+Wed Dec 20 13:37:00 2000 Corinna Vinschen <corinna@vinschen.de>
+
+ * autoload.cc: Add load statemant for SetSecurityDescriptorControl.
+ * security.cc (alloc_sd): Always set SE_DACL_PROTECTED flag on
+ Win2K and higher.
+
Wed Dec 20 01:02:13 2000 Christopher Faylor <cgf@cygnus.com>
* exceptions.cc (reset_signal_arrived): Make global to avoid inlining.
LoadDLLfunc (ReportEventA, 36, advapi32)
LoadDLLfunc (RevertToSelf, 0, advapi32)
LoadDLLfunc (SetKernelObjectSecurity, 12, advapi32)
+LoadDLLfunc (SetSecurityDescriptorControl, 12, advapi32)
LoadDLLfunc (SetSecurityDescriptorDacl, 16, advapi32)
LoadDLLfunc (SetSecurityDescriptorGroup, 12, advapi32)
LoadDLLfunc (SetSecurityDescriptorOwner, 12, advapi32)
return NULL;
}
+ /*
+ * We set the SE_DACL_PROTECTED flag here to prevent the DACL from being modified
+ * by inheritable ACEs.
+ * This flag as well as the SetSecurityDescriptorControl call are available only
+ * since Win2K.
+ */
+ static int win2KorHigher = -1;
+ if (win2KorHigher == -1)
+ {
+ DWORD version = GetVersion ();
+ win2KorHigher = (version & 0x80000000) || (version & 0xff) < 5 ? 0 : 1;
+ }
+ if (win2KorHigher > 0)
+ SetSecurityDescriptorControl (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
+
/* Create owner for local security descriptor. */
if (! SetSecurityDescriptorOwner(&sd, owner_sid, FALSE))
{