search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
advapi32/tests: Allow ERROR_ACCESS_DENIED for newer Win10.
[wine.git] / dlls / advapi32 / tests / security.c
blob41b1fe0713bb6d4be1beab5741f132d01a20befd
1 /*
2 * Unit tests for security functions
3 *
4 * Copyright (c) 2004 Mike McCormack
5 * Copyright (c) 2011 Dmitry Timoshkov
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include <stdarg.h>
23 #include <stdio.h>
24
25 #include "ntstatus.h"
26 #define WIN32_NO_STATUS
27 #include "windef.h"
28 #include "winbase.h"
29 #include "winerror.h"
30 #include "winternl.h"
31 #include "aclapi.h"
32 #include "winnt.h"
33 #include "sddl.h"
34 #include "ntsecapi.h"
35 #include "lmcons.h"
36
37 #include "wine/test.h"
38
39 #ifndef PROCESS_QUERY_LIMITED_INFORMATION
40 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
41 #endif
42
43 /* PROCESS_ALL_ACCESS in Vista+ PSDKs is incompatible with older Windows versions */
44 #define PROCESS_ALL_ACCESS_NT4 (PROCESS_ALL_ACCESS & ~0xf000)
45 #define PROCESS_ALL_ACCESS_VISTA (PROCESS_ALL_ACCESS | 0xf000)
46
47 #ifndef EVENT_QUERY_STATE
48 #define EVENT_QUERY_STATE 0x0001
49 #endif
50
51 #ifndef SEMAPHORE_QUERY_STATE
52 #define SEMAPHORE_QUERY_STATE 0x0001
53 #endif
54
55 #ifndef THREAD_SET_LIMITED_INFORMATION
56 #define THREAD_SET_LIMITED_INFORMATION 0x0400
57 #define THREAD_QUERY_LIMITED_INFORMATION 0x0800
58 #endif
59
60 #define THREAD_ALL_ACCESS_NT4 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff)
61 #define THREAD_ALL_ACCESS_VISTA (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff)
62
63 #define expect_eq(expr, value, type, format) { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); }
64
65 static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
66 static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
67 static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
68 static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
69 static VOID (WINAPI *pBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
70 static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
71 static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
72 POBJECTS_AND_NAME_A pObjName,
73 SE_OBJECT_TYPE ObjectType,
74 LPSTR ObjectTypeName,
75 LPSTR InheritedObjectTypeName,
76 LPSTR Name );
77 static VOID (WINAPI *pBuildTrusteeWithObjectsAndSidA)( PTRUSTEEA pTrustee,
78 POBJECTS_AND_SID pObjSid,
79 GUID* pObjectGuid,
80 GUID* pInheritedObjectGuid,
81 PSID pSid );
82 static LPSTR (WINAPI *pGetTrusteeNameA)( PTRUSTEEA pTrustee );
83 static BOOL (WINAPI *pMakeSelfRelativeSD)( PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, LPDWORD );
84 static BOOL (WINAPI *pConvertStringSidToSidA)( LPCSTR str, PSID pSid );
85 static BOOL (WINAPI *pCheckTokenMembership)(HANDLE, PSID, PBOOL);
86 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorA)(LPCSTR, DWORD,
87 PSECURITY_DESCRIPTOR*, PULONG );
88 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorW)(LPCWSTR, DWORD,
89 PSECURITY_DESCRIPTOR*, PULONG );
90 static BOOL (WINAPI *pConvertSecurityDescriptorToStringSecurityDescriptorA)(PSECURITY_DESCRIPTOR, DWORD,
91 SECURITY_INFORMATION, LPSTR *, PULONG );
92 static BOOL (WINAPI *pGetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
93 PSECURITY_DESCRIPTOR, DWORD, LPDWORD);
94 static BOOL (WINAPI *pSetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
95 PSECURITY_DESCRIPTOR);
96 static DWORD (WINAPI *pGetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
97 PSID*, PSID*, PACL*, PACL*,
98 PSECURITY_DESCRIPTOR*);
99 static DWORD (WINAPI *pSetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
100 PSID, PSID, PACL, PACL);
101 static PDWORD (WINAPI *pGetSidSubAuthority)(PSID, DWORD);
102 static PUCHAR (WINAPI *pGetSidSubAuthorityCount)(PSID);
103 static BOOL (WINAPI *pIsValidSid)(PSID);
104 static DWORD (WINAPI *pRtlAdjustPrivilege)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
105 static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
106 static BOOL (WINAPI *pDuplicateTokenEx)(HANDLE,DWORD,LPSECURITY_ATTRIBUTES,
107 SECURITY_IMPERSONATION_LEVEL,TOKEN_TYPE,PHANDLE);
108
109 static NTSTATUS (WINAPI *pLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMATION_CLASS,PVOID*);
110 static NTSTATUS (WINAPI *pLsaClose)(LSA_HANDLE);
111 static NTSTATUS (WINAPI *pLsaFreeMemory)(PVOID);
112 static NTSTATUS (WINAPI *pLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
113 static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
114 static DWORD (WINAPI *pSetEntriesInAclW)(ULONG, PEXPLICIT_ACCESSW, PACL, PACL*);
115 static DWORD (WINAPI *pSetEntriesInAclA)(ULONG, PEXPLICIT_ACCESSA, PACL, PACL*);
116 static BOOL (WINAPI *pSetSecurityDescriptorControl)(PSECURITY_DESCRIPTOR, SECURITY_DESCRIPTOR_CONTROL,
117 SECURITY_DESCRIPTOR_CONTROL);
118 static DWORD (WINAPI *pGetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
119 PSID*, PSID*, PACL*, PACL*, PSECURITY_DESCRIPTOR*);
120 static DWORD (WINAPI *pSetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
121 PSID, PSID, PACL, PACL);
122 static NTSTATUS (WINAPI *pNtAccessCheck)(PSECURITY_DESCRIPTOR, HANDLE, ACCESS_MASK, PGENERIC_MAPPING,
123 PPRIVILEGE_SET, PULONG, PULONG, NTSTATUS*);
124 static BOOL (WINAPI *pCreateRestrictedToken)(HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD,
125 PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, PHANDLE);
126 static BOOL (WINAPI *pGetAclInformation)(PACL,LPVOID,DWORD,ACL_INFORMATION_CLASS);
127 static BOOL (WINAPI *pGetAce)(PACL,DWORD,LPVOID*);
128 static NTSTATUS (WINAPI *pNtSetSecurityObject)(HANDLE,SECURITY_INFORMATION,PSECURITY_DESCRIPTOR);
129 static NTSTATUS (WINAPI *pNtCreateFile)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG);
130 static BOOL (WINAPI *pRtlDosPathNameToNtPathName_U)(LPCWSTR,PUNICODE_STRING,PWSTR*,CURDIR*);
131 static NTSTATUS (WINAPI *pRtlAnsiStringToUnicodeString)(PUNICODE_STRING,PCANSI_STRING,BOOLEAN);
132 static BOOL (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
133 static void (WINAPI *pRtlInitAnsiString)(PANSI_STRING,PCSZ);
134 static NTSTATUS (WINAPI *pRtlFreeUnicodeString)(PUNICODE_STRING);
135 static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID);
136 static DWORD (WINAPI *pGetExplicitEntriesFromAclW)(PACL,PULONG,PEXPLICIT_ACCESSW*);
137
138 static HMODULE hmod;
139 static int myARGC;
140 static char** myARGV;
141
142 struct strsid_entry
143 {
144 const char *str;
145 DWORD flags;
146 };
147 #define STRSID_OK 0
148 #define STRSID_OPT 1
149
150 #define SID_SLOTS 4
151 static char debugsid_str[SID_SLOTS][256];
152 static int debugsid_index = 0;
153 static const char* debugstr_sid(PSID sid)
154 {
155 LPSTR sidstr;
156 DWORD le = GetLastError();
157 char* res = debugsid_str[debugsid_index];
158 debugsid_index = (debugsid_index + 1) % SID_SLOTS;
159
160 if (!ConvertSidToStringSidA(sid, &sidstr))
161 sprintf(res, "ConvertSidToStringSidA failed le=%u", GetLastError());
162 else if (strlen(sidstr) > sizeof(*debugsid_str) - 1)
163 {
164 memcpy(res, sidstr, sizeof(*debugsid_str) - 4);
165 strcpy(res + sizeof(*debugsid_str) - 4, "...");
166 LocalFree(sidstr);
167 }
168 else
169 {
170 strcpy(res, sidstr);
171 LocalFree(sidstr);
172 }
173 /* Restore the last error in case ConvertSidToStringSidA() modified it */
174 SetLastError(le);
175 return res;
176 }
177
178 struct sidRef
179 {
180 SID_IDENTIFIER_AUTHORITY auth;
181 const char *refStr;
182 };
183
184 static void init(void)
185 {
186 HMODULE hntdll;
187
188 hntdll = GetModuleHandleA("ntdll.dll");
189 pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
190 pNtAccessCheck = (void *)GetProcAddress( hntdll, "NtAccessCheck" );
191 pNtSetSecurityObject = (void *)GetProcAddress(hntdll, "NtSetSecurityObject");
192 pNtCreateFile = (void *)GetProcAddress(hntdll, "NtCreateFile");
193 pRtlDosPathNameToNtPathName_U = (void *)GetProcAddress(hntdll, "RtlDosPathNameToNtPathName_U");
194 pRtlAnsiStringToUnicodeString = (void *)GetProcAddress(hntdll, "RtlAnsiStringToUnicodeString");
195 pRtlInitAnsiString = (void *)GetProcAddress(hntdll, "RtlInitAnsiString");
196 pRtlFreeUnicodeString = (void *)GetProcAddress(hntdll, "RtlFreeUnicodeString");
197
198 hmod = GetModuleHandleA("advapi32.dll");
199 pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
200 pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
201 pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
202 pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
203 pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
204 pConvertStringSecurityDescriptorToSecurityDescriptorA =
205 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
206 pConvertStringSecurityDescriptorToSecurityDescriptorW =
207 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorW" );
208 pConvertSecurityDescriptorToStringSecurityDescriptorA =
209 (void *)GetProcAddress(hmod, "ConvertSecurityDescriptorToStringSecurityDescriptorA" );
210 pGetFileSecurityA = (void *)GetProcAddress(hmod, "GetFileSecurityA" );
211 pSetFileSecurityA = (void *)GetProcAddress(hmod, "SetFileSecurityA" );
212 pCreateWellKnownSid = (void *)GetProcAddress( hmod, "CreateWellKnownSid" );
213 pGetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "GetNamedSecurityInfoA");
214 pSetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "SetNamedSecurityInfoA");
215 pGetSidSubAuthority = (void *)GetProcAddress(hmod, "GetSidSubAuthority");
216 pGetSidSubAuthorityCount = (void *)GetProcAddress(hmod, "GetSidSubAuthorityCount");
217 pIsValidSid = (void *)GetProcAddress(hmod, "IsValidSid");
218 pMakeSelfRelativeSD = (void *)GetProcAddress(hmod, "MakeSelfRelativeSD");
219 pSetEntriesInAclW = (void *)GetProcAddress(hmod, "SetEntriesInAclW");
220 pSetEntriesInAclA = (void *)GetProcAddress(hmod, "SetEntriesInAclA");
221 pSetSecurityDescriptorControl = (void *)GetProcAddress(hmod, "SetSecurityDescriptorControl");
222 pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
223 pSetSecurityInfo = (void *)GetProcAddress(hmod, "SetSecurityInfo");
224 pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
225 pConvertStringSidToSidA = (void *)GetProcAddress(hmod, "ConvertStringSidToSidA");
226 pGetAclInformation = (void *)GetProcAddress(hmod, "GetAclInformation");
227 pGetAce = (void *)GetProcAddress(hmod, "GetAce");
228 pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
229 pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
230 pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
231 pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
232
233 myARGC = winetest_get_mainargs( &myARGV );
234 }
235
236 static SECURITY_DESCRIPTOR* test_get_security_descriptor(HANDLE handle, int line)
237 {
238 /* use HeapFree(GetProcessHeap(), 0, sd); when done */
239 DWORD ret, length, needed;
240 SECURITY_DESCRIPTOR *sd;
241
242 needed = 0xdeadbeef;
243 SetLastError(0xdeadbeef);
244 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
245 NULL, 0, &needed);
246 ok_(__FILE__, line)(!ret, "GetKernelObjectSecurity should fail\n");
247 ok_(__FILE__, line)(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
248 ok_(__FILE__, line)(needed != 0xdeadbeef, "GetKernelObjectSecurity should return required buffer length\n");
249
250 length = needed;
251 sd = HeapAlloc(GetProcessHeap(), 0, length);
252
253 needed = 0xdeadbeef;
254 SetLastError(0xdeadbeef);
255 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
256 sd, length, &needed);
257 ok_(__FILE__, line)(ret, "GetKernelObjectSecurity error %d\n", GetLastError());
258 ok_(__FILE__, line)(needed == length || needed == 0 /* file, pipe */, "GetKernelObjectSecurity should return %u instead of %u\n", length, needed);
259 return sd;
260 }
261
262 static void test_owner_equal(HANDLE Handle, PSID expected, int line)
263 {
264 BOOL res;
265 SECURITY_DESCRIPTOR *queriedSD = NULL;
266 PSID owner;
267 BOOL owner_defaulted;
268
269 queriedSD = test_get_security_descriptor( Handle, line );
270
271 res = GetSecurityDescriptorOwner(queriedSD, &owner, &owner_defaulted);
272 ok_(__FILE__, line)(res, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
273
274 ok_(__FILE__, line)(EqualSid(owner, expected), "Owner SIDs are not equal %s != %s\n",
275 debugstr_sid(owner), debugstr_sid(expected));
276 ok_(__FILE__, line)(!owner_defaulted, "Defaulted is true\n");
277
278 HeapFree(GetProcessHeap(), 0, queriedSD);
279 }
280
281 static void test_group_equal(HANDLE Handle, PSID expected, int line)
282 {
283 BOOL res;
284 SECURITY_DESCRIPTOR *queriedSD = NULL;
285 PSID group;
286 BOOL group_defaulted;
287
288 queriedSD = test_get_security_descriptor( Handle, line );
289
290 res = GetSecurityDescriptorGroup(queriedSD, &group, &group_defaulted);
291 ok_(__FILE__, line)(res, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
292
293 ok_(__FILE__, line)(EqualSid(group, expected), "Group SIDs are not equal %s != %s\n",
294 debugstr_sid(group), debugstr_sid(expected));
295 ok_(__FILE__, line)(!group_defaulted, "Defaulted is true\n");
296
297 HeapFree(GetProcessHeap(), 0, queriedSD);
298 }
299
300 static void test_sid(void)
301 {
302 struct sidRef refs[] = {
303 { { {0x00,0x00,0x33,0x44,0x55,0x66} }, "S-1-860116326-1" },
304 { { {0x00,0x00,0x01,0x02,0x03,0x04} }, "S-1-16909060-1" },
305 { { {0x00,0x00,0x00,0x01,0x02,0x03} }, "S-1-66051-1" },
306 { { {0x00,0x00,0x00,0x00,0x01,0x02} }, "S-1-258-1" },
307 { { {0x00,0x00,0x00,0x00,0x00,0x02} }, "S-1-2-1" },
308 { { {0x00,0x00,0x00,0x00,0x00,0x0c} }, "S-1-12-1" },
309 };
310 struct strsid_entry strsid_table[] = {
311 {"AO", STRSID_OK}, {"RU", STRSID_OK}, {"AN", STRSID_OK}, {"AU", STRSID_OK},
312 {"BA", STRSID_OK}, {"BG", STRSID_OK}, {"BO", STRSID_OK}, {"BU", STRSID_OK},
313 {"CA", STRSID_OPT}, {"CG", STRSID_OK}, {"CO", STRSID_OK}, {"DA", STRSID_OPT},
314 {"DC", STRSID_OPT}, {"DD", STRSID_OPT}, {"DG", STRSID_OPT}, {"DU", STRSID_OPT},
315 {"EA", STRSID_OPT}, {"ED", STRSID_OK}, {"WD", STRSID_OK}, {"PA", STRSID_OPT},
316 {"IU", STRSID_OK}, {"LA", STRSID_OK}, {"LG", STRSID_OK}, {"LS", STRSID_OK},
317 {"SY", STRSID_OK}, {"NU", STRSID_OK}, {"NO", STRSID_OK}, {"NS", STRSID_OK},
318 {"PO", STRSID_OK}, {"PS", STRSID_OK}, {"PU", STRSID_OK}, {"RS", STRSID_OPT},
319 {"RD", STRSID_OK}, {"RE", STRSID_OK}, {"RC", STRSID_OK}, {"SA", STRSID_OPT},
320 {"SO", STRSID_OK}, {"SU", STRSID_OK}};
321
322 const char noSubAuthStr[] = "S-1-5";
323 unsigned int i;
324 PSID psid = NULL;
325 SID *pisid;
326 BOOL r;
327 LPSTR str = NULL;
328
329 if( !pConvertStringSidToSidA )
330 {
331 win_skip("ConvertSidToStringSidA or ConvertStringSidToSidA not available\n");
332 return;
333 }
334
335 r = pConvertStringSidToSidA( NULL, NULL );
336 ok( !r, "expected failure with NULL parameters\n" );
337 if( GetLastError() == ERROR_CALL_NOT_IMPLEMENTED )
338 return;
339 ok( GetLastError() == ERROR_INVALID_PARAMETER,
340 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
341 GetLastError() );
342
343 r = pConvertStringSidToSidA( refs[0].refStr, NULL );
344 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
345 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
346 GetLastError() );
347
348 r = pConvertStringSidToSidA( NULL, &str );
349 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
350 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
351 GetLastError() );
352
353 r = pConvertStringSidToSidA( noSubAuthStr, &psid );
354 ok( !r,
355 "expected failure with no sub authorities\n" );
356 ok( GetLastError() == ERROR_INVALID_SID,
357 "expected GetLastError() is ERROR_INVALID_SID, got %d\n",
358 GetLastError() );
359
360 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid), "ConvertStringSidToSidA failed\n");
361 pisid = psid;
362 ok(pisid->SubAuthorityCount == 4, "Invalid sub authority count - expected 4, got %d\n", pisid->SubAuthorityCount);
363 ok(pisid->SubAuthority[0] == 21, "Invalid subauthority 0 - expected 21, got %d\n", pisid->SubAuthority[0]);
364 ok(pisid->SubAuthority[3] == 4576, "Invalid subauthority 0 - expected 4576, got %d\n", pisid->SubAuthority[3]);
365 LocalFree(str);
366 LocalFree(psid);
367
368 for( i = 0; i < ARRAY_SIZE(refs); i++ )
369 {
370 r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
371 &psid );
372 ok( r, "failed to allocate sid\n" );
373 r = ConvertSidToStringSidA( psid, &str );
374 ok( r, "failed to convert sid\n" );
375 if (r)
376 {
377 ok( !strcmp( str, refs[i].refStr ),
378 "incorrect sid, expected %s, got %s\n", refs[i].refStr, str );
379 LocalFree( str );
380 }
381 if( psid )
382 FreeSid( psid );
383
384 r = pConvertStringSidToSidA( refs[i].refStr, &psid );
385 ok( r, "failed to parse sid string\n" );
386 pisid = psid;
387 ok( pisid &&
388 !memcmp( pisid->IdentifierAuthority.Value, refs[i].auth.Value,
389 sizeof(refs[i].auth) ),
390 "string sid %s didn't parse to expected value\n"
391 "(got 0x%04x%08x, expected 0x%04x%08x)\n",
392 refs[i].refStr,
393 MAKEWORD( pisid->IdentifierAuthority.Value[1],
394 pisid->IdentifierAuthority.Value[0] ),
395 MAKELONG( MAKEWORD( pisid->IdentifierAuthority.Value[5],
396 pisid->IdentifierAuthority.Value[4] ),
397 MAKEWORD( pisid->IdentifierAuthority.Value[3],
398 pisid->IdentifierAuthority.Value[2] ) ),
399 MAKEWORD( refs[i].auth.Value[1], refs[i].auth.Value[0] ),
400 MAKELONG( MAKEWORD( refs[i].auth.Value[5], refs[i].auth.Value[4] ),
401 MAKEWORD( refs[i].auth.Value[3], refs[i].auth.Value[2] ) ) );
402 if( psid )
403 LocalFree( psid );
404 }
405
406 /* string constant format not supported before XP */
407 r = pConvertStringSidToSidA(strsid_table[0].str, &psid);
408 if(!r)
409 {
410 win_skip("String constant format not supported\n");
411 return;
412 }
413 LocalFree(psid);
414
415 for(i = 0; i < ARRAY_SIZE(strsid_table); i++)
416 {
417 char *temp;
418
419 SetLastError(0xdeadbeef);
420 r = pConvertStringSidToSidA(strsid_table[i].str, &psid);
421
422 if (!(strsid_table[i].flags & STRSID_OPT))
423 {
424 ok(r, "%s: got %u\n", strsid_table[i].str, GetLastError());
425 }
426
427 if (r)
428 {
429 if ((winetest_debug > 1) && (ConvertSidToStringSidA(psid, &temp)))
430 {
431 trace(" %s: %s\n", strsid_table[i].str, temp);
432 LocalFree(temp);
433 }
434 LocalFree(psid);
435 }
436 else
437 {
438 if (GetLastError() != ERROR_INVALID_SID)
439 trace(" %s: couldn't be converted, returned %d\n", strsid_table[i].str, GetLastError());
440 else
441 trace(" %s: couldn't be converted\n", strsid_table[i].str);
442 }
443 }
444 }
445
446 static void test_trustee(void)
447 {
448 GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}};
449 GUID InheritedObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}};
450 GUID ZeroGuid;
451 OBJECTS_AND_NAME_A oan;
452 OBJECTS_AND_SID oas;
453 TRUSTEEA trustee;
454 PSID psid;
455 char szObjectTypeName[] = "ObjectTypeName";
456 char szInheritedObjectTypeName[] = "InheritedObjectTypeName";
457 char szTrusteeName[] = "szTrusteeName";
458 SID_IDENTIFIER_AUTHORITY auth = { {0x11,0x22,0,0,0, 0} };
459
460 memset( &ZeroGuid, 0x00, sizeof (ZeroGuid) );
461
462 pBuildTrusteeWithSidA = (void *)GetProcAddress( hmod, "BuildTrusteeWithSidA" );
463 pBuildTrusteeWithNameA = (void *)GetProcAddress( hmod, "BuildTrusteeWithNameA" );
464 pBuildTrusteeWithObjectsAndNameA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndNameA" );
465 pBuildTrusteeWithObjectsAndSidA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndSidA" );
466 pGetTrusteeNameA = (void *)GetProcAddress (hmod, "GetTrusteeNameA" );
467 if( !pBuildTrusteeWithSidA || !pBuildTrusteeWithNameA ||
468 !pBuildTrusteeWithObjectsAndNameA || !pBuildTrusteeWithObjectsAndSidA ||
469 !pGetTrusteeNameA )
470 return;
471
472 if ( ! AllocateAndInitializeSid( &auth, 1, 42, 0,0,0,0,0,0,0,&psid ) )
473 {
474 trace( "failed to init SID\n" );
475 return;
476 }
477
478 /* test BuildTrusteeWithSidA */
479 memset( &trustee, 0xff, sizeof trustee );
480 pBuildTrusteeWithSidA( &trustee, psid );
481
482 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
483 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
484 "MultipleTrusteeOperation wrong\n");
485 ok( trustee.TrusteeForm == TRUSTEE_IS_SID, "TrusteeForm wrong\n");
486 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
487 ok( trustee.ptstrName == psid, "ptstrName wrong\n" );
488
489 /* test BuildTrusteeWithObjectsAndSidA (test 1) */
490 memset( &trustee, 0xff, sizeof trustee );
491 memset( &oas, 0xff, sizeof(oas) );
492 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, &ObjectType,
493 &InheritedObjectType, psid);
494
495 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
496 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
497 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
498 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
499 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
500
501 ok(oas.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
502 ok(!memcmp(&oas.ObjectTypeGuid, &ObjectType, sizeof(GUID)), "ObjectTypeGuid wrong\n");
503 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
504 ok(oas.pSid == psid, "pSid wrong\n");
505
506 /* test GetTrusteeNameA */
507 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oas, "GetTrusteeName returned wrong value\n");
508
509 /* test BuildTrusteeWithObjectsAndSidA (test 2) */
510 memset( &trustee, 0xff, sizeof trustee );
511 memset( &oas, 0xff, sizeof(oas) );
512 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, NULL,
513 &InheritedObjectType, psid);
514
515 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
516 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
517 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
518 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
519 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
520
521 ok(oas.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
522 ok(!memcmp(&oas.ObjectTypeGuid, &ZeroGuid, sizeof(GUID)), "ObjectTypeGuid wrong\n");
523 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
524 ok(oas.pSid == psid, "pSid wrong\n");
525
526 FreeSid( psid );
527
528 /* test BuildTrusteeWithNameA */
529 memset( &trustee, 0xff, sizeof trustee );
530 pBuildTrusteeWithNameA( &trustee, szTrusteeName );
531
532 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
533 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
534 "MultipleTrusteeOperation wrong\n");
535 ok( trustee.TrusteeForm == TRUSTEE_IS_NAME, "TrusteeForm wrong\n");
536 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
537 ok( trustee.ptstrName == szTrusteeName, "ptstrName wrong\n" );
538
539 /* test BuildTrusteeWithObjectsAndNameA (test 1) */
540 memset( &trustee, 0xff, sizeof trustee );
541 memset( &oan, 0xff, sizeof(oan) );
542 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
543 szInheritedObjectTypeName, szTrusteeName);
544
545 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
546 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
547 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
548 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
549 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
550
551 ok(oan.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
552 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
553 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
554 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
555
556 /* test GetTrusteeNameA */
557 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oan, "GetTrusteeName returned wrong value\n");
558
559 /* test BuildTrusteeWithObjectsAndNameA (test 2) */
560 memset( &trustee, 0xff, sizeof trustee );
561 memset( &oan, 0xff, sizeof(oan) );
562 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, NULL,
563 szInheritedObjectTypeName, szTrusteeName);
564
565 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
566 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
567 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
568 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
569 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
570
571 ok(oan.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
572 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
573 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
574 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
575
576 /* test BuildTrusteeWithObjectsAndNameA (test 3) */
577 memset( &trustee, 0xff, sizeof trustee );
578 memset( &oan, 0xff, sizeof(oan) );
579 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
580 NULL, szTrusteeName);
581
582 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
583 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
584 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
585 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
586 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
587
588 ok(oan.ObjectsPresent == ACE_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
589 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
590 ok(oan.InheritedObjectTypeName == NULL, "InheritedObjectTypeName wrong\n");
591 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
592 }
593
594 /* If the first isn't defined, assume none is */
595 #ifndef SE_MIN_WELL_KNOWN_PRIVILEGE
596 #define SE_MIN_WELL_KNOWN_PRIVILEGE 2L
597 #define SE_CREATE_TOKEN_PRIVILEGE 2L
598 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3L
599 #define SE_LOCK_MEMORY_PRIVILEGE 4L
600 #define SE_INCREASE_QUOTA_PRIVILEGE 5L
601 #define SE_MACHINE_ACCOUNT_PRIVILEGE 6L
602 #define SE_TCB_PRIVILEGE 7L
603 #define SE_SECURITY_PRIVILEGE 8L
604 #define SE_TAKE_OWNERSHIP_PRIVILEGE 9L
605 #define SE_LOAD_DRIVER_PRIVILEGE 10L
606 #define SE_SYSTEM_PROFILE_PRIVILEGE 11L
607 #define SE_SYSTEMTIME_PRIVILEGE 12L
608 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13L
609 #define SE_INC_BASE_PRIORITY_PRIVILEGE 14L
610 #define SE_CREATE_PAGEFILE_PRIVILEGE 15L
611 #define SE_CREATE_PERMANENT_PRIVILEGE 16L
612 #define SE_BACKUP_PRIVILEGE 17L
613 #define SE_RESTORE_PRIVILEGE 18L
614 #define SE_SHUTDOWN_PRIVILEGE 19L
615 #define SE_DEBUG_PRIVILEGE 20L
616 #define SE_AUDIT_PRIVILEGE 21L
617 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22L
618 #define SE_CHANGE_NOTIFY_PRIVILEGE 23L
619 #define SE_REMOTE_SHUTDOWN_PRIVILEGE 24L
620 #define SE_UNDOCK_PRIVILEGE 25L
621 #define SE_SYNC_AGENT_PRIVILEGE 26L
622 #define SE_ENABLE_DELEGATION_PRIVILEGE 27L
623 #define SE_MANAGE_VOLUME_PRIVILEGE 28L
624 #define SE_IMPERSONATE_PRIVILEGE 29L
625 #define SE_CREATE_GLOBAL_PRIVILEGE 30L
626 #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE
627 #endif /* ndef SE_MIN_WELL_KNOWN_PRIVILEGE */
628
629 static void test_allocateLuid(void)
630 {
631 BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
632 LUID luid1, luid2;
633 BOOL ret;
634
635 pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
636 if (!pAllocateLocallyUniqueId) return;
637
638 ret = pAllocateLocallyUniqueId(&luid1);
639 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
640 return;
641
642 ok(ret,
643 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
644 ret = pAllocateLocallyUniqueId(&luid2);
645 ok( ret,
646 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
647 ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
648 "AllocateLocallyUniqueId returned a well-known LUID\n");
649 ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
650 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
651 ret = pAllocateLocallyUniqueId(NULL);
652 ok( !ret && GetLastError() == ERROR_NOACCESS,
653 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %d\n",
654 GetLastError());
655 }
656
657 static void test_lookupPrivilegeName(void)
658 {
659 BOOL (WINAPI *pLookupPrivilegeNameA)(LPCSTR, PLUID, LPSTR, LPDWORD);
660 char buf[MAX_PATH]; /* arbitrary, seems long enough */
661 DWORD cchName = sizeof(buf);
662 LUID luid = { 0, 0 };
663 LONG i;
664 BOOL ret;
665
666 /* check whether it's available first */
667 pLookupPrivilegeNameA = (void*)GetProcAddress(hmod, "LookupPrivilegeNameA");
668 if (!pLookupPrivilegeNameA) return;
669 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
670 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
671 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
672 return;
673
674 /* check with a short buffer */
675 cchName = 0;
676 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
677 ret = pLookupPrivilegeNameA(NULL, &luid, NULL, &cchName);
678 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
679 "LookupPrivilegeNameA didn't fail with ERROR_INSUFFICIENT_BUFFER: %d\n",
680 GetLastError());
681 ok(cchName == strlen("SeCreateTokenPrivilege") + 1,
682 "LookupPrivilegeNameA returned an incorrect required length for\n"
683 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
684 lstrlenA("SeCreateTokenPrivilege") + 1);
685 /* check a known value and its returned length on success */
686 cchName = sizeof(buf);
687 ok(pLookupPrivilegeNameA(NULL, &luid, buf, &cchName) &&
688 cchName == strlen("SeCreateTokenPrivilege"),
689 "LookupPrivilegeNameA returned an incorrect output length for\n"
690 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
691 (int)strlen("SeCreateTokenPrivilege"));
692 /* check known values */
693 for (i = SE_MIN_WELL_KNOWN_PRIVILEGE; i <= SE_MAX_WELL_KNOWN_PRIVILEGE; i++)
694 {
695 luid.LowPart = i;
696 cchName = sizeof(buf);
697 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
698 ok( ret || GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
699 "LookupPrivilegeNameA(0.%d) failed: %d\n", i, GetLastError());
700 }
701 /* check a bogus LUID */
702 luid.LowPart = 0xdeadbeef;
703 cchName = sizeof(buf);
704 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
705 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
706 "LookupPrivilegeNameA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
707 GetLastError());
708 /* check on a bogus system */
709 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
710 cchName = sizeof(buf);
711 ret = pLookupPrivilegeNameA("b0gu5.Nam3", &luid, buf, &cchName);
712 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
713 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
714 "LookupPrivilegeNameA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
715 GetLastError());
716 }
717
718 struct NameToLUID
719 {
720 const char *name;
721 DWORD lowPart;
722 };
723
724 static void test_lookupPrivilegeValue(void)
725 {
726 static const struct NameToLUID privs[] = {
727 { "SeCreateTokenPrivilege", SE_CREATE_TOKEN_PRIVILEGE },
728 { "SeAssignPrimaryTokenPrivilege", SE_ASSIGNPRIMARYTOKEN_PRIVILEGE },
729 { "SeLockMemoryPrivilege", SE_LOCK_MEMORY_PRIVILEGE },
730 { "SeIncreaseQuotaPrivilege", SE_INCREASE_QUOTA_PRIVILEGE },
731 { "SeMachineAccountPrivilege", SE_MACHINE_ACCOUNT_PRIVILEGE },
732 { "SeTcbPrivilege", SE_TCB_PRIVILEGE },
733 { "SeSecurityPrivilege", SE_SECURITY_PRIVILEGE },
734 { "SeTakeOwnershipPrivilege", SE_TAKE_OWNERSHIP_PRIVILEGE },
735 { "SeLoadDriverPrivilege", SE_LOAD_DRIVER_PRIVILEGE },
736 { "SeSystemProfilePrivilege", SE_SYSTEM_PROFILE_PRIVILEGE },
737 { "SeSystemtimePrivilege", SE_SYSTEMTIME_PRIVILEGE },
738 { "SeProfileSingleProcessPrivilege", SE_PROF_SINGLE_PROCESS_PRIVILEGE },
739 { "SeIncreaseBasePriorityPrivilege", SE_INC_BASE_PRIORITY_PRIVILEGE },
740 { "SeCreatePagefilePrivilege", SE_CREATE_PAGEFILE_PRIVILEGE },
741 { "SeCreatePermanentPrivilege", SE_CREATE_PERMANENT_PRIVILEGE },
742 { "SeBackupPrivilege", SE_BACKUP_PRIVILEGE },
743 { "SeRestorePrivilege", SE_RESTORE_PRIVILEGE },
744 { "SeShutdownPrivilege", SE_SHUTDOWN_PRIVILEGE },
745 { "SeDebugPrivilege", SE_DEBUG_PRIVILEGE },
746 { "SeAuditPrivilege", SE_AUDIT_PRIVILEGE },
747 { "SeSystemEnvironmentPrivilege", SE_SYSTEM_ENVIRONMENT_PRIVILEGE },
748 { "SeChangeNotifyPrivilege", SE_CHANGE_NOTIFY_PRIVILEGE },
749 { "SeRemoteShutdownPrivilege", SE_REMOTE_SHUTDOWN_PRIVILEGE },
750 { "SeUndockPrivilege", SE_UNDOCK_PRIVILEGE },
751 { "SeSyncAgentPrivilege", SE_SYNC_AGENT_PRIVILEGE },
752 { "SeEnableDelegationPrivilege", SE_ENABLE_DELEGATION_PRIVILEGE },
753 { "SeManageVolumePrivilege", SE_MANAGE_VOLUME_PRIVILEGE },
754 { "SeImpersonatePrivilege", SE_IMPERSONATE_PRIVILEGE },
755 { "SeCreateGlobalPrivilege", SE_CREATE_GLOBAL_PRIVILEGE },
756 };
757 BOOL (WINAPI *pLookupPrivilegeValueA)(LPCSTR, LPCSTR, PLUID);
758 unsigned int i;
759 LUID luid;
760 BOOL ret;
761
762 /* check whether it's available first */
763 pLookupPrivilegeValueA = (void*)GetProcAddress(hmod, "LookupPrivilegeValueA");
764 if (!pLookupPrivilegeValueA) return;
765 ret = pLookupPrivilegeValueA(NULL, "SeCreateTokenPrivilege", &luid);
766 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
767 return;
768
769 /* check a bogus system name */
770 ret = pLookupPrivilegeValueA("b0gu5.Nam3", "SeCreateTokenPrivilege", &luid);
771 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
772 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
773 "LookupPrivilegeValueA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
774 GetLastError());
775 /* check a NULL string */
776 ret = pLookupPrivilegeValueA(NULL, 0, &luid);
777 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
778 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
779 GetLastError());
780 /* check a bogus privilege name */
781 ret = pLookupPrivilegeValueA(NULL, "SeBogusPrivilege", &luid);
782 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
783 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
784 GetLastError());
785 /* check case insensitive */
786 ret = pLookupPrivilegeValueA(NULL, "sEcREATEtOKENpRIVILEGE", &luid);
787 ok( ret,
788 "LookupPrivilegeValueA(NULL, sEcREATEtOKENpRIVILEGE, &luid) failed: %d\n",
789 GetLastError());
790 for (i = 0; i < ARRAY_SIZE(privs); i++)
791 {
792 /* Not all privileges are implemented on all Windows versions, so
793 * don't worry if the call fails
794 */
795 if (pLookupPrivilegeValueA(NULL, privs[i].name, &luid))
796 {
797 ok(luid.LowPart == privs[i].lowPart,
798 "LookupPrivilegeValueA returned an invalid LUID for %s\n",
799 privs[i].name);
800 }
801 }
802 }
803
804 static void test_luid(void)
805 {
806 test_allocateLuid();
807 test_lookupPrivilegeName();
808 test_lookupPrivilegeValue();
809 }
810
811 static void test_FileSecurity(void)
812 {
813 char wintmpdir [MAX_PATH];
814 char path [MAX_PATH];
815 char file [MAX_PATH];
816 HANDLE fh, token;
817 DWORD sdSize, retSize, rc, granted, priv_set_len;
818 PRIVILEGE_SET priv_set;
819 BOOL status;
820 BYTE *sd;
821 GENERIC_MAPPING mapping = { FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, FILE_ALL_ACCESS };
822 const SECURITY_INFORMATION request = OWNER_SECURITY_INFORMATION
823 | GROUP_SECURITY_INFORMATION
824 | DACL_SECURITY_INFORMATION;
825
826 if (!pGetFileSecurityA) {
827 win_skip ("GetFileSecurity is not available\n");
