+int setprocessacl(char *error)
+{
+ EXPLICIT_ACCESS ea[2];
+ int acl_err;
+ int ret=FALSE;
+ PACL acl = NULL;
+
+ static const DWORD nastyace=WRITE_DAC | WRITE_OWNER |
+ PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD |
+ PROCESS_DUP_HANDLE |
+ PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION |
+ PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
+ PROCESS_SUSPEND_RESUME;
+
+ if (!getsids(error))
+ goto cleanup;
+
+ memset(ea, 0, sizeof(ea));
+
+ /* Everyone: deny */
+ ea[0].grfAccessPermissions = nastyace;
+ ea[0].grfAccessMode = DENY_ACCESS;
+ ea[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
+ ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ ea[0].Trustee.ptstrName = (LPTSTR)worldsid;
+
+ /* User: user ace */
+ ea[1].grfAccessPermissions = ~nastyace & 0x1fff;
+ ea[1].grfAccessMode = GRANT_ACCESS;
+ ea[1].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
+ ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ ea[1].Trustee.ptstrName = (LPTSTR)usersid;
+
+ acl_err = p_SetEntriesInAclA(2, ea, NULL, &acl);
+
+ if (acl_err != ERROR_SUCCESS || acl == NULL) {
+ error = dupprintf("unable to construct ACL: %s",
+ win_strerror(acl_err));
+ goto cleanup;
+ }
+
+ if (ERROR_SUCCESS != p_SetSecurityInfo
+ (GetCurrentProcess(), SE_KERNEL_OBJECT,
+ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+ usersid, NULL, acl, NULL)) {
+ error=dupprintf("Unable to set process ACL: %s",
+ win_strerror(GetLastError()));
+ goto cleanup;
+ }
+
+
+ ret=TRUE;
+
+ cleanup:
+ if (!ret) {
+ if (acl) {
+ LocalFree(acl);
+ acl = NULL;
+ }
+ }
+ return ret;
+}