From: Jeffrey Altman <jaltman@your-file-system.com>
Date: Tue, 20 Nov 2012 06:23:08 +0000 (-0500)
Subject: Windows: QuerySecurity deny access to SACL
X-Git-Tag: upstream/1.8.0_pre1^2~1796
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=5acf8b7f98ecd3daa721e60b49c7a582c7ce3b8d;p=packages%2Fo%2Fopenafs.git

Windows: QuerySecurity deny access to SACL

The SACL requires System Access Level.  Requests for SACL by
end user applications must be denied.  Permit access to Owner,
Group, DACL and Label but not SACL.

This change permits executables to be initiated from drive
letter mappings.

Change-Id: Ibf847261f0c36dc7b6175b0536657161158cd44f
Reviewed-on: http://gerrit.openafs.org/8483
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Rod Widdowson <rdw@steadingsoftware.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
---

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp b/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
index c15d32b8e..52990fcbd 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
@@ -82,16 +82,52 @@ AFSQuerySecurity( IN PDEVICE_OBJECT LibDeviceObject,
     PMDL pUserBufferMdl = NULL;
     void *pLockedUserBuffer = NULL;
     ULONG ulSDLength = 0;
+    SECURITY_INFORMATION SecurityInformation;
+    PFILE_OBJECT pFileObject;
+    AFSFcb *pFcb = NULL;
+    AFSCcb *pCcb = NULL;
 
     __try
     {
 
         pIrpSp = IoGetCurrentIrpStackLocation( Irp);
 
+        SecurityInformation = pIrpSp->Parameters.QuerySecurity.SecurityInformation;
+
+        pFileObject = pIrpSp->FileObject;
+
+        pFcb = (AFSFcb *)pFileObject->FsContext;
+
+        pCcb = (AFSCcb *)pFileObject->FsContext2;
+
         AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                       AFS_TRACE_LEVEL_VERBOSE,
-                      "AFSQuerySecurity Entry for FO %08lX\n",
-                      pIrpSp->FileObject);
+                      "AFSQuerySecurity (%08lX) Entry for FO %08lX SI %08lX\n",
+                      Irp,
+                      pFileObject,
+                      SecurityInformation);
+
+        if( pFcb == NULL)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) when pFcb == NULL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_INVALID_DEVICE_REQUEST);
+        }
+
+        if ( SecurityInformation & SACL_SECURITY_INFORMATION)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) SACL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_ACCESS_DENIED);
+        }
 
         if( AFSDefaultSD == NULL)
         {