/* create PublicDefaultDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
- (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
GENERIC_ALL,
SeLocalSystemSid);
+ RtlAddAccessAllowedAce(SePublicDefaultDacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeAliasAdminsSid);
+
/* create PublicDefaultUnrestrictedDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
NTSTATUS
SepPropagateAcl(
- _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
+ _Out_writes_bytes_opt_(AclLength) PACL AclDest,
_Inout_ PULONG AclLength,
_In_reads_bytes_(AclSource->AclSize) PACL AclSource,
_In_ PSID Owner,
PSID Sid;
BOOLEAN WriteTwoAces;
- if (AclSource->AclRevision != ACL_REVISION)
- {
- NT_ASSERT(AclSource->AclRevision == ACL_REVISION);
- return STATUS_UNKNOWN_REVISION;
- }
-
- NT_ASSERT(AclSource->AclSize % sizeof(ULONG) == 0);
- NT_ASSERT(AclSource->Sbz1 == 0);
- NT_ASSERT(AclSource->Sbz2 == 0);
+ ASSERT(RtlValidAcl(AclSource));
+ ASSERT(AclSource->AclSize % sizeof(ULONG) == 0);
+ ASSERT(AclSource->Sbz1 == 0);
+ ASSERT(AclSource->Sbz2 == 0);
Written = 0;
if (*AclLength >= Written + sizeof(ACL))
CurrentSource = (PUCHAR)(AclSource + 1);
for (i = 0; i < AclSource->AceCount; i++)
{
- NT_ASSERT((ULONG_PTR)CurrentDest % sizeof(ULONG) == 0);
- NT_ASSERT((ULONG_PTR)CurrentSource % sizeof(ULONG) == 0);
+ ASSERT((ULONG_PTR)CurrentDest % sizeof(ULONG) == 0);
+ ASSERT((ULONG_PTR)CurrentSource % sizeof(ULONG) == 0);
AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
AceSource = (PACCESS_ALLOWED_ACE)CurrentSource;
+ if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE)
+ {
+ /* FIXME: handle object & compound ACEs */
+ AceSize = AceSource->Header.AceSize;
+
+ if (*AclLength >= Written + AceSize)
+ {
+ RtlCopyMemory(AceDest, AceSource, AceSize);
+ }
+ CurrentDest += AceSize;
+ CurrentSource += AceSize;
+ Written += AceSize;
+ AceCount++;
+ continue;
+ }
+
/* These all have the same structure */
- NT_ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE ||
- AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
- AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE);
+ ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE ||
+ AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
+ AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE ||
+ AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE);
- NT_ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
- NT_ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));
+ ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
+ ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));
if (!SepShouldPropagateAce(AceSource->Header.AceFlags,
&AceFlags,
IsInherited,
AceSize = AceSource->Header.AceSize;
Mask = AceSource->Mask;
Sid = (PSID)&AceSource->SidStart;
- NT_ASSERT(AceSize >= FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(Sid));
+ ASSERT(AceSize >= FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(Sid));
WriteTwoAces = FALSE;
/* Map effective ACE to specific rights */
*IsInherited,
IsDirectoryObject,
GenericMapping);
- NT_ASSERT(Status == STATUS_BUFFER_TOO_SMALL);
+ ASSERT(Status == STATUS_BUFFER_TOO_SMALL);
/* Use the parent ACL only if it's not empty */
if (*AclLength != sizeof(ACL))
*IsInherited,
IsDirectoryObject,
GenericMapping);
- NT_ASSERT(Status == STATUS_BUFFER_TOO_SMALL);
+ ASSERT(Status == STATUS_BUFFER_TOO_SMALL);
}
return Acl;
}