Re: kernel32: Don't require full access to the newly created process and thread.
Vitaliy Margolen wrote:
- req->process_access = PROCESS_ALL_ACCESS; + req->process_access = MAXIMUM_ALLOWED | PROCESS_ALL_ACCESS; req->process_attr = (psa && (psa->nLength >= sizeof(*psa)) && psa->bInheritHandle) ? OBJ_INHERIT : 0; - req->thread_access = THREAD_ALL_ACCESS; + req->thread_access = MAXIMUM_ALLOWED | THREAD_ALL_ACCESS;
This looks wrong/confusing. I don't think MAXIMUM_ALLOWED does anything more when or'd with specific access rights. -- Rob Shearman
Robert Shearman wrote:
Vitaliy Margolen wrote:
- req->process_access = PROCESS_ALL_ACCESS; + req->process_access = MAXIMUM_ALLOWED | PROCESS_ALL_ACCESS; req->process_attr = (psa && (psa->nLength >= sizeof(*psa)) && psa->bInheritHandle) ? OBJ_INHERIT : 0; - req->thread_access = THREAD_ALL_ACCESS; + req->thread_access = MAXIMUM_ALLOWED | THREAD_ALL_ACCESS;
This looks wrong/confusing. I don't think MAXIMUM_ALLOWED does anything more when or'd with specific access rights.
Well that's the price to pay for not having security descriptor in every object. We can't use PROCESS_ALL_ACCESS here. I have few apps that purposely restrict some access. And fail when we can't create handle here. But we can't just use MAXIMUM_ALLOWED either. Because then it won't be mapped into access mask when no SD is specified for the object. Vitaliy.
Robert Shearman wrote:
Vitaliy Margolen wrote:
- req->process_access = PROCESS_ALL_ACCESS; + req->process_access = MAXIMUM_ALLOWED | PROCESS_ALL_ACCESS; req->process_attr = (psa && (psa->nLength >= sizeof(*psa)) && psa->bInheritHandle) ? OBJ_INHERIT : 0; - req->thread_access = THREAD_ALL_ACCESS; + req->thread_access = MAXIMUM_ALLOWED | THREAD_ALL_ACCESS;
This looks wrong/confusing. I don't think MAXIMUM_ALLOWED does anything more when or'd with specific access rights.
I will replace it with another patch. Thank you. Vitaliy.
participants (2)
-
Robert Shearman -
Vitaliy Margolen