828 return;
829 }
830
831 if (!pSetFileSecurityA) {
832 win_skip ("SetFileSecurity is not available\n");
833 return;
834 }
835
836 if (!GetTempPathA (sizeof (wintmpdir), wintmpdir)) {
837 win_skip ("GetTempPathA failed\n");
838 return;
839 }
840
841 /* Create a temporary directory and in it a temporary file */
842 strcat (strcpy (path, wintmpdir), "rary");
843 SetLastError(0xdeadbeef);
844 rc = CreateDirectoryA (path, NULL);
845 ok (rc || GetLastError() == ERROR_ALREADY_EXISTS, "CreateDirectoryA "
846 "failed for '%s' with %d\n", path, GetLastError());
847
848 strcat (strcpy (file, path), "\\ess");
849 SetLastError(0xdeadbeef);
850 fh = CreateFileA (file, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
851 ok (fh != INVALID_HANDLE_VALUE, "CreateFileA "
852 "failed for '%s' with %d\n", file, GetLastError());
853 CloseHandle (fh);
854
855 /* For the temporary file ... */
856
857 /* Get size needed */
858 retSize = 0;
859 SetLastError(0xdeadbeef);
860 rc = pGetFileSecurityA (file, request, NULL, 0, &retSize);
861 if (!rc && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)) {
862 win_skip("GetFileSecurityA is not implemented\n");
863 goto cleanup;
864 }
865 ok (!rc, "GetFileSecurityA "
866 "was expected to fail for '%s'\n", file);
867 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
868 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
869 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
870
871 sdSize = retSize;
872 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
873
874 /* Get security descriptor for real */
875 retSize = -1;
876 SetLastError(0xdeadbeef);
877 rc = pGetFileSecurityA (file, request, sd, sdSize, &retSize);
878 ok (rc, "GetFileSecurityA "
879 "was not expected to fail '%s': %d\n", file, GetLastError());
880 ok (retSize == sdSize ||
881 broken(retSize == 0), /* NT4 */
882 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
883
884 /* Use it to set security descriptor */
885 SetLastError(0xdeadbeef);
886 rc = pSetFileSecurityA (file, request, sd);
887 ok (rc, "SetFileSecurityA "
888 "was not expected to fail '%s': %d\n", file, GetLastError());
889
890 HeapFree (GetProcessHeap (), 0, sd);
891
892 /* Repeat for the temporary directory ... */
893
894 /* Get size needed */
895 retSize = 0;
896 SetLastError(0xdeadbeef);
897 rc = pGetFileSecurityA (path, request, NULL, 0, &retSize);
898 ok (!rc, "GetFileSecurityA "
899 "was expected to fail for '%s'\n", path);
900 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
901 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
902 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
903
904 sdSize = retSize;
905 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
906
907 /* Get security descriptor for real */
908 retSize = -1;
909 SetLastError(0xdeadbeef);
910 rc = pGetFileSecurityA (path, request, sd, sdSize, &retSize);
911 ok (rc, "GetFileSecurityA "
912 "was not expected to fail '%s': %d\n", path, GetLastError());
913 ok (retSize == sdSize ||
914 broken(retSize == 0), /* NT4 */
915 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
916
917 /* Use it to set security descriptor */
918 SetLastError(0xdeadbeef);
919 rc = pSetFileSecurityA (path, request, sd);
920 ok (rc, "SetFileSecurityA "
921 "was not expected to fail '%s': %d\n", path, GetLastError());
922 HeapFree (GetProcessHeap (), 0, sd);
923
924 /* Old test */
925 strcpy (wintmpdir, "\\Should not exist");
926 SetLastError(0xdeadbeef);
927 rc = pGetFileSecurityA (wintmpdir, OWNER_SECURITY_INFORMATION, NULL, 0, &sdSize);
928 ok (!rc, "GetFileSecurityA should fail for not existing directories/files\n");
929 ok (GetLastError() == ERROR_FILE_NOT_FOUND,
930 "last error ERROR_FILE_NOT_FOUND expected, got %d\n", GetLastError());
931
932 cleanup:
933 /* Remove temporary file and directory */
934 DeleteFileA(file);
935 RemoveDirectoryA(path);
936
937 /* Test file access permissions for a file with FILE_ATTRIBUTE_ARCHIVE */
938 SetLastError(0xdeadbeef);
939 rc = GetTempPathA(sizeof(wintmpdir), wintmpdir);
940 ok(rc, "GetTempPath error %d\n", GetLastError());
941
942 SetLastError(0xdeadbeef);
943 rc = GetTempFileNameA(wintmpdir, "tmp", 0, file);
944 ok(rc, "GetTempFileName error %d\n", GetLastError());
945
946 rc = GetFileAttributesA(file);
947 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
948 ok(rc == FILE_ATTRIBUTE_ARCHIVE, "expected FILE_ATTRIBUTE_ARCHIVE got %#x\n", rc);
949
950 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
951 NULL, 0, &sdSize);
952 ok(!rc, "GetFileSecurity should fail\n");
953 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
954 "expected ERROR_INSUFFICIENT_BUFFER got %d\n", GetLastError());
955 ok(sdSize > sizeof(SECURITY_DESCRIPTOR), "got sd size %d\n", sdSize);
956
957 sd = HeapAlloc(GetProcessHeap (), 0, sdSize);
958 retSize = 0xdeadbeef;
959 SetLastError(0xdeadbeef);
960 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
961 sd, sdSize, &retSize);
962 ok(rc, "GetFileSecurity error %d\n", GetLastError());
963 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
964
965 SetLastError(0xdeadbeef);
966 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
967 ok(!rc, "OpenThreadToken should fail\n");
968 ok(GetLastError() == ERROR_NO_TOKEN, "expected ERROR_NO_TOKEN, got %d\n", GetLastError());
969
970 SetLastError(0xdeadbeef);
971 rc = ImpersonateSelf(SecurityIdentification);
972 ok(rc, "ImpersonateSelf error %d\n", GetLastError());
973
974 SetLastError(0xdeadbeef);
975 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
976 ok(rc, "OpenThreadToken error %d\n", GetLastError());
977
978 SetLastError(0xdeadbeef);
979 rc = RevertToSelf();
980 ok(rc, "RevertToSelf error %d\n", GetLastError());
981
982 priv_set_len = sizeof(priv_set);
983 granted = 0xdeadbeef;
984 status = 0xdeadbeef;
985 SetLastError(0xdeadbeef);
986 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
987 ok(rc, "AccessCheck error %d\n", GetLastError());
988 ok(status == 1, "expected 1, got %d\n", status);
989 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
990
991 granted = 0xdeadbeef;
992 status = 0xdeadbeef;
993 SetLastError(0xdeadbeef);
994 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
995 ok(rc, "AccessCheck error %d\n", GetLastError());
996 ok(status == 1, "expected 1, got %d\n", status);
997 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
998
999 granted = 0xdeadbeef;
1000 status = 0xdeadbeef;
1001 SetLastError(0xdeadbeef);
1002 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1003 ok(rc, "AccessCheck error %d\n", GetLastError());
1004 ok(status == 1, "expected 1, got %d\n", status);
1005 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1006
1007 granted = 0xdeadbeef;
1008 status = 0xdeadbeef;
1009 SetLastError(0xdeadbeef);
1010 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1011 ok(rc, "AccessCheck error %d\n", GetLastError());
1012 ok(status == 1, "expected 1, got %d\n", status);
1013 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1014
1015 granted = 0xdeadbeef;
1016 status = 0xdeadbeef;
1017 SetLastError(0xdeadbeef);
1018 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1019 ok(rc, "AccessCheck error %d\n", GetLastError());
1020 ok(status == 1, "expected 1, got %d\n", status);
1021 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1022
1023 granted = 0xdeadbeef;
1024 status = 0xdeadbeef;
1025 SetLastError(0xdeadbeef);
1026 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1027 ok(rc, "AccessCheck error %d\n", GetLastError());
1028 ok(status == 1, "expected 1, got %d\n", status);
1029 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1030
1031 granted = 0xdeadbeef;
1032 status = 0xdeadbeef;
1033 SetLastError(0xdeadbeef);
1034 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1035 ok(rc, "AccessCheck error %d\n", GetLastError());
1036 ok(status == 1, "expected 1, got %d\n", status);
1037 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1038
1039 SetLastError(0xdeadbeef);
1040 rc = AccessCheck(sd, token, 0xffffffff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1041 ok(!rc, "AccessCheck should fail\n");
1042 ok(GetLastError() == ERROR_GENERIC_NOT_MAPPED, "expected ERROR_GENERIC_NOT_MAPPED, got %d\n", GetLastError());
1043
1044 /* Test file access permissions for a file with FILE_ATTRIBUTE_READONLY */
1045 SetLastError(0xdeadbeef);
1046 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1047 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1048 retSize = 0xdeadbeef;
1049 SetLastError(0xdeadbeef);
1050 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1051 ok(!rc, "WriteFile should fail\n");
1052 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1053 ok(retSize == 0, "expected 0, got %d\n", retSize);
1054 CloseHandle(fh);
1055
1056 rc = GetFileAttributesA(file);
1057 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1058 todo_wine
1059 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1060 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1061
1062 SetLastError(0xdeadbeef);
1063 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1064 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1065 SetLastError(0xdeadbeef);
1066 rc = DeleteFileA(file);
1067 ok(rc, "DeleteFile error %d\n", GetLastError());
1068
1069 SetLastError(0xdeadbeef);
1070 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1071 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1072 retSize = 0xdeadbeef;
1073 SetLastError(0xdeadbeef);
1074 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1075 ok(!rc, "WriteFile should fail\n");
1076 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1077 ok(retSize == 0, "expected 0, got %d\n", retSize);
1078 CloseHandle(fh);
1079
1080 rc = GetFileAttributesA(file);
1081 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1082 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1083 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1084
1085 retSize = 0xdeadbeef;
1086 SetLastError(0xdeadbeef);
1087 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
1088 sd, sdSize, &retSize);
1089 ok(rc, "GetFileSecurity error %d\n", GetLastError());
1090 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
1091
1092 priv_set_len = sizeof(priv_set);
1093 granted = 0xdeadbeef;
1094 status = 0xdeadbeef;
1095 SetLastError(0xdeadbeef);
1096 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1097 ok(rc, "AccessCheck error %d\n", GetLastError());
1098 ok(status == 1, "expected 1, got %d\n", status);
1099 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
1100
1101 granted = 0xdeadbeef;
1102 status = 0xdeadbeef;
1103 SetLastError(0xdeadbeef);
1104 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1105 ok(rc, "AccessCheck error %d\n", GetLastError());
1106 todo_wine {
1107 ok(status == 1, "expected 1, got %d\n", status);
1108 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
1109 }
1110 granted = 0xdeadbeef;
1111 status = 0xdeadbeef;
1112 SetLastError(0xdeadbeef);
1113 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1114 ok(rc, "AccessCheck error %d\n", GetLastError());
1115 ok(status == 1, "expected 1, got %d\n", status);
1116 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1117
1118 granted = 0xdeadbeef;
1119 status = 0xdeadbeef;
1120 SetLastError(0xdeadbeef);
1121 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1122 ok(rc, "AccessCheck error %d\n", GetLastError());
1123 todo_wine {
1124 ok(status == 1, "expected 1, got %d\n", status);
1125 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1126 }
1127 granted = 0xdeadbeef;
1128 status = 0xdeadbeef;
1129 SetLastError(0xdeadbeef);
1130 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1131 ok(rc, "AccessCheck error %d\n", GetLastError());
1132 todo_wine {
1133 ok(status == 1, "expected 1, got %d\n", status);
1134 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1135 }
1136 granted = 0xdeadbeef;
1137 status = 0xdeadbeef;
1138 SetLastError(0xdeadbeef);
1139 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1140 ok(rc, "AccessCheck error %d\n", GetLastError());
1141 todo_wine {
1142 ok(status == 1, "expected 1, got %d\n", status);
1143 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1144 }
1145 granted = 0xdeadbeef;
1146 status = 0xdeadbeef;
1147 SetLastError(0xdeadbeef);
1148 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1149 ok(rc, "AccessCheck error %d\n", GetLastError());
1150 todo_wine {
1151 ok(status == 1, "expected 1, got %d\n", status);
1152 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1153 }
1154 SetLastError(0xdeadbeef);
1155 rc = DeleteFileA(file);
1156 ok(!rc, "DeleteFile should fail\n");
1157 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1158 SetLastError(0xdeadbeef);
1159 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1160 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1161 SetLastError(0xdeadbeef);
1162 rc = DeleteFileA(file);
1163 ok(rc, "DeleteFile error %d\n", GetLastError());
1164
1165 CloseHandle(token);
1166 HeapFree(GetProcessHeap(), 0, sd);
1167 }
1168
1169 static void test_AccessCheck(void)
1170 {
1171 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
1172 PACL Acl = NULL;
1173 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
1174 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
1175 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
1176 GENERIC_MAPPING Mapping = { KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS };
1177 ACCESS_MASK Access;
1178 BOOL AccessStatus;
1179 HANDLE Token;
1180 HANDLE ProcessToken;
1181 BOOL ret;
1182 DWORD PrivSetLen;
1183 PRIVILEGE_SET *PrivSet;
1184 BOOL res;
1185 HMODULE NtDllModule;
1186 BOOLEAN Enabled;
1187 DWORD err;
1188 NTSTATUS ntret, ntAccessStatus;
1189
1190 NtDllModule = GetModuleHandleA("ntdll.dll");
1191 if (!NtDllModule)
1192 {
1193 skip("not running on NT, skipping test\n");
1194 return;
1195 }
1196 pRtlAdjustPrivilege = (void *)GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
1197 if (!pRtlAdjustPrivilege)
1198 {
1199 win_skip("missing RtlAdjustPrivilege, skipping test\n");
1200 return;
1201 }
1202
1203 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
1204 res = InitializeAcl(Acl, 256, ACL_REVISION);
1205 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1206 {
1207 skip("ACLs not implemented - skipping tests\n");
1208 HeapFree(GetProcessHeap(), 0, Acl);
1209 return;
1210 }
1211 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
1212
1213 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
1214 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1215
1216 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1217 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
1218 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1219
1220 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1221 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
1222 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1223
1224 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
1225
1226 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
1227 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
1228
1229 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1230 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1231
1232 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1233 PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
1234 PrivSet->PrivilegeCount = 16;
1235
1236 res = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &ProcessToken);
1237 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
1238
1239 pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
1240
1241 res = DuplicateToken(ProcessToken, SecurityImpersonation, &Token);
1242 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1243
1244 /* SD without owner/group */
1245 SetLastError(0xdeadbeef);
1246 Access = AccessStatus = 0x1abe11ed;
1247 ret = AccessCheck(SecurityDescriptor, Token, KEY_QUERY_VALUE, &Mapping,
1248 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1249 err = GetLastError();
1250 ok(!ret && err == ERROR_INVALID_SECURITY_DESCR, "AccessCheck should have "
1251 "failed with ERROR_INVALID_SECURITY_DESCR, instead of %d\n", err);
1252 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1253 "Access and/or AccessStatus were changed!\n");
1254
1255 /* Set owner and group */
1256 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
1257 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
1258 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
1259 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
1260
1261 /* Generic access mask */
1262 SetLastError(0xdeadbeef);
1263 Access = AccessStatus = 0x1abe11ed;
1264 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1265 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1266 err = GetLastError();
1267 ok(!ret && err == ERROR_GENERIC_NOT_MAPPED, "AccessCheck should have failed "
1268 "with ERROR_GENERIC_NOT_MAPPED, instead of %d\n", err);
1269 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1270 "Access and/or AccessStatus were changed!\n");
1271
1272 /* Generic access mask - no privilegeset buffer */
1273 SetLastError(0xdeadbeef);
1274 Access = AccessStatus = 0x1abe11ed;
1275 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1276 NULL, &PrivSetLen, &Access, &AccessStatus);
1277 err = GetLastError();
1278 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1279 "with ERROR_NOACCESS, instead of %d\n", err);
1280 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1281 "Access and/or AccessStatus were changed!\n");
1282
1283 /* Generic access mask - no returnlength */
1284 SetLastError(0xdeadbeef);
1285 Access = AccessStatus = 0x1abe11ed;
1286 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1287 PrivSet, NULL, &Access, &AccessStatus);
1288 err = GetLastError();
1289 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1290 "with ERROR_NOACCESS, instead of %d\n", err);
1291 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1292 "Access and/or AccessStatus were changed!\n");
1293
1294 /* Generic access mask - no privilegeset buffer, no returnlength */
1295 SetLastError(0xdeadbeef);
1296 Access = AccessStatus = 0x1abe11ed;
1297 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1298 NULL, NULL, &Access, &AccessStatus);
1299 err = GetLastError();
1300 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1301 "with ERROR_NOACCESS, instead of %d\n", err);
1302 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1303 "Access and/or AccessStatus were changed!\n");
1304
1305 /* sd with no dacl present */
1306 Access = AccessStatus = 0x1abe11ed;
1307 ret = SetSecurityDescriptorDacl(SecurityDescriptor, FALSE, NULL, FALSE);
1308 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1309 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1310 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1311 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1312 ok(AccessStatus && (Access == KEY_READ),
1313 "AccessCheck failed to grant access with error %d\n",
1314 GetLastError());
1315
1316 /* sd with no dacl present - no privilegeset buffer */
1317 SetLastError(0xdeadbeef);
1318 Access = AccessStatus = 0x1abe11ed;
1319 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1320 NULL, &PrivSetLen, &Access, &AccessStatus);
1321 err = GetLastError();
1322 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1323 "with ERROR_NOACCESS, instead of %d\n", err);
1324 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1325 "Access and/or AccessStatus were changed!\n");
1326
1327 if(pNtAccessCheck)
1328 {
1329 /* Generic access mask - no privilegeset buffer */
1330 SetLastError(0xdeadbeef);
1331 Access = ntAccessStatus = 0x1abe11ed;
1332 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1333 NULL, &PrivSetLen, &Access, &ntAccessStatus);
1334 err = GetLastError();
1335 ok(ntret == STATUS_ACCESS_VIOLATION,
1336 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1337 ok(err == 0xdeadbeef,
1338 "NtAccessCheck shouldn't set last error, got %d\n", err);
1339 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1340 "Access and/or AccessStatus were changed!\n");
1341
1342 /* Generic access mask - no returnlength */
1343 SetLastError(0xdeadbeef);
1344 Access = ntAccessStatus = 0x1abe11ed;
1345 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1346 PrivSet, NULL, &Access, &ntAccessStatus);
1347 err = GetLastError();
1348 ok(ntret == STATUS_ACCESS_VIOLATION,
1349 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1350 ok(err == 0xdeadbeef,
1351 "NtAccessCheck shouldn't set last error, got %d\n", err);
1352 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1353 "Access and/or AccessStatus were changed!\n");
1354
1355 /* Generic access mask - no privilegeset buffer, no returnlength */
1356 SetLastError(0xdeadbeef);
1357 Access = ntAccessStatus = 0x1abe11ed;
1358 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1359 NULL, NULL, &Access, &ntAccessStatus);
1360 err = GetLastError();
1361 ok(ntret == STATUS_ACCESS_VIOLATION,
1362 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1363 ok(err == 0xdeadbeef,
1364 "NtAccessCheck shouldn't set last error, got %d\n", err);
1365 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1366 "Access and/or AccessStatus were changed!\n");
1367 }
1368 else
1369 win_skip("NtAccessCheck unavailable. Skipping.\n");
1370
1371 /* sd with NULL dacl */
1372 Access = AccessStatus = 0x1abe11ed;
1373 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, NULL, FALSE);
1374 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1375 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1376 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1377 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1378 ok(AccessStatus && (Access == KEY_READ),
1379 "AccessCheck failed to grant access with error %d\n",
1380 GetLastError());
1381 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1382 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1383 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1384 ok(AccessStatus && (Access == KEY_ALL_ACCESS),
1385 "AccessCheck failed to grant access with error %d\n",
1386 GetLastError());
1387
1388 /* sd with blank dacl */
1389 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1390 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1391 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1392 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1393 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1394 err = GetLastError();
1395 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1396 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1397 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1398
1399 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
1400 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
1401
1402 res = AddAccessDeniedAce(Acl, ACL_REVISION, KEY_SET_VALUE, AdminSid);
1403 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
1404
1405 /* sd with dacl */
1406 Access = AccessStatus = 0x1abe11ed;
1407 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1408 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1409 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1410 ok(AccessStatus && (Access == KEY_READ),
1411 "AccessCheck failed to grant access with error %d\n",
1412 GetLastError());
1413
1414 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1415 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1416 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1417 ok(AccessStatus,
1418 "AccessCheck failed to grant any access with error %d\n",
1419 GetLastError());
1420 trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08x\n", Access);
1421
1422 /* Null PrivSet with null PrivSetLen pointer */
1423 SetLastError(0xdeadbeef);
1424 Access = AccessStatus = 0x1abe11ed;
1425 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1426 NULL, NULL, &Access, &AccessStatus);
1427 err = GetLastError();
1428 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1429 "failed with ERROR_NOACCESS, instead of %d\n", err);
1430 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1431 "Access and/or AccessStatus were changed!\n");
1432
1433 /* Null PrivSet with zero PrivSetLen */
1434 SetLastError(0xdeadbeef);
1435 Access = AccessStatus = 0x1abe11ed;
1436 PrivSetLen = 0;
1437 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1438 0, &PrivSetLen, &Access, &AccessStatus);
1439 err = GetLastError();
1440 todo_wine
1441 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1442 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1443 todo_wine
1444 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1445 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1446 "Access and/or AccessStatus were changed!\n");
1447
1448 /* Null PrivSet with insufficient PrivSetLen */
1449 SetLastError(0xdeadbeef);
1450 Access = AccessStatus = 0x1abe11ed;
1451 PrivSetLen = 1;
1452 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1453 0, &PrivSetLen, &Access, &AccessStatus);
1454 err = GetLastError();
1455 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1456 "failed with ERROR_NOACCESS, instead of %d\n", err);
1457 ok(PrivSetLen == 1, "PrivSetLen returns %d\n", PrivSetLen);
1458 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1459 "Access and/or AccessStatus were changed!\n");
1460
1461 /* Null PrivSet with insufficient PrivSetLen */
1462 SetLastError(0xdeadbeef);
1463 Access = AccessStatus = 0x1abe11ed;
1464 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1465 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1466 0, &PrivSetLen, &Access, &AccessStatus);
1467 err = GetLastError();
1468 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1469 "failed with ERROR_NOACCESS, instead of %d\n", err);
1470 ok(PrivSetLen == sizeof(PRIVILEGE_SET) - 1, "PrivSetLen returns %d\n", PrivSetLen);
1471 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1472 "Access and/or AccessStatus were changed!\n");
1473
1474 /* Null PrivSet with minimal sufficient PrivSetLen */
1475 SetLastError(0xdeadbeef);
1476 Access = AccessStatus = 0x1abe11ed;
1477 PrivSetLen = sizeof(PRIVILEGE_SET);
1478 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1479 0, &PrivSetLen, &Access, &AccessStatus);
1480 err = GetLastError();
1481 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1482 "failed with ERROR_NOACCESS, instead of %d\n", err);
1483 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1484 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1485 "Access and/or AccessStatus were changed!\n");
1486
1487 /* Valid PrivSet with zero PrivSetLen */
1488 SetLastError(0xdeadbeef);
1489 Access = AccessStatus = 0x1abe11ed;
1490 PrivSetLen = 0;
1491 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1492 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1493 err = GetLastError();
1494 todo_wine
1495 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1496 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1497 todo_wine
1498 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1499 todo_wine
1500 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1501 "Access and/or AccessStatus were changed!\n");
1502
1503 /* Valid PrivSet with insufficient PrivSetLen */
1504 SetLastError(0xdeadbeef);
1505 Access = AccessStatus = 0x1abe11ed;
1506 PrivSetLen = 1;
1507 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1508 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1509 err = GetLastError();
1510 todo_wine
1511 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1512 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1513 todo_wine
1514 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1515 todo_wine
1516 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1517 "Access and/or AccessStatus were changed!\n");
1518
1519 /* Valid PrivSet with insufficient PrivSetLen */
1520 SetLastError(0xdeadbeef);
1521 Access = AccessStatus = 0x1abe11ed;
1522 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1523 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1524 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1525 err = GetLastError();
1526 todo_wine
1527 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1528 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1529 todo_wine
1530 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1531 todo_wine
1532 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1533 "Access and/or AccessStatus were changed!\n");
1534
1535 /* Valid PrivSet with minimal sufficient PrivSetLen */
1536 SetLastError(0xdeadbeef);
1537 Access = AccessStatus = 0x1abe11ed;
1538 PrivSetLen = sizeof(PRIVILEGE_SET);
1539 memset(PrivSet, 0xcc, PrivSetLen);
1540 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1541 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1542 err = GetLastError();
1543 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1544 todo_wine
1545 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1546 ok(AccessStatus && (Access == KEY_READ),
1547 "AccessCheck failed to grant access with error %d\n", GetLastError());
1548 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1549 PrivSet->PrivilegeCount);
1550
1551 /* Valid PrivSet with sufficient PrivSetLen */
1552 SetLastError(0xdeadbeef);
1553 Access = AccessStatus = 0x1abe11ed;
1554 PrivSetLen = sizeof(PRIVILEGE_SET) + 1;
1555 memset(PrivSet, 0xcc, PrivSetLen);
1556 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1557 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1558 err = GetLastError();
1559 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1560 todo_wine
1561 ok(PrivSetLen == sizeof(PRIVILEGE_SET) + 1, "PrivSetLen returns %d\n", PrivSetLen);
1562 ok(AccessStatus && (Access == KEY_READ),
1563 "AccessCheck failed to grant access with error %d\n", GetLastError());
1564 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1565 PrivSet->PrivilegeCount);
1566
1567 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1568
1569 /* Null PrivSet with valid PrivSetLen */
1570 SetLastError(0xdeadbeef);
1571 Access = AccessStatus = 0x1abe11ed;
1572 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1573 0, &PrivSetLen, &Access, &AccessStatus);
1574 err = GetLastError();
1575 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1576 "failed with ERROR_NOACCESS, instead of %d\n", err);
1577 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1578 "Access and/or AccessStatus were changed!\n");
1579
1580 /* Access denied by SD */
1581 SetLastError(0xdeadbeef);
1582 Access = AccessStatus = 0x1abe11ed;
1583 ret = AccessCheck(SecurityDescriptor, Token, KEY_WRITE, &Mapping,
1584 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1585 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1586 err = GetLastError();
1587 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1588 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1589 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1590
1591 SetLastError(0xdeadbeef);
1592 PrivSet->PrivilegeCount = 16;
1593 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1594 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1595 ok(ret && !AccessStatus && GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
1596 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %d\n",
1597 GetLastError());
1598
1599 ret = ImpersonateLoggedOnUser(Token);
1600 ok(ret, "ImpersonateLoggedOnUser failed with error %d\n", GetLastError());
1601 ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
1602 if (!ret)
1603 {
1604 /* Valid PrivSet with zero PrivSetLen */
1605 SetLastError(0xdeadbeef);
1606 Access = AccessStatus = 0x1abe11ed;
1607 PrivSetLen = 0;
1608 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1609 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1610 err = GetLastError();
1611 todo_wine
1612 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1613 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1614 todo_wine
1615 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1616 todo_wine
1617 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1618 "Access and/or AccessStatus were changed!\n");
1619
1620 /* Valid PrivSet with insufficient PrivSetLen */
1621 SetLastError(0xdeadbeef);
1622 Access = AccessStatus = 0x1abe11ed;
1623 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1624 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1625 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1626 err = GetLastError();
1627 todo_wine
1628 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1629 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1630 todo_wine
1631 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1632 todo_wine
1633 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1634 "Access and/or AccessStatus were changed!\n");
1635
1636 /* Valid PrivSet with minimal sufficient PrivSetLen */
1637 SetLastError(0xdeadbeef);
1638 Access = AccessStatus = 0x1abe11ed;
1639 PrivSetLen = sizeof(PRIVILEGE_SET);
1640 memset(PrivSet, 0xcc, PrivSetLen);
1641 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1642 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1643 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1644 "AccessCheck should have succeeded, error %d\n",
1645 GetLastError());
1646 ok(Access == ACCESS_SYSTEM_SECURITY,
1647 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1648 Access);
1649 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1650 PrivSet->PrivilegeCount);
1651
1652 /* Valid PrivSet with large PrivSetLen */
1653 SetLastError(0xdeadbeef);
1654 Access = AccessStatus = 0x1abe11ed;
1655 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1656 memset(PrivSet, 0xcc, PrivSetLen);
1657 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1658 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1659 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1660 "AccessCheck should have succeeded, error %d\n",
1661 GetLastError());
1662 ok(Access == ACCESS_SYSTEM_SECURITY,
1663 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1664 Access);
1665 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1666 PrivSet->PrivilegeCount);
1667 }
1668 else
1669 trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
1670 ret);
1671 ret = RevertToSelf();
1672 ok(ret, "RevertToSelf failed with error %d\n", GetLastError());
1673
1674 /* test INHERIT_ONLY_ACE */
1675 ret = InitializeAcl(Acl, 256, ACL_REVISION);
1676 ok(ret, "InitializeAcl failed with error %d\n", GetLastError());
1677
1678 /* NT doesn't have AddAccessAllowedAceEx. Skipping this call/test doesn't influence
1679 * the next ones.
