search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
server: Implement querying the security label of a security descriptor.
[wine.git] / dlls / advapi32 / tests / security.c
blobd701251c8376ba28838e0bd05f1744142ab40760
1 /*
2 * Unit tests for security functions
3 *
4 * Copyright (c) 2004 Mike McCormack
5 * Copyright (c) 2011 Dmitry Timoshkov
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include <stdarg.h>
23 #include <stdio.h>
24
25 #include "ntstatus.h"
26 #define WIN32_NO_STATUS
27 #include "windef.h"
28 #include "winbase.h"
29 #include "winerror.h"
30 #include "winternl.h"
31 #include "aclapi.h"
32 #include "winnt.h"
33 #include "sddl.h"
34 #include "ntsecapi.h"
35 #include "lmcons.h"
36
37 #include "wine/test.h"
38
39 #ifndef PROCESS_QUERY_LIMITED_INFORMATION
40 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
41 #endif
42
43 /* PROCESS_ALL_ACCESS in Vista+ PSDKs is incompatible with older Windows versions */
44 #define PROCESS_ALL_ACCESS_NT4 (PROCESS_ALL_ACCESS & ~0xf000)
45 #define PROCESS_ALL_ACCESS_VISTA (PROCESS_ALL_ACCESS | 0xf000)
46
47 #ifndef EVENT_QUERY_STATE
48 #define EVENT_QUERY_STATE 0x0001
49 #endif
50
51 #ifndef SEMAPHORE_QUERY_STATE
52 #define SEMAPHORE_QUERY_STATE 0x0001
53 #endif
54
55 #ifndef THREAD_SET_LIMITED_INFORMATION
56 #define THREAD_SET_LIMITED_INFORMATION 0x0400
57 #define THREAD_QUERY_LIMITED_INFORMATION 0x0800
58 #endif
59
60 #define THREAD_ALL_ACCESS_NT4 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff)
61 #define THREAD_ALL_ACCESS_VISTA (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff)
62
63 #define expect_eq(expr, value, type, format) { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); }
64
65 static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
66 static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
67 static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
68 static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
69 static VOID (WINAPI *pBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
70 static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
71 static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
72 POBJECTS_AND_NAME_A pObjName,
73 SE_OBJECT_TYPE ObjectType,
74 LPSTR ObjectTypeName,
75 LPSTR InheritedObjectTypeName,
76 LPSTR Name );
77 static VOID (WINAPI *pBuildTrusteeWithObjectsAndSidA)( PTRUSTEEA pTrustee,
78 POBJECTS_AND_SID pObjSid,
79 GUID* pObjectGuid,
80 GUID* pInheritedObjectGuid,
81 PSID pSid );
82 static LPSTR (WINAPI *pGetTrusteeNameA)( PTRUSTEEA pTrustee );
83 static BOOL (WINAPI *pMakeSelfRelativeSD)( PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, LPDWORD );
84 static BOOL (WINAPI *pConvertSidToStringSidA)( PSID pSid, LPSTR *str );
85 static BOOL (WINAPI *pConvertStringSidToSidA)( LPCSTR str, PSID pSid );
86 static BOOL (WINAPI *pCheckTokenMembership)(HANDLE, PSID, PBOOL);
87 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorA)(LPCSTR, DWORD,
88 PSECURITY_DESCRIPTOR*, PULONG );
89 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorW)(LPCWSTR, DWORD,
90 PSECURITY_DESCRIPTOR*, PULONG );
91 static BOOL (WINAPI *pConvertSecurityDescriptorToStringSecurityDescriptorA)(PSECURITY_DESCRIPTOR, DWORD,
92 SECURITY_INFORMATION, LPSTR *, PULONG );
93 static BOOL (WINAPI *pGetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
94 PSECURITY_DESCRIPTOR, DWORD, LPDWORD);
95 static BOOL (WINAPI *pSetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
96 PSECURITY_DESCRIPTOR);
97 static DWORD (WINAPI *pGetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
98 PSID*, PSID*, PACL*, PACL*,
99 PSECURITY_DESCRIPTOR*);
100 static DWORD (WINAPI *pSetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
101 PSID, PSID, PACL, PACL);
102 static PDWORD (WINAPI *pGetSidSubAuthority)(PSID, DWORD);
103 static PUCHAR (WINAPI *pGetSidSubAuthorityCount)(PSID);
104 static BOOL (WINAPI *pIsValidSid)(PSID);
105 static DWORD (WINAPI *pRtlAdjustPrivilege)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
106 static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
