From: Dmitry Timoshkov Subject: Re: [PATCH] kernel32: CreateDirectory shouldn't return ERROR_ACCESS_DENIED for the root of the drive. Message-Id: <20181211231904.98060f1658580b98c6b51479@baikal.ru> Date: Tue, 11 Dec 2018 23:19:04 +0300 In-Reply-To: <87r2endhwk.fsf@winehq.org> References: <20181211130332.df4244c0451dcacab0fe4803@baikal.ru> <87sgz4dvei.fsf@winehq.org> <20181211201105.76ef4080e7f8efe0f2fa7289@baikal.ru> <87ftv4dln2.fsf@winehq.org> <20181211203029.d3762dae4ee03b8ea1f8ebfe@baikal.ru> <87a7lcdktn.fsf@winehq.org> <20181211204947.a155ff764f266f9a7ce0b002@baikal.ru> <874lbkdjvj.fsf@winehq.org> <20181211211230.f8add8b3d9caa8e7587af17a@baikal.ru> <87y38wc4fp.fsf@winehq.org> <20181211212818.8896225eeabdde613c246766@baikal.ru> <87r2endhwk.fsf@winehq.org> Alexandre Julliard wrote: > >> >> >> >> >> > According to the testbot results CreateDirectory("C:\\", NULL) fails > >> >> >> >> >> > with ERROR_ACCESS_DENIED for not administrators. However with UAC enabled > >> >> >> >> >> > and not and administrator account I get ERROR_ALREADY_EXISTS in that case > >> >> >> >> >> > with Windows 7 64-bit running on real hardware. Moreover, Wine doesn't > >> >> >> >> >> > really perform any access checks in that case and blindly assumes that > >> >> >> >> >> > returning STATUS_ACCESS_DENIED is correct behaviour for the drive's root: > >> >> >> >> >> > dlls/ntdll/directory.c,lookup_unix_name(). > >> >> >> >> >> > > >> >> >> >> >> > This patch fixes an application that can't find its data files because > >> >> >> >> >> > after it receives ERROR_ACCESS_DENIED it stops further directory traversing. > >> >> >> >> >> > >> >> >> >> >> What app is that? Does it fail on Windows when not administrator? > >> >> >> >> > > >> >> >> >> > The application doesn't fail on Windows, and as I mentioned above under > >> >> >> >> > a not administrator account and UAC enabled I don't get ERROR_ACCESS_DENIED > >> >> >> >> > error with the tests included in the patch. > >> >> >> >> > >> >> >> >> Your tests get ERROR_ACCESS_DENIED on every single testbot vm except > >> >> >> >> w8adm, so that's not very convincing... Is the app going to fail on all > >> >> >> >> these vms? > >> >> >> > > >> >> >> > I'd guess if the CreateDirectory("C:\") returns ERROR_ACCESS_DENIED > >> >> >> > then the app would fail. It's not clear how the VMs are configured > >> >> >> > and why I don't get ERROR_ACCESS_DENIED on real hardware under a not > >> >> >> > admin account, but it should be pretty obvious that since Wine doesn't > >> >> >> > perform any real administrator access checks, and if it would the checks > >> >> >> > should be done on the server side, ntdll checks shouldn't return access > >> >> >> > denied error. > >> >> >> > >> >> >> It's also pretty obvious that this check was added for a reason, so it > >> >> >> would need a more convincing argument to remove it. > >> >> > > >> >> > Do you recall the reason why that check was added? I can't find any > >> >> > specific test case for this behaviour either. > >> >> > >> >> As far as I can tell, you added it ;-) > >> >> > >> >> https://source.winehq.org/git/wine.git/commit/d75aed2c92435e8ae4d5c260e31e815ee77db34b > >> > > >> > This doesn't look right, especially without any reasonable explanation. > >> > Considering that now we have an application that depends on this, can > >> > that change be reverted? > >> > >> I'd like to see some more convincing test cases. > > > > Sure, I can add more tests. Do you have a suggestion what kind of checks > > they should perform? I tried to find an existing test that somehow elevates > > privileges and then executes CreateDirecory tests, but couldn't find such > > a test. > > It's possible that elevating privileges would avoid the access denied > error, but that doesn't explain why the app would work on Windows, > unless it also elevates privileges itself. Does it? According to the log the doesn't elevate the privileges. > And FWIW I'm getting access denied on Vista even running as > administrator. If the behavior changed in recent Windows that would also > need specific tests. I just tested it under XP in a VM and I also get the access denied errors for both an ordinal user and an administrator. So it looks like the behaviour has changed (unless running in a VirtualBox changes the behaviour of a file system). -- Dmitry.