1680 */
1681 if (pAddAccessAllowedAceEx)
1682 {
1683 ret = pAddAccessAllowedAceEx(Acl, ACL_REVISION, INHERIT_ONLY_ACE, KEY_READ, EveryoneSid);
1684 ok(ret, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
1685 }
1686 else
1687 win_skip("AddAccessAllowedAceEx is not available\n");
1688
1689 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1690 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1691 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1692 err = GetLastError();
1693 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1694 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1695 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1696
1697 CloseHandle(Token);
1698
1699 res = DuplicateToken(ProcessToken, SecurityAnonymous, &Token);
1700 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1701
1702 SetLastError(0xdeadbeef);
1703 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1704 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1705 err = GetLastError();
1706 ok(!ret && err == ERROR_BAD_IMPERSONATION_LEVEL, "AccessCheck should have failed "
1707 "with ERROR_BAD_IMPERSONATION_LEVEL, instead of %d\n", err);
1708
1709 CloseHandle(Token);
1710
1711 SetLastError(0xdeadbeef);
1712 ret = AccessCheck(SecurityDescriptor, ProcessToken, KEY_READ, &Mapping,
1713 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1714 err = GetLastError();
1715 ok(!ret && err == ERROR_NO_IMPERSONATION_TOKEN, "AccessCheck should have failed "
1716 "with ERROR_NO_IMPERSONATION_TOKEN, instead of %d\n", err);
1717
1718 CloseHandle(ProcessToken);
1719
1720 if (EveryoneSid)
1721 FreeSid(EveryoneSid);
1722 if (AdminSid)
1723 FreeSid(AdminSid);
1724 if (UsersSid)
1725 FreeSid(UsersSid);
1726 HeapFree(GetProcessHeap(), 0, Acl);
1727 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
1728 HeapFree(GetProcessHeap(), 0, PrivSet);
1729 }
1730
1731 /* test GetTokenInformation for the various attributes */
1732 static void test_token_attr(void)
1733 {
1734 HANDLE Token, ImpersonationToken;
1735 DWORD Size, Size2;
1736 TOKEN_PRIVILEGES *Privileges;
1737 TOKEN_GROUPS *Groups;
1738 TOKEN_USER *User;
1739 TOKEN_DEFAULT_DACL *Dacl;
1740 BOOL ret;
1741 DWORD i, GLE;
1742 LPSTR SidString;
1743 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
1744 ACL *acl;
1745
1746 /* cygwin-like use case */
1747 SetLastError(0xdeadbeef);
1748 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Token);
1749 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
1750 {
1751 win_skip("OpenProcessToken is not implemented\n");
1752 return;
1753 }
1754 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1755 if (ret)
1756 {
1757 DWORD buf[256]; /* GetTokenInformation wants a dword-aligned buffer */
1758 Size = sizeof(buf);
1759 ret = GetTokenInformation(Token, TokenUser,(void*)buf, Size, &Size);
1760 ok(ret, "GetTokenInformation failed with error %d\n", GetLastError());
1761 Size = sizeof(ImpersonationLevel);
1762 ret = GetTokenInformation(Token, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1763 GLE = GetLastError();
1764 ok(!ret && (GLE == ERROR_INVALID_PARAMETER), "GetTokenInformation(TokenImpersonationLevel) on primary token should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GLE);
1765 CloseHandle(Token);
1766 }
1767
1768 SetLastError(0xdeadbeef);
1769 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &Token);
1770 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1771
1772 /* groups */
1773 /* insufficient buffer length */
1774 SetLastError(0xdeadbeef);
1775 Size2 = 0;
1776 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size2);
1777 ok(Size2 > 1, "got %d\n", Size2);
1778 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1779 "%d with error %d\n", ret, GetLastError());
1780 Size2 -= 1;
1781 Groups = HeapAlloc(GetProcessHeap(), 0, Size2);
1782 memset(Groups, 0xcc, Size2);
1783 Size = 0;
1784 ret = GetTokenInformation(Token, TokenGroups, Groups, Size2, &Size);
1785 ok(Size > 1, "got %d\n", Size);
1786 ok((!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER) || broken(ret) /* wow64 */,
1787 "%d with error %d\n", ret, GetLastError());
1788 if(!ret)
1789 ok(*((BYTE*)Groups) == 0xcc, "buffer altered\n");
1790
1791 HeapFree(GetProcessHeap(), 0, Groups);
1792
1793 SetLastError(0xdeadbeef);
1794 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size);
1795 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1796 "GetTokenInformation(TokenGroups) %s with error %d\n",
1797 ret ? "succeeded" : "failed", GetLastError());
1798 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
1799 SetLastError(0xdeadbeef);
1800 ret = GetTokenInformation(Token, TokenGroups, Groups, Size, &Size);
1801 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
1802 ok(GetLastError() == 0xdeadbeef,
1803 "GetTokenInformation shouldn't have set last error to %d\n",
1804 GetLastError());
1805 trace("TokenGroups:\n");
1806 for (i = 0; i < Groups->GroupCount; i++)
1807 {
1808 DWORD NameLength = 255;
1809 CHAR Name[255];
1810 DWORD DomainLength = 255;
1811 CHAR Domain[255];
1812 SID_NAME_USE SidNameUse;
1813 Name[0] = '\0';
1814 Domain[0] = '\0';
1815 ret = LookupAccountSidA(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
1816 if (ret)
1817 {
1818 ConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
1819 trace("%s, %s\\%s use: %d attr: 0x%08x\n", SidString, Domain, Name, SidNameUse, Groups->Groups[i].Attributes);
1820 LocalFree(SidString);
1821 }
1822 else trace("attr: 0x%08x LookupAccountSid failed with error %d\n", Groups->Groups[i].Attributes, GetLastError());
1823 }
1824 HeapFree(GetProcessHeap(), 0, Groups);
1825
1826 /* user */
1827 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
1828 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1829 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1830 User = HeapAlloc(GetProcessHeap(), 0, Size);
1831 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
1832 ok(ret,
1833 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1834
1835 ConvertSidToStringSidA(User->User.Sid, &SidString);
1836 trace("TokenUser: %s attr: 0x%08x\n", SidString, User->User.Attributes);
1837 LocalFree(SidString);
1838 HeapFree(GetProcessHeap(), 0, User);
1839
1840 /* logon */
1841 ret = GetTokenInformation(Token, TokenLogonSid, NULL, 0, &Size);
1842 if (!ret && (GetLastError() == ERROR_INVALID_PARAMETER))
1843 todo_wine win_skip("TokenLogonSid not supported. Skipping tests\n");
1844 else
1845 {
1846 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1847 "GetTokenInformation(TokenLogonSid) failed with error %d\n", GetLastError());
1848 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
1849 ret = GetTokenInformation(Token, TokenLogonSid, Groups, Size, &Size);
1850 ok(ret,
1851 "GetTokenInformation(TokenLogonSid) failed with error %d\n", GetLastError());
1852 if (ret)
1853 {
1854 ok(Groups->GroupCount == 1, "got %d\n", Groups->GroupCount);
1855 if(Groups->GroupCount == 1)
1856 {
1857 ConvertSidToStringSidA(Groups->Groups[0].Sid, &SidString);
1858 trace("TokenLogon: %s\n", SidString);
1859 LocalFree(SidString);
1860
1861 /* S-1-5-5-0-XXXXXX */
1862 ret = IsWellKnownSid(Groups->Groups[0].Sid, WinLogonIdsSid);
1863 ok(ret, "Unknown SID\n");
1864 }
1865 }
1866
1867 HeapFree(GetProcessHeap(), 0, Groups);
1868 }
1869
1870 /* privileges */
1871 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
1872 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1873 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1874 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
1875 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
1876 ok(ret,
1877 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1878 trace("TokenPrivileges:\n");
1879 for (i = 0; i < Privileges->PrivilegeCount; i++)
1880 {
1881 CHAR Name[256];
1882 DWORD NameLen = ARRAY_SIZE(Name);
1883 LookupPrivilegeNameA(NULL, &Privileges->Privileges[i].Luid, Name, &NameLen);
1884 trace("\t%s, 0x%x\n", Name, Privileges->Privileges[i].Attributes);
1885 }
1886 HeapFree(GetProcessHeap(), 0, Privileges);
1887
1888 ret = DuplicateToken(Token, SecurityAnonymous, &ImpersonationToken);
1889 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
1890
1891 Size = sizeof(ImpersonationLevel);
1892 ret = GetTokenInformation(ImpersonationToken, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1893 ok(ret, "GetTokenInformation(TokenImpersonationLevel) failed with error %d\n", GetLastError());
1894 ok(ImpersonationLevel == SecurityAnonymous, "ImpersonationLevel should have been SecurityAnonymous instead of %d\n", ImpersonationLevel);
1895
1896 CloseHandle(ImpersonationToken);
1897
1898 /* default dacl */
1899 ret = GetTokenInformation(Token, TokenDefaultDacl, NULL, 0, &Size);
1900 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1901 "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1902
1903 Dacl = HeapAlloc(GetProcessHeap(), 0, Size);
1904 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size);
1905 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1906
1907 SetLastError(0xdeadbeef);
1908 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, 0);
1909 GLE = GetLastError();
1910 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1911 ok(GLE == ERROR_BAD_LENGTH, "expected ERROR_BAD_LENGTH got %u\n", GLE);
1912
1913 SetLastError(0xdeadbeef);
1914 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, Size);
1915 GLE = GetLastError();
1916 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1917 ok(GLE == ERROR_NOACCESS, "expected ERROR_NOACCESS got %u\n", GLE);
1918
1919 acl = Dacl->DefaultDacl;
1920 Dacl->DefaultDacl = NULL;
1921
1922 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1923 ok(ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1924
1925 Size2 = 0;
1926 Dacl->DefaultDacl = (ACL *)0xdeadbeef;
1927 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1928 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1929 ok(Dacl->DefaultDacl == NULL, "expected NULL, got %p\n", Dacl->DefaultDacl);
1930 ok(Size2 == sizeof(TOKEN_DEFAULT_DACL) || broken(Size2 == 2*sizeof(TOKEN_DEFAULT_DACL)), /* WoW64 */
1931 "got %u expected sizeof(TOKEN_DEFAULT_DACL)\n", Size2);
1932
1933 Dacl->DefaultDacl = acl;
1934 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1935 ok(ret, "SetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1936
1937 if (Size2 == sizeof(TOKEN_DEFAULT_DACL)) {
1938 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1939 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1940 } else
1941 win_skip("TOKEN_DEFAULT_DACL size too small on WoW64\n");
1942
1943 HeapFree(GetProcessHeap(), 0, Dacl);
1944 CloseHandle(Token);
1945 }
1946
1947 static void test_GetTokenInformation(void)
1948 {
1949 DWORD is_app_container, size;
1950 HANDLE token;
1951 BOOL ret;
1952
1953 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
1954 ok(ret, "OpenProcessToken failed: %u\n", GetLastError());
1955
1956 size = 0;
1957 is_app_container = 0xdeadbeef;
1958 ret = GetTokenInformation(token, TokenIsAppContainer, &is_app_container,
1959 sizeof(is_app_container), &size);
1960 ok(ret || broken(GetLastError() == ERROR_INVALID_PARAMETER ||
1961 GetLastError() == ERROR_INVALID_FUNCTION), /* pre-win8 */
1962 "GetTokenInformation failed: %u\n", GetLastError());
1963 if(ret) {
1964 ok(size == sizeof(is_app_container), "size = %u\n", size);
1965 ok(!is_app_container, "is_app_container = %x\n", is_app_container);
1966 }
1967
1968 CloseHandle(token);
1969 }
1970
1971 typedef union _MAX_SID
1972 {
1973 SID sid;
1974 char max[SECURITY_MAX_SID_SIZE];
1975 } MAX_SID;
1976
1977 static void test_sid_str(PSID * sid)
1978 {
1979 char *str_sid;
1980 BOOL ret = ConvertSidToStringSidA(sid, &str_sid);
1981 ok(ret, "ConvertSidToStringSidA() failed: %d\n", GetLastError());
1982 if (ret)
1983 {
1984 char account[MAX_PATH], domain[MAX_PATH];
1985 SID_NAME_USE use;
1986 DWORD acc_size = MAX_PATH;
1987 DWORD dom_size = MAX_PATH;
1988 ret = LookupAccountSidA (NULL, sid, account, &acc_size, domain, &dom_size, &use);
1989 ok(ret || GetLastError() == ERROR_NONE_MAPPED,
1990 "LookupAccountSid(%s) failed: %d\n", str_sid, GetLastError());
1991 if (ret)
1992 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
1993 else if (GetLastError() == ERROR_NONE_MAPPED)
1994 trace(" %s couldn't be mapped\n", str_sid);
1995 LocalFree(str_sid);
1996 }
1997 }
1998
1999 static const struct well_known_sid_value
2000 {
2001 BOOL without_domain;
2002 const char *sid_string;
2003 } well_known_sid_values[] = {
2004 /* 0 */ {TRUE, "S-1-0-0"}, {TRUE, "S-1-1-0"}, {TRUE, "S-1-2-0"}, {TRUE, "S-1-3-0"},
2005 /* 4 */ {TRUE, "S-1-3-1"}, {TRUE, "S-1-3-2"}, {TRUE, "S-1-3-3"}, {TRUE, "S-1-5"},
2006 /* 8 */ {FALSE, "S-1-5-1"}, {TRUE, "S-1-5-2"}, {TRUE, "S-1-5-3"}, {TRUE, "S-1-5-4"},
2007 /* 12 */ {TRUE, "S-1-5-6"}, {TRUE, "S-1-5-7"}, {TRUE, "S-1-5-8"}, {TRUE, "S-1-5-9"},
2008 /* 16 */ {TRUE, "S-1-5-10"}, {TRUE, "S-1-5-11"}, {TRUE, "S-1-5-12"}, {TRUE, "S-1-5-13"},
2009 /* 20 */ {TRUE, "S-1-5-14"}, {FALSE, NULL}, {TRUE, "S-1-5-18"}, {TRUE, "S-1-5-19"},
2010 /* 24 */ {TRUE, "S-1-5-20"}, {TRUE, "S-1-5-32"},
2011 /* 26 */ {FALSE, "S-1-5-32-544"}, {TRUE, "S-1-5-32-545"}, {TRUE, "S-1-5-32-546"},
2012 /* 29 */ {TRUE, "S-1-5-32-547"}, {TRUE, "S-1-5-32-548"}, {TRUE, "S-1-5-32-549"},
2013 /* 32 */ {TRUE, "S-1-5-32-550"}, {TRUE, "S-1-5-32-551"}, {TRUE, "S-1-5-32-552"},
2014 /* 35 */ {TRUE, "S-1-5-32-554"}, {TRUE, "S-1-5-32-555"}, {TRUE, "S-1-5-32-556"},
2015 /* 38 */ {FALSE, "S-1-5-21-12-23-34-45-56-500"}, {FALSE, "S-1-5-21-12-23-34-45-56-501"},
2016 /* 40 */ {FALSE, "S-1-5-21-12-23-34-45-56-502"}, {FALSE, "S-1-5-21-12-23-34-45-56-512"},
2017 /* 42 */ {FALSE, "S-1-5-21-12-23-34-45-56-513"}, {FALSE, "S-1-5-21-12-23-34-45-56-514"},
2018 /* 44 */ {FALSE, "S-1-5-21-12-23-34-45-56-515"}, {FALSE, "S-1-5-21-12-23-34-45-56-516"},
2019 /* 46 */ {FALSE, "S-1-5-21-12-23-34-45-56-517"}, {FALSE, "S-1-5-21-12-23-34-45-56-518"},
2020 /* 48 */ {FALSE, "S-1-5-21-12-23-34-45-56-519"}, {FALSE, "S-1-5-21-12-23-34-45-56-520"},
2021 /* 50 */ {FALSE, "S-1-5-21-12-23-34-45-56-553"},
2022 /* Added in Windows Server 2003 */
2023 /* 51 */ {TRUE, "S-1-5-64-10"}, {TRUE, "S-1-5-64-21"}, {TRUE, "S-1-5-64-14"},
2024 /* 54 */ {TRUE, "S-1-5-15"}, {TRUE, "S-1-5-1000"}, {FALSE, "S-1-5-32-557"},
2025 /* 57 */ {TRUE, "S-1-5-32-558"}, {TRUE, "S-1-5-32-559"}, {TRUE, "S-1-5-32-560"},
2026 /* 60 */ {TRUE, "S-1-5-32-561"}, {TRUE, "S-1-5-32-562"},
2027 /* Added in Windows Vista: */
2028 /* 62 */ {TRUE, "S-1-5-32-568"},
2029 /* 63 */ {TRUE, "S-1-5-17"}, {FALSE, "S-1-5-32-569"}, {TRUE, "S-1-16-0"},
2030 /* 66 */ {TRUE, "S-1-16-4096"}, {TRUE, "S-1-16-8192"}, {TRUE, "S-1-16-12288"},
2031 /* 69 */ {TRUE, "S-1-16-16384"}, {TRUE, "S-1-5-33"}, {TRUE, "S-1-3-4"},
2032 /* 72 */ {FALSE, "S-1-5-21-12-23-34-45-56-571"}, {FALSE, "S-1-5-21-12-23-34-45-56-572"},
2033 /* 74 */ {TRUE, "S-1-5-22"}, {FALSE, "S-1-5-21-12-23-34-45-56-521"}, {TRUE, "S-1-5-32-573"},
2034 /* 77 */ {FALSE, "S-1-5-21-12-23-34-45-56-498"}, {TRUE, "S-1-5-32-574"}, {TRUE, "S-1-16-8448"},
2035 /* 80 */ {FALSE, NULL}, {TRUE, "S-1-2-1"}, {TRUE, "S-1-5-65-1"}, {FALSE, NULL},
2036 /* 84 */ {TRUE, "S-1-15-2-1"},
2037 };
2038
2039 static void test_CreateWellKnownSid(void)
2040 {
2041 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2042 PSID domainsid, sid;
2043 DWORD size, error;
2044 BOOL ret;
2045 unsigned int i;
2046
2047 if (!pCreateWellKnownSid)
2048 {
2049 win_skip("CreateWellKnownSid not available\n");
2050 return;
2051 }
2052
2053 size = 0;
2054 SetLastError(0xdeadbeef);
2055 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2056 error = GetLastError();
2057 ok(!ret, "CreateWellKnownSid succeeded\n");
2058 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2059 ok(size, "expected size > 0\n");
2060
2061 SetLastError(0xdeadbeef);
2062 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2063 error = GetLastError();
2064 ok(!ret, "CreateWellKnownSid succeeded\n");
2065 ok(error == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %u\n", error);
2066
2067 sid = HeapAlloc(GetProcessHeap(), 0, size);
2068 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, sid, &size);
2069 ok(ret, "CreateWellKnownSid failed %u\n", GetLastError());
2070 HeapFree(GetProcessHeap(), 0, sid);
2071
2072 /* a domain sid usually have three subauthorities but we test that CreateWellKnownSid doesn't check it */
2073 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2074
2075 for (i = 0; i < ARRAY_SIZE(well_known_sid_values); i++)
2076 {
2077 const struct well_known_sid_value *value = &well_known_sid_values[i];
2078 char sid_buffer[SECURITY_MAX_SID_SIZE];
2079 LPSTR str;
2080 DWORD cb;
2081
2082 if (value->sid_string == NULL)
2083 continue;
2084
2085 /* some SIDs aren't implemented by all Windows versions - detect it */
2086 cb = sizeof(sid_buffer);
2087 if (!pCreateWellKnownSid(i, NULL, sid_buffer, &cb))
2088 {
2089 skip("Well known SID %u not implemented\n", i);
2090 continue;
2091 }
2092
2093 cb = sizeof(sid_buffer);
2094 ok(pCreateWellKnownSid(i, value->without_domain ? NULL : domainsid, sid_buffer, &cb), "Couldn't create well known sid %u\n", i);
2095 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2096 ok(IsValidSid(sid_buffer), "The sid is not valid\n");
2097 ok(ConvertSidToStringSidA(sid_buffer, &str), "Couldn't convert SID to string\n");
2098 ok(strcmp(str, value->sid_string) == 0, "%d: SID mismatch - expected %s, got %s\n", i,
2099 value->sid_string, str);
2100 LocalFree(str);
2101
2102 if (value->without_domain)
2103 {
2104 char buf2[SECURITY_MAX_SID_SIZE];
2105 cb = sizeof(buf2);
2106 ok(pCreateWellKnownSid(i, domainsid, buf2, &cb), "Couldn't create well known sid %u with optional domain\n", i);
2107 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2108 ok(memcmp(buf2, sid_buffer, cb) == 0, "SID create with domain is different than without (%u)\n", i);
2109 }
2110 }
2111
2112 FreeSid(domainsid);
2113 }
2114
2115 static void test_LookupAccountSid(void)
2116 {
2117 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
2118 CHAR accountA[MAX_PATH], domainA[MAX_PATH], usernameA[MAX_PATH];
2119 DWORD acc_sizeA, dom_sizeA, user_sizeA;
2120 DWORD real_acc_sizeA, real_dom_sizeA;
2121 WCHAR accountW[MAX_PATH], domainW[MAX_PATH];
2122 DWORD acc_sizeW, dom_sizeW;
2123 DWORD real_acc_sizeW, real_dom_sizeW;
2124 PSID pUsersSid = NULL;
2125 SID_NAME_USE use;
2126 BOOL ret;
2127 DWORD error, size, cbti = 0;
2128 MAX_SID max_sid;
2129 CHAR *str_sidA;
2130 int i;
2131 HANDLE hToken;
2132 PTOKEN_USER ptiUser = NULL;
2133
2134 /* native windows crashes if account size, domain size, or name use is NULL */
2135
2136 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
2137 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
2138 ok(ret || (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED),
2139 "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2140
2141 /* not running on NT so give up */
2142 if (!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2143 return;
2144
2145 real_acc_sizeA = MAX_PATH;
2146 real_dom_sizeA = MAX_PATH;
2147 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2148 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2149
2150 /* try NULL account */
2151 acc_sizeA = MAX_PATH;
2152 dom_sizeA = MAX_PATH;
2153 ret = LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2154 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2155
2156 /* try NULL domain */
2157 acc_sizeA = MAX_PATH;
2158 dom_sizeA = MAX_PATH;
2159 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2160 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2161
2162 /* try a small account buffer */
2163 acc_sizeA = 1;
2164 dom_sizeA = MAX_PATH;
2165 accountA[0] = 0;
2166 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2167 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2168 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2169 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2170
2171 /* try a 0 sized account buffer */
2172 acc_sizeA = 0;
2173 dom_sizeA = MAX_PATH;
2174 accountA[0] = 0;
2175 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2176 /* this can fail or succeed depending on OS version but the size will always be returned */
2177 ok(acc_sizeA == real_acc_sizeA + 1,
2178 "LookupAccountSidA() Expected acc_size = %u, got %u\n",
2179 real_acc_sizeA + 1, acc_sizeA);
2180
2181 /* try a 0 sized account buffer */
2182 acc_sizeA = 0;
2183 dom_sizeA = MAX_PATH;
2184 LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2185 /* this can fail or succeed depending on OS version but the size will always be returned */
2186 ok(acc_sizeA == real_acc_sizeA + 1,
2187 "LookupAccountSid() Expected acc_size = %u, got %u\n",
2188 real_acc_sizeA + 1, acc_sizeA);
2189
2190 /* try a small domain buffer */
2191 dom_sizeA = 1;
2192 acc_sizeA = MAX_PATH;
2193 accountA[0] = 0;
2194 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2195 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2196 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2197 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2198
2199 /* try a 0 sized domain buffer */
2200 dom_sizeA = 0;
2201 acc_sizeA = MAX_PATH;
2202 accountA[0] = 0;
2203 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2204 /* this can fail or succeed depending on OS version but the size will always be returned */
2205 ok(dom_sizeA == real_dom_sizeA + 1,
2206 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2207 real_dom_sizeA + 1, dom_sizeA);
2208
2209 /* try a 0 sized domain buffer */
2210 dom_sizeA = 0;
2211 acc_sizeA = MAX_PATH;
2212 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2213 /* this can fail or succeed depending on OS version but the size will always be returned */
2214 ok(dom_sizeA == real_dom_sizeA + 1,
2215 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2216 real_dom_sizeA + 1, dom_sizeA);
2217
2218 real_acc_sizeW = MAX_PATH;
2219 real_dom_sizeW = MAX_PATH;
2220 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &real_acc_sizeW, domainW, &real_dom_sizeW, &use);
2221 ok(ret, "LookupAccountSidW() Expected TRUE, got FALSE\n");
2222
2223 /* try an invalid system name */
2224 real_acc_sizeA = MAX_PATH;
2225 real_dom_sizeA = MAX_PATH;
2226 ret = LookupAccountSidA("deepthought", pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2227 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2228 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2229 "LookupAccountSidA() Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %u\n", GetLastError());
2230
2231 /* native windows crashes if domainW or accountW is NULL */
2232
2233 /* try a small account buffer */
2234 acc_sizeW = 1;
2235 dom_sizeW = MAX_PATH;
2236 accountW[0] = 0;
2237 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2238 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2239 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2240 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2241
2242 /* try a 0 sized account buffer */
2243 acc_sizeW = 0;
2244 dom_sizeW = MAX_PATH;
2245 accountW[0] = 0;
2246 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2247 /* this can fail or succeed depending on OS version but the size will always be returned */
2248 ok(acc_sizeW == real_acc_sizeW + 1,
2249 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2250 real_acc_sizeW + 1, acc_sizeW);
2251
2252 /* try a 0 sized account buffer */
2253 acc_sizeW = 0;
2254 dom_sizeW = MAX_PATH;
2255 LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, domainW, &dom_sizeW, &use);
2256 /* this can fail or succeed depending on OS version but the size will always be returned */
2257 ok(acc_sizeW == real_acc_sizeW + 1,
2258 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2259 real_acc_sizeW + 1, acc_sizeW);
2260
2261 /* try a small domain buffer */
2262 dom_sizeW = 1;
2263 acc_sizeW = MAX_PATH;
2264 accountW[0] = 0;
2265 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2266 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2267 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2268 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2269
2270 /* try a 0 sized domain buffer */
2271 dom_sizeW = 0;
2272 acc_sizeW = MAX_PATH;
2273 accountW[0] = 0;
2274 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2275 /* this can fail or succeed depending on OS version but the size will always be returned */
2276 ok(dom_sizeW == real_dom_sizeW + 1,
2277 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2278 real_dom_sizeW + 1, dom_sizeW);
2279
2280 /* try a 0 sized domain buffer */
2281 dom_sizeW = 0;
2282 acc_sizeW = MAX_PATH;
2283 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, NULL, &dom_sizeW, &use);
2284 /* this can fail or succeed depending on OS version but the size will always be returned */
2285 ok(dom_sizeW == real_dom_sizeW + 1,
2286 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2287 real_dom_sizeW + 1, dom_sizeW);
2288
2289 acc_sizeW = dom_sizeW = use = 0;
2290 SetLastError(0xdeadbeef);
2291 ret = LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, NULL, &dom_sizeW, &use);
2292 error = GetLastError();
2293 ok(!ret, "LookupAccountSidW failed %u\n", GetLastError());
2294 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2295 ok(acc_sizeW, "expected non-zero account size\n");
2296 ok(dom_sizeW, "expected non-zero domain size\n");
2297 ok(!use, "expected zero use %u\n", use);
2298
2299 FreeSid(pUsersSid);
2300
2301 /* Test LookupAccountSid with Sid retrieved from token information.