107 static BOOL (WINAPI *pDuplicateTokenEx)(HANDLE,DWORD,LPSECURITY_ATTRIBUTES,
108 SECURITY_IMPERSONATION_LEVEL,TOKEN_TYPE,PHANDLE);
109
110 static NTSTATUS (WINAPI *pLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMATION_CLASS,PVOID*);
111 static NTSTATUS (WINAPI *pLsaClose)(LSA_HANDLE);
112 static NTSTATUS (WINAPI *pLsaFreeMemory)(PVOID);
113 static NTSTATUS (WINAPI *pLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
114 static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
115 static DWORD (WINAPI *pSetEntriesInAclW)(ULONG, PEXPLICIT_ACCESSW, PACL, PACL*);
116 static DWORD (WINAPI *pSetEntriesInAclA)(ULONG, PEXPLICIT_ACCESSA, PACL, PACL*);
117 static BOOL (WINAPI *pSetSecurityDescriptorControl)(PSECURITY_DESCRIPTOR, SECURITY_DESCRIPTOR_CONTROL,
118 SECURITY_DESCRIPTOR_CONTROL);
119 static DWORD (WINAPI *pGetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
120 PSID*, PSID*, PACL*, PACL*, PSECURITY_DESCRIPTOR*);
121 static DWORD (WINAPI *pSetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
122 PSID, PSID, PACL, PACL);
123 static NTSTATUS (WINAPI *pNtAccessCheck)(PSECURITY_DESCRIPTOR, HANDLE, ACCESS_MASK, PGENERIC_MAPPING,
124 PPRIVILEGE_SET, PULONG, PULONG, NTSTATUS*);
125 static BOOL (WINAPI *pCreateRestrictedToken)(HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD,
126 PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, PHANDLE);
127 static BOOL (WINAPI *pGetAclInformation)(PACL,LPVOID,DWORD,ACL_INFORMATION_CLASS);
128 static BOOL (WINAPI *pGetAce)(PACL,DWORD,LPVOID*);
129 static NTSTATUS (WINAPI *pNtSetSecurityObject)(HANDLE,SECURITY_INFORMATION,PSECURITY_DESCRIPTOR);
130 static NTSTATUS (WINAPI *pNtCreateFile)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG);
131 static BOOL (WINAPI *pRtlDosPathNameToNtPathName_U)(LPCWSTR,PUNICODE_STRING,PWSTR*,CURDIR*);
132 static NTSTATUS (WINAPI *pRtlAnsiStringToUnicodeString)(PUNICODE_STRING,PCANSI_STRING,BOOLEAN);
133 static BOOL (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
134 static void (WINAPI *pRtlInitAnsiString)(PANSI_STRING,PCSZ);
135 static NTSTATUS (WINAPI *pRtlFreeUnicodeString)(PUNICODE_STRING);
136 static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID);
137
138 static HMODULE hmod;
139 static int myARGC;
140 static char** myARGV;
141
142 struct strsid_entry
143 {
144 const char *str;
145 DWORD flags;
146 };
147 #define STRSID_OK 0
148 #define STRSID_OPT 1
149
150 #define SID_SLOTS 4
151 static char debugsid_str[SID_SLOTS][256];
152 static int debugsid_index = 0;
153 static const char* debugstr_sid(PSID sid)
154 {
155 LPSTR sidstr;
156 DWORD le = GetLastError();
157 char* res = debugsid_str[debugsid_index];
158 debugsid_index = (debugsid_index + 1) % SID_SLOTS;
159 if (!pConvertSidToStringSidA)
160 strcpy(res, "missing ConvertSidToStringSidA");
161 else if (!pConvertSidToStringSidA(sid, &sidstr))
162 sprintf(res, "ConvertSidToStringSidA failed le=%u", GetLastError());
163 else if (strlen(sidstr) > sizeof(*debugsid_str) - 1)
164 {
165 memcpy(res, sidstr, sizeof(*debugsid_str) - 4);
166 strcpy(res + sizeof(*debugsid_str) - 4, "...");
167 LocalFree(sidstr);
168 }
169 else
170 {
171 strcpy(res, sidstr);
172 LocalFree(sidstr);
173 }
174 /* Restore the last error in case ConvertSidToStringSidA() modified it */
175 SetLastError(le);
176 return res;
177 }
178
179 struct sidRef
180 {
181 SID_IDENTIFIER_AUTHORITY auth;
182 const char *refStr;
183 };
184
185 static void init(void)
186 {
187 HMODULE hntdll;
188
189 hntdll = GetModuleHandleA("ntdll.dll");
190 pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
191 pNtAccessCheck = (void *)GetProcAddress( hntdll, "NtAccessCheck" );
192 pNtSetSecurityObject = (void *)GetProcAddress(hntdll, "NtSetSecurityObject");
193 pNtCreateFile = (void *)GetProcAddress(hntdll, "NtCreateFile");
194 pRtlDosPathNameToNtPathName_U = (void *)GetProcAddress(hntdll, "RtlDosPathNameToNtPathName_U");
195 pRtlAnsiStringToUnicodeString = (void *)GetProcAddress(hntdll, "RtlAnsiStringToUnicodeString");
