[BASESRV] Strengthen default permissions for DOS devices

This is linked to previous work done on DOS devices creation
in basesrv. If this DWORD is not set (or 0), DOS devices will
be created with an ACL that make the symlink readable by any
and modifiable by any.
With protection mode set, the symlink will be still readable by
any but not modifiable by anyone but the owner.

This should also affect some objects managed by session manager.

By default, on W2K3, that protection mode is set.

diff --git a/boot/bootdata/hivesys.inf b/boot/bootdata/hivesys.inf
index 68d23cf..081352f 100644 (file)
--- a/boot/bootdata/hivesys.inf
+++ b/boot/bootdata/hivesys.inf
@@ -1442,6 +1442,7 @@ HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager","GlobalFlag", 0x00010003
 HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager","ObjectDirectories",0x00010000, \
  "\Windows", \
  "\RPC Control"
+HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager","ProtectionMode", 0x00010003, 0x00000001
 
 ; DOS devices
 HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices","AUX",0x00000002,"\DosDevices\COM1"