2302 This assumes this process is running under the account of the current user.*/
2303 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_DUPLICATE, &hToken);
2304 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
2305 ret = GetTokenInformation(hToken, TokenUser, NULL, 0, &cbti);
2306 ok(!ret, "GetTokenInformation failed with error %d\n", GetLastError());
2307 ptiUser = HeapAlloc(GetProcessHeap(), 0, cbti);
2308 if (GetTokenInformation(hToken, TokenUser, ptiUser, cbti, &cbti))
2309 {
2310 acc_sizeA = dom_sizeA = MAX_PATH;
2311 ret = LookupAccountSidA(NULL, ptiUser->User.Sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2312 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2313 user_sizeA = MAX_PATH;
2314 ret = GetUserNameA(usernameA , &user_sizeA);
2315 ok(ret, "GetUserNameA() Expected TRUE, got FALSE\n");
2316 ok(lstrcmpA(usernameA, accountA) == 0, "LookupAccountSidA() Expected account name: %s got: %s\n", usernameA, accountA );
2317 }
2318 HeapFree(GetProcessHeap(), 0, ptiUser);
2319
2320 if (pCreateWellKnownSid)
2321 {
2322 trace("Well Known SIDs:\n");
2323 for (i = 0; i <= 60; i++)
2324 {
2325 size = SECURITY_MAX_SID_SIZE;
2326 if (pCreateWellKnownSid(i, NULL, &max_sid.sid, &size))
2327 {
2328 if (ConvertSidToStringSidA(&max_sid.sid, &str_sidA))
2329 {
2330 acc_sizeA = MAX_PATH;
2331 dom_sizeA = MAX_PATH;
2332 if (LookupAccountSidA(NULL, &max_sid.sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use))
2333 trace(" %d: %s %s\\%s %d\n", i, str_sidA, domainA, accountA, use);
2334 LocalFree(str_sidA);
2335 }
2336 }
2337 else
2338 {
2339 if (GetLastError() != ERROR_INVALID_PARAMETER)
2340 trace(" CreateWellKnownSid(%d) failed: %d\n", i, GetLastError());
2341 else
2342 trace(" %d: not supported\n", i);
2343 }
2344 }
2345
2346 pLsaQueryInformationPolicy = (void *)GetProcAddress( hmod, "LsaQueryInformationPolicy");
2347 pLsaOpenPolicy = (void *)GetProcAddress( hmod, "LsaOpenPolicy");
2348 pLsaFreeMemory = (void *)GetProcAddress( hmod, "LsaFreeMemory");
2349 pLsaClose = (void *)GetProcAddress( hmod, "LsaClose");
2350
2351 if (pLsaQueryInformationPolicy && pLsaOpenPolicy && pLsaFreeMemory && pLsaClose)
2352 {
2353 NTSTATUS status;
2354 LSA_HANDLE handle;
2355 LSA_OBJECT_ATTRIBUTES object_attributes;
2356
2357 ZeroMemory(&object_attributes, sizeof(object_attributes));
2358 object_attributes.Length = sizeof(object_attributes);
2359
2360 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_ALL_ACCESS, &handle);
2361 ok(status == STATUS_SUCCESS || status == STATUS_ACCESS_DENIED,
2362 "LsaOpenPolicy(POLICY_ALL_ACCESS) returned 0x%08x\n", status);
2363
2364 /* try a more restricted access mask if necessary */
2365 if (status == STATUS_ACCESS_DENIED) {
2366 trace("LsaOpenPolicy(POLICY_ALL_ACCESS) failed, trying POLICY_VIEW_LOCAL_INFORMATION\n");
2367 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_VIEW_LOCAL_INFORMATION, &handle);
2368 ok(status == STATUS_SUCCESS, "LsaOpenPolicy(POLICY_VIEW_LOCAL_INFORMATION) returned 0x%08x\n", status);
2369 }
2370
2371 if (status == STATUS_SUCCESS)
2372 {
2373 PPOLICY_ACCOUNT_DOMAIN_INFO info;
2374 status = pLsaQueryInformationPolicy(handle, PolicyAccountDomainInformation, (PVOID*)&info);
2375 ok(status == STATUS_SUCCESS, "LsaQueryInformationPolicy() failed, returned 0x%08x\n", status);
2376 if (status == STATUS_SUCCESS)
2377 {
2378 ok(info->DomainSid!=0, "LsaQueryInformationPolicy(PolicyAccountDomainInformation) missing SID\n");
2379 if (info->DomainSid)
2380 {
2381 int count = *GetSidSubAuthorityCount(info->DomainSid);
2382 CopySid(GetSidLengthRequired(count), &max_sid, info->DomainSid);
2383 test_sid_str((PSID)&max_sid.sid);
2384 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_ADMIN;
2385 max_sid.sid.SubAuthorityCount = count + 1;
2386 test_sid_str((PSID)&max_sid.sid);
2387 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_GUEST;
2388 test_sid_str((PSID)&max_sid.sid);
2389 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ADMINS;
2390 test_sid_str((PSID)&max_sid.sid);
2391 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_USERS;
2392 test_sid_str((PSID)&max_sid.sid);
2393 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_GUESTS;
2394 test_sid_str((PSID)&max_sid.sid);
2395 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_COMPUTERS;
2396 test_sid_str((PSID)&max_sid.sid);
2397 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CONTROLLERS;
2398 test_sid_str((PSID)&max_sid.sid);
2399 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CERT_ADMINS;
2400 test_sid_str((PSID)&max_sid.sid);
2401 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_SCHEMA_ADMINS;
2402 test_sid_str((PSID)&max_sid.sid);
2403 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS;
2404 test_sid_str((PSID)&max_sid.sid);
2405 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_POLICY_ADMINS;
2406 test_sid_str((PSID)&max_sid.sid);
2407 max_sid.sid.SubAuthority[count] = DOMAIN_ALIAS_RID_RAS_SERVERS;
2408 test_sid_str((PSID)&max_sid.sid);
2409 max_sid.sid.SubAuthority[count] = 1000; /* first user account */
2410 test_sid_str((PSID)&max_sid.sid);
2411 }
2412
2413 pLsaFreeMemory((LPVOID)info);
2414 }
2415
2416 status = pLsaClose(handle);
2417 ok(status == STATUS_SUCCESS, "LsaClose() failed, returned 0x%08x\n", status);
2418 }
2419 }
2420 }
2421 }
2422
2423 static BOOL get_sid_info(PSID psid, LPSTR *user, LPSTR *dom)
2424 {
2425 static CHAR account[UNLEN + 1];
2426 static CHAR domain[UNLEN + 1];
2427 DWORD size, dom_size;
2428 SID_NAME_USE use;
2429
2430 *user = account;
2431 *dom = domain;
2432
2433 size = dom_size = UNLEN + 1;
2434 account[0] = '\0';
2435 domain[0] = '\0';
2436 SetLastError(0xdeadbeef);
2437 return LookupAccountSidA(NULL, psid, account, &size, domain, &dom_size, &use);
2438 }
2439
2440 static void check_wellknown_name(const char* name, WELL_KNOWN_SID_TYPE result)
2441 {
2442 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2443 PSID domainsid = NULL;
2444 char wk_sid[SECURITY_MAX_SID_SIZE];
2445 DWORD cb;
2446
2447 DWORD sid_size, domain_size;
2448 SID_NAME_USE sid_use;
2449 LPSTR domain, account, sid_domain, wk_domain, wk_account;
2450 PSID psid;
2451 BOOL ret ,ret2;
2452
2453 sid_size = 0;
2454 domain_size = 0;
2455 ret = LookupAccountNameA(NULL, name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2456 ok(!ret, " %s Should have failed to lookup account name\n", name);
2457 psid = HeapAlloc(GetProcessHeap(),0,sid_size);
2458 domain = HeapAlloc(GetProcessHeap(),0,domain_size);
2459 ret = LookupAccountNameA(NULL, name, psid, &sid_size, domain, &domain_size, &sid_use);
2460
2461 if (!result)
2462 {
2463 ok(!ret, " %s Should have failed to lookup account name\n",name);
2464 goto cleanup;
2465 }
2466
2467 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2468 cb = sizeof(wk_sid);
2469 if (!pCreateWellKnownSid(result, domainsid, wk_sid, &cb))
2470 {
2471 win_skip("SID %i is not available on the system\n",result);
2472 goto cleanup;
2473 }
2474
2475 ret2 = get_sid_info(wk_sid, &wk_account, &wk_domain);
2476 if (!ret2 && GetLastError() == ERROR_NONE_MAPPED)
2477 {
2478 win_skip("CreateWellKnownSid() succeeded but the account '%s' is not present (W2K)\n", name);
2479 goto cleanup;
2480 }
2481
2482 get_sid_info(psid, &account, &sid_domain);
2483
2484 ok(ret, "Failed to lookup account name %s\n",name);
2485 ok(sid_size != 0, "sid_size was zero\n");
2486
2487 ok(EqualSid(psid,wk_sid),"%s Sid %s fails to match well known sid %s!\n",
2488 name, debugstr_sid(psid), debugstr_sid(wk_sid));
2489
2490 ok(!lstrcmpA(account, wk_account), "Expected %s , got %s\n", account, wk_account);
2491 ok(!lstrcmpA(domain, wk_domain), "Expected %s, got %s\n", wk_domain, domain);
2492 ok(sid_use == SidTypeWellKnownGroup , "Expected Use (5), got %d\n", sid_use);
2493
2494 cleanup:
2495 FreeSid(domainsid);
2496 HeapFree(GetProcessHeap(),0,psid);
2497 HeapFree(GetProcessHeap(),0,domain);
2498 }
2499
2500 static void test_LookupAccountName(void)
2501 {
2502 DWORD sid_size, domain_size, user_size;
2503 DWORD sid_save, domain_save;
2504 CHAR user_name[UNLEN + 1];
2505 CHAR computer_name[UNLEN + 1];
2506 SID_NAME_USE sid_use;
2507 LPSTR domain, account, sid_dom;
2508 PSID psid;
2509 BOOL ret;
2510
2511 /* native crashes if (assuming all other parameters correct):
2512 * - peUse is NULL
2513 * - Sid is NULL and cbSid is > 0
2514 * - cbSid or cchReferencedDomainName are NULL
2515 * - ReferencedDomainName is NULL and cchReferencedDomainName is the correct size
2516 */
2517
2518 user_size = UNLEN + 1;
2519 SetLastError(0xdeadbeef);
2520 ret = GetUserNameA(user_name, &user_size);
2521 ok(ret, "Failed to get user name : %d\n", GetLastError());
2522
2523 /* get sizes */
2524 sid_size = 0;
2525 domain_size = 0;
2526 sid_use = 0xcafebabe;
2527 SetLastError(0xdeadbeef);
2528 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2529 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2530 {
2531 win_skip("LookupAccountNameA is not implemented\n");
2532 return;
2533 }
2534 ok(!ret, "Expected 0, got %d\n", ret);
2535 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2536 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2537 ok(sid_size != 0, "Expected non-zero sid size\n");
2538 ok(domain_size != 0, "Expected non-zero domain size\n");
2539 ok(sid_use == (SID_NAME_USE)0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2540
2541 sid_save = sid_size;
2542 domain_save = domain_size;
2543
2544 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2545 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2546
2547 /* try valid account name */
2548 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, domain, &domain_size, &sid_use);
2549 get_sid_info(psid, &account, &sid_dom);
2550 ok(ret, "Failed to lookup account name\n");
2551 ok(sid_size == GetLengthSid(psid), "Expected %d, got %d\n", GetLengthSid(psid), sid_size);
2552 ok(!lstrcmpA(account, user_name), "Expected %s, got %s\n", user_name, account);
2553 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2554 ok(domain_size == domain_save - 1, "Expected %d, got %d\n", domain_save - 1, domain_size);
2555 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2556 ok(sid_use == SidTypeUser, "Expected SidTypeUser (%d), got %d\n", SidTypeUser, sid_use);
2557 domain_size = domain_save;
2558 sid_size = sid_save;
2559
2560 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2561 {
2562 skip("Non-English locale (test with hardcoded 'Everyone')\n");
2563 }
2564 else
2565 {
2566 ret = LookupAccountNameA(NULL, "Everyone", psid, &sid_size, domain, &domain_size, &sid_use);
2567 get_sid_info(psid, &account, &sid_dom);
2568 ok(ret, "Failed to lookup account name\n");
2569 ok(sid_size != 0, "sid_size was zero\n");
2570 ok(!lstrcmpA(account, "Everyone"), "Expected Everyone, got %s\n", account);
2571 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2572 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2573 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2574 ok(sid_use == SidTypeWellKnownGroup, "Expected SidTypeWellKnownGroup (%d), got %d\n", SidTypeWellKnownGroup, sid_use);
2575 domain_size = domain_save;
2576 }
2577
2578 /* NULL Sid with zero sid size */
2579 SetLastError(0xdeadbeef);
2580 sid_size = 0;
2581 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2582 ok(!ret, "Expected 0, got %d\n", ret);
2583 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2584 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2585 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2586 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2587
2588 /* try cchReferencedDomainName - 1 */
2589 SetLastError(0xdeadbeef);
2590 domain_size--;
2591 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2592 ok(!ret, "Expected 0, got %d\n", ret);
2593 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2594 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2595 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2596 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2597
2598 /* NULL ReferencedDomainName with zero domain name size */
2599 SetLastError(0xdeadbeef);
2600 domain_size = 0;
2601 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, NULL, &domain_size, &sid_use);
2602 ok(!ret, "Expected 0, got %d\n", ret);
2603 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2604 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2605 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2606 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2607
2608 HeapFree(GetProcessHeap(), 0, psid);
2609 HeapFree(GetProcessHeap(), 0, domain);
2610
2611 /* get sizes for NULL account name */
2612 sid_size = 0;
2613 domain_size = 0;
2614 sid_use = 0xcafebabe;
2615 SetLastError(0xdeadbeef);
2616 ret = LookupAccountNameA(NULL, NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2617 if (!ret && GetLastError() == ERROR_NONE_MAPPED)
2618 win_skip("NULL account name doesn't work on NT4\n");
2619 else
2620 {
2621 ok(!ret, "Expected 0, got %d\n", ret);
2622 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2623 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2624 ok(sid_size != 0, "Expected non-zero sid size\n");
2625 ok(domain_size != 0, "Expected non-zero domain size\n");
2626 ok(sid_use == (SID_NAME_USE)0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2627
2628 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2629 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2630
2631 /* try NULL account name */
2632 ret = LookupAccountNameA(NULL, NULL, psid, &sid_size, domain, &domain_size, &sid_use);
2633 get_sid_info(psid, &account, &sid_dom);
2634 ok(ret, "Failed to lookup account name\n");
2635 /* Using a fixed string will not work on different locales */
2636 ok(!lstrcmpiA(account, domain),
2637 "Got %s for account and %s for domain, these should be the same\n", account, domain);
2638 ok(sid_use == SidTypeDomain, "Expected SidTypeDomain (%d), got %d\n", SidTypeDomain, sid_use);
2639
2640 HeapFree(GetProcessHeap(), 0, psid);
2641 HeapFree(GetProcessHeap(), 0, domain);
2642 }
2643
2644 /* try an invalid account name */
2645 SetLastError(0xdeadbeef);
2646 sid_size = 0;
2647 domain_size = 0;
2648 ret = LookupAccountNameA(NULL, "oogabooga", NULL, &sid_size, NULL, &domain_size, &sid_use);
2649 ok(!ret, "Expected 0, got %d\n", ret);
2650 ok(GetLastError() == ERROR_NONE_MAPPED ||
2651 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE),
2652 "Expected ERROR_NONE_MAPPED, got %d\n", GetLastError());
2653 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2654 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2655
2656 /* try an invalid system name */
2657 SetLastError(0xdeadbeef);
2658 sid_size = 0;
2659 domain_size = 0;
2660 ret = LookupAccountNameA("deepthought", NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2661 ok(!ret, "Expected 0, got %d\n", ret);
2662 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2663 "Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %d\n", GetLastError());
2664 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2665 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2666
2667 /* try with the computer name as the account name */
2668 domain_size = sizeof(computer_name);
2669 GetComputerNameA(computer_name, &domain_size);
2670 sid_size = 0;
2671 domain_size = 0;
2672 ret = LookupAccountNameA(NULL, computer_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2673 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER ||
2674 GetLastError() == ERROR_NONE_MAPPED /* in a domain */ ||
2675 broken(GetLastError() == ERROR_TRUSTED_DOMAIN_FAILURE) ||
2676 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE)),
2677 "LookupAccountNameA failed: %d\n", GetLastError());
2678 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
2679 {
2680 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2681 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2682 ret = LookupAccountNameA(NULL, computer_name, psid, &sid_size, domain, &domain_size, &sid_use);
2683 ok(ret, "LookupAccountNameA failed: %d\n", GetLastError());
2684 ok(sid_use == SidTypeDomain ||
2685 (sid_use == SidTypeUser && ! strcmp(computer_name, user_name)), "expected SidTypeDomain for %s, got %d\n", computer_name, sid_use);
2686 HeapFree(GetProcessHeap(), 0, domain);
2687 HeapFree(GetProcessHeap(), 0, psid);
2688 }
2689
2690 /* Well Known names */
2691 if (!pCreateWellKnownSid)
2692 {
2693 win_skip("CreateWellKnownSid not available\n");
2694 return;
2695 }
2696
2697 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2698 {
2699 skip("Non-English locale (skipping well known name creation tests)\n");
2700 return;
2701 }
2702
2703 check_wellknown_name("LocalService", WinLocalServiceSid);
2704 check_wellknown_name("Local Service", WinLocalServiceSid);
2705 /* 2 spaces */
2706 check_wellknown_name("Local Service", 0);
2707 check_wellknown_name("NetworkService", WinNetworkServiceSid);
2708 check_wellknown_name("Network Service", WinNetworkServiceSid);
2709
2710 /* example of some names where the spaces are not optional */
2711 check_wellknown_name("Terminal Server User", WinTerminalServerSid);
2712 check_wellknown_name("TerminalServer User", 0);
2713 check_wellknown_name("TerminalServerUser", 0);
2714 check_wellknown_name("Terminal ServerUser", 0);
2715
2716 check_wellknown_name("enterprise domain controllers",WinEnterpriseControllersSid);
2717 check_wellknown_name("enterprisedomain controllers", 0);
2718 check_wellknown_name("enterprise domaincontrollers", 0);
2719 check_wellknown_name("enterprisedomaincontrollers", 0);
2720
2721 /* case insensitivity */
2722 check_wellknown_name("lOCAlServICE", WinLocalServiceSid);
2723
2724 /* fully qualified account names */
2725 check_wellknown_name("NT AUTHORITY\\LocalService", WinLocalServiceSid);
2726 check_wellknown_name("nt authority\\Network Service", WinNetworkServiceSid);
2727 check_wellknown_name("nt authority test\\Network Service", 0);
2728 check_wellknown_name("Dummy\\Network Service", 0);
2729 check_wellknown_name("ntauthority\\Network Service", 0);
2730 }
2731
2732 static void test_security_descriptor(void)
2733 {
2734 SECURITY_DESCRIPTOR sd, *sd_rel, *sd_rel2, *sd_abs;
2735 char buf[8192];
2736 DWORD size, size_dacl, size_sacl, size_owner, size_group;
2737 BOOL isDefault, isPresent, ret;
2738 PACL pacl, dacl, sacl;
2739 PSID psid, owner, group;
2740
2741 SetLastError(0xdeadbeef);
2742 ret = InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
2743 if (ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2744 {
2745 win_skip("InitializeSecurityDescriptor is not implemented\n");
2746 return;
2747 }
2748
2749 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2750 expect_eq(psid, NULL, PSID, "%p");
2751 expect_eq(isDefault, FALSE, BOOL, "%d");
2752 sd.Control |= SE_DACL_PRESENT | SE_SACL_PRESENT;
2753
2754 SetLastError(0xdeadbeef);
2755 size = 5;
2756 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), FALSE, BOOL, "%d");
2757 expect_eq(GetLastError(), ERROR_INSUFFICIENT_BUFFER, DWORD, "%u");
2758 ok(size > 5, "Size not increased\n");
2759 if (size <= 8192)
2760 {
2761 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), TRUE, BOOL, "%d");
2762 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2763 expect_eq(psid, NULL, PSID, "%p");
2764 expect_eq(isDefault, FALSE, BOOL, "%d");
2765 ok(GetSecurityDescriptorGroup(&sd, &psid, &isDefault), "GetSecurityDescriptorGroup failed\n");
2766 expect_eq(psid, NULL, PSID, "%p");
2767 expect_eq(isDefault, FALSE, BOOL, "%d");
2768 ok(GetSecurityDescriptorDacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorDacl failed\n");
2769 expect_eq(isPresent, TRUE, BOOL, "%d");
2770 expect_eq(psid, NULL, PSID, "%p");
2771 expect_eq(isDefault, FALSE, BOOL, "%d");
2772 ok(GetSecurityDescriptorSacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorSacl failed\n");
2773 expect_eq(isPresent, TRUE, BOOL, "%d");
2774 expect_eq(psid, NULL, PSID, "%p");
2775 expect_eq(isDefault, FALSE, BOOL, "%d");
2776 }
2777
2778 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
2779 "O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)"
2780 "(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)"
2781 "(AU;NPSA;0x12019f;;;SU)", SDDL_REVISION_1, (void **)&sd_rel, NULL);
2782 ok(ret, "got %u\n", GetLastError());
2783
2784 size = 0;
2785 ret = MakeSelfRelativeSD(sd_rel, NULL, &size);
2786 todo_wine ok(!ret && GetLastError() == ERROR_BAD_DESCRIPTOR_FORMAT, "got %u\n", GetLastError());
2787
2788 /* convert to absolute form */
2789 size = size_dacl = size_sacl = size_owner = size_group = 0;
2790 ret = MakeAbsoluteSD(sd_rel, NULL, &size, NULL, &size_dacl, NULL, &size_sacl, NULL, &size_owner, NULL,
2791 &size_group);
2792 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %u\n", GetLastError());
2793
2794 sd_abs = HeapAlloc(GetProcessHeap(), 0, size + size_dacl + size_sacl + size_owner + size_group);
2795 dacl = (PACL)(sd_abs + 1);
2796 sacl = (PACL)((char *)dacl + size_dacl);
2797 owner = (PSID)((char *)sacl + size_sacl);
2798 group = (PSID)((char *)owner + size_owner);
2799 ret = MakeAbsoluteSD(sd_rel, sd_abs, &size, dacl, &size_dacl, sacl, &size_sacl, owner, &size_owner,
2800 group, &size_group);
2801 ok(ret, "got %u\n", GetLastError());
2802
2803 size = 0;
2804 ret = MakeSelfRelativeSD(sd_abs, NULL, &size);
2805 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %u\n", GetLastError());
2806 ok(size == 184, "got %u\n", size);
2807
2808 size += 4;
2809 sd_rel2 = HeapAlloc(GetProcessHeap(), 0, size);
2810 ret = MakeSelfRelativeSD(sd_abs, sd_rel2, &size);
2811 ok(ret, "got %u\n", GetLastError());
2812 ok(size == 188, "got %u\n", size);
2813
2814 HeapFree(GetProcessHeap(), 0, sd_abs);
2815 HeapFree(GetProcessHeap(), 0, sd_rel2);
2816 LocalFree(sd_rel);
2817 }
2818
2819 #define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,0,__LINE__)
2820 #define TEST_GRANTED_ACCESS2(a,b,c) test_granted_access(a,b,c,__LINE__)
2821 static void test_granted_access(HANDLE handle, ACCESS_MASK access,
2822 ACCESS_MASK alt, int line)
2823 {
2824 OBJECT_BASIC_INFORMATION obj_info;
2825 NTSTATUS status;
2826
2827 if (!pNtQueryObject)
2828 {
2829 skip_(__FILE__, line)("Not NT platform - skipping tests\n");
2830 return;
2831 }
2832
2833 status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
2834 sizeof(obj_info), NULL );
2835 ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
2836 if (alt)
2837 ok_(__FILE__, line)(obj_info.GrantedAccess == access ||
2838 obj_info.GrantedAccess == alt, "Granted access should be 0x%08x "
2839 "or 0x%08x, instead of 0x%08x\n", access, alt, obj_info.GrantedAccess);
2840 else
2841 ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Granted access should "
2842 "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
2843 }
2844
2845 #define CHECK_SET_SECURITY(o,i,e) \
2846 do{ \
2847 BOOL res_; \
2848 DWORD err; \
2849 SetLastError( 0xdeadbeef ); \
2850 res_ = SetKernelObjectSecurity( o, i, SecurityDescriptor ); \
2851 err = GetLastError(); \
2852 if (e == ERROR_SUCCESS) \
2853 ok(res_, "SetKernelObjectSecurity failed with %d\n", err); \
2854 else \
2855 ok(!res_ && err == e, "SetKernelObjectSecurity should have failed " \
2856 "with %s, instead of %d\n", #e, err); \
2857 }while(0)
2858
2859 static void test_process_security(void)
2860 {
2861 BOOL res;
2862 PTOKEN_OWNER owner;
2863 PTOKEN_PRIMARY_GROUP group;
2864 PSID AdminSid = NULL, UsersSid = NULL;
2865 PACL Acl = NULL;
2866 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
2867 char buffer[MAX_PATH];
2868 PROCESS_INFORMATION info;
2869 STARTUPINFOA startup;
2870 SECURITY_ATTRIBUTES psa;
2871 HANDLE token, event;
2872 DWORD size;
2873 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
2874 PSID EveryoneSid = NULL;
2875
2876 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
2877 res = InitializeAcl(Acl, 256, ACL_REVISION);
2878 if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2879 {
2880 win_skip("ACLs not implemented - skipping tests\n");
2881 HeapFree(GetProcessHeap(), 0, Acl);
2882 return;
2883 }
2884 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
2885
2886 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
2887 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2888
2889 /* get owner from the token we might be running as a user not admin */
2890 res = OpenProcessToken( GetCurrentProcess(), MAXIMUM_ALLOWED, &token );
2891 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
2892 if (!res)
2893 {
2894 HeapFree(GetProcessHeap(), 0, Acl);
2895 return;
2896 }
2897
2898 res = GetTokenInformation( token, TokenOwner, NULL, 0, &size );
2899 ok(!res, "Expected failure, got %d\n", res);
2900 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2901 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2902
2903 owner = HeapAlloc(GetProcessHeap(), 0, size);
2904 res = GetTokenInformation( token, TokenOwner, owner, size, &size );
2905 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2906 AdminSid = ((TOKEN_OWNER*)owner)->Owner;
2907
2908 res = GetTokenInformation( token, TokenPrimaryGroup, NULL, 0, &size );
2909 ok(!res, "Expected failure, got %d\n", res);
2910 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2911 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2912
2913 group = HeapAlloc(GetProcessHeap(), 0, size);
2914 res = GetTokenInformation( token, TokenPrimaryGroup, group, size, &size );
2915 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2916 UsersSid = ((TOKEN_PRIMARY_GROUP*)group)->PrimaryGroup;
2917
2918 CloseHandle( token );
2919 if (!res)
2920 {
2921 HeapFree(GetProcessHeap(), 0, group);
2922 HeapFree(GetProcessHeap(), 0, owner);
2923 HeapFree(GetProcessHeap(), 0, Acl);
2924 return;
2925 }
2926
2927 res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
2928 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
2929 res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
2930 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
2931
2932 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
2933 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
2934 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
2935
2936 event = CreateEventA( NULL, TRUE, TRUE, "test_event" );
2937 ok(event != NULL, "CreateEvent %d\n", GetLastError());
2938
2939 SecurityDescriptor->Revision = 0;
2940 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_UNKNOWN_REVISION );
2941 SecurityDescriptor->Revision = SECURITY_DESCRIPTOR_REVISION;
2942
2943 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2944 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2945 CHECK_SET_SECURITY( event, SACL_SECURITY_INFORMATION, ERROR_ACCESS_DENIED );
2946 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2947 /* NULL DACL is valid and means that everyone has access */
2948 SecurityDescriptor->Control |= SE_DACL_PRESENT;
2949 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2950
2951 /* Set owner and group and dacl */
2952 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
2953 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
2954 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_SUCCESS );
2955 test_owner_equal( event, AdminSid, __LINE__ );
2956
2957 res = SetSecurityDescriptorGroup(SecurityDescriptor, EveryoneSid, FALSE);
2958 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2959 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2960 test_group_equal( event, EveryoneSid, __LINE__ );
2961
2962 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2963 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2964 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2965 /* setting a dacl should not change the owner or group */
2966 test_owner_equal( event, AdminSid, __LINE__ );
2967 test_group_equal( event, EveryoneSid, __LINE__ );
2968
2969 /* Test again with a different SID in case the previous SID also happens to
2970 * be the one that is incorrectly replacing the group. */
2971 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, FALSE);
2972 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2973 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2974 test_group_equal( event, UsersSid, __LINE__ );
2975
2976 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2977 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2978 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2979 test_group_equal( event, UsersSid, __LINE__ );
2980
2981 sprintf(buffer, "%s tests/security.c test", myARGV[0]);
2982 memset(&startup, 0, sizeof(startup));
2983 startup.cb = sizeof(startup);
2984 startup.dwFlags = STARTF_USESHOWWINDOW;
2985 startup.wShowWindow = SW_SHOWNORMAL;
2986
2987 psa.nLength = sizeof(psa);
2988 psa.lpSecurityDescriptor = SecurityDescriptor;
2989 psa.bInheritHandle = TRUE;
2990
2991 /* Doesn't matter what ACL say we should get full access for ourselves */
2992 res = CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info );
2993 ok(res, "CreateProcess with err:%d\n", GetLastError());
2994 TEST_GRANTED_ACCESS2( info.hProcess, PROCESS_ALL_ACCESS_NT4,
2995 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
2996 winetest_wait_child_process( info.hProcess );
2997
2998 FreeSid(EveryoneSid);
2999 CloseHandle( info.hProcess );
3000 CloseHandle( info.hThread );
3001 CloseHandle( event );
3002 HeapFree(GetProcessHeap(), 0, group);
3003 HeapFree(GetProcessHeap(), 0, owner);
3004 HeapFree(GetProcessHeap(), 0, Acl);
3005 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
3006 }
3007
3008 static void test_process_security_child(void)
3009 {
3010 HANDLE handle, handle1;
3011 BOOL ret;
3012 DWORD err;
3013
3014 handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
3015 ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
3016 TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
3017
3018 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
3019 &handle1, 0, TRUE, DUPLICATE_SAME_ACCESS );
3020 ok(ret, "duplicating handle err:%d\n", GetLastError());
3021 TEST_GRANTED_ACCESS( handle1, PROCESS_TERMINATE );
3022
3023 CloseHandle( handle1 );
3024
3025 SetLastError( 0xdeadbeef );
3026 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
3027 &handle1, PROCESS_ALL_ACCESS, TRUE, 0 );
3028 err = GetLastError();
3029 todo_wine
3030 ok(!ret && err == ERROR_ACCESS_DENIED, "duplicating handle should have failed "
3031 "with STATUS_ACCESS_DENIED, instead of err:%d\n", err);
3032
3033 CloseHandle( handle );
3034
3035 /* These two should fail - they are denied by ACL */
3036 handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
3037 todo_wine
3038 ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
3039 handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
3040 todo_wine
3041 ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
3042
3043 /* Documented privilege elevation */
3044 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
3045 &handle, 0, TRUE, DUPLICATE_SAME_ACCESS );
3046 ok(ret, "duplicating handle err:%d\n", GetLastError());
3047 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
3048 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
3049
3050 CloseHandle( handle );
3051
3052 /* Same only explicitly asking for all access rights */
3053 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
3054 &handle, PROCESS_ALL_ACCESS, TRUE, 0 );
3055 ok(ret, "duplicating handle err:%d\n", GetLastError());
3056 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
3057 PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION );
3058 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
3059 &handle1, PROCESS_VM_READ, TRUE, 0 );
3060 ok(ret, "duplicating handle err:%d\n", GetLastError());
3061 TEST_GRANTED_ACCESS( handle1, PROCESS_VM_READ );
3062 CloseHandle( handle1 );
3063 CloseHandle( handle );
3064 }
3065
3066 static void test_impersonation_level(void)
3067 {
3068 HANDLE Token, ProcessToken;
3069 HANDLE Token2;
3070 DWORD Size;
3071 TOKEN_PRIVILEGES *Privileges;
3072 TOKEN_USER *User;
3073 PRIVILEGE_SET *PrivilegeSet;
3074 BOOL AccessGranted;
3075 BOOL ret;
3076 HKEY hkey;
3077 DWORD error;
3078
3079 if( !pDuplicateTokenEx ) {
3080 win_skip("DuplicateTokenEx is not available\n");
3081 return;
3082 }
3083 SetLastError(0xdeadbeef);
3084 ret = ImpersonateSelf(SecurityAnonymous);
3085 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3086 {
3087 win_skip("ImpersonateSelf is not implemented\n");
3088 return;
3089 }
3090 ok(ret, "ImpersonateSelf(SecurityAnonymous) failed with error %d\n", GetLastError());
3091 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3092 ok(!ret, "OpenThreadToken should have failed\n");
3093 error = GetLastError();
3094 ok(error == ERROR_CANT_OPEN_ANONYMOUS, "OpenThreadToken on anonymous token should have returned ERROR_CANT_OPEN_ANONYMOUS instead of %d\n", error);
3095 /* can't perform access check when opening object against an anonymous impersonation token */
3096 todo_wine {
3097 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3098 ok(error == ERROR_INVALID_HANDLE || error == ERROR_CANT_OPEN_ANONYMOUS || error == ERROR_BAD_IMPERSONATION_LEVEL,
3099 "RegOpenKeyEx failed with %d\n", error);
3100 }
3101 RevertToSelf();
3102
3103 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &ProcessToken);
3104 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
3105
3106 ret = pDuplicateTokenEx(ProcessToken,
3107 TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL,
3108 SecurityAnonymous, TokenImpersonation, &Token);
3109 ok(ret, "DuplicateTokenEx failed with error %d\n", GetLastError());
3110 /* can't increase the impersonation level */
3111 ret = DuplicateToken(Token, SecurityIdentification, &Token2);
3112 error = GetLastError();
3113 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL,
3114 "Duplicating a token and increasing the impersonation level should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3115 /* we can query anything from an anonymous token, including the user */
3116 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
3117 error = GetLastError();
3118 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenUser) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3119 User = HeapAlloc(GetProcessHeap(), 0, Size);
3120 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
3121 ok(ret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3122 HeapFree(GetProcessHeap(), 0, User);
3123
3124 /* PrivilegeCheck fails with SecurityAnonymous level */
3125 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
3126 error = GetLastError();
3127 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenPrivileges) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3128 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
3129 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
3130 ok(ret, "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
3131
3132 PrivilegeSet = HeapAlloc(GetProcessHeap(), 0, FIELD_OFFSET(PRIVILEGE_SET, Privilege[Privileges->PrivilegeCount]));
3133 PrivilegeSet->PrivilegeCount = Privileges->PrivilegeCount;
3134 memcpy(PrivilegeSet->Privilege, Privileges->Privileges, PrivilegeSet->PrivilegeCount * sizeof(PrivilegeSet->Privilege[0]));
3135 PrivilegeSet->Control = PRIVILEGE_SET_ALL_NECESSARY;
3136 HeapFree(GetProcessHeap(), 0, Privileges);
3137
3138 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3139 error = GetLastError();
3140 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL, "PrivilegeCheck for SecurityAnonymous token should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3141
3142 CloseHandle(Token);
3143
3144 ret = ImpersonateSelf(SecurityIdentification);
3145 ok(ret, "ImpersonateSelf(SecurityIdentification) failed with error %d\n", GetLastError());
3146 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3147 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3148
3149 /* can't perform access check when opening object against an identification impersonation token */
3150 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3151 todo_wine {
3152 ok(error == ERROR_INVALID_HANDLE || error == ERROR_BAD_IMPERSONATION_LEVEL || error == ERROR_ACCESS_DENIED,
3153 "RegOpenKeyEx should have failed with ERROR_INVALID_HANDLE, ERROR_BAD_IMPERSONATION_LEVEL or ERROR_ACCESS_DENIED instead of %d\n", error);
3154 }
3155 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3156 ok(ret, "PrivilegeCheck for SecurityIdentification failed with error %d\n", GetLastError());
3157 CloseHandle(Token);
3158 RevertToSelf();
3159
3160 ret = ImpersonateSelf(SecurityImpersonation);
3161 ok(ret, "ImpersonateSelf(SecurityImpersonation) failed with error %d\n", GetLastError());
3162 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3163 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3164 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3165 ok(error == ERROR_SUCCESS, "RegOpenKeyEx should have succeeded instead of failing with %d\n", error);
3166 RegCloseKey(hkey);
3167 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3168 ok(ret, "PrivilegeCheck for SecurityImpersonation failed with error %d\n", GetLastError());
3169 RevertToSelf();
3170
3171 CloseHandle(Token);
3172 CloseHandle(ProcessToken);
3173
3174 HeapFree(GetProcessHeap(), 0, PrivilegeSet);
3175 }
3176
3177 static void test_SetEntriesInAclW(void)
3178 {
3179 DWORD res;
3180 PSID EveryoneSid = NULL, UsersSid = NULL;
3181 PACL OldAcl = NULL, NewAcl;
3182 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3183 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3184 EXPLICIT_ACCESSW ExplicitAccess;
3185 static const WCHAR wszEveryone[] = {'E','v','e','r','y','o','n','e',0};
3186 static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3187
3188 if (!pSetEntriesInAclW)
3189 {
3190 win_skip("SetEntriesInAclW is not available\n");
3191 return;
3192 }
3193
3194 NewAcl = (PACL)0xdeadbeef;
3195 res = pSetEntriesInAclW(0, NULL, NULL, &NewAcl);
3196 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3197 {
3198 win_skip("SetEntriesInAclW is not implemented\n");
3199 return;
3200 }
3201 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3202 ok(NewAcl == NULL ||
3203 broken(NewAcl != NULL), /* NT4 */
3204 "NewAcl=%p, expected NULL\n", NewAcl);
3205 LocalFree(NewAcl);
3206
3207 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3208 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3209 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3210 {
3211 win_skip("ACLs not implemented - skipping tests\n");
3212 HeapFree(GetProcessHeap(), 0, OldAcl);
3213 return;
3214 }
3215 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3216
3217 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3218 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3219
3220 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3221 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3222 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3223
3224 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3225 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3226
3227 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3228 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3229 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3230 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3231 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3232 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3233 ExplicitAccess.Trustee.MultipleTrusteeOperation = 0xDEADBEEF;
3234 ExplicitAccess.Trustee.pMultipleTrustee = (PVOID)0xDEADBEEF;
3235 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3236 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3237 ok(NewAcl != NULL, "returned acl was NULL\n");
3238 LocalFree(NewAcl);
3239
3240 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3241 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3242 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3243 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3244 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3245 ok(NewAcl != NULL, "returned acl was NULL\n");
3246 LocalFree(NewAcl);
3247
3248 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3249 {
3250 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3251 }
3252 else
3253 {
3254 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3255 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszEveryone;
