FILE_READ_ATTRIBUTES,
+				      0, /* FIXME - depends on the
information class! */
 				      IoFileObjectType,
 				      PreviousMode,
 				      (PVOID*)&FileObject,
  _____  

Modified: trunk/reactos/ntoskrnl/ke/i386/exp.c
--- trunk/reactos/ntoskrnl/ke/i386/exp.c	2005-03-19 18:31:14 UTC
(rev 14196)
+++ trunk/reactos/ntoskrnl/ke/i386/exp.c	2005-03-19 19:13:01 UTC
(rev 14197)
@@ -1,9 +1,9 @@

-/* 
+/*
  * COPYRIGHT:       See COPYING in the top level directory
  * PROJECT:         ReactOS kernel
  * FILE:            ntoskrnl/ke/i386/exp.c
  * PURPOSE:         Handling exceptions
- * 
+ *
  * PROGRAMMERS:     David Welch (welch(a)cwcom.net)
  *                  Skywing (skywing(a)valhallalegends.com)
  */
@@ -120,24 +120,31 @@
    MODULE_TEXT_SECTION* current;
    extern LIST_ENTRY ModuleTextListHead;
    ULONG_PTR RelativeAddress;
+   ULONG i = 0;
 
-   current_entry = ModuleTextListHead.Flink;
+   do
+   {
+     current_entry = ModuleTextListHead.Flink;
 
-   while (current_entry != &ModuleTextListHead &&
-	  current_entry != NULL)
-     {
-	current =
-	  CONTAINING_RECORD(current_entry, MODULE_TEXT_SECTION,
ListEntry);
+     while (current_entry != &ModuleTextListHead &&
+            current_entry != NULL)
+       {
+          current =
+            CONTAINING_RECORD(current_entry, MODULE_TEXT_SECTION,
ListEntry);
 
-	if (address >= (PVOID)current->Base &&
-	    address < (PVOID)(current->Base + current->Length))
-	  {
-            RelativeAddress = (ULONG_PTR) address - current->Base;
-	    DbgPrint("<%ws: %x>", current->Name, RelativeAddress);
-	    return(TRUE);
-	  }
-	current_entry = current_entry->Flink;
-     }
+          if (address >= (PVOID)current->Base &&
+              address < (PVOID)(current->Base + current->Length))
+            {
+              RelativeAddress = (ULONG_PTR) address - current->Base;
+              DbgPrint("<%ws: %x>", current->Name, RelativeAddress);
+              return(TRUE);
+            }
+          current_entry = current_entry->Flink;
+       }
+
+     address = (PVOID)((ULONG_PTR)address & ~0xC0000000);
+   } while(++i <= 1);
+
    return(FALSE);
 }
 #endif /* KDBG */
@@ -511,9 +518,9 @@
 
    if (ExceptionNr == 15)
      {
-       /* 
+       /*
         * FIXME:
-        *   This exception should never occur. The P6 has a bug, which
does sometimes deliver 
+        *   This exception should never occur. The P6 has a bug, which
does sometimes deliver
         *   the apic spurious interrupt as exception 15. On an
athlon64, I get one exception
         *   in the early boot phase in apic mode (using the smp build).
I've looked to the linux
         *   sources. Linux does ignore this exception.
@@ -941,7 +948,7 @@
     } _SEH_HANDLE {
         return(ExceptionCode);
     } _SEH_END;
-            
+
    OldEip = Thread->TrapFrame->Eip;
    Thread->TrapFrame->Eip =
(ULONG_PTR)LdrpGetSystemDllRaiseExceptionDispatcher();
    return((NTSTATUS)OldEip);
@@ -972,7 +979,7 @@
     /* Restore the user context */
     Thread->TrapFrame = PrevTrapFrame;
     __asm__("mov %%ebx, %%esp;\n" "jmp _KiServiceExit": :
"b"
(TrapFrame));
-    
+
     /* We never get here */
     return(STATUS_SUCCESS);
 }
  _____  

Modified: trunk/reactos/ntoskrnl/ldr/sysdll.c
--- trunk/reactos/ntoskrnl/ldr/sysdll.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/ldr/sysdll.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -144,7 +144,7 @@

 			    SECTION_ALL_ACCESS,
 			    NULL,
 			    NULL,
-			    PAGE_READWRITE,
+			    PAGE_READONLY,
 			    SEC_IMAGE | SEC_COMMIT,
 			    FileHandle);
    if (!NT_SUCCESS(Status))
  _____  

Modified: trunk/reactos/ntoskrnl/ob/handle.c
--- trunk/reactos/ntoskrnl/ob/handle.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/ob/handle.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -40,6 +40,8 @@

