[hpoussin] 24533: Correctly return FALSE in SeAccessCheck if access is not granted Don't always check the first ace in the DACL
15 Oct
2006
15 Oct
'06
11:31 p.m.
Author: hpoussin
Date: Mon Oct 16 03:31:16 2006
New Revision: 24533
URL: http://svn.reactos.org/svn/reactos?rev=24533&view=rev
Log:
Correctly return FALSE in SeAccessCheck if access is not granted
Don't always check the first ace in the DACL
Modified:
trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=24…
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c Mon Oct 16 03:31:16 2006
@@ -997,7 +997,7 @@
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
- return TRUE;
+ return FALSE;
}
/* RULE 4: Grant rights according to the DACL */
@@ -1016,17 +1016,20 @@
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
- return TRUE;
+ return FALSE;
}
}
- if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
+ else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
CurrentAccess |= CurrentAce->AccessMask;
}
}
+ else
+ DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
+ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
if (SubjectContextLocked == FALSE)
@@ -1039,10 +1042,18 @@
*GrantedAccess = CurrentAccess & DesiredAccess;
- *AccessStatus =
- (*GrantedAccess == DesiredAccess) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
-
- return TRUE;
+ if (*GrantedAccess == DesiredAccess)
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
+ *GrantedAccess, DesiredAccess);
+ return TRUE; /* FIXME: should be FALSE */
+ }
}
6550
days inactive
6550
days old
0 comments
1 participants
participants (1)
-
hpoussin@svn.reactos.org