3256 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3257 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3258 ok(NewAcl != NULL, "returned acl was NULL\n");
3259 LocalFree(NewAcl);
3260
3261 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3262 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3263 ok(res == ERROR_INVALID_PARAMETER ||
3264 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3265 "SetEntriesInAclW failed: %u\n", res);
3266 ok(NewAcl == NULL ||
3267 broken(NewAcl != NULL), /* NT4 */
3268 "returned acl wasn't NULL: %p\n", NewAcl);
3269
3270 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3271 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3272 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3273 ok(res == ERROR_INVALID_PARAMETER ||
3274 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3275 "SetEntriesInAclW failed: %u\n", res);
3276 ok(NewAcl == NULL ||
3277 broken(NewAcl != NULL), /* NT4 */
3278 "returned acl wasn't NULL: %p\n", NewAcl);
3279
3280 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3281 ExplicitAccess.grfAccessMode = SET_ACCESS;
3282 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3283 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3284 ok(NewAcl != NULL, "returned acl was NULL\n");
3285 LocalFree(NewAcl);
3286 }
3287
3288 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3289 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
3290 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3291 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3292 ok(NewAcl != NULL, "returned acl was NULL\n");
3293 LocalFree(NewAcl);
3294
3295 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3296 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3297 ExplicitAccess.Trustee.ptstrName = UsersSid;
3298 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3299 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3300 ok(NewAcl != NULL, "returned acl was NULL\n");
3301 LocalFree(NewAcl);
3302
3303 FreeSid(UsersSid);
3304 FreeSid(EveryoneSid);
3305 HeapFree(GetProcessHeap(), 0, OldAcl);
3306 }
3307
3308 static void test_SetEntriesInAclA(void)
3309 {
3310 DWORD res;
3311 PSID EveryoneSid = NULL, UsersSid = NULL;
3312 PACL OldAcl = NULL, NewAcl;
3313 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3314 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3315 EXPLICIT_ACCESSA ExplicitAccess;
3316 static const CHAR szEveryone[] = {'E','v','e','r','y','o','n','e',0};
3317 static const CHAR szCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3318
3319 if (!pSetEntriesInAclA)
3320 {
3321 win_skip("SetEntriesInAclA is not available\n");
3322 return;
3323 }
3324
3325 NewAcl = (PACL)0xdeadbeef;
3326 res = pSetEntriesInAclA(0, NULL, NULL, &NewAcl);
3327 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3328 {
3329 win_skip("SetEntriesInAclA is not implemented\n");
3330 return;
3331 }
3332 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3333 ok(NewAcl == NULL ||
3334 broken(NewAcl != NULL), /* NT4 */
3335 "NewAcl=%p, expected NULL\n", NewAcl);
3336 LocalFree(NewAcl);
3337
3338 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3339 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3340 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3341 {
3342 win_skip("ACLs not implemented - skipping tests\n");
3343 HeapFree(GetProcessHeap(), 0, OldAcl);
3344 return;
3345 }
3346 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3347
3348 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3349 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3350
3351 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3352 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3353 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3354
3355 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3356 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3357
3358 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3359 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3360 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3361 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3362 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3363 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3364 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3365 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3366 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3367 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3368 ok(NewAcl != NULL, "returned acl was NULL\n");
3369 LocalFree(NewAcl);
3370
3371 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3372 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3373 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3374 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3375 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3376 ok(NewAcl != NULL, "returned acl was NULL\n");
3377 LocalFree(NewAcl);
3378
3379 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3380 {
3381 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3382 }
3383 else
3384 {
3385 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3386 ExplicitAccess.Trustee.ptstrName = (LPSTR)szEveryone;
3387 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3388 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3389 ok(NewAcl != NULL, "returned acl was NULL\n");
3390 LocalFree(NewAcl);
3391
3392 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3393 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3394 ok(res == ERROR_INVALID_PARAMETER ||
3395 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3396 "SetEntriesInAclA failed: %u\n", res);
3397 ok(NewAcl == NULL ||
3398 broken(NewAcl != NULL), /* NT4 */
3399 "returned acl wasn't NULL: %p\n", NewAcl);
3400
3401 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3402 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3403 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3404 ok(res == ERROR_INVALID_PARAMETER ||
3405 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3406 "SetEntriesInAclA failed: %u\n", res);
3407 ok(NewAcl == NULL ||
3408 broken(NewAcl != NULL), /* NT4 */
3409 "returned acl wasn't NULL: %p\n", NewAcl);
3410
3411 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3412 ExplicitAccess.grfAccessMode = SET_ACCESS;
3413 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3414 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3415 ok(NewAcl != NULL, "returned acl was NULL\n");
3416 LocalFree(NewAcl);
3417 }
3418
3419 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3420 ExplicitAccess.Trustee.ptstrName = (LPSTR)szCurrentUser;
3421 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3422 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3423 ok(NewAcl != NULL, "returned acl was NULL\n");
3424 LocalFree(NewAcl);
3425
3426 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3427 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3428 ExplicitAccess.Trustee.ptstrName = UsersSid;
3429 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3430 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3431 ok(NewAcl != NULL, "returned acl was NULL\n");
3432 LocalFree(NewAcl);
3433
3434 FreeSid(UsersSid);
3435 FreeSid(EveryoneSid);
3436 HeapFree(GetProcessHeap(), 0, OldAcl);
3437 }
3438
3439 /* helper function for test_CreateDirectoryA */
3440 static void get_nt_pathW(const char *name, UNICODE_STRING *nameW)
3441 {
3442 UNICODE_STRING strW;
3443 ANSI_STRING str;
3444 NTSTATUS status;
3445 BOOLEAN ret;
3446
3447 pRtlInitAnsiString(&str, name);
3448
3449 status = pRtlAnsiStringToUnicodeString(&strW, &str, TRUE);
3450 ok(!status, "RtlAnsiStringToUnicodeString failed with %08x\n", status);
3451
3452 ret = pRtlDosPathNameToNtPathName_U(strW.Buffer, nameW, NULL, NULL);
3453 ok(ret, "RtlDosPathNameToNtPathName_U failed\n");
3454
3455 pRtlFreeUnicodeString(&strW);
3456 }
3457
3458 static void test_inherited_dacl(PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask,
3459 BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
3460 {
3461 ACL_SIZE_INFORMATION acl_size;
3462 ACCESS_ALLOWED_ACE *ace;
3463 BOOL bret;
3464
3465 bret = pGetAclInformation(dacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3466 ok_(__FILE__, line)(bret, "GetAclInformation failed\n");
3467
3468 todo_wine_if (todo_count)
3469 ok_(__FILE__, line)(acl_size.AceCount == 2,
3470 "GetAclInformation returned unexpected entry count (%d != 2)\n",
3471 acl_size.AceCount);
3472
3473 if (acl_size.AceCount > 0)
3474 {
3475 bret = pGetAce(dacl, 0, (VOID **)&ace);
3476 ok_(__FILE__, line)(bret, "Failed to get Current User ACE\n");
3477
3478 bret = EqualSid(&ace->SidStart, user_sid);
3479 todo_wine_if (todo_sid)
3480 ok_(__FILE__, line)(bret, "Current User ACE (%s) != Current User SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3481
3482 todo_wine_if (todo_flags)
3483 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3484 "Current User ACE has unexpected flags (0x%x != 0x%x)\n",
3485 ((ACE_HEADER *)ace)->AceFlags, flags);
3486
3487 ok_(__FILE__, line)(ace->Mask == mask,
3488 "Current User ACE has unexpected mask (0x%x != 0x%x)\n",
3489 ace->Mask, mask);
3490 }
3491 if (acl_size.AceCount > 1)
3492 {
3493 bret = pGetAce(dacl, 1, (VOID **)&ace);
3494 ok_(__FILE__, line)(bret, "Failed to get Administators Group ACE\n");
3495
3496 bret = EqualSid(&ace->SidStart, admin_sid);
3497 todo_wine_if (todo_sid)
3498 ok_(__FILE__, line)(bret, "Administators Group ACE (%s) != Administators Group SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3499
3500 todo_wine_if (todo_flags)
3501 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3502 "Administators Group ACE has unexpected flags (0x%x != 0x%x)\n",
3503 ((ACE_HEADER *)ace)->AceFlags, flags);
3504
3505 ok_(__FILE__, line)(ace->Mask == mask,
3506 "Administators Group ACE has unexpected mask (0x%x != 0x%x)\n",
3507 ace->Mask, mask);
3508 }
3509 }
3510
3511 static void test_CreateDirectoryA(void)
3512 {
3513 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3514 DWORD sid_size = sizeof(admin_ptr), user_size;
3515 PSID admin_sid = (PSID) admin_ptr, user_sid;
3516 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
3517 PSECURITY_DESCRIPTOR pSD = &sd;
3518 ACL_SIZE_INFORMATION acl_size;
3519 UNICODE_STRING tmpfileW;
3520 SECURITY_ATTRIBUTES sa;
3521 OBJECT_ATTRIBUTES attr;
3522 char tmpfile[MAX_PATH];
3523 char tmpdir[MAX_PATH];
3524 HANDLE token, hTemp;
3525 IO_STATUS_BLOCK io;
3526 struct _SID *owner;
3527 BOOL bret = TRUE;
3528 NTSTATUS status;
3529 DWORD error;
3530 PACL pDacl;
3531
3532 if (!pGetSecurityInfo || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3533 {
3534 win_skip("Required functions are not available\n");
3535 return;
3536 }
3537
3538 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3539 {
3540 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3541 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3542 }
3543 if (!bret)
3544 {
3545 win_skip("Failed to get current user token\n");
3546 return;
3547 }
3548 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3549 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3550 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3551 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3552 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3553 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3554 CloseHandle( token );
3555 user_sid = ((TOKEN_USER *)user)->User.Sid;
3556
3557 sa.nLength = sizeof(sa);
3558 sa.lpSecurityDescriptor = pSD;
3559 sa.bInheritHandle = TRUE;
3560 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3561 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3562 pDacl = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 100);
3563 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3564 ok(bret, "Failed to initialize ACL.\n");
3565 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3566 GENERIC_ALL, user_sid);
3567 ok(bret, "Failed to add Current User to ACL.\n");
3568 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3569 GENERIC_ALL, admin_sid);
3570 ok(bret, "Failed to add Administrator Group to ACL.\n");
3571 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3572 ok(bret, "Failed to add ACL to security descriptor.\n");
3573
3574 GetTempPathA(MAX_PATH, tmpdir);
3575 lstrcatA(tmpdir, "Please Remove Me");
3576 bret = CreateDirectoryA(tmpdir, &sa);
3577 ok(bret == TRUE, "CreateDirectoryA(%s) failed err=%d\n", tmpdir, GetLastError());
3578 HeapFree(GetProcessHeap(), 0, pDacl);
3579
3580 SetLastError(0xdeadbeef);
3581 error = pGetNamedSecurityInfoA(tmpdir, SE_FILE_OBJECT,
3582 OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, (PSID*)&owner,
3583 NULL, &pDacl, NULL, &pSD);
3584 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3585 {
3586 win_skip("GetNamedSecurityInfoA is not implemented\n");
3587 goto done;
3588 }
3589 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3590 test_inherited_dacl(pDacl, admin_sid, user_sid, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3591 0x1f01ff, FALSE, TRUE, FALSE, __LINE__);
3592 LocalFree(pSD);
3593
3594 /* Test inheritance of ACLs in CreateFile without security descriptor */
3595 strcpy(tmpfile, tmpdir);
3596 lstrcatA(tmpfile, "/tmpfile");
3597
3598 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, NULL,
3599 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3600 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3601
3602 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3603 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3604 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3605 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3606 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3607 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3608 LocalFree(pSD);
3609 CloseHandle(hTemp);
3610
3611 /* Test inheritance of ACLs in CreateFile with security descriptor -
3612 * When a security descriptor is set, then inheritance doesn't take effect */
3613 pSD = &sd;
3614 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3615 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3616 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3617 ok(bret, "Failed to initialize ACL\n");
3618 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3619 ok(bret, "Failed to add ACL to security descriptor\n");
3620
3621 strcpy(tmpfile, tmpdir);
3622 lstrcatA(tmpfile, "/tmpfile");
3623
3624 sa.nLength = sizeof(sa);
3625 sa.lpSecurityDescriptor = pSD;
3626 sa.bInheritHandle = TRUE;
3627 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, &sa,
3628 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3629 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3630 HeapFree(GetProcessHeap(), 0, pDacl);
3631
3632 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3633 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3634 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3635 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3636 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3637 ok(bret, "GetAclInformation failed\n");
3638 todo_wine
3639 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3640 acl_size.AceCount);
3641 LocalFree(pSD);
3642
3643 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3644 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3645 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3646 todo_wine
3647 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3648 if (error == ERROR_SUCCESS)
3649 {
3650 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3651 ok(bret, "GetAclInformation failed\n");
3652 todo_wine
3653 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3654 acl_size.AceCount);
3655 LocalFree(pSD);
3656 }
3657 CloseHandle(hTemp);
3658
3659 /* Test inheritance of ACLs in NtCreateFile without security descriptor */
3660 strcpy(tmpfile, tmpdir);
3661 lstrcatA(tmpfile, "/tmpfile");
3662 get_nt_pathW(tmpfile, &tmpfileW);
3663
3664 attr.Length = sizeof(attr);
3665 attr.RootDirectory = 0;
3666 attr.ObjectName = &tmpfileW;
3667 attr.Attributes = OBJ_CASE_INSENSITIVE;
3668 attr.SecurityDescriptor = NULL;
3669 attr.SecurityQualityOfService = NULL;
3670
3671 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3672 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3673 ok(!status, "NtCreateFile failed with %08x\n", status);
3674 pRtlFreeUnicodeString(&tmpfileW);
3675
3676 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3677 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3678 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3679 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3680 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3681 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3682 LocalFree(pSD);
3683 CloseHandle(hTemp);
3684
3685 /* Test inheritance of ACLs in NtCreateFile with security descriptor -
3686 * When a security descriptor is set, then inheritance doesn't take effect */
3687 pSD = &sd;
3688 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3689 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3690 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3691 ok(bret, "Failed to initialize ACL\n");
3692 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3693 ok(bret, "Failed to add ACL to security descriptor\n");
3694
3695 strcpy(tmpfile, tmpdir);
3696 lstrcatA(tmpfile, "/tmpfile");
3697 get_nt_pathW(tmpfile, &tmpfileW);
3698
3699 attr.Length = sizeof(attr);
3700 attr.RootDirectory = 0;
3701 attr.ObjectName = &tmpfileW;
3702 attr.Attributes = OBJ_CASE_INSENSITIVE;
3703 attr.SecurityDescriptor = pSD;
3704 attr.SecurityQualityOfService = NULL;
3705
3706 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3707 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3708 ok(!status, "NtCreateFile failed with %08x\n", status);
3709 pRtlFreeUnicodeString(&tmpfileW);
3710 HeapFree(GetProcessHeap(), 0, pDacl);
3711
3712 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3713 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3714 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3715 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3716 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3717 ok(bret, "GetAclInformation failed\n");
3718 todo_wine
3719 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3720 acl_size.AceCount);
3721 LocalFree(pSD);
3722
3723 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3724 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3725 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3726 todo_wine
3727 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3728 if (error == ERROR_SUCCESS)
3729 {
3730 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3731 ok(bret, "GetAclInformation failed\n");
3732 todo_wine
3733 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3734 acl_size.AceCount);
3735 LocalFree(pSD);
3736 }
3737 CloseHandle(hTemp);
3738
3739 done:
3740 HeapFree(GetProcessHeap(), 0, user);
3741 bret = RemoveDirectoryA(tmpdir);
3742 ok(bret == TRUE, "RemoveDirectoryA should always succeed\n");
3743 }
3744
3745 static void test_GetNamedSecurityInfoA(void)
3746 {
3747 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3748 char system_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3749 char users_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3750 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3751 PSID admin_sid = (PSID) admin_ptr, users_sid = (PSID) users_ptr;
3752 PSID system_sid = (PSID) system_ptr, user_sid, localsys_sid;
3753 DWORD sid_size = sizeof(admin_ptr), user_size;
3754 char invalid_path[] = "/an invalid file path";
3755 int users_ace_id = -1, admins_ace_id = -1, i;
3756 char software_key[] = "MACHINE\\Software";
3757 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH+sizeof(void*)];
3758 SECURITY_DESCRIPTOR_CONTROL control;
3759 ACL_SIZE_INFORMATION acl_size;
3760 CHAR windows_dir[MAX_PATH];
3761 PSECURITY_DESCRIPTOR pSD;
3762 ACCESS_ALLOWED_ACE *ace;
3763 BOOL bret = TRUE, isNT4;
3764 char tmpfile[MAX_PATH];
3765 DWORD error, revision;
3766 BOOL owner_defaulted;
3767 BOOL group_defaulted;
3768 BOOL dacl_defaulted;
3769 HANDLE token, hTemp, h;
3770 PSID owner, group;
3771 BOOL dacl_present;
3772 PACL pDacl;
3773 BYTE flags;
3774 NTSTATUS status;
3775
3776 if (!pSetNamedSecurityInfoA || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3777 {
3778 win_skip("Required functions are not available\n");
3779 return;
3780 }
3781
3782 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3783 {
3784 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3785 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3786 }
3787 if (!bret)
3788 {
3789 win_skip("Failed to get current user token\n");
3790 return;
3791 }
3792 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3793 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3794 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3795 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3796 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3797 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3798 CloseHandle( token );
3799 user_sid = ((TOKEN_USER *)user)->User.Sid;
3800
3801 bret = GetWindowsDirectoryA(windows_dir, MAX_PATH);
3802 ok(bret, "GetWindowsDirectory failed with error %d\n", GetLastError());
3803
3804 SetLastError(0xdeadbeef);
3805 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,
3806 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
3807 NULL, NULL, NULL, NULL, &pSD);
3808 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3809 {
3810 win_skip("GetNamedSecurityInfoA is not implemented\n");
3811 HeapFree(GetProcessHeap(), 0, user);
3812 return;
3813 }
3814 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3815
3816 bret = GetSecurityDescriptorControl(pSD, &control, &revision);
3817 ok(bret, "GetSecurityDescriptorControl failed with error %d\n", GetLastError());
3818 ok((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == (SE_SELF_RELATIVE|SE_DACL_PRESENT) ||
3819 broken((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT), /* NT4 */
3820 "control (0x%x) doesn't have (SE_SELF_RELATIVE|SE_DACL_PRESENT) flags set\n", control);
3821 ok(revision == SECURITY_DESCRIPTOR_REVISION1, "revision was %d instead of 1\n", revision);
3822
3823 isNT4 = (control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT;
3824
3825 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
3826 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3827 ok(owner != NULL, "owner should not be NULL\n");
3828
3829 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
3830 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
3831 ok(group != NULL, "group should not be NULL\n");
3832 LocalFree(pSD);
3833
3834
3835 /* NULL descriptor tests */
3836 if(isNT4)
3837 {
3838 win_skip("NT4 does not support GetNamedSecutityInfo with a NULL descriptor\n");
3839 HeapFree(GetProcessHeap(), 0, user);
3840 return;
3841 }
3842
3843 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3844 NULL, NULL, NULL, NULL, NULL);
3845 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3846
3847 pDacl = NULL;
3848 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3849 NULL, NULL, &pDacl, NULL, &pSD);
3850 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3851 ok(pDacl != NULL, "DACL should not be NULL\n");
3852 LocalFree(pSD);
3853
3854 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,
3855 NULL, NULL, &pDacl, NULL, NULL);
3856 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3857
3858 /* Test behavior of SetNamedSecurityInfo with an invalid path */
3859 SetLastError(0xdeadbeef);
3860 error = pSetNamedSecurityInfoA(invalid_path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3861 NULL, NULL, NULL);
3862 ok(error == ERROR_FILE_NOT_FOUND, "Unexpected error returned: 0x%x\n", error);
3863 ok(GetLastError() == 0xdeadbeef, "Expected last error to remain unchanged.\n");
3864
3865 /* Create security descriptor information and test that it comes back the same */
3866 pSD = &sd;
3867 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3868 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3869 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3870 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3871 ok(bret, "Failed to initialize ACL.\n");
3872 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3873 ok(bret, "Failed to add Current User to ACL.\n");
3874 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
3875 ok(bret, "Failed to add Administrator Group to ACL.\n");
3876 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3877 ok(bret, "Failed to add ACL to security descriptor.\n");
3878 GetTempFileNameA(".", "foo", 0, tmpfile);
3879 hTemp = CreateFileA(tmpfile, WRITE_DAC|GENERIC_WRITE, FILE_SHARE_DELETE|FILE_SHARE_READ,
3880 NULL, OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3881 SetLastError(0xdeadbeef);
3882 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3883 NULL, pDacl, NULL);
3884 HeapFree(GetProcessHeap(), 0, pDacl);
3885 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3886 {
3887 win_skip("SetNamedSecurityInfoA is not implemented\n");
3888 HeapFree(GetProcessHeap(), 0, user);
3889 CloseHandle(hTemp);
3890 return;
3891 }
3892 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3893 SetLastError(0xdeadbeef);
3894 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3895 NULL, NULL, &pDacl, NULL, &pSD);
3896 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3897 {
3898 win_skip("GetNamedSecurityInfoA is not implemented\n");
3899 HeapFree(GetProcessHeap(), 0, user);
3900 CloseHandle(hTemp);
3901 return;
3902 }
3903 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3904
3905 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3906 ok(bret, "GetAclInformation failed\n");
3907 if (acl_size.AceCount > 0)
3908 {
3909 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3910 ok(bret, "Failed to get Current User ACE.\n");
3911 bret = EqualSid(&ace->SidStart, user_sid);
3912 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
3913 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3914 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3915 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3916 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
3917 ace->Mask);
3918 }
3919 if (acl_size.AceCount > 1)
3920 {
3921 bret = pGetAce(pDacl, 1, (VOID **)&ace);
3922 ok(bret, "Failed to get Administators Group ACE.\n");
3923 bret = EqualSid(&ace->SidStart, admin_sid);
3924 todo_wine ok(bret || broken(!bret) /* win2k */,
3925 "Administators Group ACE (%s) != Administators Group SID (%s).\n",
3926 debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3927 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3928 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3929 ok(ace->Mask == 0x1f01ff || broken(ace->Mask == GENERIC_ALL) /* win2k */,
3930 "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n", ace->Mask);
3931 }
3932 LocalFree(pSD);
3933
3934 /* show that setting empty DACL is not removing all file permissions */
3935 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3936 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3937 ok(bret, "Failed to initialize ACL.\n");
3938 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3939 NULL, NULL, pDacl, NULL);
3940 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3941 HeapFree(GetProcessHeap(), 0, pDacl);
3942
3943 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3944 NULL, NULL, &pDacl, NULL, &pSD);
3945 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3946
3947 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3948 ok(bret, "GetAclInformation failed\n");
3949 if (acl_size.AceCount > 0)
3950 {
3951 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3952 ok(bret, "Failed to get ACE.\n");
3953 todo_wine ok(((ACE_HEADER *)ace)->AceFlags & INHERITED_ACE,
3954 "ACE has unexpected flags: 0x%x\n", ((ACE_HEADER *)ace)->AceFlags);
3955 }
3956 LocalFree(pSD);
3957
3958 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3959 NULL, OPEN_EXISTING, 0, NULL);
3960 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3961 CloseHandle(h);
3962
3963 /* test setting NULL DACL */
3964 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3965 DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL);
3966 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3967
3968 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3969 NULL, NULL, &pDacl, NULL, &pSD);
3970 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3971 todo_wine ok(!pDacl, "pDacl != NULL\n");
3972 LocalFree(pSD);
3973
3974 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3975 NULL, OPEN_EXISTING, 0, NULL);
3976 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3977 CloseHandle(h);
3978
3979 /* NtSetSecurityObject doesn't inherit DACL entries */
3980 pSD = sd+sizeof(void*)-((ULONG_PTR)sd)%sizeof(void*);
3981 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3982 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3983 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3984 ok(bret, "Failed to initialize ACL.\n");
3985 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3986 ok(bret, "Failed to add ACL to security descriptor.\n");
3987 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3988 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3989
3990 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3991 NULL, OPEN_EXISTING, 0, NULL);
3992 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3993 CloseHandle(h);
3994
3995 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ, SE_DACL_AUTO_INHERIT_REQ);
3996 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3997 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3998
3999 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4000 NULL, OPEN_EXISTING, 0, NULL);
4001 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4002 CloseHandle(h);
4003
4004 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED,
4005 SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED);
4006 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4007 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4008
4009 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4010 NULL, OPEN_EXISTING, 0, NULL);
4011 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4012 CloseHandle(h);
4013
4014 /* test if DACL is properly mapped to permission */
4015 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
4016 ok(bret, "Failed to initialize ACL.\n");
4017 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4018 ok(bret, "Failed to add Current User to ACL.\n");
4019 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4020 ok(bret, "Failed to add Current User to ACL.\n");
4021 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4022 ok(bret, "Failed to add ACL to security descriptor.\n");
4023 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4024 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4025
4026 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4027 NULL, OPEN_EXISTING, 0, NULL);
4028 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4029 CloseHandle(h);
4030
4031 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
4032 ok(bret, "Failed to initialize ACL.\n");
4033 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4034 ok(bret, "Failed to add Current User to ACL.\n");
4035 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4036 ok(bret, "Failed to add Current User to ACL.\n");
4037 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4038 ok(bret, "Failed to add ACL to security descriptor.\n");
4039 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4040 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4041
4042 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4043 NULL, OPEN_EXISTING, 0, NULL);
4044 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4045 HeapFree(GetProcessHeap(), 0, pDacl);
4046 HeapFree(GetProcessHeap(), 0, user);
4047 CloseHandle(hTemp);
4048
4049 /* Test querying the ownership of a built-in registry key */
4050 sid_size = sizeof(system_ptr);
4051 pCreateWellKnownSid(WinLocalSystemSid, NULL, system_sid, &sid_size);
4052 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY,
4053 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
4054 NULL, NULL, NULL, NULL, &pSD);
4055 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4056
4057 bret = AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &localsys_sid);
4058 ok(bret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4059
4060 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
4061 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
4062 ok(owner != NULL, "owner should not be NULL\n");
4063 ok(EqualSid(owner, admin_sid) || EqualSid(owner, localsys_sid),
4064 "MACHINE\\Software owner SID (%s) != Administrators SID (%s) or Local System Sid (%s).\n",
4065 debugstr_sid(owner), debugstr_sid(admin_sid), debugstr_sid(localsys_sid));
4066
4067 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
4068 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
4069 ok(group != NULL, "group should not be NULL\n");
4070 ok(EqualSid(group, admin_sid) || broken(EqualSid(group, system_sid)) /* before Win7 */
4071 || broken(((SID*)group)->SubAuthority[0] == SECURITY_NT_NON_UNIQUE) /* Vista */,
4072 "MACHINE\\Software group SID (%s) != Local System SID (%s or %s)\n",
4073 debugstr_sid(group), debugstr_sid(admin_sid), debugstr_sid(system_sid));
4074 LocalFree(pSD);
4075
4076 /* Test querying the DACL of a built-in registry key */
4077 sid_size = sizeof(users_ptr);
4078 pCreateWellKnownSid(WinBuiltinUsersSid, NULL, users_sid, &sid_size);
4079 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
4080 NULL, NULL, NULL, NULL, &pSD);
4081 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4082
4083 bret = GetSecurityDescriptorDacl(pSD, &dacl_present, &pDacl, &dacl_defaulted);
4084 ok(bret, "GetSecurityDescriptorDacl failed with error %d\n", GetLastError());
4085 ok(dacl_present, "DACL should be present\n");
4086 ok(pDacl && IsValidAcl(pDacl), "GetSecurityDescriptorDacl returned invalid DACL.\n");
4087 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4088 ok(bret, "GetAclInformation failed\n");
4089 ok(acl_size.AceCount != 0, "GetAclInformation returned no ACLs\n");
4090 for (i=0; i<acl_size.AceCount; i++)
4091 {
4092 bret = pGetAce(pDacl, i, (VOID **)&ace);
4093 ok(bret, "Failed to get ACE %d.\n", i);
4094 bret = EqualSid(&ace->SidStart, users_sid);
4095 if (bret) users_ace_id = i;
4096 bret = EqualSid(&ace->SidStart, admin_sid);
4097 if (bret) admins_ace_id = i;
4098 }
4099 ok(users_ace_id != -1 || broken(users_ace_id == -1) /* win2k */,
4100 "Builtin Users ACE not found.\n");
4101 if (users_ace_id != -1)
4102 {
4103 bret = pGetAce(pDacl, users_ace_id, (VOID **)&ace);
4104 ok(bret, "Failed to get Builtin Users ACE.\n");
4105 flags = ((ACE_HEADER *)ace)->AceFlags;
4106 ok(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)
4107 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4108 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4109 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4110 "Builtin Users ACE has unexpected flags (0x%x != 0x%x)\n", flags,
4111 INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE);
4112 ok(ace->Mask == GENERIC_READ
4113 || broken(ace->Mask == KEY_READ), /* win 10 */
4114 "Builtin Users ACE has unexpected mask (0x%x != 0x%x)\n",
4115 ace->Mask, GENERIC_READ);
4116 }
4117 ok(admins_ace_id != -1, "Builtin Admins ACE not found.\n");
4118 if (admins_ace_id != -1)
4119 {
4120 bret = pGetAce(pDacl, admins_ace_id, (VOID **)&ace);
4121 ok(bret, "Failed to get Builtin Admins ACE.\n");
4122 flags = ((ACE_HEADER *)ace)->AceFlags;
4123 ok(flags == 0x0
4124 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4125 || broken(flags == (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) /* win7 */
4126 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)) /* win8+ */
4127 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4128 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4129 "Builtin Admins ACE has unexpected flags (0x%x != 0x0)\n", flags);
4130 ok(ace->Mask == KEY_ALL_ACCESS || broken(ace->Mask == GENERIC_ALL) /* w2k8 */,
4131 "Builtin Admins ACE has unexpected mask (0x%x != 0x%x)\n", ace->Mask, KEY_ALL_ACCESS);
4132 }
4133
4134 FreeSid(localsys_sid);
4135 LocalFree(pSD);
4136 }
4137
4138 static void test_ConvertStringSecurityDescriptor(void)
4139 {
4140 BOOL ret;
4141 PSECURITY_DESCRIPTOR pSD;
4142 static const WCHAR Blank[] = { 0 };
4143 unsigned int i;
4144 ULONG size;
4145 ACL *acl;
4146 static const struct
4147 {
4148 const char *sidstring;
4149 DWORD revision;
4150 BOOL ret;
4151 DWORD GLE;
4152 DWORD altGLE;
4153 } cssd[] =
4154 {
4155 { "D:(A;;GA;;;WD)", 0xdeadbeef, FALSE, ERROR_UNKNOWN_REVISION },
4156 /* test ACE string type */
4157 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4158 { "D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4159 { "ERROR:(D;;GA;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_PARAMETER },
4160 /* test ACE string with spaces */
4161 { " D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4162 { "D: (D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4163 { "D:( D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4164 { "D:(D ;;GA;;;WD)", SDDL_REVISION_1, FALSE, RPC_S_INVALID_STRING_UUID, ERROR_INVALID_ACL }, /* Vista+ */
4165 { "D:(D; ;GA;;;WD)", SDDL_REVISION_1, TRUE },
4166 { "D:(D;; GA;;;WD)", SDDL_REVISION_1, TRUE },
4167 { "D:(D;;GA ;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4168 { "D:(D;;GA; ;;WD)", SDDL_REVISION_1, TRUE },
4169 { "D:(D;;GA;; ;WD)", SDDL_REVISION_1, TRUE },
4170 { "D:(D;;GA;;; WD)", SDDL_REVISION_1, TRUE },
4171 { "D:(D;;GA;;;WD )", SDDL_REVISION_1, TRUE },
4172 /* test ACE string access rights */
4173 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4174 { "D:(A;;GRGWGX;;;WD)", SDDL_REVISION_1, TRUE },
4175 { "D:(A;;RCSDWDWO;;;WD)", SDDL_REVISION_1, TRUE },
4176 { "D:(A;;RPWPCCDCLCSWLODTCR;;;WD)", SDDL_REVISION_1, TRUE },
4177 { "D:(A;;FAFRFWFX;;;WD)", SDDL_REVISION_1, TRUE },
4178 { "D:(A;;KAKRKWKX;;;WD)", SDDL_REVISION_1, TRUE },
4179 { "D:(A;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4180 { "S:(AU;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4181 /* test ACE string access right error case */
4182 { "D:(A;;ROB;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4183 /* test behaviour with empty strings */
4184 { "", SDDL_REVISION_1, TRUE },
4185 /* test ACE string SID */
4186 { "D:(D;;GA;;;S-1-0-0)", SDDL_REVISION_1, TRUE },
4187 { "D:(D;;GA;;;Nonexistent account)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL, ERROR_INVALID_SID } /* W2K */
4188 };
4189
4190 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4191 {
4192 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4193 return;
4194 }
4195
4196 for (i = 0; i < ARRAY_SIZE(cssd); i++)
4197 {
4198 DWORD GLE;
4199
4200 SetLastError(0xdeadbeef);
4201 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4202 cssd[i].sidstring, cssd[i].revision, &pSD, NULL);
4203 GLE = GetLastError();
4204 ok(ret == cssd[i].ret, "(%02u) Expected %s (%d)\n", i, cssd[i].ret ? "success" : "failure", GLE);
4205 if (!cssd[i].ret)
4206 ok(GLE == cssd[i].GLE ||
4207 (cssd[i].altGLE && GLE == cssd[i].altGLE),
4208 "(%02u) Unexpected last error %d\n", i, GLE);
4209 if (ret)
4210 LocalFree(pSD);
4211 }
4212
4213 /* test behaviour with NULL parameters */
4214 SetLastError(0xdeadbeef);
4215 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4216 NULL, 0xdeadbeef, &pSD, NULL);
4217 todo_wine
4218 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4219 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4220 GetLastError());
4221
4222 SetLastError(0xdeadbeef);
4223 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4224 NULL, 0xdeadbeef, &pSD, NULL);
4225 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4226 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4227 GetLastError());
4228
4229 SetLastError(0xdeadbeef);
4230 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4231 "D:(A;;ROB;;;WD)", 0xdeadbeef, NULL, NULL);