196 pRtlInitAnsiString = (void *)GetProcAddress(hntdll, "RtlInitAnsiString");
197 pRtlFreeUnicodeString = (void *)GetProcAddress(hntdll, "RtlFreeUnicodeString");
198
199 hmod = GetModuleHandleA("advapi32.dll");
200 pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
201 pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
202 pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
203 pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
204 pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
205 pConvertStringSecurityDescriptorToSecurityDescriptorA =
206 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
207 pConvertStringSecurityDescriptorToSecurityDescriptorW =
208 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorW" );
209 pConvertSecurityDescriptorToStringSecurityDescriptorA =
210 (void *)GetProcAddress(hmod, "ConvertSecurityDescriptorToStringSecurityDescriptorA" );
211 pGetFileSecurityA = (void *)GetProcAddress(hmod, "GetFileSecurityA" );
212 pSetFileSecurityA = (void *)GetProcAddress(hmod, "SetFileSecurityA" );
213 pCreateWellKnownSid = (void *)GetProcAddress( hmod, "CreateWellKnownSid" );
214 pGetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "GetNamedSecurityInfoA");
215 pSetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "SetNamedSecurityInfoA");
216 pGetSidSubAuthority = (void *)GetProcAddress(hmod, "GetSidSubAuthority");
217 pGetSidSubAuthorityCount = (void *)GetProcAddress(hmod, "GetSidSubAuthorityCount");
218 pIsValidSid = (void *)GetProcAddress(hmod, "IsValidSid");
219 pMakeSelfRelativeSD = (void *)GetProcAddress(hmod, "MakeSelfRelativeSD");
220 pSetEntriesInAclW = (void *)GetProcAddress(hmod, "SetEntriesInAclW");
221 pSetEntriesInAclA = (void *)GetProcAddress(hmod, "SetEntriesInAclA");
222 pSetSecurityDescriptorControl = (void *)GetProcAddress(hmod, "SetSecurityDescriptorControl");
223 pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
224 pSetSecurityInfo = (void *)GetProcAddress(hmod, "SetSecurityInfo");
225 pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
226 pConvertSidToStringSidA = (void *)GetProcAddress(hmod, "ConvertSidToStringSidA");
227 pConvertStringSidToSidA = (void *)GetProcAddress(hmod, "ConvertStringSidToSidA");
228 pGetAclInformation = (void *)GetProcAddress(hmod, "GetAclInformation");
229 pGetAce = (void *)GetProcAddress(hmod, "GetAce");
230 pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
231 pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
232
233 myARGC = winetest_get_mainargs( &myARGV );
234 }
235
236 static SECURITY_DESCRIPTOR* test_get_security_descriptor(HANDLE handle, int line)
237 {
238 /* use HeapFree(GetProcessHeap(), 0, sd); when done */
239 DWORD ret, length, needed;
240 SECURITY_DESCRIPTOR *sd;
241
242 needed = 0xdeadbeef;
243 SetLastError(0xdeadbeef);
244 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
245 NULL, 0, &needed);
246 ok_(__FILE__, line)(!ret, "GetKernelObjectSecurity should fail\n");
247 ok_(__FILE__, line)(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
248 ok_(__FILE__, line)(needed != 0xdeadbeef, "GetKernelObjectSecurity should return required buffer length\n");
249
250 length = needed;
251 sd = HeapAlloc(GetProcessHeap(), 0, length);
252
253 needed = 0xdeadbeef;
254 SetLastError(0xdeadbeef);
255 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
256 sd, length, &needed);
257 ok_(__FILE__, line)(ret, "GetKernelObjectSecurity error %d\n", GetLastError());
258 ok_(__FILE__, line)(needed == length || needed == 0 /* file, pipe */, "GetKernelObjectSecurity should return %u instead of %u\n", length, needed);
259 return sd;
260 }
261
262 static void test_owner_equal(HANDLE Handle, PSID expected, int line)
263 {
264 BOOL res;
265 SECURITY_DESCRIPTOR *queriedSD = NULL;
266 PSID owner;
267 BOOL owner_defaulted;
268
269 queriedSD = test_get_security_descriptor( Handle, line );
270
271 res = GetSecurityDescriptorOwner(queriedSD, &owner, &owner_defaulted);
272 ok_(__FILE__, line)(res, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
273
