Move the restricted_acl flag into winsecur.c.

It's silly to set it at each call site of restrict_process_acl() if that function returns success! More sensible to have it be a flag in the same source file as restrict_process_acl(), set as an automatic _side effect_ of success. I've renamed the variable itself, and the global name 'restricted_acl' is now a query function that asks winsecur.c whether that operation has been (successfully) performed.
2025-01-09 09:27:59 +00:00 · 2020-02-02 10:00:42 +00:00 · 2020-02-02 10:00:42 +00:00 · 3cb86d9fa8
commit 3cb86d9fa8
parent 6f0adb243a
6 changed files with 9 additions and 8 deletions
--- a/cmdline.c
+++ b/cmdline.c
@ -845,7 +845,6 @@ int cmdline_process_param(const char *p, char *value,
        !strcmp(p, "-restrictacl")) {
        RETURN(1);
        restrict_process_acl();
-        restricted_acl = true;
    }
 #endif

--- a/windows/window.c
+++ b/windows/window.c
@ -561,7 +561,6 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
            (!p[2] || p[2] == '@' || p[2] == '&')) {
            /* &R restrict-acl prefix */
            restrict_process_acl();
-            restricted_acl = true;
            p += 2;
        }

@ -866,7 +865,7 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
        }
    }

-    if (restricted_acl) {
+    if (restricted_acl()) {
        lp_eventlog(win_gui_logpolicy, "Running with restricted process ACL");
    }

@ -2224,7 +2223,7 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
                PROCESS_INFORMATION pi;
                HANDLE filemap = NULL;

-                if (restricted_acl)
+                if (restricted_acl())
                    argprefix = "&R";
                else
                    argprefix = "";
--- a/windows/winplink.c
+++ b/windows/winplink.c
@ -404,7 +404,7 @@ int main(int argc, char **argv)
            return 1;
    }

-    if (restricted_acl) {
+    if (restricted_acl()) {
        lp_eventlog(console_cli_logpolicy,
                    "Running with restricted process ACL");
    }
--- a/windows/winsecur.c
+++ b/windows/winsecur.c
@ -228,6 +228,9 @@ bool make_private_security_descriptor(DWORD permissions,
    return ret;
 }

+static bool acl_restricted = false;
+bool restricted_acl(void) { return acl_restricted; }
+
 static bool really_restrict_process_acl(char **error)
 {
    EXPLICIT_ACCESS ea[2];
@ -278,7 +281,7 @@ static bool really_restrict_process_acl(char **error)
        goto cleanup;
    }

-
+    acl_restricted = true;
    ret=true;

  cleanup:
--- a/windows/winsftp.c
+++ b/windows/winsftp.c
@ -714,7 +714,7 @@ char *ssh_sftp_get_cmdline(const char *prompt, bool no_fds_ok)

 void platform_psftp_pre_conn_setup(LogPolicy *lp)
 {
-    if (restricted_acl) {
+    if (restricted_acl()) {
        lp_eventlog(lp, "Running with restricted process ACL");
    }
 }
--- a/windows/winstuff.h
+++ b/windows/winstuff.h
@ -587,7 +587,7 @@ void dll_hijacking_protection(void);
 HMODULE load_system32_dll(const char *libname);
 const char *win_strerror(int error);
 void restrict_process_acl(void);
-GLOBAL bool restricted_acl;
+bool restricted_acl(void);
 void escape_registry_key(const char *in, strbuf *out);
 void unescape_registry_key(const char *in, strbuf *out);