4232 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4233 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4234 GetLastError());
4235
4236 SetLastError(0xdeadbeef);
4237 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4238 "D:(A;;ROB;;;WD)", SDDL_REVISION_1, NULL, NULL);
4239 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4240 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4241 GetLastError());
4242
4243 /* test behaviour with empty strings */
4244 SetLastError(0xdeadbeef);
4245 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4246 Blank, SDDL_REVISION_1, &pSD, NULL);
4247 ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError());
4248 LocalFree(pSD);
4249
4250 SetLastError(0xdeadbeef);
4251 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4252 "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL);
4253 ok(ret || broken(!ret && GetLastError() == ERROR_INVALID_DATATYPE) /* win2k */,
4254 "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %u\n", GetLastError());
4255 if (ret) LocalFree(pSD);
4256
4257 /* empty DACL */
4258 size = 0;
4259 SetLastError(0xdeadbeef);
4260 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("D:", SDDL_REVISION_1, &pSD, &size);
4261 ok(ret, "unexpected error %u\n", GetLastError());
4262 ok(size == sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sizeof(ACL), "got %u\n", size);
4263 acl = (ACL *)((char *)pSD + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
4264 ok(acl->AclRevision == ACL_REVISION, "got %u\n", acl->AclRevision);
4265 ok(!acl->Sbz1, "got %u\n", acl->Sbz1);
4266 ok(acl->AclSize == sizeof(*acl), "got %u\n", acl->AclSize);
4267 ok(!acl->AceCount, "got %u\n", acl->AceCount);
4268 ok(!acl->Sbz2, "got %u\n", acl->Sbz2);
4269 LocalFree(pSD);
4270
4271 /* empty SACL */
4272 size = 0;
4273 SetLastError(0xdeadbeef);
4274 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("S:", SDDL_REVISION_1, &pSD, &size);
4275 ok(ret, "unexpected error %u\n", GetLastError());
4276 ok(size == sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sizeof(ACL), "got %u\n", size);
4277 acl = (ACL *)((char *)pSD + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
4278 ok(!acl->Sbz1, "got %u\n", acl->Sbz1);
4279 ok(acl->AclSize == sizeof(*acl), "got %u\n", acl->AclSize);
4280 ok(!acl->AceCount, "got %u\n", acl->AceCount);
4281 ok(!acl->Sbz2, "got %u\n", acl->Sbz2);
4282 LocalFree(pSD);
4283 }
4284
4285 static void test_ConvertSecurityDescriptorToString(void)
4286 {
4287 SECURITY_DESCRIPTOR desc;
4288 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4289 LPSTR string;
4290 DWORD size;
4291 PSID psid, psid2;
4292 PACL pacl;
4293 char sid_buf[256];
4294 char acl_buf[8192];
4295 ULONG len;
4296
4297 if (!pConvertSecurityDescriptorToStringSecurityDescriptorA)
4298 {
4299 win_skip("ConvertSecurityDescriptorToStringSecurityDescriptor is not available\n");
4300 return;
4301 }
4302 if (!pCreateWellKnownSid)
4303 {
4304 win_skip("CreateWellKnownSid is not available\n");
4305 return;
4306 }
4307
4308 /* It seems Windows XP adds an extra character to the length of the string for each ACE in an ACL. We
4309 * don't replicate this feature so we only test len >= strlen+1. */
4310 #define CHECK_RESULT_AND_FREE(exp_str) \
4311 ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
4312 ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
4313 LocalFree(string);
4314
4315 #define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2) \
4316 ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
4317 ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
4318 LocalFree(string);
4319
4320 InitializeSecurityDescriptor(&desc, SECURITY_DESCRIPTOR_REVISION);
4321 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4322 CHECK_RESULT_AND_FREE("");
4323
4324 size = 4096;
4325 pCreateWellKnownSid(WinLocalSid, NULL, sid_buf, &size);
4326 SetSecurityDescriptorOwner(&desc, sid_buf, FALSE);
4327 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4328 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4329
4330 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4331 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4332 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4333
4334 size = sizeof(sid_buf);
4335 pCreateWellKnownSid(WinLocalSystemSid, NULL, sid_buf, &size);
4336 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4337 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4338 CHECK_RESULT_AND_FREE("O:SY");
4339
4340 pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid);
4341 SetSecurityDescriptorGroup(&desc, psid, TRUE);
4342 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4343 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576");
4344
4345 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, GROUP_SECURITY_INFORMATION, &string, &len), "Conversion failed\n");
4346 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4347
4348 pacl = (PACL)acl_buf;
4349 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4350 SetSecurityDescriptorDacl(&desc, TRUE, pacl, TRUE);
4351 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4352 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4353
4354 SetSecurityDescriptorDacl(&desc, TRUE, pacl, FALSE);
4355 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4356 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4357
4358 pConvertStringSidToSidA("S-1-5-6", &psid2);
4359 pAddAccessAllowedAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, 0xf0000000, psid2);
4360 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4361 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)");
4362
4363 pAddAccessAllowedAceEx(pacl, ACL_REVISION, INHERIT_ONLY_ACE|INHERITED_ACE, 0x00000003, psid2);
4364 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4365 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)");
4366
4367 pAddAccessDeniedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE, 0xffffffff, psid);
4368 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4369 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)");
4370
4371
4372 pacl = (PACL)acl_buf;
4373 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4374 SetSecurityDescriptorSacl(&desc, TRUE, pacl, FALSE);
4375 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4376 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:");
4377
4378 /* fails in win2k */
4379 SetSecurityDescriptorDacl(&desc, TRUE, NULL, FALSE);
4380 pAddAuditAccessAceEx(pacl, ACL_REVISION, VALID_INHERIT_FLAGS, KEY_READ|KEY_WRITE, psid2, TRUE, TRUE);
4381 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4382 {
4383 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)", /* XP */
4384 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)" /* Vista */);
4385 }
4386
4387 /* fails in win2k */
4388 pAddAuditAccessAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, FILE_GENERIC_READ|FILE_GENERIC_WRITE, psid2, TRUE, FALSE);
4389 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4390 {
4391 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", /* XP */
4392 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)" /* Vista */);
4393 }
4394
4395 LocalFree(psid2);
4396 LocalFree(psid);
4397 }
4398
4399 static void test_SetSecurityDescriptorControl (PSECURITY_DESCRIPTOR sec)
4400 {
4401 SECURITY_DESCRIPTOR_CONTROL ref;
4402 SECURITY_DESCRIPTOR_CONTROL test;
4403
4404 SECURITY_DESCRIPTOR_CONTROL const mutable
4405 = SE_DACL_AUTO_INHERIT_REQ | SE_SACL_AUTO_INHERIT_REQ
4406 | SE_DACL_AUTO_INHERITED | SE_SACL_AUTO_INHERITED
4407 | SE_DACL_PROTECTED | SE_SACL_PROTECTED
4408 | 0x00000040 | 0x00000080 /* not defined in winnt.h */
4409 ;
4410 SECURITY_DESCRIPTOR_CONTROL const immutable
4411 = SE_OWNER_DEFAULTED | SE_GROUP_DEFAULTED
4412 | SE_DACL_PRESENT | SE_DACL_DEFAULTED
4413 | SE_SACL_PRESENT | SE_SACL_DEFAULTED
4414 | SE_RM_CONTROL_VALID | SE_SELF_RELATIVE
4415 ;
4416
4417 int bit;
4418 DWORD dwRevision;
4419 LPCSTR fmt = "Expected error %s, got %u\n";
4420
4421 GetSecurityDescriptorControl (sec, &ref, &dwRevision);
4422
4423 /* The mutable bits are mutable regardless of the truth of
4424 SE_DACL_PRESENT and/or SE_SACL_PRESENT */
4425
4426 /* Check call barfs if any bit-of-interest is immutable */
4427 for (bit = 0; bit < 16; ++bit)
4428 {
4429 SECURITY_DESCRIPTOR_CONTROL const bitOfInterest = 1 << bit;
4430 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitOfInterest;
4431
4432 SECURITY_DESCRIPTOR_CONTROL ctrl;
4433
4434 DWORD dwExpect = (bitOfInterest & immutable)
4435 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4436 LPCSTR strExpect = (bitOfInterest & immutable)
4437 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4438
4439 ctrl = (bitOfInterest & mutable) ? ref + bitOfInterest : ref;
4440 setOrClear ^= bitOfInterest;
4441 SetLastError (0xbebecaca);
4442 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4443 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4444 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4445 expect_eq(test, ctrl, int, "%x");
4446
4447 setOrClear ^= bitOfInterest;
4448 SetLastError (0xbebecaca);
4449 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4450 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4451 GetSecurityDescriptorControl (sec, &test, &dwRevision);
4452 expect_eq(test, ref, int, "%x");
4453 }
4454
4455 /* Check call barfs if any bit-to-set is immutable
4456 even when not a bit-of-interest */
4457 for (bit = 0; bit < 16; ++bit)
4458 {
4459 SECURITY_DESCRIPTOR_CONTROL const bitsOfInterest = mutable;
4460 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitsOfInterest;
4461
4462 SECURITY_DESCRIPTOR_CONTROL ctrl;
4463
4464 DWORD dwExpect = ((1 << bit) & immutable)
4465 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4466 LPCSTR strExpect = ((1 << bit) & immutable)
4467 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4468
4469 ctrl = ((1 << bit) & immutable) ? test : ref | mutable;
4470 setOrClear ^= bitsOfInterest;
4471 SetLastError (0xbebecaca);
4472 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4473 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4474 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4475 expect_eq(test, ctrl, int, "%x");
4476
4477 ctrl = ((1 << bit) & immutable) ? test : ref | (1 << bit);
4478 setOrClear ^= bitsOfInterest;
4479 SetLastError (0xbebecaca);
4480 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4481 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4482 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4483 expect_eq(test, ctrl, int, "%x");
4484 }
4485 }
4486
4487 static void test_PrivateObjectSecurity(void)
4488 {
4489 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4490 SECURITY_DESCRIPTOR_CONTROL ctrl;
4491 PSECURITY_DESCRIPTOR sec;
4492 DWORD dwDescSize;
4493 DWORD dwRevision;
4494 DWORD retSize;
4495 LPSTR string;
4496 ULONG len;
4497 PSECURITY_DESCRIPTOR buf;
4498 BOOL ret;
4499
4500 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4501 {
4502 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4503 return;
4504 }
4505
4506 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4507 "O:SY"
4508 "G:S-1-5-21-93476-23408-4576"
4509 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)"
4510 "(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4511 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4512 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4513
4514 test_SetSecurityDescriptorControl(sec);
4515
4516 LocalFree(sec);
4517
4518 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4519 "O:SY"
4520 "G:S-1-5-21-93476-23408-4576",
4521 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4522
4523 test_SetSecurityDescriptorControl(sec);
4524
4525 LocalFree(sec);
4526
4527 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4528 "O:SY"
4529 "G:S-1-5-21-93476-23408-4576"
4530 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4531 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4532 buf = HeapAlloc(GetProcessHeap(), 0, dwDescSize);
4533 pSetSecurityDescriptorControl(sec, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
4534 GetSecurityDescriptorControl(sec, &ctrl, &dwRevision);
4535 expect_eq(ctrl, 0x9014, int, "%x");
4536
4537 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4538 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4539 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4540 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4541 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4542 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4543 expect_eq(ctrl, 0x8000, int, "%x");
4544
4545 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4546 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4547 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4548 ret = pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len);
4549 ok(ret, "Conversion failed err=%u\n", GetLastError());
4550 CHECK_ONE_OF_AND_FREE("G:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)",
4551 "G:S-1-5-21-93476-23408-4576D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"); /* Win7 */
4552 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4553 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8004, int, "%x");
4554
4555 ret = GetPrivateObjectSecurity(sec, sec_info, buf, dwDescSize, &retSize);
4556 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4557 ok(retSize == dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4558 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4559 CHECK_ONE_OF_AND_FREE("O:SY"
4560 "G:S-1-5-21-93476-23408-4576"
4561 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4562 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4563 "O:SY"
4564 "G:S-1-5-21-93476-23408-4576"
4565 "D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4566 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)"); /* Win7 */
4567 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4568 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8014, int, "%x");
4569
4570 SetLastError(0xdeadbeef);
4571 ok(GetPrivateObjectSecurity(sec, sec_info, buf, 5, &retSize) == FALSE, "GetPrivateObjectSecurity should have failed\n");
4572 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected error ERROR_INSUFFICIENT_BUFFER, got %u\n", GetLastError());
4573
4574 LocalFree(sec);
4575 HeapFree(GetProcessHeap(), 0, buf);
4576 }
4577 #undef CHECK_RESULT_AND_FREE
4578 #undef CHECK_ONE_OF_AND_FREE
4579
4580 static void test_acls(void)
4581 {
4582 char buffer[256];
4583 PACL pAcl = (PACL)buffer;
4584 BOOL ret;
4585
4586 SetLastError(0xdeadbeef);
4587 ret = InitializeAcl(pAcl, sizeof(ACL) - 1, ACL_REVISION);
4588 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4589 {
4590 win_skip("InitializeAcl is not implemented\n");
4591 return;
4592 }
4593
4594 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "InitializeAcl with too small a buffer should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", GetLastError());
4595
4596 SetLastError(0xdeadbeef);
4597 ret = InitializeAcl(pAcl, 0xffffffff, ACL_REVISION);
4598 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl with too large a buffer should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4599
4600 SetLastError(0xdeadbeef);
4601 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION1);
4602 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(ACL_REVISION1) should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4603
4604 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION2);
4605 ok(ret, "InitializeAcl(ACL_REVISION2) failed with error %d\n", GetLastError());
4606
4607 ret = IsValidAcl(pAcl);
4608 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4609
4610 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION3);
4611 ok(ret, "InitializeAcl(ACL_REVISION3) failed with error %d\n", GetLastError());
4612
4613 ret = IsValidAcl(pAcl);
4614 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4615
4616 SetLastError(0xdeadbeef);
4617 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION4);
4618 if (GetLastError() != ERROR_INVALID_PARAMETER)
4619 {
4620 ok(ret, "InitializeAcl(ACL_REVISION4) failed with error %d\n", GetLastError());
4621
4622 ret = IsValidAcl(pAcl);
4623 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4624 }
4625 else
4626 win_skip("ACL_REVISION4 is not implemented on NT4\n");
4627
4628 SetLastError(0xdeadbeef);
4629 ret = InitializeAcl(pAcl, sizeof(buffer), -1);
4630 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(-1) failed with error %d\n", GetLastError());
4631 }
4632
4633 static void test_GetSecurityInfo(void)
4634 {
4635 char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
4636 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
4637 DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
4638 PSID admin_sid = (PSID) admin_ptr, user_sid;
4639 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
4640 ACL_SIZE_INFORMATION acl_size;
4641 PSECURITY_DESCRIPTOR pSD;
4642 ACCESS_ALLOWED_ACE *ace;
4643 HANDLE token, obj;
4644 PSID owner, group;
4645 BOOL bret = TRUE;
4646 PACL pDacl;
4647 DWORD ret;
4648
4649 if (!pGetSecurityInfo || !pSetSecurityInfo)
4650 {
4651 win_skip("[Get|Set]SecurityInfo is not available\n");
4652 return;
4653 }
4654
4655 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
4656 {
4657 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
4658 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
4659 }
4660 if (!bret)
4661 {
4662 win_skip("Failed to get current user token\n");
4663 return;
4664 }
4665 bret = GetTokenInformation(token, TokenUser, b, l, &l);
4666 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
4667 CloseHandle( token );
4668 user_sid = ((TOKEN_USER *)b)->User.Sid;
4669
4670 /* Create something. Files have lots of associated security info. */
4671 obj = CreateFileA(myARGV[0], GENERIC_READ|WRITE_DAC, FILE_SHARE_READ, NULL,
4672 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4673 if (obj == INVALID_HANDLE_VALUE)
4674 {
4675 skip("Couldn't create an object for GetSecurityInfo test\n");
4676 return;
4677 }
4678
4679 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4680 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4681 &owner, &group, &pDacl, NULL, &pSD);
4682 if (ret == ERROR_CALL_NOT_IMPLEMENTED)
4683 {
4684 win_skip("GetSecurityInfo is not implemented\n");
4685 CloseHandle(obj);
4686 return;
4687 }
4688 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4689 ok(pSD != NULL, "GetSecurityInfo\n");
4690 ok(owner != NULL, "GetSecurityInfo\n");
4691 ok(group != NULL, "GetSecurityInfo\n");
4692 if (pDacl != NULL)
4693 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4694 else
4695 win_skip("No ACL information returned\n");
4696
4697 LocalFree(pSD);
4698
4699 if (!pCreateWellKnownSid)
4700 {
4701 win_skip("NULL parameter test would crash on NT4\n");
4702 CloseHandle(obj);
4703 return;
4704 }
4705
4706 /* If we don't ask for the security descriptor, Windows will still give us
4707 the other stuff, leaving us no way to free it. */
4708 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4709 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4710 &owner, &group, &pDacl, NULL, NULL);
4711 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4712 ok(owner != NULL, "GetSecurityInfo\n");
4713 ok(group != NULL, "GetSecurityInfo\n");
4714 if (pDacl != NULL)
4715 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4716 else
4717 win_skip("No ACL information returned\n");
4718
4719 /* Create security descriptor information and test that it comes back the same */
4720 pSD = &sd;
4721 pDacl = (PACL)&dacl;
4722 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
4723 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
4724 bret = InitializeAcl(pDacl, sizeof(dacl), ACL_REVISION);
4725 ok(bret, "Failed to initialize ACL.\n");
4726 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4727 ok(bret, "Failed to add Current User to ACL.\n");
4728 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
4729 ok(bret, "Failed to add Administrator Group to ACL.\n");
4730 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4731 ok(bret, "Failed to add ACL to security descriptor.\n");
4732 ret = pSetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4733 NULL, NULL, pDacl, NULL);
4734 ok(ret == ERROR_SUCCESS, "SetSecurityInfo returned %d\n", ret);
4735 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4736 NULL, NULL, &pDacl, NULL, &pSD);
4737 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4738 ok(pDacl && IsValidAcl(pDacl), "GetSecurityInfo returned invalid DACL.\n");
4739 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4740 ok(bret, "GetAclInformation failed\n");
4741 if (acl_size.AceCount > 0)
4742 {
4743 bret = pGetAce(pDacl, 0, (VOID **)&ace);
4744 ok(bret, "Failed to get Current User ACE.\n");
4745 bret = EqualSid(&ace->SidStart, user_sid);
4746 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
4747 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
4748 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4749 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4750 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4751 ace->Mask);
4752 }
4753 if (acl_size.AceCount > 1)
4754 {
4755 bret = pGetAce(pDacl, 1, (VOID **)&ace);
4756 ok(bret, "Failed to get Administators Group ACE.\n");
4757 bret = EqualSid(&ace->SidStart, admin_sid);
4758 todo_wine ok(bret, "Administators Group ACE (%s) != Administators Group SID (%s).\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
4759 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4760 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4761 ok(ace->Mask == 0x1f01ff, "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4762 ace->Mask);
4763 }
4764 LocalFree(pSD);
4765 CloseHandle(obj);
4766 }
4767
4768 static void test_GetSidSubAuthority(void)
4769 {
4770 PSID psid = NULL;
4771
4772 if (!pGetSidSubAuthority || !pConvertStringSidToSidA || !pIsValidSid || !pGetSidSubAuthorityCount)
4773 {
4774 win_skip("Some functions not available\n");
4775 return;
4776 }
4777 /* Note: on windows passing in an invalid index like -1, lets GetSidSubAuthority return 0x05000000 but
4778 still GetLastError returns ERROR_SUCCESS then. We don't test these unlikely cornercases here for now */
4779 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576",&psid),"ConvertStringSidToSidA failed\n");
4780 ok(pIsValidSid(psid),"Sid is not valid\n");
4781 SetLastError(0xbebecaca);
4782 ok(*pGetSidSubAuthorityCount(psid) == 4,"GetSidSubAuthorityCount gave %d expected 4\n",*pGetSidSubAuthorityCount(psid));
4783 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4784 SetLastError(0xbebecaca);
4785 ok(*pGetSidSubAuthority(psid,0) == 21,"GetSidSubAuthority gave %d expected 21\n",*pGetSidSubAuthority(psid,0));
4786 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4787 SetLastError(0xbebecaca);
4788 ok(*pGetSidSubAuthority(psid,1) == 93476,"GetSidSubAuthority gave %d expected 93476\n",*pGetSidSubAuthority(psid,1));
4789 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4790 SetLastError(0xbebecaca);
4791 ok(pGetSidSubAuthority(psid,4) != NULL,"Expected out of bounds GetSidSubAuthority to return a non-NULL pointer\n");
4792 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4793 LocalFree(psid);
4794 }
4795
4796 static void test_CheckTokenMembership(void)
4797 {
4798 PTOKEN_GROUPS token_groups;
4799 DWORD size;
4800 HANDLE process_token, token;
4801 BOOL is_member;
4802 BOOL ret;
4803 DWORD i;
4804
4805 if (!pCheckTokenMembership)
4806 {
4807 win_skip("CheckTokenMembership is not available\n");
4808 return;
4809 }
4810 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
4811 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
4812
4813 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
4814 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
4815
4816 /* groups */
4817 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
4818 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
4819 "GetTokenInformation(TokenGroups) %s with error %d\n",
4820 ret ? "succeeded" : "failed", GetLastError());
4821 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
4822 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
4823 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
4824
4825 for (i = 0; i < token_groups->GroupCount; i++)
4826 {
4827 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
4828 break;
4829 }
4830
4831 if (i == token_groups->GroupCount)
4832 {
4833 HeapFree(GetProcessHeap(), 0, token_groups);
4834 CloseHandle(token);
4835 skip("user not a member of any group\n");
4836 return;
4837 }
4838
4839 is_member = FALSE;
4840 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
4841 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4842 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4843
4844 is_member = FALSE;
4845 ret = pCheckTokenMembership(NULL, token_groups->Groups[i].Sid, &is_member);
4846 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4847 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4848
4849 is_member = TRUE;
4850 SetLastError(0xdeadbeef);
4851 ret = pCheckTokenMembership(process_token, token_groups->Groups[i].Sid, &is_member);
4852 ok(!ret && GetLastError() == ERROR_NO_IMPERSONATION_TOKEN,
4853 "CheckTokenMembership with process token %s with error %d\n",
4854 ret ? "succeeded" : "failed", GetLastError());
4855 ok(!is_member, "CheckTokenMembership should have cleared is_member\n");
4856
4857 HeapFree(GetProcessHeap(), 0, token_groups);
4858 CloseHandle(token);
4859 CloseHandle(process_token);
4860 }
4861
4862 static void test_EqualSid(void)
4863 {
4864 PSID sid1, sid2;
4865 BOOL ret;
4866 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
4867 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
4868
4869 SetLastError(0xdeadbeef);
4870 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4871 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid1);
4872 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4873 {
4874 win_skip("AllocateAndInitializeSid is not implemented\n");
4875 return;
4876 }
4877 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4878 ok(GetLastError() == 0xdeadbeef,
4879 "AllocateAndInitializeSid shouldn't have set last error to %d\n",
4880 GetLastError());
4881
4882 ret = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
4883 0, 0, 0, 0, 0, 0, 0, &sid2);
4884 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4885
4886 SetLastError(0xdeadbeef);
4887 ret = EqualSid(sid1, sid2);
4888 ok(!ret, "World and domain admins sids shouldn't have been equal\n");
4889 ok(GetLastError() == ERROR_SUCCESS ||
4890 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4891 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4892 GetLastError());
4893
4894 SetLastError(0xdeadbeef);
4895 sid2 = FreeSid(sid2);
4896 ok(!sid2, "FreeSid should have returned NULL instead of %p\n", sid2);
4897 ok(GetLastError() == 0xdeadbeef,
4898 "FreeSid shouldn't have set last error to %d\n",
4899 GetLastError());
4900
4901 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4902 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid2);
4903 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4904
4905 SetLastError(0xdeadbeef);
4906 ret = EqualSid(sid1, sid2);
4907 ok(ret, "Same sids should have been equal %s != %s\n",
4908 debugstr_sid(sid1), debugstr_sid(sid2));
4909 ok(GetLastError() == ERROR_SUCCESS ||
4910 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4911 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4912 GetLastError());
4913
4914 ((SID *)sid2)->Revision = 2;
4915 SetLastError(0xdeadbeef);
4916 ret = EqualSid(sid1, sid2);
4917 ok(!ret, "EqualSid with invalid sid should have returned FALSE\n");
4918 ok(GetLastError() == ERROR_SUCCESS ||
4919 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4920 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4921 GetLastError());
4922 ((SID *)sid2)->Revision = SID_REVISION;
4923
4924 FreeSid(sid1);
4925 FreeSid(sid2);
4926 }
4927
4928 static void test_GetUserNameA(void)
4929 {
4930 char buffer[UNLEN + 1], filler[UNLEN + 1];
4931 DWORD required_len, buffer_len;
4932 BOOL ret;
4933
4934 /* Test crashes on Windows. */
4935 if (0)
4936 {
4937 SetLastError(0xdeadbeef);
4938 GetUserNameA(NULL, NULL);
4939 }
4940
4941 SetLastError(0xdeadbeef);
4942 required_len = 0;
4943 ret = GetUserNameA(NULL, &required_len);
4944 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4945 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4946 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4947
4948 SetLastError(0xdeadbeef);
4949 required_len = 1;
4950 ret = GetUserNameA(NULL, &required_len);
4951 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4952 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
4953 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4954
4955 /* Tests crashes on Windows. */
4956 if (0)
4957 {
4958 SetLastError(0xdeadbeef);
4959 required_len = UNLEN + 1;
4960 GetUserNameA(NULL, &required_len);
4961
4962 SetLastError(0xdeadbeef);
4963 GetUserNameA(buffer, NULL);
4964 }
4965
4966 memset(filler, 'x', sizeof(filler));
4967
4968 /* Note that GetUserNameA on XP and newer outputs the number of bytes
4969 * required for a Unicode string, which affects a test in the next block. */
4970 SetLastError(0xdeadbeef);
4971 memcpy(buffer, filler, sizeof(filler));
4972 required_len = 0;
4973 ret = GetUserNameA(buffer, &required_len);
4974 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4975 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
4976 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4977 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4978
4979 SetLastError(0xdeadbeef);
4980 memcpy(buffer, filler, sizeof(filler));
4981 buffer_len = required_len;
4982 ret = GetUserNameA(buffer, &buffer_len);
4983 ok(ret == TRUE, "GetUserNameA returned %d, last error %u\n", ret, GetLastError());
4984 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
4985 ok(buffer_len == required_len ||
4986 broken(buffer_len == required_len / sizeof(WCHAR)), /* XP+ */
4987 "Outputted buffer length was %u\n", buffer_len);
4988
4989 /* Use the reported buffer size from the last GetUserNameA call and pass
4990 * a length that is one less than the required value. */
4991 SetLastError(0xdeadbeef);
4992 memcpy(buffer, filler, sizeof(filler));
4993 buffer_len--;
4994 ret = GetUserNameA(buffer, &buffer_len);
4995 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4996 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was untouched\n");
4997 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4998 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4999 }
5000
5001 static void test_GetUserNameW(void)
5002 {
5003 WCHAR buffer[UNLEN + 1], filler[UNLEN + 1];
5004 DWORD required_len, buffer_len;
5005 BOOL ret;
5006
5007 /* Test crashes on Windows. */
5008 if (0)
5009 {
5010 SetLastError(0xdeadbeef);
5011 GetUserNameW(NULL, NULL);
5012 }
5013
5014 SetLastError(0xdeadbeef);
5015 required_len = 0;
5016 ret = GetUserNameW(NULL, &required_len);
5017 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5018 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
5019 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5020
5021 SetLastError(0xdeadbeef);
5022 required_len = 1;
5023 ret = GetUserNameW(NULL, &required_len);
5024 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5025 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
5026 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5027
5028 /* Tests crash on Windows. */
5029 if (0)
5030 {
5031 SetLastError(0xdeadbeef);
5032 required_len = UNLEN + 1;
5033 GetUserNameW(NULL, &required_len);
5034
5035 SetLastError(0xdeadbeef);
5036 GetUserNameW(buffer, NULL);
5037 }
5038
5039 memset(filler, 'x', sizeof(filler));
5040
5041 SetLastError(0xdeadbeef);
5042 memcpy(buffer, filler, sizeof(filler));
5043 required_len = 0;
5044 ret = GetUserNameW(buffer, &required_len);
5045 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5046 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
5047 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
5048 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5049
5050 SetLastError(0xdeadbeef);
5051 memcpy(buffer, filler, sizeof(filler));
5052 buffer_len = required_len;
5053 ret = GetUserNameW(buffer, &buffer_len);
5054 ok(ret == TRUE, "GetUserNameW returned %d, last error %u\n", ret, GetLastError());
5055 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
5056 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
5057
5058 /* GetUserNameW on XP and newer writes a truncated portion of the username string to the buffer. */
5059 SetLastError(0xdeadbeef);
5060 memcpy(buffer, filler, sizeof(filler));
5061 buffer_len--;
5062 ret = GetUserNameW(buffer, &buffer_len);
5063 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5064 ok(!memcmp(buffer, filler, sizeof(filler)) ||
5065 broken(memcmp(buffer, filler, sizeof(filler)) != 0), /* XP+ */
5066 "Output buffer was altered\n");
5067 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
5068 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5069 }
5070
5071 static void test_CreateRestrictedToken(void)
5072 {
5073 HANDLE process_token, token, r_token;
5074 PTOKEN_GROUPS token_groups, groups2;
5075 SID_AND_ATTRIBUTES sattr;
5076 SECURITY_IMPERSONATION_LEVEL level;
5077 TOKEN_TYPE type;
5078 BOOL is_member;
5079 DWORD size;
5080 BOOL ret;
5081 DWORD i, j;
5082
5083 if (!pCreateRestrictedToken)
5084 {
5085 win_skip("CreateRestrictedToken is not available\n");
5086 return;
5087 }
5088
5089 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
5090 ok(ret, "got error %d\n", GetLastError());
5091
5092 ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_QUERY,
5093 NULL, SecurityImpersonation, TokenImpersonation, &token);
5094 ok(ret, "got error %d\n", GetLastError());
5095
5096 /* groups */
5097 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
5098 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
5099 "got %d with error %d\n", ret, GetLastError());
5100 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
5101 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
5102 ok(ret, "got error %d\n", GetLastError());
5103
5104 for (i = 0; i < token_groups->GroupCount; i++)
5105 {
5106 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
5107 break;
5108 }
5109
5110 if (i == token_groups->GroupCount)
5111 {
5112 HeapFree(GetProcessHeap(), 0, token_groups);
5113 CloseHandle(token);
5114 skip("User not a member of any group\n");
5115 return;
5116 }
5117
5118 is_member = FALSE;
5119 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
5120 ok(ret, "got error %d\n", GetLastError());
5121 ok(is_member, "not a member\n");
5122
5123 /* disable a SID in new token */
5124 sattr.Sid = token_groups->Groups[i].Sid;
5125 sattr.Attributes = 0;
5126 r_token = NULL;
5127 ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
5128 ok(ret, "got error %d\n", GetLastError());
5129
5130 if (ret)
5131 {
5132 /* check if a SID is enabled */
5133 is_member = TRUE;
5134 ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
5135 ok(ret, "got error %d\n", GetLastError());
5136 todo_wine ok(!is_member, "not a member\n");
5137
5138 ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
5139 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
5140 ret, GetLastError());
5141 groups2 = HeapAlloc(GetProcessHeap(), 0, size);
5142 ret = GetTokenInformation(r_token, TokenGroups, groups2, size, &size);
5143 ok(ret, "got error %d\n", GetLastError());
5144
5145 for (j = 0; j < groups2->GroupCount; j++)
5146 {
5147 if (EqualSid(groups2->Groups[j].Sid, token_groups->Groups[i].Sid))
5148 break;
5149 }
5150
5151 todo_wine ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
5152 "got wrong attributes\n");
5153 todo_wine ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
5154 "got wrong attributes\n");
5155
5156 HeapFree(GetProcessHeap(), 0, groups2);
5157
5158 size = sizeof(type);
5159 ret = GetTokenInformation(r_token, TokenType, &type, size, &size);
5160 ok(ret, "got error %d\n", GetLastError());
5161 ok(type == TokenImpersonation, "got type %u\n", type);
5162
5163 size = sizeof(level);
5164 ret = GetTokenInformation(r_token, TokenImpersonationLevel, &level, size, &size);
5165 ok(ret, "got error %d\n", GetLastError());
5166 ok(level == SecurityImpersonation, "got level %u\n", type);
5167 }
5168
5169 HeapFree(GetProcessHeap(), 0, token_groups);
5170 CloseHandle(r_token);
5171 CloseHandle(token);
5172 CloseHandle(process_token);
5173 }
5174
5175 static void validate_default_security_descriptor(SECURITY_DESCRIPTOR *sd)
5176 {
5177 BOOL ret, present, defaulted;
5178 ACL *acl;
5179 void *sid;
5180
5181 ret = IsValidSecurityDescriptor(sd);
5182 ok(ret, "security descriptor is not valid\n");
5183
5184 present = -1;
5185 defaulted = -1;
5186 acl = (void *)0xdeadbeef;
5187 SetLastError(0xdeadbeef);
5188 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
5189 ok(ret, "GetSecurityDescriptorDacl error %d\n", GetLastError());
5190 todo_wine
5191 ok(present == 1, "acl is not present\n");
5192 todo_wine
5193 ok(acl != (void *)0xdeadbeef && acl != NULL, "acl pointer is not set\n");
5194 ok(defaulted == 0, "defaulted is set to TRUE\n");
5195
5196 defaulted = -1;
5197 sid = (void *)0xdeadbeef;
5198 SetLastError(0xdeadbeef);
5199 ret = GetSecurityDescriptorOwner(sd, &sid, &defaulted);
5200 ok(ret, "GetSecurityDescriptorOwner error %d\n", GetLastError());
5201 todo_wine
5202 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5203 ok(defaulted == 0, "defaulted is set to TRUE\n");
5204
5205 defaulted = -1;
5206 sid = (void *)0xdeadbeef;
5207 SetLastError(0xdeadbeef);
5208 ret = GetSecurityDescriptorGroup(sd, &sid, &defaulted);
5209 ok(ret, "GetSecurityDescriptorGroup error %d\n", GetLastError());
5210 todo_wine
5211 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5212 ok(defaulted == 0, "defaulted is set to TRUE\n");
5213 }
5214
5215 static void test_default_handle_security(HANDLE token, HANDLE handle, GENERIC_MAPPING *mapping)
5216 {
5217 DWORD ret, granted, priv_set_len;
5218 BOOL status;
5219 PRIVILEGE_SET priv_set;
5220 SECURITY_DESCRIPTOR *sd;
5221
5222 sd = test_get_security_descriptor(handle, __LINE__);
5223 validate_default_security_descriptor(sd);
5224
5225 priv_set_len = sizeof(priv_set);
5226 granted = 0xdeadbeef;
5227 status = 0xdeadbeef;
5228 SetLastError(0xdeadbeef);
5229 ret = AccessCheck(sd, token, MAXIMUM_ALLOWED, mapping, &priv_set, &priv_set_len, &granted, &status);
5230 todo_wine {
5231 ok(ret, "AccessCheck error %d\n", GetLastError());
5232 ok(status == 1, "expected 1, got %d\n", status);
5233 ok(granted == mapping->GenericAll, "expected all access %#x, got %#x\n", mapping->GenericAll, granted);
5234 }
5235 priv_set_len = sizeof(priv_set);
5236 granted = 0xdeadbeef;
5237 status = 0xdeadbeef;
5238 SetLastError(0xdeadbeef);
5239 ret = AccessCheck(sd, token, 0, mapping, &priv_set, &priv_set_len, &granted, &status);
5240 todo_wine {
5241 ok(ret, "AccessCheck error %d\n", GetLastError());
5242 ok(status == 0 || broken(status == 1) /* NT4 */, "expected 0, got %d\n", status);
5243 ok(granted == 0 || broken(granted == mapping->GenericRead) /* NT4 */, "expected 0, got %#x\n", granted);
5244 }
5245 priv_set_len = sizeof(priv_set);
5246 granted = 0xdeadbeef;
5247 status = 0xdeadbeef;
5248 SetLastError(0xdeadbeef);
5249 ret = AccessCheck(sd, token, ACCESS_SYSTEM_SECURITY, mapping, &priv_set, &priv_set_len, &granted, &status);
5250 todo_wine {
5251 ok(ret, "AccessCheck error %d\n", GetLastError());
5252 ok(status == 0, "expected 0, got %d\n", status);
5253 ok(granted == 0, "expected 0, got %#x\n", granted);
5254 }
5255 priv_set_len = sizeof(priv_set);
5256 granted = 0xdeadbeef;
5257 status = 0xdeadbeef;
5258 SetLastError(0xdeadbeef);
5259 ret = AccessCheck(sd, token, mapping->GenericRead, mapping, &priv_set, &priv_set_len, &granted, &status);
5260 todo_wine {
5261 ok(ret, "AccessCheck error %d\n", GetLastError());
5262 ok(status == 1, "expected 1, got %d\n", status);
5263 ok(granted == mapping->GenericRead, "expected read access %#x, got %#x\n", mapping->GenericRead, granted);