274 ok_(__FILE__, line)(EqualSid(owner, expected), "Owner SIDs are not equal %s != %s\n",
275 debugstr_sid(owner), debugstr_sid(expected));
276 ok_(__FILE__, line)(!owner_defaulted, "Defaulted is true\n");
277
278 HeapFree(GetProcessHeap(), 0, queriedSD);
279 }
280
281 static void test_group_equal(HANDLE Handle, PSID expected, int line)
282 {
283 BOOL res;
284 SECURITY_DESCRIPTOR *queriedSD = NULL;
285 PSID group;
286 BOOL group_defaulted;
287
288 queriedSD = test_get_security_descriptor( Handle, line );
289
290 res = GetSecurityDescriptorGroup(queriedSD, &group, &group_defaulted);
291 ok_(__FILE__, line)(res, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
292
293 ok_(__FILE__, line)(EqualSid(group, expected), "Group SIDs are not equal %s != %s\n",
294 debugstr_sid(group), debugstr_sid(expected));
295 ok_(__FILE__, line)(!group_defaulted, "Defaulted is true\n");
296
297 HeapFree(GetProcessHeap(), 0, queriedSD);
298 }
299
300 static void test_sid(void)
301 {
302 struct sidRef refs[] = {
303 { { {0x00,0x00,0x33,0x44,0x55,0x66} }, "S-1-860116326-1" },
304 { { {0x00,0x00,0x01,0x02,0x03,0x04} }, "S-1-16909060-1" },
305 { { {0x00,0x00,0x00,0x01,0x02,0x03} }, "S-1-66051-1" },
306 { { {0x00,0x00,0x00,0x00,0x01,0x02} }, "S-1-258-1" },
307 { { {0x00,0x00,0x00,0x00,0x00,0x02} }, "S-1-2-1" },
308 { { {0x00,0x00,0x00,0x00,0x00,0x0c} }, "S-1-12-1" },
309 };
310 struct strsid_entry strsid_table[] = {
311 {"AO", STRSID_OK}, {"RU", STRSID_OK}, {"AN", STRSID_OK}, {"AU", STRSID_OK},
312 {"BA", STRSID_OK}, {"BG", STRSID_OK}, {"BO", STRSID_OK}, {"BU", STRSID_OK},
313 {"CA", STRSID_OPT}, {"CG", STRSID_OK}, {"CO", STRSID_OK}, {"DA", STRSID_OPT},
314 {"DC", STRSID_OPT}, {"DD", STRSID_OPT}, {"DG", STRSID_OPT}, {"DU", STRSID_OPT},
315 {"EA", STRSID_OPT}, {"ED", STRSID_OK}, {"WD", STRSID_OK}, {"PA", STRSID_OPT},
316 {"IU", STRSID_OK}, {"LA", STRSID_OK}, {"LG", STRSID_OK}, {"LS", STRSID_OK},
317 {"SY", STRSID_OK}, {"NU", STRSID_OK}, {"NO", STRSID_OK}, {"NS", STRSID_OK},
318 {"PO", STRSID_OK}, {"PS", STRSID_OK}, {"PU", STRSID_OK}, {"RS", STRSID_OPT},
319 {"RD", STRSID_OK}, {"RE", STRSID_OK}, {"RC", STRSID_OK}, {"SA", STRSID_OPT},
320 {"SO", STRSID_OK}, {"SU", STRSID_OK}};
321
322 const char noSubAuthStr[] = "S-1-5";
323 unsigned int i;
324 PSID psid = NULL;
325 SID *pisid;
326 BOOL r;
327 LPSTR str = NULL;
328
329 if( !pConvertSidToStringSidA || !pConvertStringSidToSidA )
330 {
331 win_skip("ConvertSidToStringSidA or ConvertStringSidToSidA not available\n");
332 return;
333 }
334
335 r = pConvertStringSidToSidA( NULL, NULL );
336 ok( !r, "expected failure with NULL parameters\n" );
337 if( GetLastError() == ERROR_CALL_NOT_IMPLEMENTED )
338 return;
339 ok( GetLastError() == ERROR_INVALID_PARAMETER,
340 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
341 GetLastError() );
342
343 r = pConvertStringSidToSidA( refs[0].refStr, NULL );
344 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
345 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
346 GetLastError() );
347
348 r = pConvertStringSidToSidA( NULL, &str );
349 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
350 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
351 GetLastError() );
352
353 r = pConvertStringSidToSidA( noSubAuthStr, &psid );
354 ok( !r,
355 "expected failure with no sub authorities\n" );
356 ok( GetLastError() == ERROR_INVALID_SID,
357 "expected GetLastError() is ERROR_INVALID_SID, got %d\n",
358 GetLastError() );
359
360 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid), "ConvertStringSidToSidA failed\n");
361 pisid = psid;
362 ok(pisid->SubAuthorityCount == 4, "Invalid sub authority count - expected 4, got %d\n", pisid->SubAuthorityCount);
363 ok(pisid->SubAuthority[0] == 21, "Invalid subauthority 0 - expected 21, got %d\n", pisid->SubAuthority[0]);
364 ok(pisid->SubAuthority[3] == 4576, "Invalid subauthority 0 - expected 4576, got %d\n", pisid->SubAuthority[3]);
365 LocalFree(str);
366 LocalFree(psid);
367
368 for( i = 0; i < sizeof(refs) / sizeof(refs[0]); i++ )
369 {
