From: Joris van der Wel <joris@jorisvanderwel.com>
Subject: [1/4] server: A new function "set_sd_defaults_from_token".
Message-Id: <CA+CeSBdDpnf=yy06kzzr1drwYZOxCKj4WMHcDfryC8sbxvmm7w@mail.gmail.com>
Date: Wed, 17 Sep 2014 16:18:01 +0200

server: A new function "set_sd_defaults_from_token".

It sets the security descriptor along with a token that will be used
to gather defaults, instead of always using the primary token.

Some objects take their defaults not from a primary token but from a
different one (such as from the impersonation token or the process
token).
This function can be used to create the various set_sd implementations
for the objects that need it.
As a bonus, a NULL token will skip setting any defaults, this is
useful for object implementations that would like to set their
defaults _only_ upon creation.
---
 server/object.c | 25 ++++++++++++++++---------
 server/object.h |  2 ++
 2 files changed, 18 insertions(+), 9 deletions(-)

From cc97171400f5a8b1a92ce814983ae8ad512b3111 Mon Sep 17 00:00:00 2001
From: Joris van der Wel <joris@jorisvanderwel.com>
Date: Wed, 17 Sep 2014 15:35:26 +0200
Subject: server: A new function "set_sd_defaults_from_token".

It sets the security descriptor along with a token that will be used to gather defaults, instead of always using the primary token.

Some objects take their defaults not from a primary token but from a different one (such as from the impersonation token or the process token).
This function can be used to create the various set_sd implementations for the objects that need it.
As a bonus, a NULL token will skip setting any defaults, this is useful for object implementations that would like to set their defaults _only_ upon creation.
---
 server/object.c | 25 ++++++++++++++++---------
 server/object.h |  2 ++
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/server/object.c b/server/object.c
index 11ef0ce..ec196c1 100644
--- a/server/object.c
+++ b/server/object.c
@@ -423,12 +423,12 @@ struct security_descriptor *default_get_sd( struct object *obj )
     return obj->sd;
 }
 
-int default_set_sd( struct object *obj, const struct security_descriptor *sd,
-                    unsigned int set_info )
+int set_sd_defaults_from_token( struct object *obj, const struct security_descriptor *sd,
+                                unsigned int set_info, struct token *token )
 {
     struct security_descriptor new_sd, *new_sd_ptr;
     int present;
-    const SID *owner, *group;
+    const SID *owner = NULL, *group = NULL;
     const ACL *sacl, *dacl;
     char *ptr;
 
@@ -446,9 +446,9 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
         owner = sd_get_owner( obj->sd );
         new_sd.owner_len = obj->sd->owner_len;
     }
-    else
+    else if (token)
     {
-        owner = token_get_user( current->process->token );
+        owner = token_get_user( token );
         new_sd.owner_len = security_sid_len( owner );
     }
 
@@ -462,9 +462,9 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
         group = sd_get_group( obj->sd );
         new_sd.group_len = obj->sd->group_len;
     }
-    else
+    else if (token)
     {
-        group = token_get_primary_group( current->process->token );
+        group = token_get_primary_group( token );
         new_sd.group_len = security_sid_len( group );
     }
 
@@ -494,9 +494,9 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
 
         if (obj->sd && present)
             new_sd.dacl_len = obj->sd->dacl_len;
-        else
+        else if (token)
         {
-            dacl = token_get_default_dacl( current->process->token );
+            dacl = token_get_default_dacl( token );
             new_sd.dacl_len = dacl->AclSize;
         }
     }
@@ -521,6 +521,13 @@ int default_set_sd( struct object *obj, const struct security_descriptor *sd,
     return 1;
 }
 
+/** Set the security descriptor using the current primary token for defaults. */
+int default_set_sd( struct object *obj, const struct security_descriptor *sd,
+                    unsigned int set_info )
+{
+    return set_sd_defaults_from_token( obj, sd, set_info, current->process->token );
+}
+
 struct object *no_lookup_name( struct object *obj, struct unicode_str *name,
                                unsigned int attr )
 {
diff --git a/server/object.h b/server/object.h
index bb3ff21..7201ff9 100644
--- a/server/object.h
+++ b/server/object.h
@@ -139,6 +139,8 @@ extern struct fd *no_get_fd( struct object *obj );
 extern unsigned int no_map_access( struct object *obj, unsigned int access );
 extern struct security_descriptor *default_get_sd( struct object *obj );
 extern int default_set_sd( struct object *obj, const struct security_descriptor *sd, unsigned int set_info );
+extern int set_sd_defaults_from_token( struct object *obj, const struct security_descriptor *sd, 
+                                       unsigned int set_info, struct token *token );
 extern struct object *no_lookup_name( struct object *obj, struct unicode_str *name, unsigned int attributes );
 extern struct object *no_open_file( struct object *obj, unsigned int access, unsigned int sharing,
                                     unsigned int options );
-- 
1.8.1.msysgit.1