5264 }
5265 priv_set_len = sizeof(priv_set);
5266 granted = 0xdeadbeef;
5267 status = 0xdeadbeef;
5268 SetLastError(0xdeadbeef);
5269 ret = AccessCheck(sd, token, mapping->GenericWrite, mapping, &priv_set, &priv_set_len, &granted, &status);
5270 todo_wine {
5271 ok(ret, "AccessCheck error %d\n", GetLastError());
5272 ok(status == 1, "expected 1, got %d\n", status);
5273 ok(granted == mapping->GenericWrite, "expected write access %#x, got %#x\n", mapping->GenericWrite, granted);
5274 }
5275 priv_set_len = sizeof(priv_set);
5276 granted = 0xdeadbeef;
5277 status = 0xdeadbeef;
5278 SetLastError(0xdeadbeef);
5279 ret = AccessCheck(sd, token, mapping->GenericExecute, mapping, &priv_set, &priv_set_len, &granted, &status);
5280 todo_wine {
5281 ok(ret, "AccessCheck error %d\n", GetLastError());
5282 ok(status == 1, "expected 1, got %d\n", status);
5283 ok(granted == mapping->GenericExecute, "expected execute access %#x, got %#x\n", mapping->GenericExecute, granted);
5284 }
5285 HeapFree(GetProcessHeap(), 0, sd);
5286 }
5287
5288 static ACCESS_MASK get_obj_access(HANDLE obj)
5289 {
5290 OBJECT_BASIC_INFORMATION info;
5291 NTSTATUS status;
5292
5293 if (!pNtQueryObject) return 0;
5294
5295 status = pNtQueryObject(obj, ObjectBasicInformation, &info, sizeof(info), NULL);
5296 ok(!status, "NtQueryObject error %#x\n", status);
5297
5298 return info.GrantedAccess;
5299 }
5300
5301 static void test_mutex_security(HANDLE token)
5302 {
5303 DWORD ret, i, access;
5304 HANDLE mutex, dup;
5305 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE | SYNCHRONIZE,
5306 STANDARD_RIGHTS_WRITE | MUTEX_MODIFY_STATE | SYNCHRONIZE,
5307 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5308 STANDARD_RIGHTS_ALL | MUTEX_ALL_ACCESS };
5309 static const struct
5310 {
5311 int generic, mapped;
5312 } map[] =
5313 {
5314 { 0, 0 },
5315 { GENERIC_READ, STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE },
5316 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE },
5317 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5318 { GENERIC_ALL, STANDARD_RIGHTS_ALL | MUTANT_QUERY_STATE }
5319 };
5320
5321 SetLastError(0xdeadbeef);
5322 mutex = OpenMutexA(0, FALSE, "WineTestMutex");
5323 ok(!mutex, "mutex should not exist\n");
5324 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5325
5326 SetLastError(0xdeadbeef);
5327 mutex = CreateMutexA(NULL, FALSE, "WineTestMutex");
5328 ok(mutex != 0, "CreateMutex error %d\n", GetLastError());
5329
5330 access = get_obj_access(mutex);
5331 ok(access == MUTANT_ALL_ACCESS, "expected MUTANT_ALL_ACCESS, got %#x\n", access);
5332
5333 for (i = 0; i < ARRAY_SIZE(map); i++)
5334 {
5335 SetLastError( 0xdeadbeef );
5336 ret = DuplicateHandle(GetCurrentProcess(), mutex, GetCurrentProcess(), &dup,
5337 map[i].generic, FALSE, 0);
5338 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5339
5340 access = get_obj_access(dup);
5341 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5342
5343 CloseHandle(dup);
5344
5345 SetLastError(0xdeadbeef);
5346 dup = OpenMutexA(0, FALSE, "WineTestMutex");
5347 todo_wine
5348 ok(!dup, "OpenMutex should fail\n");
5349 todo_wine
5350 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5351 }
5352
5353 test_default_handle_security(token, mutex, &mapping);
5354
5355 CloseHandle (mutex);
5356 }
5357
5358 static void test_event_security(HANDLE token)
5359 {
5360 DWORD ret, i, access;
5361 HANDLE event, dup;
5362 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | EVENT_QUERY_STATE | SYNCHRONIZE,
5363 STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE | SYNCHRONIZE,
5364 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5365 STANDARD_RIGHTS_ALL | EVENT_ALL_ACCESS };
5366 static const struct
5367 {
5368 int generic, mapped;
5369 } map[] =
5370 {
5371 { 0, 0 },
5372 { GENERIC_READ, STANDARD_RIGHTS_READ | EVENT_QUERY_STATE },
5373 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE },
5374 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5375 { GENERIC_ALL, STANDARD_RIGHTS_ALL | EVENT_QUERY_STATE | EVENT_MODIFY_STATE }
5376 };
5377
5378 SetLastError(0xdeadbeef);
5379 event = OpenEventA(0, FALSE, "WineTestEvent");
5380 ok(!event, "event should not exist\n");
5381 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5382
5383 SetLastError(0xdeadbeef);
5384 event = CreateEventA(NULL, FALSE, FALSE, "WineTestEvent");
5385 ok(event != 0, "CreateEvent error %d\n", GetLastError());
5386
5387 access = get_obj_access(event);
5388 ok(access == EVENT_ALL_ACCESS, "expected EVENT_ALL_ACCESS, got %#x\n", access);
5389
5390 for (i = 0; i < ARRAY_SIZE(map); i++)
5391 {
5392 SetLastError( 0xdeadbeef );
5393 ret = DuplicateHandle(GetCurrentProcess(), event, GetCurrentProcess(), &dup,
5394 map[i].generic, FALSE, 0);
5395 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5396
5397 access = get_obj_access(dup);
5398 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5399
5400 CloseHandle(dup);
5401
5402 SetLastError(0xdeadbeef);
5403 dup = OpenEventA(0, FALSE, "WineTestEvent");
5404 todo_wine
5405 ok(!dup, "OpenEvent should fail\n");
5406 todo_wine
5407 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5408 }
5409
5410 test_default_handle_security(token, event, &mapping);
5411
5412 CloseHandle(event);
5413 }
5414
5415 static void test_semaphore_security(HANDLE token)
5416 {
5417 DWORD ret, i, access;
5418 HANDLE sem, dup;
5419 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE,
5420 STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE,
5421 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5422 STANDARD_RIGHTS_ALL | SEMAPHORE_ALL_ACCESS };
5423 static const struct
5424 {
5425 int generic, mapped;
5426 } map[] =
5427 {
5428 { 0, 0 },
5429 { GENERIC_READ, STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE },
5430 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE },
5431 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5432 { GENERIC_ALL, STANDARD_RIGHTS_ALL | SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE }
5433 };
5434
5435 SetLastError(0xdeadbeef);
5436 sem = OpenSemaphoreA(0, FALSE, "WineTestSemaphore");
5437 ok(!sem, "semaphore should not exist\n");
5438 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5439
5440 SetLastError(0xdeadbeef);
5441 sem = CreateSemaphoreA(NULL, 0, 10, "WineTestSemaphore");
5442 ok(sem != 0, "CreateSemaphore error %d\n", GetLastError());
5443
5444 access = get_obj_access(sem);
5445 ok(access == SEMAPHORE_ALL_ACCESS, "expected SEMAPHORE_ALL_ACCESS, got %#x\n", access);
5446
5447 for (i = 0; i < ARRAY_SIZE(map); i++)
5448 {
5449 SetLastError( 0xdeadbeef );
5450 ret = DuplicateHandle(GetCurrentProcess(), sem, GetCurrentProcess(), &dup,
5451 map[i].generic, FALSE, 0);
5452 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5453
5454 access = get_obj_access(dup);
5455 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5456
5457 CloseHandle(dup);
5458 }
5459
5460 test_default_handle_security(token, sem, &mapping);
5461
5462 CloseHandle(sem);
5463 }
5464
5465 #define WINE_TEST_PIPE "\\\\.\\pipe\\WineTestPipe"
5466 static void test_named_pipe_security(HANDLE token)
5467 {
5468 DWORD ret, i, access;
5469 HANDLE pipe, file, dup;
5470 GENERIC_MAPPING mapping = { FILE_GENERIC_READ,
5471 FILE_GENERIC_WRITE,
5472 FILE_GENERIC_EXECUTE,
5473 STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS };
5474 static const struct
5475 {
5476 int todo, generic, mapped;
5477 } map[] =
5478 {
5479 { 0, 0, 0 },
5480 { 1, GENERIC_READ, FILE_GENERIC_READ },
5481 { 1, GENERIC_WRITE, FILE_GENERIC_WRITE },
5482 { 1, GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5483 { 1, GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5484 };
5485 static const struct
5486 {
5487 DWORD open_mode;
5488 DWORD access;
5489 } creation_access[] =
5490 {
5491 { PIPE_ACCESS_INBOUND, FILE_GENERIC_READ },
5492 { PIPE_ACCESS_OUTBOUND, FILE_GENERIC_WRITE },
5493 { PIPE_ACCESS_DUPLEX, FILE_GENERIC_READ|FILE_GENERIC_WRITE },
5494 { PIPE_ACCESS_INBOUND|WRITE_DAC, FILE_GENERIC_READ|WRITE_DAC },
5495 { PIPE_ACCESS_INBOUND|WRITE_OWNER, FILE_GENERIC_READ|WRITE_OWNER }
5496 /* ACCESS_SYSTEM_SECURITY is also valid, but will fail with ERROR_PRIVILEGE_NOT_HELD */
5497 };
5498
5499 /* Test the different security access options for pipes */
5500 for (i = 0; i < ARRAY_SIZE(creation_access); i++)
5501 {
5502 SetLastError(0xdeadbeef);
5503 pipe = CreateNamedPipeA(WINE_TEST_PIPE, creation_access[i].open_mode,
5504 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES, 0, 0,
5505 NMPWAIT_USE_DEFAULT_WAIT, NULL);
5506 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe(0x%x) error %d\n",
5507 creation_access[i].open_mode, GetLastError());
5508 access = get_obj_access(pipe);
5509 ok(access == creation_access[i].access,
5510 "CreateNamedPipeA(0x%x) pipe expected access 0x%x (got 0x%x)\n",
5511 creation_access[i].open_mode, creation_access[i].access, access);
5512 CloseHandle(pipe);
5513 }
5514
5515 SetLastError(0xdeadbeef);
5516 pipe = CreateNamedPipeA(WINE_TEST_PIPE, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
5517 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES,
5518 0, 0, NMPWAIT_USE_DEFAULT_WAIT, NULL);
5519 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe error %d\n", GetLastError());
5520
5521 test_default_handle_security(token, pipe, &mapping);
5522
5523 SetLastError(0xdeadbeef);
5524 file = CreateFileA(WINE_TEST_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
5525 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5526
5527 access = get_obj_access(file);
5528 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5529
5530 for (i = 0; i < ARRAY_SIZE(map); i++)
5531 {
5532 SetLastError( 0xdeadbeef );
5533 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5534 map[i].generic, FALSE, 0);
5535 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5536
5537 access = get_obj_access(dup);
5538 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5539
5540 CloseHandle(dup);
5541 }
5542
5543 CloseHandle(file);
5544 CloseHandle(pipe);
5545
5546 SetLastError(0xdeadbeef);
5547 file = CreateFileA("\\\\.\\pipe\\", FILE_ALL_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0);
5548 ok(file != INVALID_HANDLE_VALUE || broken(file == INVALID_HANDLE_VALUE) /* before Vista */, "CreateFile error %d\n", GetLastError());
5549
5550 if (file != INVALID_HANDLE_VALUE)
5551 {
5552 access = get_obj_access(file);
5553 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5554
5555 for (i = 0; i < ARRAY_SIZE(map); i++)
5556 {
5557 SetLastError( 0xdeadbeef );
5558 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5559 map[i].generic, FALSE, 0);
5560 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5561
5562 access = get_obj_access(dup);
5563 todo_wine_if (map[i].todo)
5564 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5565
5566 CloseHandle(dup);
5567 }
5568 }
5569
5570 CloseHandle(file);
5571 }
5572
5573 static void test_file_security(HANDLE token)
5574 {
5575 DWORD ret, i, access, bytes;
5576 HANDLE file, dup;
5577 static const struct
5578 {
5579 int generic, mapped;
5580 } map[] =
5581 {
5582 { 0, 0 },
5583 { GENERIC_READ, FILE_GENERIC_READ },
5584 { GENERIC_WRITE, FILE_GENERIC_WRITE },
5585 { GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5586 { GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5587 };
5588 char temp_path[MAX_PATH];
5589 char file_name[MAX_PATH];
5590 char buf[16];
5591
5592 GetTempPathA(MAX_PATH, temp_path);
5593 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5594
5595 /* file */
5596 SetLastError(0xdeadbeef);
5597 file = CreateFileA(file_name, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
5598 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5599
5600 access = get_obj_access(file);
5601 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5602
5603 for (i = 0; i < ARRAY_SIZE(map); i++)
5604 {
5605 SetLastError( 0xdeadbeef );
5606 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5607 map[i].generic, FALSE, 0);
5608 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5609
5610 access = get_obj_access(dup);
5611 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5612
5613 CloseHandle(dup);
5614 }
5615
5616 CloseHandle(file);
5617
5618 SetLastError(0xdeadbeef);
5619 file = CreateFileA(file_name, 0, 0, NULL, OPEN_EXISTING, 0, NULL);
5620 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5621
5622 access = get_obj_access(file);
5623 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5624
5625 bytes = 0xdeadbeef;
5626 SetLastError(0xdeadbeef);
5627 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5628 ok(!ret, "ReadFile should fail\n");
5629 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5630 ok(bytes == 0, "expected 0, got %u\n", bytes);
5631
5632 CloseHandle(file);
5633
5634 SetLastError(0xdeadbeef);
5635 file = CreateFileA(file_name, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, 0);
5636 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5637
5638 access = get_obj_access(file);
5639 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5640
5641 bytes = 0xdeadbeef;
5642 SetLastError(0xdeadbeef);
5643 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5644 ok(!ret, "ReadFile should fail\n");
5645 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5646 ok(bytes == 0, "expected 0, got %u\n", bytes);
5647
5648 CloseHandle(file);
5649 DeleteFileA(file_name);
5650
5651 /* directory */
5652 SetLastError(0xdeadbeef);
5653 file = CreateFileA(temp_path, GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5654 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5655
5656 access = get_obj_access(file);
5657 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5658
5659 for (i = 0; i < ARRAY_SIZE(map); i++)
5660 {
5661 SetLastError( 0xdeadbeef );
5662 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5663 map[i].generic, FALSE, 0);
5664 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5665
5666 access = get_obj_access(dup);
5667 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5668
5669 CloseHandle(dup);
5670 }
5671
5672 CloseHandle(file);
5673
5674 SetLastError(0xdeadbeef);
5675 file = CreateFileA(temp_path, 0, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5676 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5677
5678 access = get_obj_access(file);
5679 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5680
5681 CloseHandle(file);
5682
5683 SetLastError(0xdeadbeef);
5684 file = CreateFileA(temp_path, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5685 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5686
5687 access = get_obj_access(file);
5688 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5689
5690 CloseHandle(file);
5691 }
5692
5693 static void test_filemap_security(void)
5694 {
5695 char temp_path[MAX_PATH];
5696 char file_name[MAX_PATH];
5697 DWORD ret, i, access;
5698 HANDLE file, mapping, dup, created_mapping;
5699 static const struct
5700 {
5701 int generic, mapped;
5702 BOOL open_only;
5703 } map[] =
5704 {
5705 { 0, 0 },
5706 { GENERIC_READ, STANDARD_RIGHTS_READ | SECTION_QUERY | SECTION_MAP_READ },
5707 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SECTION_MAP_WRITE },
5708 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SECTION_MAP_EXECUTE },
5709 { GENERIC_ALL, STANDARD_RIGHTS_REQUIRED | SECTION_ALL_ACCESS },
5710 { SECTION_MAP_READ | SECTION_MAP_WRITE, SECTION_MAP_READ | SECTION_MAP_WRITE },
5711 { SECTION_MAP_WRITE, SECTION_MAP_WRITE },
5712 { SECTION_MAP_READ | SECTION_QUERY, SECTION_MAP_READ | SECTION_QUERY },
5713 { SECTION_QUERY, SECTION_MAP_READ, TRUE },
5714 { SECTION_QUERY | SECTION_MAP_READ, SECTION_QUERY | SECTION_MAP_READ }
5715 };
5716 static const struct
5717 {
5718 int prot, mapped;
5719 } prot_map[] =
5720 {
5721 { 0, 0 },
5722 { PAGE_NOACCESS, 0 },
5723 { PAGE_READONLY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5724 { PAGE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE },
5725 { PAGE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5726 { PAGE_EXECUTE, 0 },
5727 { PAGE_EXECUTE_READ, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE },
5728 { PAGE_EXECUTE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE },
5729 { PAGE_EXECUTE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE }
5730 };
5731
5732 GetTempPathA(MAX_PATH, temp_path);
5733 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5734
5735 SetLastError(0xdeadbeef);
5736 file = CreateFileA(file_name, GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE, 0, NULL, CREATE_ALWAYS, 0, 0);
5737 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5738 SetFilePointer(file, 4096, NULL, FILE_BEGIN);
5739 SetEndOfFile(file);
5740
5741 for (i = 0; i < ARRAY_SIZE(prot_map); i++)
5742 {
5743 if (map[i].open_only) continue;
5744
5745 SetLastError(0xdeadbeef);
5746 mapping = CreateFileMappingW(file, NULL, prot_map[i].prot, 0, 4096, NULL);
5747 if (prot_map[i].mapped)
5748 {
5749 if (!mapping)
5750 {
5751 /* NT4 and win2k don't support EXEC on file mappings */
5752 if (prot_map[i].prot == PAGE_EXECUTE_READ || prot_map[i].prot == PAGE_EXECUTE_READWRITE || prot_map[i].prot == PAGE_EXECUTE_WRITECOPY)
5753 {
5754 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5755 continue;
5756 }
5757 }
5758 ok(mapping != 0, "CreateFileMapping(%04x) error %d\n", prot_map[i].prot, GetLastError());
5759 }
5760 else
5761 {
5762 ok(!mapping, "CreateFileMapping(%04x) should fail\n", prot_map[i].prot);
5763 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
5764 continue;
5765 }
5766
5767 access = get_obj_access(mapping);
5768 ok(access == prot_map[i].mapped, "%d: expected %#x, got %#x\n", i, prot_map[i].mapped, access);
5769
5770 CloseHandle(mapping);
5771 }
5772
5773 SetLastError(0xdeadbeef);
5774 mapping = CreateFileMappingW(file, NULL, PAGE_EXECUTE_READWRITE, 0, 4096, NULL);
5775 if (!mapping)
5776 {
5777 /* NT4 and win2k don't support EXEC on file mappings */
5778 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5779 CloseHandle(file);
5780 DeleteFileA(file_name);
5781 return;
5782 }
5783 ok(mapping != 0, "CreateFileMapping error %d\n", GetLastError());
5784
5785 access = get_obj_access(mapping);
5786 ok(access == (STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE),
5787 "expected STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, got %#x\n", access);
5788
5789 for (i = 0; i < ARRAY_SIZE(map); i++)
5790 {
5791 if (map[i].open_only) continue;
5792
5793 SetLastError( 0xdeadbeef );
5794 ret = DuplicateHandle(GetCurrentProcess(), mapping, GetCurrentProcess(), &dup,
5795 map[i].generic, FALSE, 0);
5796 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5797
5798 access = get_obj_access(dup);
5799 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5800
5801 CloseHandle(dup);
5802 }
5803
5804 CloseHandle(mapping);
5805 CloseHandle(file);
5806 DeleteFileA(file_name);
5807
5808 created_mapping = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000,
5809 "Wine Test Open Mapping");
5810 ok(created_mapping != NULL, "CreateFileMapping failed with error %u\n", GetLastError());
5811
5812 for (i = 0; i < ARRAY_SIZE(map); i++)
5813 {
5814 if (!map[i].generic) continue;
5815
5816 mapping = OpenFileMappingA(map[i].generic, FALSE, "Wine Test Open Mapping");
5817 ok(mapping != NULL, "OpenFileMapping failed with error %d\n", GetLastError());
5818 access = get_obj_access(mapping);
5819 ok(access == map[i].mapped, "%d: unexpected access flags %#x, expected %#x\n",
5820 i, access, map[i].mapped);
5821 CloseHandle(mapping);
5822 }
5823
5824 CloseHandle(created_mapping);
5825 }
5826
5827 static void test_thread_security(void)
5828 {
5829 DWORD ret, i, access;
5830 HANDLE thread, dup;
5831 static const struct
5832 {
5833 int generic, mapped;
5834 } map[] =
5835 {
5836 { 0, 0 },
5837 { GENERIC_READ, STANDARD_RIGHTS_READ | THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT },
5838 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | THREAD_SET_INFORMATION | THREAD_SET_CONTEXT | THREAD_TERMINATE | THREAD_SUSPEND_RESUME | 0x4 },
5839 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5840 { GENERIC_ALL, THREAD_ALL_ACCESS_NT4 }
5841 };
5842
5843 SetLastError(0xdeadbeef);
5844 thread = CreateThread(NULL, 0, (void *)0xdeadbeef, NULL, CREATE_SUSPENDED, &ret);
5845 ok(thread != 0, "CreateThread error %d\n", GetLastError());
5846
5847 access = get_obj_access(thread);
5848 ok(access == THREAD_ALL_ACCESS_NT4 || access == THREAD_ALL_ACCESS_VISTA, "expected THREAD_ALL_ACCESS, got %#x\n", access);
5849
5850 for (i = 0; i < ARRAY_SIZE(map); i++)
5851 {
5852 SetLastError( 0xdeadbeef );
5853 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5854 map[i].generic, FALSE, 0);
5855 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5856
5857 access = get_obj_access(dup);
5858 switch (map[i].generic)
5859 {
5860 case GENERIC_READ:
5861 case GENERIC_EXECUTE:
5862 ok(access == map[i].mapped ||
5863 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5864 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5865 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5866 break;
5867 case GENERIC_WRITE:
5868 todo_wine
5869 ok(access == map[i].mapped ||
5870 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION) /* Vista+ */ ||
5871 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5872 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5873 break;
5874 case GENERIC_ALL:
5875 ok(access == map[i].mapped || access == THREAD_ALL_ACCESS_VISTA,
5876 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5877 break;
5878 default:
5879 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5880 break;
5881 }
5882
5883 CloseHandle(dup);
5884 }
5885
5886 SetLastError( 0xdeadbeef );
5887 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5888 THREAD_QUERY_INFORMATION, FALSE, 0);
5889 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5890 access = get_obj_access(dup);
5891 ok(access == (THREAD_QUERY_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5892 access == THREAD_QUERY_INFORMATION /* before Vista */,
5893 "expected THREAD_QUERY_INFORMATION|THREAD_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5894 CloseHandle(dup);
5895
5896 TerminateThread(thread, 0);
5897 CloseHandle(thread);
5898 }
5899
5900 static void test_process_access(void)
5901 {
5902 DWORD ret, i, access;
5903 HANDLE process, dup;
5904 STARTUPINFOA sti;
5905 PROCESS_INFORMATION pi;
5906 char cmdline[] = "winver.exe";
5907 static const struct
5908 {
5909 int generic, mapped;
5910 } map[] =
5911 {
5912 { 0, 0 },
5913 { GENERIC_READ, STANDARD_RIGHTS_READ | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
5914 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME |
5915 PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION },
5916 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5917 { GENERIC_ALL, PROCESS_ALL_ACCESS_NT4 }
5918 };
5919
5920 memset(&sti, 0, sizeof(sti));
5921 sti.cb = sizeof(sti);
5922 SetLastError(0xdeadbeef);
5923 ret = CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sti, &pi);
5924 ok(ret, "CreateProcess() error %d\n", GetLastError());
5925
5926 CloseHandle(pi.hThread);
5927 process = pi.hProcess;
5928
5929 access = get_obj_access(process);
5930 ok(access == PROCESS_ALL_ACCESS_NT4 || access == PROCESS_ALL_ACCESS_VISTA, "expected PROCESS_ALL_ACCESS, got %#x\n", access);
5931
5932 for (i = 0; i < ARRAY_SIZE(map); i++)
5933 {
5934 SetLastError( 0xdeadbeef );
5935 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5936 map[i].generic, FALSE, 0);
5937 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5938
5939 access = get_obj_access(dup);
5940 switch (map[i].generic)
5941 {
5942 case GENERIC_READ:
5943 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */,
5944 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5945 break;
5946 case GENERIC_WRITE:
5947 ok(access == map[i].mapped ||
5948 access == (map[i].mapped | PROCESS_TERMINATE) /* before Vista */ ||
5949 access == (map[i].mapped | PROCESS_SET_LIMITED_INFORMATION) /* win8 */ ||
5950 access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION) /* Win10 Anniversary Update */,
5951 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5952 break;
5953 case GENERIC_EXECUTE:
5954 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE) /* Vista+ */,
5955 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5956 break;
5957 case GENERIC_ALL:
5958 ok(access == map[i].mapped || access == PROCESS_ALL_ACCESS_VISTA,
5959 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5960 break;
5961 default:
5962 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5963 break;
5964 }
5965
5966 CloseHandle(dup);
5967 }
5968
5969 SetLastError( 0xdeadbeef );
5970 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5971 PROCESS_QUERY_INFORMATION, FALSE, 0);
5972 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5973 access = get_obj_access(dup);
5974 ok(access == (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5975 access == PROCESS_QUERY_INFORMATION /* before Vista */,
5976 "expected PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5977 CloseHandle(dup);
5978
5979 TerminateProcess(process, 0);
5980 CloseHandle(process);
5981 }
5982
5983 static BOOL validate_impersonation_token(HANDLE token, DWORD *token_type)
5984 {
5985 DWORD ret, needed;
5986 TOKEN_TYPE type;
5987 SECURITY_IMPERSONATION_LEVEL sil;
5988
5989 type = 0xdeadbeef;
5990 needed = 0;
5991 SetLastError(0xdeadbeef);
5992 ret = GetTokenInformation(token, TokenType, &type, sizeof(type), &needed);
5993 ok(ret, "GetTokenInformation error %d\n", GetLastError());
5994 ok(needed == sizeof(type), "GetTokenInformation should return required buffer length\n");
5995 ok(type == TokenPrimary || type == TokenImpersonation, "expected TokenPrimary or TokenImpersonation, got %d\n", type);
5996
5997 *token_type = type;
5998 if (type != TokenImpersonation) return FALSE;
5999
6000 needed = 0;
6001 SetLastError(0xdeadbeef);
6002 ret = GetTokenInformation(token, TokenImpersonationLevel, &sil, sizeof(sil), &needed);
6003 ok(ret, "GetTokenInformation error %d\n", GetLastError());
6004 ok(needed == sizeof(sil), "GetTokenInformation should return required buffer length\n");
6005 ok(sil == SecurityImpersonation, "expected SecurityImpersonation, got %d\n", sil);
6006
6007 needed = 0xdeadbeef;
6008 SetLastError(0xdeadbeef);
6009 ret = GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &needed);
6010 ok(!ret, "GetTokenInformation should fail\n");
6011 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6012 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
6013 ok(needed > sizeof(TOKEN_DEFAULT_DACL), "GetTokenInformation returned empty default DACL\n");
6014
6015 needed = 0xdeadbeef;
6016 SetLastError(0xdeadbeef);
6017 ret = GetTokenInformation(token, TokenOwner, NULL, 0, &needed);
6018 ok(!ret, "GetTokenInformation should fail\n");
6019 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6020 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
6021 ok(needed > sizeof(TOKEN_OWNER), "GetTokenInformation returned empty token owner\n");
6022
6023 needed = 0xdeadbeef;
6024 SetLastError(0xdeadbeef);
6025 ret = GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &needed);
6026 ok(!ret, "GetTokenInformation should fail\n");
6027 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6028 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
6029 ok(needed > sizeof(TOKEN_PRIMARY_GROUP), "GetTokenInformation returned empty token primary group\n");
6030
6031 return TRUE;
6032 }
6033
6034 static void test_kernel_objects_security(void)
6035 {
6036 HANDLE token, process_token;
6037 DWORD ret, token_type;
6038
6039 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &process_token);
6040 ok(ret, "OpenProcessToken error %d\n", GetLastError());
6041
6042 ret = validate_impersonation_token(process_token, &token_type);
6043 ok(token_type == TokenPrimary, "expected TokenPrimary, got %d\n", token_type);
6044 ok(!ret, "access token should not be an impersonation token\n");
6045
6046 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
6047 ok(ret, "DuplicateToken error %d\n", GetLastError());
6048
6049 ret = validate_impersonation_token(token, &token_type);
6050 ok(ret, "access token should be a valid impersonation token\n");
6051 ok(token_type == TokenImpersonation, "expected TokenImpersonation, got %d\n", token_type);
6052
6053 test_mutex_security(token);
6054 test_event_security(token);
6055 test_named_pipe_security(token);
6056 test_semaphore_security(token);
6057 test_file_security(token);
6058 test_filemap_security();
6059 test_thread_security();
6060 test_process_access();
6061 /* FIXME: test other kernel object types */
6062
6063 CloseHandle(process_token);
6064 CloseHandle(token);
6065 }
6066
6067 static void test_TokenIntegrityLevel(void)
6068 {
6069 TOKEN_MANDATORY_LABEL *tml;
6070 BYTE buffer[64]; /* using max. 28 byte in win7 x64 */
6071 HANDLE token;
6072 DWORD size;
6073 DWORD res;
6074 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6075 {SECURITY_MANDATORY_HIGH_RID}};
6076 static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6077 {SECURITY_MANDATORY_MEDIUM_RID}};
6078
6079 SetLastError(0xdeadbeef);
6080 res = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
6081 ok(res, "got %d with %d (expected TRUE)\n", res, GetLastError());
6082
6083 SetLastError(0xdeadbeef);
6084 res = GetTokenInformation(token, TokenIntegrityLevel, buffer, sizeof(buffer), &size);
6085
6086 /* not supported before Vista */
6087 if (!res && ((GetLastError() == ERROR_INVALID_PARAMETER) || GetLastError() == ERROR_INVALID_FUNCTION))
6088 {
6089 win_skip("TokenIntegrityLevel not supported\n");
6090 CloseHandle(token);
6091 return;
6092 }
6093
6094 ok(res, "got %u with %u (expected TRUE)\n", res, GetLastError());
6095 if (!res)
6096 {
6097 CloseHandle(token);
6098 return;
6099 }
6100
6101 tml = (TOKEN_MANDATORY_LABEL*) buffer;
6102 ok(tml->Label.Attributes == (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED),
6103 "got 0x%x (expected 0x%x)\n", tml->Label.Attributes, (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED));
6104
6105 ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
6106 "got %s (expected %s or %s)\n", debugstr_sid(tml->Label.Sid),
6107 debugstr_sid(&medium_level), debugstr_sid(&high_level));
6108
6109 CloseHandle(token);
6110 }
6111
6112 static void test_default_dacl_owner_sid(void)
6113 {
6114 HANDLE handle;
6115 BOOL ret, defaulted, present, found;
6116 DWORD size, index;
6117 SECURITY_DESCRIPTOR *sd;
6118 SECURITY_ATTRIBUTES sa;
6119 PSID owner;
6120 ACL *dacl;
6121 ACCESS_ALLOWED_ACE *ace;
6122
6123 sd = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
6124 ret = InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION );
6125 ok( ret, "error %u\n", GetLastError() );
6126
6127 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6128 sa.lpSecurityDescriptor = sd;
6129 sa.bInheritHandle = FALSE;
6130 handle = CreateEventA( &sa, TRUE, TRUE, "test_event" );
6131 ok( handle != NULL, "error %u\n", GetLastError() );
6132
6133 size = 0;
6134 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, NULL, 0, &size );
6135 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "error %u\n", GetLastError() );
6136
6137 sd = HeapAlloc( GetProcessHeap(), 0, size );
6138 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, sd, size, &size );
6139 ok( ret, "error %u\n", GetLastError() );
6140
6141 owner = (void *)0xdeadbeef;
6142 defaulted = TRUE;
6143 ret = GetSecurityDescriptorOwner( sd, &owner, &defaulted );
6144 ok( ret, "error %u\n", GetLastError() );
6145 ok( owner != (void *)0xdeadbeef, "owner not set\n" );
6146 ok( !defaulted, "owner defaulted\n" );
6147
6148 dacl = (void *)0xdeadbeef;
6149 present = FALSE;
6150 defaulted = TRUE;
6151 ret = GetSecurityDescriptorDacl( sd, &present, &dacl, &defaulted );
6152 ok( ret, "error %u\n", GetLastError() );
6153 ok( present, "dacl not present\n" );
6154 ok( dacl != (void *)0xdeadbeef, "dacl not set\n" );
6155 ok( !defaulted, "dacl defaulted\n" );
6156
6157 index = 0;
6158 found = FALSE;
6159 while (pGetAce( dacl, index++, (void **)&ace ))
6160 {
6161 if (EqualSid( &ace->SidStart, owner )) found = TRUE;
6162 }
6163 ok( found, "owner sid not found in dacl\n" );
6164
6165 HeapFree( GetProcessHeap(), 0, sa.lpSecurityDescriptor );
6166 HeapFree( GetProcessHeap(), 0, sd );
6167 CloseHandle( handle );
6168 }
6169
6170 static void test_AdjustTokenPrivileges(void)
6171 {
6172 TOKEN_PRIVILEGES tp;
6173 HANDLE token;
6174 DWORD len;
6175 LUID luid;
6176 BOOL ret;
6177
6178 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
6179 return;
6180
6181 if (!LookupPrivilegeValueA(NULL, SE_BACKUP_NAME, &luid))
6182 {
6183 CloseHandle(token);
6184 return;
6185 }
6186
6187 tp.PrivilegeCount = 1;
6188 tp.Privileges[0].Luid = luid;
6189 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6190
6191 len = 0xdeadbeef;
6192 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, &len);
6193 ok(ret, "got %d\n", ret);
6194 ok(len == 0xdeadbeef, "got length %d\n", len);
6195
6196 /* revert */
6197 tp.PrivilegeCount = 1;
6198 tp.Privileges[0].Luid = luid;
6199 tp.Privileges[0].Attributes = 0;
6200 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
6201 ok(ret, "got %d\n", ret);
6202
6203 CloseHandle(token);
6204 }
6205
6206 static void test_AddAce(void)
6207 {
6208 static SID const sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
6209
6210 char acl_buf[1024], ace_buf[256];
6211 ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE*)ace_buf;
6212 PACL acl = (PACL)acl_buf;
6213 BOOL ret;
6214
6215 memset(ace, 0, sizeof(ace_buf));
6216 ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
6217 ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD)+sizeof(SID);
6218 memcpy(&ace->SidStart, &sidWorld, sizeof(sidWorld));
6219
6220 ret = InitializeAcl(acl, sizeof(acl_buf), ACL_REVISION2);
6221 ok(ret, "InitializeAcl failed: %d\n", GetLastError());
6222
6223 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6224 ok(ret, "AddAce failed: %d\n", GetLastError());
6225 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6226 ok(ret, "AddAce failed: %d\n", GetLastError());
6227 ret = AddAce(acl, ACL_REVISION3, MAXDWORD, ace, ace->Header.AceSize);
6228 ok(ret, "AddAce failed: %d\n", GetLastError());
6229 ok(acl->AclRevision == ACL_REVISION3, "acl->AclRevision = %d\n", acl->AclRevision);
6230 ret = AddAce(acl, ACL_REVISION4, MAXDWORD, ace, ace->Header.AceSize);
6231 ok(ret, "AddAce failed: %d\n", GetLastError());
6232 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6233 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6234 ok(ret, "AddAce failed: %d\n", GetLastError());
6235 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6236 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6237 ok(ret, "AddAce failed: %d\n", GetLastError());
6238
6239 ret = AddAce(acl, MIN_ACL_REVISION-1, MAXDWORD, ace, ace->Header.AceSize);
6240 ok(ret, "AddAce failed: %d\n", GetLastError());
6241 /* next test succeededs but corrupts ACL */
6242 ret = AddAce(acl, MAX_ACL_REVISION+1, MAXDWORD, ace, ace->Header.AceSize);
6243 ok(ret, "AddAce failed: %d\n", GetLastError());
6244 ok(acl->AclRevision == MAX_ACL_REVISION+1, "acl->AclRevision = %d\n", acl->AclRevision);
6245 SetLastError(0xdeadbeef);
6246 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6247 ok(!ret, "AddAce succeeded\n");
6248 ok(GetLastError() == ERROR_INVALID_PARAMETER, "GetLastError() = %d\n", GetLastError());
6249 }
6250
6251 static void test_AddMandatoryAce(void)
6252 {
6253 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6254 {SECURITY_MANDATORY_LOW_RID}};
6255 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6256 {SECURITY_MANDATORY_MEDIUM_RID}};
6257 static SID_IDENTIFIER_AUTHORITY sia_world = {SECURITY_WORLD_SID_AUTHORITY};
6258 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6259 SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6260 BOOL defaulted, present, ret, found, found2;
6261 ACL_SIZE_INFORMATION acl_size_info;
6262 SYSTEM_MANDATORY_LABEL_ACE *ace;
6263 char buffer_acl[256];
6264 ACL *acl = (ACL *)&buffer_acl;
6265 SECURITY_ATTRIBUTES sa;
6266 DWORD index, size;
6267 HANDLE handle;
6268 SID *everyone;
6269 ACL *sacl;
6270
6271 if (!pAddMandatoryAce)
6272 {
6273 win_skip("AddMandatoryAce not supported, skipping test\n");
6274 return;
6275 }
6276
6277 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6278 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6279
6280 sa.nLength = sizeof(sa);
6281 sa.lpSecurityDescriptor = sd;
6282 sa.bInheritHandle = FALSE;
6283
6284 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6285 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6286
6287 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6288 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6289 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6290
6291 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6292 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6293 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6294
6295 sacl = (void *)0xdeadbeef;
6296 present = TRUE;
6297 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6298 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6299 ok(!present, "SACL is present\n");
6300 ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
6301
6302 HeapFree(GetProcessHeap(), 0, sd2);
6303 CloseHandle(handle);
6304
6305 memset(buffer_acl, 0, sizeof(buffer_acl));
6306 ret = InitializeAcl(acl, 256, ACL_REVISION);
6307 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6308
6309 SetLastError(0xdeadbeef);
6310 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, 0x1234, &low_level);
6311 ok(!ret, "AddMandatoryAce succeeded\n");
6312 ok(GetLastError() == ERROR_INVALID_PARAMETER,
6313 "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
6314
6315 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
6316 ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
6317
6318 index = 0;
6319 found = FALSE;
6320 while (pGetAce(acl, index++, (void **)&ace))
6321 {
6322 if (ace->Header.AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
6323 ok(ace->Header.AceFlags == 0, "Expected flags 0, got %x\n", ace->Header.AceFlags);
6324 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6325 "Expected mask SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, got %x\n", ace->Mask);
6326 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6327 found = TRUE;
6328 }
6329 ok(found, "Could not find mandatory label ace\n");
6330
6331 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6332 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6333
6334 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6335 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6336
6337 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6338 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6339 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6340
6341 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6342 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6343 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6344
6345 sacl = (void *)0xdeadbeef;
6346 present = FALSE;
6347 defaulted = TRUE;
6348 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6349 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6350 ok(present, "SACL not present\n");
6351 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6352 ok(!defaulted, "SACL defaulted\n");
6353 ret = pGetAclInformation(sacl, &acl_size_info, sizeof(acl_size_info), AclSizeInformation);
6354 ok(ret, "GetAclInformation failed with error %u\n", GetLastError());
6355 ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
6356
6357 ret = pGetAce(sacl, 0, (void **)&ace);
6358 ok(ret, "GetAce failed with error %u\n", GetLastError());
6359 ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6360 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6361 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6362 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6363
6364 HeapFree(GetProcessHeap(), 0, sd2);
6365
6366 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6367 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6368