370 r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
371 &psid );
372 ok( r, "failed to allocate sid\n" );
373 r = pConvertSidToStringSidA( psid, &str );
374 ok( r, "failed to convert sid\n" );
375 if (r)
376 {
377 ok( !strcmp( str, refs[i].refStr ),
378 "incorrect sid, expected %s, got %s\n", refs[i].refStr, str );
379 LocalFree( str );
380 }
381 if( psid )
382 FreeSid( psid );
383
384 r = pConvertStringSidToSidA( refs[i].refStr, &psid );
385 ok( r, "failed to parse sid string\n" );
386 pisid = psid;
387 ok( pisid &&
388 !memcmp( pisid->IdentifierAuthority.Value, refs[i].auth.Value,
389 sizeof(refs[i].auth) ),
390 "string sid %s didn't parse to expected value\n"
391 "(got 0x%04x%08x, expected 0x%04x%08x)\n",
392 refs[i].refStr,
393 MAKEWORD( pisid->IdentifierAuthority.Value[1],
394 pisid->IdentifierAuthority.Value[0] ),
395 MAKELONG( MAKEWORD( pisid->IdentifierAuthority.Value[5],
396 pisid->IdentifierAuthority.Value[4] ),
397 MAKEWORD( pisid->IdentifierAuthority.Value[3],
398 pisid->IdentifierAuthority.Value[2] ) ),
399 MAKEWORD( refs[i].auth.Value[1], refs[i].auth.Value[0] ),
400 MAKELONG( MAKEWORD( refs[i].auth.Value[5], refs[i].auth.Value[4] ),
401 MAKEWORD( refs[i].auth.Value[3], refs[i].auth.Value[2] ) ) );
402 if( psid )
403 LocalFree( psid );
404 }
405
406 /* string constant format not supported before XP */
407 r = pConvertStringSidToSidA(strsid_table[0].str, &psid);
408 if(!r)
409 {
410 win_skip("String constant format not supported\n");
411 return;
412 }
413 LocalFree(psid);
414
415 for(i = 0; i < sizeof(strsid_table) / sizeof(strsid_table[0]); i++)
416 {
417 char *temp;
418
419 SetLastError(0xdeadbeef);
420 r = pConvertStringSidToSidA(strsid_table[i].str, &psid);
421
422 if (!(strsid_table[i].flags & STRSID_OPT))
423 {
424 ok(r, "%s: got %u\n", strsid_table[i].str, GetLastError());
425 }
426
427 if (r)
428 {
429 if ((winetest_debug > 1) && (pConvertSidToStringSidA(psid, &temp)))
430 {
431 trace(" %s: %s\n", strsid_table[i].str, temp);
432 LocalFree(temp);
433 }
434 LocalFree(psid);
435 }
436 else
437 {
438 if (GetLastError() != ERROR_INVALID_SID)
439 trace(" %s: couldn't be converted, returned %d\n", strsid_table[i].str, GetLastError());
440 else
441 trace(" %s: couldn't be converted\n", strsid_table[i].str);
442 }
443 }
444 }
445
446 static void test_trustee(void)
447 {
448 GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}};
449 GUID InheritedObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}};
450 GUID ZeroGuid;
451 OBJECTS_AND_NAME_A oan;
452 OBJECTS_AND_SID oas;
453 TRUSTEEA trustee;
454 PSID psid;
455 char szObjectTypeName[] = "ObjectTypeName";
456 char szInheritedObjectTypeName[] = "InheritedObjectTypeName";
457 char szTrusteeName[] = "szTrusteeName";
458 SID_IDENTIFIER_AUTHORITY auth = { {0x11,0x22,0,0,0, 0} };
459
460 memset( &ZeroGuid, 0x00, sizeof (ZeroGuid) );
461
462 pBuildTrusteeWithSidA = (void *)GetProcAddress( hmod, "BuildTrusteeWithSidA" );
463 pBuildTrusteeWithNameA = (void *)GetProcAddress( hmod, "BuildTrusteeWithNameA" );
464 pBuildTrusteeWithObjectsAndNameA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndNameA" );
465 pBuildTrusteeWithObjectsAndSidA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndSidA" );
466 pGetTrusteeNameA = (void *)GetProcAddress (hmod, "GetTrusteeNameA" );
467 if( !pBuildTrusteeWithSidA || !pBuildTrusteeWithNameA ||
468 !pBuildTrusteeWithObjectsAndNameA || !pBuildTrusteeWithObjectsAndSidA ||
469 !pGetTrusteeNameA )
470 return;
471
472 if ( ! AllocateAndInitializeSid( &auth, 1, 42, 0,0,0,0,0,0,0,&psid ) )
473 {
474 trace( "failed to init SID\n" );
475 return;
476 }
477
478 /* test BuildTrusteeWithSidA */
479 memset( &trustee, 0xff, sizeof trustee );
480 pBuildTrusteeWithSidA( &trustee, psid );
481
482 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
483 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
484 "MultipleTrusteeOperation wrong\n");
485 ok( trustee.TrusteeForm == TRUSTEE_IS_SID, "TrusteeForm wrong\n");
486 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
