From: Alexandre Julliard Subject: Re: [PATCH] kernel32: CreateDirectory shouldn't return ERROR_ACCESS_DENIED for the root of the drive. Message-Id: <87r2endhwk.fsf@winehq.org> Date: Tue, 11 Dec 2018 19:42:35 +0100 In-Reply-To: <20181211212818.8896225eeabdde613c246766@baikal.ru> (Dmitry Timoshkov's message of "Tue, 11 Dec 2018 21:28:18 +0300") References: <20181211130332.df4244c0451dcacab0fe4803@baikal.ru> <87sgz4dvei.fsf@winehq.org> <20181211201105.76ef4080e7f8efe0f2fa7289@baikal.ru> <87ftv4dln2.fsf@winehq.org> <20181211203029.d3762dae4ee03b8ea1f8ebfe@baikal.ru> <87a7lcdktn.fsf@winehq.org> <20181211204947.a155ff764f266f9a7ce0b002@baikal.ru> <874lbkdjvj.fsf@winehq.org> <20181211211230.f8add8b3d9caa8e7587af17a@baikal.ru> <87y38wc4fp.fsf@winehq.org> <20181211212818.8896225eeabdde613c246766@baikal.ru> Dmitry Timoshkov writes: > Alexandre Julliard wrote: > >> >> >> >> >> > According to the testbot results CreateDirectory("C:\\", NULL) fails >> >> >> >> >> > with ERROR_ACCESS_DENIED for not administrators. However with UAC enabled >> >> >> >> >> > and not and administrator account I get ERROR_ALREADY_EXISTS in that case >> >> >> >> >> > with Windows 7 64-bit running on real hardware. Moreover, Wine doesn't >> >> >> >> >> > really perform any access checks in that case and blindly assumes that >> >> >> >> >> > returning STATUS_ACCESS_DENIED is correct behaviour for the drive's root: >> >> >> >> >> > dlls/ntdll/directory.c,lookup_unix_name(). >> >> >> >> >> > >> >> >> >> >> > This patch fixes an application that can't find its data files because >> >> >> >> >> > after it receives ERROR_ACCESS_DENIED it stops further directory traversing. >> >> >> >> >> >> >> >> >> >> What app is that? Does it fail on Windows when not administrator? >> >> >> >> > >> >> >> >> > The application doesn't fail on Windows, and as I mentioned above under >> >> >> >> > a not administrator account and UAC enabled I don't get ERROR_ACCESS_DENIED >> >> >> >> > error with the tests included in the patch. >> >> >> >> >> >> >> >> Your tests get ERROR_ACCESS_DENIED on every single testbot vm except >> >> >> >> w8adm, so that's not very convincing... Is the app going to fail on all >> >> >> >> these vms? >> >> >> > >> >> >> > I'd guess if the CreateDirectory("C:\") returns ERROR_ACCESS_DENIED >> >> >> > then the app would fail. It's not clear how the VMs are configured >> >> >> > and why I don't get ERROR_ACCESS_DENIED on real hardware under a not >> >> >> > admin account, but it should be pretty obvious that since Wine doesn't >> >> >> > perform any real administrator access checks, and if it would the checks >> >> >> > should be done on the server side, ntdll checks shouldn't return access >> >> >> > denied error. >> >> >> >> >> >> It's also pretty obvious that this check was added for a reason, so it >> >> >> would need a more convincing argument to remove it. >> >> > >> >> > Do you recall the reason why that check was added? I can't find any >> >> > specific test case for this behaviour either. >> >> >> >> As far as I can tell, you added it ;-) >> >> >> >> https://source.winehq.org/git/wine.git/commit/d75aed2c92435e8ae4d5c260e31e815ee77db34b >> > >> > This doesn't look right, especially without any reasonable explanation. >> > Considering that now we have an application that depends on this, can >> > that change be reverted? >> >> I'd like to see some more convincing test cases. > > Sure, I can add more tests. Do you have a suggestion what kind of checks > they should perform? I tried to find an existing test that somehow elevates > privileges and then executes CreateDirecory tests, but couldn't find such > a test. It's possible that elevating privileges would avoid the access denied error, but that doesn't explain why the app would work on Windows, unless it also elevates privileges itself. Does it? And FWIW I'm getting access denied on Vista even running as administrator. If the behavior changed in recent Windows that would also need specific tests. -- Alexandre Julliard julliard@winehq.org