On 03/26/15 17:59, Erich E. Hoover wrote:
I do not believe this is the correct place to make this change. Inheritance still needs to occur even when SetSecurityInfo is not used, which pretty much means it has to be within the wineserver itself so that the same code can be used for CreateFile. The code I put together for this (as written it is somewhat dependent on my other ACL code) can be found here: https://github.com/wine-compholio/wine-staging/tree/master/patches/server-In...
The first patch is for CreateFile and the second one is for SetSecurityInfo. I'm happy to try and change this to help you solve your problem without my other ACL code, it's been on my TODO list anyway - I've just been too busy with work lately :/
On windows the inheritance code is inside ntmarta.dll (according to some Microsoft docs). Probably Microsoft uses ntmarta.dll inside advapi. But I don't think we want to be compatible with native dlls in this case.
The inheritance doesn't occur when function from ntdll are used for setting DACL. This makes your code inside server incorrect. Also your code is not checking handle permissions correctly. If you try to test it keep in mind that if correct inheritance flags are set in security descriptor control field the permissions will be filled when you right-click on file and display security properties on windows.
I see 3 ways of implementing the DACLs inheritance: 1) add a server call that does the inheritance in this case there's no code duplication between CreateFile and SetFileInformation, also it's possible to skip the inheritance when NtSetSecurityObject is used directly 2) duplicate inheritance code inside advapi and ntdll/server I think this is the best solution. The code that merges 2 DACLs has only ~36 lines in my implementation. The code for getting parent directory DACL is also not long (~30 lines). This code may get longer in future (when we have complete support for security descriptors). 3) implement something like ntmarta.dll This will need much more testing. I'm also not sure if it can be used from ntdll at all.
What do you think about it?
Thanks, Piotr
P.S. this patches fixes some real installers (TEMSInvestigation 16.1.1 (fails), Uru - Ages Beyond Myst (fails to remove some temporary files))