   ~(EX_HANDLE_ENTRY_PROTECTFROMCLOSE | EX_HANDLE_ENTRY_INHERITABLE |
\
   EX_HANDLE_ENTRY_AUDITONCLOSE)))
 
+#define GENERIC_ANY (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE |
GENERIC_ALL)
+
 /* FUNCTIONS
***************************************************************/
 
 VOID
@@ -548,7 +550,19 @@
    ObjectHeader = BODY_TO_HEADER(ObjectBody);
 
    ASSERT((ULONG_PTR)ObjectHeader & EX_HANDLE_ENTRY_LOCKED);
+   
+   if (GrantedAccess & MAXIMUM_ALLOWED)
+     {
+        GrantedAccess &= ~MAXIMUM_ALLOWED;
+        GrantedAccess |= GENERIC_ALL;
+     }
 
+   if (GrantedAccess & GENERIC_ANY)
+     {
+       RtlMapGenericMask(&GrantedAccess,
+		         ObjectHeader->ObjectType->Mapping);
+     }
+
    NewEntry.u1.Object = ObjectHeader;
    if(Inherit)
      NewEntry.u1.ObAttributes |= EX_HANDLE_ENTRY_INHERITABLE;
@@ -644,7 +658,6 @@
    POBJECT_HEADER ObjectHeader;
    PVOID ObjectBody;
    ACCESS_MASK GrantedAccess;
-   PGENERIC_MAPPING GenericMapping;
    ULONG Attributes;
    NTSTATUS Status;
    LONG ExHandle = HANDLE_TO_EX_HANDLE(Handle);
@@ -714,6 +727,13 @@
 	return(STATUS_OBJECT_TYPE_MISMATCH);
      }
    
+   /* desire as much access rights as possible */
+   if (DesiredAccess & MAXIMUM_ALLOWED)
+     {
+        DesiredAccess &= ~MAXIMUM_ALLOWED;
+        DesiredAccess |= GENERIC_ALL;
+     }
+   
    KeEnterCriticalRegion();
    
    HandleEntry =
ExMapHandleToPointer(PsGetCurrentProcess()->ObjectTable,
@@ -729,48 +749,53 @@
    ObjectBody = HEADER_TO_BODY(ObjectHeader);
    
    DPRINT("locked1: ObjectHeader: 0x%x [HT:0x%x]\n", ObjectHeader,
PsGetCurrentProcess()->ObjectTable);
-
-   ObReferenceObjectByPointer(ObjectBody,
-			      0,
-			      NULL,
-			      UserMode);
-   Attributes = HandleEntry->u1.ObAttributes &
(EX_HANDLE_ENTRY_PROTECTFROMCLOSE |
-
EX_HANDLE_ENTRY_INHERITABLE |
-
EX_HANDLE_ENTRY_AUDITONCLOSE);
-   GrantedAccess = HandleEntry->u2.GrantedAccess;
-   GenericMapping = ObjectHeader->ObjectType->Mapping;
-
+   
    if (ObjectType != NULL && ObjectType != ObjectHeader->ObjectType)
      {
         DPRINT("ObjectType mismatch: %wZ vs %wZ (handle 0x%x)\n",
&ObjectType->TypeName, ObjectHeader->ObjectType ?
&ObjectHeader->ObjectType->TypeName : NULL, Handle);
-        
+
         ExUnlockHandleTableEntry(PsGetCurrentProcess()->ObjectTable,
                                  HandleEntry);
 
         KeLeaveCriticalRegion();
-        ObDereferenceObject(ObjectBody);
-        
+
         return(STATUS_OBJECT_TYPE_MISMATCH);
      }
 
-   ExUnlockHandleTableEntry(PsGetCurrentProcess()->ObjectTable,
-                            HandleEntry);
+   /* map the generic access masks if the caller asks for generic
access */
+   if (DesiredAccess & GENERIC_ANY)
+     {
+        RtlMapGenericMask(&DesiredAccess,
+
BODY_TO_HEADER(ObjectBody)->ObjectType->Mapping);
+     }
    
-   KeLeaveCriticalRegion();
+   GrantedAccess = HandleEntry->u2.GrantedAccess;
    
-   if (DesiredAccess && AccessMode != KernelMode)
+   /* Unless running as KernelMode, deny access if caller desires more
access
+      rights than the handle can grant */
+   if(AccessMode != KernelMode && (~GrantedAccess & DesiredAccess))
      {
-	RtlMapGenericMask(&DesiredAccess, GenericMapping);
+        ExUnlockHandleTableEntry(PsGetCurrentProcess()->ObjectTable,
+                                 HandleEntry);
 