6369 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6370 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6371
6372 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6373 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6374 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6375
6376 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6377 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6378 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6379
6380 sacl = (void *)0xdeadbeef;
6381 present = FALSE;
6382 defaulted = TRUE;
6383 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6384 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6385 ok(present, "SACL not present\n");
6386 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6387 ok(sacl->AceCount == 2, "Expected 2 ACEs, got %d\n", sacl->AceCount);
6388 ok(!defaulted, "SACL defaulted\n");
6389
6390 index = 0;
6391 found = found2 = FALSE;
6392 while (pGetAce(sacl, index++, (void **)&ace))
6393 {
6394 if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
6395 {
6396 if (EqualSid(&ace->SidStart, &low_level))
6397 {
6398 found = TRUE;
6399 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6400 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6401 "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as mask, got %#x\n", ace->Mask);
6402 }
6403 if (EqualSid(&ace->SidStart, &medium_level))
6404 {
6405 found2 = TRUE;
6406 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6407 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP,
6408 "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as mask, got %#x\n", ace->Mask);
6409 }
6410 }
6411 }
6412 ok(found, "Could not find low mandatory label\n");
6413 ok(found2, "Could not find medium mandatory label\n");
6414
6415 HeapFree(GetProcessHeap(), 0, sd2);
6416
6417 ret = SetSecurityDescriptorSacl(sd, FALSE, NULL, FALSE);
6418 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6419
6420 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6421 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6422
6423 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6424 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6425 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6426
6427 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6428 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6429 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6430
6431 sacl = (void *)0xdeadbeef;
6432 present = FALSE;
6433 defaulted = TRUE;
6434 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6435 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6436 ok(present, "SACL not present\n");
6437 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6438 ok(!defaulted, "SACL defaulted\n");
6439 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6440
6441 HeapFree(GetProcessHeap(), 0, sd2);
6442
6443 ret = InitializeAcl(acl, 256, ACL_REVISION);
6444 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6445
6446 ret = pAddMandatoryAce(acl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6447 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6448
6449 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6450 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6451
6452 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6453 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6454
6455 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6456 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6457 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6458
6459 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6460 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6461 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6462
6463 sacl = (void *)0xdeadbeef;
6464 present = FALSE;
6465 defaulted = TRUE;
6466 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6467 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6468 ok(present, "SACL not present\n");
6469 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6470 ok(sacl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sacl->AclRevision);
6471 ok(!defaulted, "SACL defaulted\n");
6472
6473 HeapFree(GetProcessHeap(), 0, sd2);
6474
6475 ret = InitializeAcl(acl, 256, ACL_REVISION);
6476 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6477
6478 ret = AllocateAndInitializeSid(&sia_world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (void **)&everyone);
6479 ok(ret, "AllocateAndInitializeSid failed with error %u\n", GetLastError());
6480
6481 ret = AddAccessAllowedAce(acl, ACL_REVISION, KEY_READ, everyone);
6482 ok(ret, "AddAccessAllowedAce failed with error %u\n", GetLastError());
6483
6484 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6485 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6486
6487 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6488 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6489
6490 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6491 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6492 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6493
6494 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6495 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6496 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6497
6498 sacl = (void *)0xdeadbeef;
6499 present = FALSE;
6500 defaulted = TRUE;
6501 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6502 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6503 ok(present, "SACL not present\n");
6504 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6505 ok(!defaulted, "SACL defaulted\n");
6506 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6507
6508 FreeSid(everyone);
6509 HeapFree(GetProcessHeap(), 0, sd2);
6510 CloseHandle(handle);
6511 }
6512
6513 static void test_system_security_access(void)
6514 {
6515 static const WCHAR testkeyW[] =
6516 {'S','O','F','T','W','A','R','E','\\','W','i','n','e','\\','S','A','C','L','t','e','s','t',0};
6517 LONG res;
6518 HKEY hkey;
6519 PSECURITY_DESCRIPTOR sd;
6520 ACL *sacl;
6521 DWORD err, len = 128;
6522 TOKEN_PRIVILEGES priv, *priv_prev;
6523 HANDLE token;
6524 LUID luid;
6525 BOOL ret;
6526
6527 if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token )) return;
6528 if (!LookupPrivilegeValueA( NULL, SE_SECURITY_NAME, &luid ))
6529 {
6530 CloseHandle( token );
6531 return;
6532 }
6533
6534 /* ACCESS_SYSTEM_SECURITY requires special privilege */
6535 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6536 if (res == ERROR_ACCESS_DENIED)
6537 {
6538 skip( "unprivileged user\n" );
6539 CloseHandle( token );
6540 return;
6541 }
6542 todo_wine ok( res == ERROR_PRIVILEGE_NOT_HELD, "got %d\n", res );
6543
6544 priv.PrivilegeCount = 1;
6545 priv.Privileges[0].Luid = luid;
6546 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6547
6548 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6549 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6550 ok( ret, "got %u\n", GetLastError());
6551
6552 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6553 if (res == ERROR_PRIVILEGE_NOT_HELD)
6554 {
6555 win_skip( "privilege not held\n" );
6556 HeapFree( GetProcessHeap(), 0, priv_prev );
6557 CloseHandle( token );
6558 return;
6559 }
6560 ok( !res, "got %d\n", res );
6561
6562 /* restore privileges */
6563 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6564 ok( ret, "got %u\n", GetLastError() );
6565 HeapFree( GetProcessHeap(), 0, priv_prev );
6566
6567 /* privilege is checked on access */
6568 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6569 todo_wine ok( err == ERROR_PRIVILEGE_NOT_HELD || err == ERROR_ACCESS_DENIED, "got %u\n", err );
6570 if (err == ERROR_SUCCESS)
6571 LocalFree( sd );
6572
6573 priv.PrivilegeCount = 1;
6574 priv.Privileges[0].Luid = luid;
6575 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6576
6577 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6578 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6579 ok( ret, "got %u\n", GetLastError());
6580
6581 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6582 ok( err == ERROR_SUCCESS, "got %u\n", err );
6583 RegCloseKey( hkey );
6584 LocalFree( sd );
6585
6586 /* handle created without ACCESS_SYSTEM_SECURITY, privilege held */
6587 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6588 ok( res == ERROR_SUCCESS, "got %d\n", res );
6589
6590 sd = NULL;
6591 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6592 todo_wine ok( err == ERROR_SUCCESS, "got %u\n", err );
6593 RegCloseKey( hkey );
6594 LocalFree( sd );
6595
6596 /* restore privileges */
6597 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6598 ok( ret, "got %u\n", GetLastError() );
6599 HeapFree( GetProcessHeap(), 0, priv_prev );
6600
6601 /* handle created without ACCESS_SYSTEM_SECURITY, privilege not held */
6602 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6603 ok( res == ERROR_SUCCESS, "got %d\n", res );
6604
6605 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6606 ok( err == ERROR_PRIVILEGE_NOT_HELD || err == ERROR_ACCESS_DENIED, "got %u\n", err );
6607 RegCloseKey( hkey );
6608
6609 res = RegDeleteKeyW( HKEY_LOCAL_MACHINE, testkeyW );
6610 ok( !res, "got %d\n", res );
6611 CloseHandle( token );
6612 }
6613
6614 static void test_GetWindowsAccountDomainSid(void)
6615 {
6616 char *user, buffer1[SECURITY_MAX_SID_SIZE], buffer2[SECURITY_MAX_SID_SIZE];
6617 SID_IDENTIFIER_AUTHORITY domain_ident = { SECURITY_NT_AUTHORITY };
6618 PSID domain_sid = (PSID *)&buffer1;
6619 PSID domain_sid2 = (PSID *)&buffer2;
6620 DWORD sid_size;
6621 PSID user_sid;
6622 HANDLE token;
6623 BOOL bret = TRUE;
6624 int i;
6625
6626 if (!pGetWindowsAccountDomainSid)
6627 {
6628 win_skip("GetWindowsAccountDomainSid not available\n");
6629 return;
6630 }
6631
6632 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
6633 {
6634 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
6635 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
6636 }
6637 if (!bret)
6638 {
6639 win_skip("Failed to get current user token\n");
6640 return;
6641 }
6642
6643 bret = GetTokenInformation(token, TokenUser, NULL, 0, &sid_size);
6644 ok(!bret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6645 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6646 user = HeapAlloc(GetProcessHeap(), 0, sid_size);
6647 bret = GetTokenInformation(token, TokenUser, user, sid_size, &sid_size);
6648 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6649 CloseHandle(token);
6650 user_sid = ((TOKEN_USER *)user)->User.Sid;
6651
6652 SetLastError(0xdeadbeef);
6653 bret = pGetWindowsAccountDomainSid(0, 0, 0);
6654 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6655 ok(GetLastError() == ERROR_INVALID_SID, "expected ERROR_INVALID_SID, got %d\n", GetLastError());
6656
6657 SetLastError(0xdeadbeef);
6658 bret = pGetWindowsAccountDomainSid(user_sid, 0, 0);
6659 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6660 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6661
6662 sid_size = SECURITY_MAX_SID_SIZE;
6663 SetLastError(0xdeadbeef);
6664 bret = pGetWindowsAccountDomainSid(user_sid, 0, &sid_size);
6665 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6666 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6667 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6668
6669 SetLastError(0xdeadbeef);
6670 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, 0);
6671 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6672 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6673
6674 sid_size = 1;
6675 SetLastError(0xdeadbeef);
6676 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6677 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6678 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6679 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6680
6681 sid_size = SECURITY_MAX_SID_SIZE;
6682 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6683 ok(bret, "GetWindowsAccountDomainSid failed with error %d\n", GetLastError());
6684 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6685 InitializeSid(domain_sid2, &domain_ident, 4);
6686 for (i = 0; i < 4; i++)
6687 *GetSidSubAuthority(domain_sid2, i) = *GetSidSubAuthority(user_sid, i);
6688 ok(EqualSid(domain_sid, domain_sid2), "unexpected domain sid %s != %s\n",
6689 debugstr_sid(domain_sid), debugstr_sid(domain_sid2));
6690
6691 HeapFree(GetProcessHeap(), 0, user);
6692 }
6693
6694 static void test_GetSidIdentifierAuthority(void)
6695 {
6696 char buffer[SECURITY_MAX_SID_SIZE];
6697 PSID authority_sid = (PSID *)buffer;
6698 PSID_IDENTIFIER_AUTHORITY id;
6699 BOOL ret;
6700
6701 if (!pGetSidIdentifierAuthority)
6702 {
6703 win_skip("GetSidIdentifierAuthority not available\n");
6704 return;
6705 }
6706
6707 memset(buffer, 0xcc, sizeof(buffer));
6708 ret = IsValidSid(authority_sid);
6709 ok(!ret, "expected FALSE, got %u\n", ret);
6710
6711 SetLastError(0xdeadbeef);
6712 id = GetSidIdentifierAuthority(authority_sid);
6713 ok(id != NULL, "got NULL pointer as identifier authority\n");
6714 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6715
6716 SetLastError(0xdeadbeef);
6717 id = GetSidIdentifierAuthority(NULL);
6718 ok(id != NULL, "got NULL pointer as identifier authority\n");
6719 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6720 }
6721
6722 static void test_pseudo_tokens(void)
6723 {
6724 TOKEN_STATISTICS statistics1, statistics2;
6725 HANDLE token;
6726 DWORD retlen;
6727 BOOL ret;
6728
6729 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
6730 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6731 memset(&statistics1, 0x11, sizeof(statistics1));
6732 ret = GetTokenInformation(token, TokenStatistics, &statistics1, sizeof(statistics1), &retlen);
6733 ok(ret, "GetTokenInformation failed with %u\n", GetLastError());
6734 CloseHandle(token);
6735
6736 /* test GetCurrentProcessToken() */
6737 SetLastError(0xdeadbeef);
6738 memset(&statistics2, 0x22, sizeof(statistics2));
6739 ret = GetTokenInformation(GetCurrentProcessToken(), TokenStatistics,
6740 &statistics2, sizeof(statistics2), &retlen);
6741 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6742 "GetTokenInformation failed with %u\n", GetLastError());
6743 if (ret)
6744 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6745 else
6746 win_skip("CurrentProcessToken not supported, skipping test\n");
6747
6748 /* test GetCurrentThreadEffectiveToken() */
6749 SetLastError(0xdeadbeef);
6750 memset(&statistics2, 0x22, sizeof(statistics2));
6751 ret = GetTokenInformation(GetCurrentThreadEffectiveToken(), TokenStatistics,
6752 &statistics2, sizeof(statistics2), &retlen);
6753 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6754 "GetTokenInformation failed with %u\n", GetLastError());
6755 if (ret)
6756 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6757 else
6758 win_skip("CurrentThreadEffectiveToken not supported, skipping test\n");
6759
6760 SetLastError(0xdeadbeef);
6761 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
6762 ok(!ret, "OpenThreadToken should have failed\n");
6763 ok(GetLastError() == ERROR_NO_TOKEN, "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6764
6765 /* test GetCurrentThreadToken() */
6766 SetLastError(0xdeadbeef);
6767 ret = GetTokenInformation(GetCurrentThreadToken(), TokenStatistics,
6768 &statistics2, sizeof(statistics2), &retlen);
6769 todo_wine ok(GetLastError() == ERROR_NO_TOKEN || broken(GetLastError() == ERROR_INVALID_HANDLE),
6770 "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6771 }
6772
6773 static void test_maximum_allowed(void)
6774 {
6775 HANDLE (WINAPI *pCreateEventExA)(SECURITY_ATTRIBUTES *, LPCSTR, DWORD, DWORD);
6776 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH], buffer_acl[256];
6777 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6778 SECURITY_ATTRIBUTES sa;
6779 ACL *acl = (ACL *)&buffer_acl;
6780 HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");
6781 ACCESS_MASK mask;
6782 HANDLE handle;
6783 BOOL ret;
6784
6785 pCreateEventExA = (void *)GetProcAddress(hkernel32, "CreateEventExA");
6786 if (!pCreateEventExA)
6787 {
6788 win_skip("CreateEventExA is not available\n");
6789 return;
6790 }
6791
6792 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6793 ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
6794 memset(buffer_acl, 0, sizeof(buffer_acl));
6795 ret = InitializeAcl(acl, 256, ACL_REVISION);
6796 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6797 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6798 ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
6799
6800 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6801 sa.lpSecurityDescriptor = sd;
6802 sa.bInheritHandle = FALSE;
6803
6804 handle = pCreateEventExA(&sa, NULL, 0, MAXIMUM_ALLOWED | 0x4);
6805 ok(handle != NULL, "CreateEventExA failed with error %u\n", GetLastError());
6806 mask = get_obj_access(handle);
6807 ok(mask == EVENT_ALL_ACCESS, "Expected %x, got %x\n", EVENT_ALL_ACCESS, mask);
6808 CloseHandle(handle);
6809 }
6810
6811 static void test_token_label(void)
6812 {
6813 static SID medium_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6814 {SECURITY_MANDATORY_MEDIUM_RID}};
6815 static SID high_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6816 {SECURITY_MANDATORY_HIGH_RID}};
6817 SECURITY_DESCRIPTOR_CONTROL control;
6818 SYSTEM_MANDATORY_LABEL_ACE *ace;
6819 BOOL ret, present, defaulted;
6820 SECURITY_DESCRIPTOR *sd;
6821 ACL *sacl = NULL, *dacl;
6822 DWORD size, revision;
6823 HANDLE token;
6824 char *str;
6825 SID *sid;
6826
6827 ret = OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, &token);
6828 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6829
6830 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6831 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6832 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6833
6834 sd = HeapAlloc(GetProcessHeap(), 0, size);
6835 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
6836 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6837
6838 ret = GetSecurityDescriptorControl(sd, &control, &revision);
6839 ok(ret, "GetSecurityDescriptorControl failed with error %u\n", GetLastError());
6840 todo_wine ok(control == (SE_SELF_RELATIVE | SE_SACL_AUTO_INHERITED | SE_SACL_PRESENT) ||
6841 broken(control == SE_SELF_RELATIVE) /* WinXP, Win2003 */,
6842 "Unexpected security descriptor control %#x\n", control);
6843 ok(revision == 1, "Unexpected security descriptor revision %u\n", revision);
6844
6845 sid = (void *)0xdeadbeef;
6846 defaulted = TRUE;
6847 ret = GetSecurityDescriptorOwner(sd, (void **)&sid, &defaulted);
6848 ok(ret, "GetSecurityDescriptorOwner failed with error %u\n", GetLastError());
6849 ok(!sid, "Owner present\n");
6850 ok(!defaulted, "Owner defaulted\n");
6851
6852 sid = (void *)0xdeadbeef;
6853 defaulted = TRUE;
6854 ret = GetSecurityDescriptorGroup(sd, (void **)&sid, &defaulted);
6855 ok(ret, "GetSecurityDescriptorGroup failed with error %u\n", GetLastError());
6856 ok(!sid, "Group present\n");
6857 ok(!defaulted, "Group defaulted\n");
6858
6859 ret = GetSecurityDescriptorSacl(sd, &present, &sacl, &defaulted);
6860 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6861 ok(present || broken(!present) /* WinXP, Win2003 */, "No SACL in the security descriptor\n");
6862 ok(sacl || broken(!sacl) /* WinXP, Win2003 */, "NULL SACL in the security descriptor\n");
6863
6864 if (present)
6865 {
6866 ok(!defaulted, "SACL defaulted\n");
6867 ok(sacl->AceCount == 1, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6868
6869 ret = pGetAce(sacl, 0, (void **)&ace);
6870 ok(ret, "GetAce failed with error %u\n", GetLastError());
6871
6872 ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
6873 "Unexpected ACE type %#x\n", ace->Header.AceType);
6874 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6875 ok(ace->Header.AceSize, "Unexpected ACE size %u\n", ace->Header.AceSize);
6876 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6877
6878 sid = (SID *)&ace->SidStart;
6879 ConvertSidToStringSidA(sid, &str);
6880 ok(EqualSid(sid, &medium_sid) || EqualSid(sid, &high_sid), "Got unexpected SID %s\n", str);
6881 LocalFree(str);
6882 }
6883
6884 ret = GetSecurityDescriptorDacl(sd, &present, &dacl, &defaulted);
6885 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6886 todo_wine ok(!present, "DACL present\n");
6887
6888 HeapFree(GetProcessHeap(), 0, sd);
6889 CloseHandle(token);
6890 }
6891
6892 static void test_token_security_descriptor(void)
6893 {
6894 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6895 {SECURITY_MANDATORY_LOW_RID}};
6896 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6897 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
6898 char buffer_acl[256], buffer[MAX_PATH];
6899 ACL *acl = (ACL *)&buffer_acl, *acl2, *acl_child;
6900 BOOL defaulted, present, ret, found;
6901 HANDLE token, token2, token3;
6902 EXPLICIT_ACCESSW exp_access;
6903 PROCESS_INFORMATION info;
6904 DWORD size, index, retd;
6905 ACCESS_ALLOWED_ACE *ace;
6906 SECURITY_ATTRIBUTES sa;
6907 STARTUPINFOA startup;
6908 PSID psid;
6909
6910 if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
6911 || !pSetEntriesInAclW)
6912 {
6913 win_skip("Some functions not available\n");
6914 return;
6915 }
6916
6917 /* Test whether we can create tokens with security descriptors */
6918 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
6919 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6920
6921 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6922 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6923
6924 memset(buffer_acl, 0, sizeof(buffer_acl));
6925 ret = InitializeAcl(acl, 256, ACL_REVISION);
6926 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6927
6928 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
6929 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
6930
6931 ret = pAddAccessAllowedAceEx(acl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
6932 ok(ret, "AddAccessAllowedAceEx failed with error %u\n", GetLastError());
6933
6934 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6935 ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6936
6937 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6938 sa.lpSecurityDescriptor = sd;
6939 sa.bInheritHandle = FALSE;
6940
6941 ret = pDuplicateTokenEx(token, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenImpersonation, &token2);
6942 ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
6943
6944 ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, NULL, 0, &size);
6945 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6946 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6947
6948 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6949 ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, sd2, size, &size);
6950 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6951
6952 acl2 = (void *)0xdeadbeef;
6953 present = FALSE;
6954 defaulted = TRUE;
6955 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
6956 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6957 ok(present, "acl2 not present\n");
6958 ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
6959 ok(acl2->AceCount == 1, "Expected 1 ACE, got %d\n", acl2->AceCount);
6960 ok(!defaulted, "acl2 defaulted\n");
6961
6962 ret = pGetAce(acl2, 0, (void **)&ace);
6963 ok(ret, "GetAce failed with error %u\n", GetLastError());
6964 ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6965 ok(EqualSid(&ace->SidStart, psid), "Expected access allowed ACE\n");
6966 ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
6967 "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
6968
6969 HeapFree(GetProcessHeap(), 0, sd2);
6970
6971 /* Duplicate token without security attributes.
6972 * Tokens do not inherit the security descriptor in DuplicateToken. */
6973 ret = pDuplicateTokenEx(token2, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &token3);
6974 ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
6975
6976 ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, NULL, 0, &size);
6977 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6978 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6979
6980 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6981 ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, sd2, size, &size);
6982 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6983
6984 acl2 = (void *)0xdeadbeef;
6985 present = FALSE;
6986 defaulted = TRUE;
6987 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
6988 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6989 todo_wine
6990 ok(present, "DACL not present\n");
6991
6992 if (present)
6993 {
6994 ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
6995 ok(!defaulted, "DACL defaulted\n");
6996
6997 index = 0;
6998 found = FALSE;
6999 while (pGetAce(acl2, index++, (void **)&ace))
7000 {
7001 if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
7002 found = TRUE;
7003 }
7004 ok(!found, "Access allowed ACE was inherited\n");
7005 }
7006
7007 HeapFree(GetProcessHeap(), 0, sd2);
7008
7009 /* When creating a child process, the process does inherit the token of
7010 * the parent but not the DACL of the token */
7011 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
7012 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7013 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7014
7015 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
7016 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd2, size, &size);
7017 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7018
7019 acl2 = (void *)0xdeadbeef;
7020 present = FALSE;
7021 defaulted = TRUE;
7022 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
7023 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7024 ok(present, "DACL not present\n");
7025 ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
7026 ok(!defaulted, "DACL defaulted\n");
7027
7028 exp_access.grfAccessPermissions = GENERIC_ALL;
7029 exp_access.grfAccessMode = GRANT_ACCESS;
7030 exp_access.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
7031 exp_access.Trustee.pMultipleTrustee = NULL;
7032 exp_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
7033 exp_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
7034 exp_access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
7035 exp_access.Trustee.ptstrName = (void*)psid;
7036
7037 retd = pSetEntriesInAclW(1, &exp_access, acl2, &acl_child);
7038 ok(retd == ERROR_SUCCESS, "Expected ERROR_SUCCESS, got %u\n", retd);
7039
7040 memset(sd, 0, sizeof(buffer_sd));
7041 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
7042 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
7043
7044 ret = SetSecurityDescriptorDacl(sd, TRUE, acl_child, FALSE);
7045 ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7046
7047 ret = SetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd);
7048 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
7049
7050 /* The security label is also not inherited */
7051 if (pAddMandatoryAce)
7052 {
7053 ret = InitializeAcl(acl, 256, ACL_REVISION);
7054 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
7055
7056 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
7057 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
7058
7059 memset(sd, 0, sizeof(buffer_sd));
7060 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
7061 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
7062
7063 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
7064 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7065
7066 ret = SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd);
7067 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
7068 }
7069 else
7070 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7071
7072 /* Start child process with our modified token */
7073 memset(&startup, 0, sizeof(startup));
7074 startup.cb = sizeof(startup);
7075 startup.dwFlags = STARTF_USESHOWWINDOW;
7076 startup.wShowWindow = SW_SHOWNORMAL;
7077
7078 sprintf(buffer, "%s tests/security.c test_token_sd", myARGV[0]);
7079 ret = CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &startup, &info);
7080 ok(ret, "CreateProcess failed with error %u\n", GetLastError());
7081 winetest_wait_child_process(info.hProcess);
7082 CloseHandle(info.hProcess);
7083 CloseHandle(info.hThread);
7084
7085 LocalFree(acl_child);
7086 HeapFree(GetProcessHeap(), 0, sd2);
7087 LocalFree(psid);
7088
7089 CloseHandle(token3);
7090 CloseHandle(token2);
7091 CloseHandle(token);
7092 }
7093
7094 static void test_child_token_sd(void)
7095 {
7096 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
7097 {SECURITY_MANDATORY_LOW_RID}};
7098 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7099 BOOL ret, present, defaulted;
7100 ACCESS_ALLOWED_ACE *acc_ace;
7101 SECURITY_DESCRIPTOR *sd;
7102 DWORD size, i;
7103 HANDLE token;
7104 PSID psid;
7105 ACL *acl;
7106
7107 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
7108 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
7109
7110 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
7111 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
7112
7113 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
7114 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7115 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7116
7117 sd = HeapAlloc(GetProcessHeap(), 0, size);
7118 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd, size, &size);
7119 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7120
7121 acl = NULL;
7122 present = FALSE;
7123 defaulted = TRUE;
7124 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
7125 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7126 ok(present, "DACL not present\n");
7127 ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
7128 ok(!defaulted, "DACL defaulted\n");
7129
7130 ok(acl->AceCount, "Expected at least one ACE\n");
7131 for (i = 0; i < acl->AceCount; i++)
7132 {
7133 ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
7134 ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
7135 "ACE inherited from the parent\n");
7136 }
7137
7138 LocalFree(psid);
7139 HeapFree(GetProcessHeap(), 0, sd);
7140
7141 if (!pAddMandatoryAce)
7142 {
7143 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7144 return;
7145 }
7146
7147 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
7148 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7149 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7150
7151 sd = HeapAlloc(GetProcessHeap(), 0, size);
7152 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
7153 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7154
7155 acl = NULL;
7156 present = FALSE;
7157 defaulted = TRUE;
7158 ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
7159 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7160 ok(present, "SACL not present\n");
7161 ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
7162 ok(!defaulted, "SACL defaulted\n");
7163 ok(acl->AceCount == 1, "Expected exactly one ACE\n");
7164 ret = pGetAce(acl, 0, (void **)&ace_label);
7165 ok(ret, "GetAce failed with error %u\n", GetLastError());
7166 ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
7167 "Unexpected ACE type %#x\n", ace_label->Header.AceType);
7168 ok(!EqualSid(&ace_label->SidStart, &low_level),
7169 "Low integrity level should not have been inherited\n");
7170
7171 HeapFree(GetProcessHeap(), 0, sd);
7172 }
7173
7174 static void test_GetExplicitEntriesFromAclW(void)
7175 {
7176 static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
7177 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
7178 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
7179 PSID everyone_sid = NULL, users_sid = NULL;
7180 EXPLICIT_ACCESSW access;
7181 EXPLICIT_ACCESSW *access2;
7182 PACL new_acl, old_acl = NULL;
7183 ULONG count;
7184 DWORD res;
7185
7186 if (!pGetExplicitEntriesFromAclW)
7187 {
7188 win_skip("GetExplicitEntriesFromAclW is not available\n");
7189 return;
7190 }
7191
7192 if (!pSetEntriesInAclW)
7193 {
7194 win_skip("SetEntriesInAclW is not available\n");
7195 return;
7196 }
7197
7198 old_acl = HeapAlloc(GetProcessHeap(), 0, 256);
7199 res = InitializeAcl(old_acl, 256, ACL_REVISION);
7200 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
7201 {
7202 win_skip("ACLs not implemented - skipping tests\n");
7203 HeapFree(GetProcessHeap(), 0, old_acl);
7204 return;
7205 }
7206 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
7207
7208 res = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid);
7209 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
7210
7211 res = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
7212 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &users_sid);
7213 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
7214
7215 res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, users_sid);
7216 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
7217
7218 access2 = NULL;
7219 res = pGetExplicitEntriesFromAclW(old_acl, &count, &access2);
7220 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7221 ok(count == 1, "Expected count == 1, got %d\n", count);
7222 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7223 ok(access2[0].grfAccessPermissions == KEY_READ, "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
7224 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7225 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7226 ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
7227 LocalFree(access2);
7228
7229 access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
7230 access.Trustee.pMultipleTrustee = NULL;
7231
7232 access.grfAccessPermissions = KEY_WRITE;
7233 access.grfAccessMode = GRANT_ACCESS;
7234 access.grfInheritance = NO_INHERITANCE;
7235 access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
7236 access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
7237 access.Trustee.ptstrName = everyone_sid;
7238 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7239 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7240 ok(new_acl != NULL, "returned acl was NULL\n");
7241
7242 access2 = NULL;
7243 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7244 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7245 ok(count == 2, "Expected count == 2, got %d\n", count);
7246 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7247 ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
7248 ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
7249 "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
7250 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7251 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7252 ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
7253 LocalFree(access2);
7254 LocalFree(new_acl);
7255
7256 access.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
7257 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7258 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7259 ok(new_acl != NULL, "returned acl was NULL\n");
7260
7261 access2 = NULL;
7262 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7263 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7264 ok(count == 2, "Expected count == 2, got %d\n", count);
7265 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7266 ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
7267 ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
7268 "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
7269 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7270 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7271 ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
7272 LocalFree(access2);
7273 LocalFree(new_acl);
7274
7275 access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
7276 access.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
7277 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7278 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7279 ok(new_acl != NULL, "returned acl was NULL\n");
7280
7281 access2 = NULL;
7282 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7283 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7284 ok(count == 2, "Expected count == 2, got %d\n", count);
7285 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7286 ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
7287 ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
7288 "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
7289 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7290 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7291 LocalFree(access2);
7292 LocalFree(new_acl);
7293
7294 access.grfAccessMode = REVOKE_ACCESS;
7295 access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
7296 access.Trustee.ptstrName = users_sid;
7297 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7298 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7299 ok(new_acl != NULL, "returned acl was NULL\n");
7300
7301 access2 = (void *)0xdeadbeef;
7302 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7303 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7304 ok(count == 0, "Expected count == 0, got %d\n", count);
7305 ok(access2 == NULL, "access2 was not NULL\n");
7306 LocalFree(new_acl);
7307
7308 FreeSid(users_sid);
7309 FreeSid(everyone_sid);
7310 HeapFree(GetProcessHeap(), 0, old_acl);
7311 }
7312
7313 static void test_BuildSecurityDescriptorW(void)
7314 {
7315 SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
7316 ULONG new_sd_size;
7317 DWORD buf_size;
7318 char buf[1024];
7319 BOOL success;
7320 DWORD ret;
7321
7322 InitializeSecurityDescriptor(&old_sd, SECURITY_DESCRIPTOR_REVISION);
7323
7324 buf_size = sizeof(buf);
7325 rel_sd = (SECURITY_DESCRIPTOR *)buf;
7326 success = MakeSelfRelativeSD(&old_sd, rel_sd, &buf_size);
7327 ok(success, "MakeSelfRelativeSD failed with %u\n", GetLastError());
7328
7329 new_sd = NULL;
7330 new_sd_size = 0;
7331 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd);
7332 ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
7333 ok(new_sd != NULL, "expected new_sd != NULL\n");
7334 LocalFree(new_sd);
7335
7336 new_sd = (void *)0xdeadbeef;
7337 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd);
7338 ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret);
7339 ok(new_sd == (void *)0xdeadbeef, "expected new_sd == 0xdeadbeef, got %p\n", new_sd);
7340
7341 new_sd = NULL;
7342 new_sd_size = 0;
7343 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd);
7344 ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
7345 ok(new_sd != NULL, "expected new_sd != NULL\n");
7346 LocalFree(new_sd);
7347 }
7348
7349 START_TEST(security)
7350 {
7351 init();
7352 if (!hmod) return;
7353
7354 if (myARGC >= 3)
7355 {
7356 if (!strcmp(myARGV[2], "test_token_sd"))
7357 test_child_token_sd();
7358 else
7359 test_process_security_child();
7360 return;
7361 }
7362 test_kernel_objects_security();
7363 test_sid();
7364 test_trustee();
7365 test_luid();
7366 test_CreateWellKnownSid();
7367 test_FileSecurity();
7368 test_AccessCheck();
7369 test_token_attr();
7370 test_GetTokenInformation();
7371 test_LookupAccountSid();
7372 test_LookupAccountName();
7373 test_security_descriptor();
7374 test_process_security();
7375 test_impersonation_level();
7376 test_SetEntriesInAclW();
7377 test_SetEntriesInAclA();
7378 test_CreateDirectoryA();
7379 test_GetNamedSecurityInfoA();
7380 test_ConvertStringSecurityDescriptor();
7381 test_ConvertSecurityDescriptorToString();
7382 test_PrivateObjectSecurity();
7383 test_acls();
7384 test_GetWindowsAccountDomainSid();
7385 test_GetSecurityInfo();
7386 test_GetSidSubAuthority();
7387 test_CheckTokenMembership();
7388 test_EqualSid();
7389 test_GetUserNameA();
7390 test_GetUserNameW();
7391 test_CreateRestrictedToken();
7392 test_TokenIntegrityLevel();
7393 test_default_dacl_owner_sid();
7394 test_AdjustTokenPrivileges();
7395 test_AddAce();
7396 test_AddMandatoryAce();
7397 test_system_security_access();
7398 test_GetSidIdentifierAuthority();
7399 test_pseudo_tokens();
7400 test_maximum_allowed();
7401 test_token_label();
7402 test_GetExplicitEntriesFromAclW();
7403 test_BuildSecurityDescriptorW();
7404
7405 /* Must be the last test, modifies process token */
7406 test_token_security_descriptor();
7407 }
Windows API implementation