487 ok( trustee.ptstrName == psid, "ptstrName wrong\n" );
488
489 /* test BuildTrusteeWithObjectsAndSidA (test 1) */
490 memset( &trustee, 0xff, sizeof trustee );
491 memset( &oas, 0xff, sizeof(oas) );
492 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, &ObjectType,
493 &InheritedObjectType, psid);
494
495 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
496 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
497 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
498 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
499 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
500
501 ok(oas.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
502 ok(!memcmp(&oas.ObjectTypeGuid, &ObjectType, sizeof(GUID)), "ObjectTypeGuid wrong\n");
503 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
504 ok(oas.pSid == psid, "pSid wrong\n");
505
506 /* test GetTrusteeNameA */
507 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oas, "GetTrusteeName returned wrong value\n");
508
509 /* test BuildTrusteeWithObjectsAndSidA (test 2) */
510 memset( &trustee, 0xff, sizeof trustee );
511 memset( &oas, 0xff, sizeof(oas) );
512 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, NULL,
513 &InheritedObjectType, psid);
514
515 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
516 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
517 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
518 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
519 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
520
521 ok(oas.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
522 ok(!memcmp(&oas.ObjectTypeGuid, &ZeroGuid, sizeof(GUID)), "ObjectTypeGuid wrong\n");
523 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
524 ok(oas.pSid == psid, "pSid wrong\n");
525
526 FreeSid( psid );
527
528 /* test BuildTrusteeWithNameA */
529 memset( &trustee, 0xff, sizeof trustee );
530 pBuildTrusteeWithNameA( &trustee, szTrusteeName );
531
532 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
533 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
534 "MultipleTrusteeOperation wrong\n");
535 ok( trustee.TrusteeForm == TRUSTEE_IS_NAME, "TrusteeForm wrong\n");
536 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
537 ok( trustee.ptstrName == szTrusteeName, "ptstrName wrong\n" );
538
539 /* test BuildTrusteeWithObjectsAndNameA (test 1) */
540 memset( &trustee, 0xff, sizeof trustee );
541 memset( &oan, 0xff, sizeof(oan) );
542 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
543 szInheritedObjectTypeName, szTrusteeName);
544
545 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
546 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
547 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
548 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
549 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
550
551 ok(oan.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
552 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
553 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
554 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
555
556 /* test GetTrusteeNameA */
557 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oan, "GetTrusteeName returned wrong value\n");
558
559 /* test BuildTrusteeWithObjectsAndNameA (test 2) */
560 memset( &trustee, 0xff, sizeof trustee );
561 memset( &oan, 0xff, sizeof(oan) );
562 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, NULL,
563 szInheritedObjectTypeName, szTrusteeName);
564
565 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
566 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
567 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
568 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
569 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
570
571 ok(oan.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
572 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
573 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
574 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
575
