Robert Shearman wrote:
Vitaliy Margolen wrote:
- req->process_access = PROCESS_ALL_ACCESS; + req->process_access = MAXIMUM_ALLOWED | PROCESS_ALL_ACCESS; req->process_attr = (psa && (psa->nLength >= sizeof(*psa)) && psa->bInheritHandle) ? OBJ_INHERIT : 0; - req->thread_access = THREAD_ALL_ACCESS; + req->thread_access = MAXIMUM_ALLOWED | THREAD_ALL_ACCESS;
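Review bot: Both new assignments, req->process_access and req->thread_access, OR MAXIMUM_ALLOWED with the full *_ALL_ACCESS mask without any comment, so a reader cannot tell from the code whether the handle is meant to receive every right or only the rights the object permits. Add a short comment at each assignment saying which behaviour is intended and why both flags are needed together.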
This looks wrong/confusing. I don't think MAXIMUM_ALLOWED does anything more when or'd with specific access rights.
Well, that's the price to pay for not having a security descriptor in every object. We can't use PROCESS_ALL_ACCESS here. I have a few apps that purposely restrict some access and fail when we can't create the handle here. But we can't just use MAXIMUM_ALLOWED either, because then it won't be mapped into an access mask when no SD is specified for the object.

Vitaliy.