]> git.michaelhowe.org Git - packages/o/openafs.git/commitdiff
projects / packages / o / openafs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6d37315)
Windows: QuerySecurity deny access to SACL
authorJeffrey Altman <jaltman@your-file-system.com>
Tue, 20 Nov 2012 06:23:08 +0000 (01:23 -0500)
committerJeffrey Altman <jaltman@your-file-system.com>
Fri, 23 Nov 2012 15:48:49 +0000 (07:48 -0800)
The SACL requires System Access Level.  Requests for SACL by
end user applications must be denied.  Permit access to Owner,
Group, DACL and Label but not SACL.

This change permits executables to be initiated from drive
letter mappings.

Change-Id: Ibf847261f0c36dc7b6175b0536657161158cd44f
Reviewed-on: http://gerrit.openafs.org/8483
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Rod Widdowson <rdw@steadingsoftware.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp patch | blob | history

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp b/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
index c15d32b8e88efe2a041885bc744dd51a23f648a2..52990fcbdc7262c67ac450b3b0c7c63c2d074642 100644 (file)
--- a/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
@@ -82,16 +82,52 @@ AFSQuerySecurity( IN PDEVICE_OBJECT LibDeviceObject,
     PMDL pUserBufferMdl = NULL;
     void *pLockedUserBuffer = NULL;
     ULONG ulSDLength = 0;
+    SECURITY_INFORMATION SecurityInformation;
+    PFILE_OBJECT pFileObject;
+    AFSFcb *pFcb = NULL;
+    AFSCcb *pCcb = NULL;
 
     __try
     {
 
         pIrpSp = IoGetCurrentIrpStackLocation( Irp);
 
+        SecurityInformation = pIrpSp->Parameters.QuerySecurity.SecurityInformation;
+
+        pFileObject = pIrpSp->FileObject;
+
+        pFcb = (AFSFcb *)pFileObject->FsContext;
+
+        pCcb = (AFSCcb *)pFileObject->FsContext2;
+
         AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                       AFS_TRACE_LEVEL_VERBOSE,
-                      "AFSQuerySecurity Entry for FO %08lX\n",
-                      pIrpSp->FileObject);
+                      "AFSQuerySecurity (%08lX) Entry for FO %08lX SI %08lX\n",
+                      Irp,
+                      pFileObject,
+                      SecurityInformation);
+
+        if( pFcb == NULL)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) when pFcb == NULL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_INVALID_DEVICE_REQUEST);
+        }
+
+        if ( SecurityInformation & SACL_SECURITY_INFORMATION)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) SACL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_ACCESS_DENIED);
+        }
 
         if( AFSDefaultSD == NULL)
         {