576 /* test BuildTrusteeWithObjectsAndNameA (test 3) */
577 memset( &trustee, 0xff, sizeof trustee );
578 memset( &oan, 0xff, sizeof(oan) );
579 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
580 NULL, szTrusteeName);
581
582 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
583 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
584 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
585 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
586 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
587
588 ok(oan.ObjectsPresent == ACE_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
589 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
590 ok(oan.InheritedObjectTypeName == NULL, "InheritedObjectTypeName wrong\n");
591 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
592 }
593
594 /* If the first isn't defined, assume none is */
595 #ifndef SE_MIN_WELL_KNOWN_PRIVILEGE
596 #define SE_MIN_WELL_KNOWN_PRIVILEGE 2L
597 #define SE_CREATE_TOKEN_PRIVILEGE 2L
598 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3L
599 #define SE_LOCK_MEMORY_PRIVILEGE 4L
600 #define SE_INCREASE_QUOTA_PRIVILEGE 5L
601 #define SE_MACHINE_ACCOUNT_PRIVILEGE 6L
602 #define SE_TCB_PRIVILEGE 7L
603 #define SE_SECURITY_PRIVILEGE 8L
604 #define SE_TAKE_OWNERSHIP_PRIVILEGE 9L
605 #define SE_LOAD_DRIVER_PRIVILEGE 10L
606 #define SE_SYSTEM_PROFILE_PRIVILEGE 11L
607 #define SE_SYSTEMTIME_PRIVILEGE 12L
608 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13L
609 #define SE_INC_BASE_PRIORITY_PRIVILEGE 14L
610 #define SE_CREATE_PAGEFILE_PRIVILEGE 15L
611 #define SE_CREATE_PERMANENT_PRIVILEGE 16L
612 #define SE_BACKUP_PRIVILEGE 17L
613 #define SE_RESTORE_PRIVILEGE 18L
614 #define SE_SHUTDOWN_PRIVILEGE 19L
615 #define SE_DEBUG_PRIVILEGE 20L
616 #define SE_AUDIT_PRIVILEGE 21L
617 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22L
618 #define SE_CHANGE_NOTIFY_PRIVILEGE 23L
619 #define SE_REMOTE_SHUTDOWN_PRIVILEGE 24L
620 #define SE_UNDOCK_PRIVILEGE 25L
621 #define SE_SYNC_AGENT_PRIVILEGE 26L
622 #define SE_ENABLE_DELEGATION_PRIVILEGE 27L
623 #define SE_MANAGE_VOLUME_PRIVILEGE 28L
624 #define SE_IMPERSONATE_PRIVILEGE 29L
625 #define SE_CREATE_GLOBAL_PRIVILEGE 30L
626 #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE
627 #endif /* ndef SE_MIN_WELL_KNOWN_PRIVILEGE */
628
629 static void test_allocateLuid(void)
630 {
631 BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
632 LUID luid1, luid2;
633 BOOL ret;
634
635 pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
636 if (!pAllocateLocallyUniqueId) return;
637
638 ret = pAllocateLocallyUniqueId(&luid1);
639 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
640 return;
641
642 ok(ret,
643 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
644 ret = pAllocateLocallyUniqueId(&luid2);
645 ok( ret,
646 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
647 ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
648 "AllocateLocallyUniqueId returned a well-known LUID\n");
649 ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
650 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
651 ret = pAllocateLocallyUniqueId(NULL);
652 ok( !ret && GetLastError() == ERROR_NOACCESS,
653 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %d\n",
654 GetLastError());
655 }
656
657 static void test_lookupPrivilegeName(void)
658 {
659 BOOL (WINAPI *pLookupPrivilegeNameA)(LPCSTR, PLUID, LPSTR, LPDWORD);
660 char buf[MAX_PATH]; /* arbitrary, seems long enough */
661 DWORD cchName = sizeof(buf);
662 LUID luid = { 0, 0 };
663 LONG i;
664 BOOL ret;
665
666 /* check whether it's available first */
667 pLookupPrivilegeNameA = (void*)GetProcAddress(hmod, "LookupPrivilegeNameA");
668 if (!pLookupPrivilegeNameA) return;
669 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
670 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
671 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
672 return;
673
674 /* check with a short buffer */
675 cchName = 0;
676 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