-	if (!(GrantedAccess & DesiredAccess) &&
-	    !((~GrantedAccess) & DesiredAccess))
-	  {
-             ObDereferenceObject(ObjectBody);
-	     CHECKPOINT;
-	     return(STATUS_ACCESS_DENIED);
-	  }
+        KeLeaveCriticalRegion();
+
+        return(STATUS_ACCESS_DENIED);
      }
 
+   ObReferenceObjectByPointer(ObjectBody,
+			      0,
+			      NULL,
+			      UserMode);
+   Attributes = HandleEntry->u1.ObAttributes &
(EX_HANDLE_ENTRY_PROTECTFROMCLOSE |
+
EX_HANDLE_ENTRY_INHERITABLE |
+
EX_HANDLE_ENTRY_AUDITONCLOSE);
+
+   ExUnlockHandleTableEntry(PsGetCurrentProcess()->ObjectTable,
+                            HandleEntry);
+   
+   KeLeaveCriticalRegion();
+
    if (HandleInformation != NULL)
      {
 	HandleInformation->HandleAttributes = Attributes;
@@ -838,9 +863,6 @@
   Access = DesiredAccess;
   ObjectHeader = BODY_TO_HEADER(Object);
 
-  RtlMapGenericMask(&Access,
-		    ObjectHeader->ObjectType->Mapping);
-
   return(ObCreateHandle(PsGetCurrentProcess(),
 			Object,
 			Access,
  _____  

Modified: trunk/reactos/ntoskrnl/ob/object.c
--- trunk/reactos/ntoskrnl/ob/object.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/ob/object.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -412,7 +412,7 @@

   else
     {
       Status =
ObReferenceObjectByHandle(ObjectAttributes->RootDirectory,
-					 DIRECTORY_TRAVERSE,
+					 0,
 					 NULL,
 					 UserMode,
 					 &CurrentObject,
  _____  

Modified: trunk/reactos/ntoskrnl/se/token.c
--- trunk/reactos/ntoskrnl/se/token.c	2005-03-19 18:31:14 UTC (rev
14196)
+++ trunk/reactos/ntoskrnl/se/token.c	2005-03-19 19:13:01 UTC (rev
14197)
@@ -1663,7 +1663,7 @@

 //				  &Length);
 
   Status = ObReferenceObjectByHandle (TokenHandle,
-				      TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY,
+				      TOKEN_ADJUST_PRIVILEGES |
(PreviousState != NULL ? TOKEN_QUERY : 0),
 				      SepTokenObjectType,
 				      PreviousMode,
 				      (PVOID*)&Token,
  _____  

Modified: trunk/reactos/subsys/smss/initwkdll.c
--- trunk/reactos/subsys/smss/initwkdll.c	2005-03-19 18:31:14 UTC
(rev 14196)
+++ trunk/reactos/subsys/smss/initwkdll.c	2005-03-19 19:13:01 UTC
(rev 14197)
@@ -60,7 +60,7 @@

 			     (HANDLE)Context,
 			     NULL);
   Status = NtOpenFile(&FileHandle,
-		      SYNCHRONIZE | FILE_EXECUTE,
+		      SYNCHRONIZE | FILE_EXECUTE | FILE_READ_DATA,
 		      &ObjectAttributes,
 		      &IoStatusBlock,
 		      FILE_SHARE_READ,
  _____  

Modified: trunk/reactos/subsys/system/services/database.c
--- trunk/reactos/subsys/system/services/database.c	2005-03-19
18:31:14 UTC (rev 14196)
+++ trunk/reactos/subsys/system/services/database.c	2005-03-19
19:13:01 UTC (rev 14197)
@@ -327,7 +327,7 @@

 			     NULL);
 
   Status = RtlpNtOpenKey(&ServicesKey,
-			 0x10001,
+			 KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS,
 			 &ObjectAttributes,
 			 0);
   if (!NT_SUCCESS(Status))
  _____  

Modified: trunk/reactos/subsys/system/winlogon/setup.c
--- trunk/reactos/subsys/system/winlogon/setup.c	2005-03-19
18:31:14 UTC (rev 14196)
+++ trunk/reactos/subsys/system/winlogon/setup.c	2005-03-19
19:13:01 UTC (rev 14197)
@@ -84,7 +84,7 @@

   dwError = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
 			 L"SYSTEM\\Setup", //TEXT("SYSTEM\\Setup"),
 			 0,
-			 KEY_QUERY_VALUE,
+			 KEY_SET_VALUE,
 			 &hKey);
   if (dwError != ERROR_SUCCESS)
     {



    