677 ret = pLookupPrivilegeNameA(NULL, &luid, NULL, &cchName);
678 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
679 "LookupPrivilegeNameA didn't fail with ERROR_INSUFFICIENT_BUFFER: %d\n",
680 GetLastError());
681 ok(cchName == strlen("SeCreateTokenPrivilege") + 1,
682 "LookupPrivilegeNameA returned an incorrect required length for\n"
683 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
684 lstrlenA("SeCreateTokenPrivilege") + 1);
685 /* check a known value and its returned length on success */
686 cchName = sizeof(buf);
687 ok(pLookupPrivilegeNameA(NULL, &luid, buf, &cchName) &&
688 cchName == strlen("SeCreateTokenPrivilege"),
689 "LookupPrivilegeNameA returned an incorrect output length for\n"
690 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
691 (int)strlen("SeCreateTokenPrivilege"));
692 /* check known values */
693 for (i = SE_MIN_WELL_KNOWN_PRIVILEGE; i <= SE_MAX_WELL_KNOWN_PRIVILEGE; i++)
694 {
695 luid.LowPart = i;
696 cchName = sizeof(buf);
697 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
698 ok( ret || GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
699 "LookupPrivilegeNameA(0.%d) failed: %d\n", i, GetLastError());
700 }
701 /* check a bogus LUID */
702 luid.LowPart = 0xdeadbeef;
703 cchName = sizeof(buf);
704 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
705 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
706 "LookupPrivilegeNameA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
707 GetLastError());
708 /* check on a bogus system */
709 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
710 cchName = sizeof(buf);
711 ret = pLookupPrivilegeNameA("b0gu5.Nam3", &luid, buf, &cchName);
712 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
713 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
714 "LookupPrivilegeNameA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
715 GetLastError());
716 }
717
718 struct NameToLUID
719 {
720 const char *name;
721 DWORD lowPart;
722 };
723
724 static void test_lookupPrivilegeValue(void)
725 {
726 static const struct NameToLUID privs[] = {
727 { "SeCreateTokenPrivilege", SE_CREATE_TOKEN_PRIVILEGE },
728 { "SeAssignPrimaryTokenPrivilege", SE_ASSIGNPRIMARYTOKEN_PRIVILEGE },
729 { "SeLockMemoryPrivilege", SE_LOCK_MEMORY_PRIVILEGE },
730 { "SeIncreaseQuotaPrivilege", SE_INCREASE_QUOTA_PRIVILEGE },
731 { "SeMachineAccountPrivilege", SE_MACHINE_ACCOUNT_PRIVILEGE },
732 { "SeTcbPrivilege", SE_TCB_PRIVILEGE },
733 { "SeSecurityPrivilege", SE_SECURITY_PRIVILEGE },
734 { "SeTakeOwnershipPrivilege", SE_TAKE_OWNERSHIP_PRIVILEGE },
735 { "SeLoadDriverPrivilege", SE_LOAD_DRIVER_PRIVILEGE },
736 { "SeSystemProfilePrivilege", SE_SYSTEM_PROFILE_PRIVILEGE },
737 { "SeSystemtimePrivilege", SE_SYSTEMTIME_PRIVILEGE },
738 { "SeProfileSingleProcessPrivilege", SE_PROF_SINGLE_PROCESS_PRIVILEGE },
739 { "SeIncreaseBasePriorityPrivilege", SE_INC_BASE_PRIORITY_PRIVILEGE },
740 { "SeCreatePagefilePrivilege", SE_CREATE_PAGEFILE_PRIVILEGE },
741 { "SeCreatePermanentPrivilege", SE_CREATE_PERMANENT_PRIVILEGE },
742 { "SeBackupPrivilege", SE_BACKUP_PRIVILEGE },
743 { "SeRestorePrivilege", SE_RESTORE_PRIVILEGE },
744 { "SeShutdownPrivilege", SE_SHUTDOWN_PRIVILEGE },
745 { "SeDebugPrivilege", SE_DEBUG_PRIVILEGE },
746 { "SeAuditPrivilege", SE_AUDIT_PRIVILEGE },
747 { "SeSystemEnvironmentPrivilege", SE_SYSTEM_ENVIRONMENT_PRIVILEGE },
748 { "SeChangeNotifyPrivilege", SE_CHANGE_NOTIFY_PRIVILEGE },
749 { "SeRemoteShutdownPrivilege", SE_REMOTE_SHUTDOWN_PRIVILEGE },
750 { "SeUndockPrivilege", SE_UNDOCK_PRIVILEGE },
751 { "SeSyncAgentPrivilege", SE_SYNC_AGENT_PRIVILEGE },
752 { "SeEnableDelegationPrivilege", SE_ENABLE_DELEGATION_PRIVILEGE },
753 { "SeManageVolumePrivilege", SE_MANAGE_VOLUME_PRIVILEGE },
754 { "SeImpersonatePrivilege", SE_IMPERSONATE_PRIVILEGE },
755 { "SeCreateGlobalPrivilege", SE_CREATE_GLOBAL_PRIVILEGE },
756 };
757 BOOL (WINAPI *pLookupPrivilegeValueA)(LPCSTR, LPCSTR, PLUID);
758 unsigned int i;
759 LUID luid;
760 BOOL ret;
761
762 /* check whether it's available first */
763 pLookupPrivilegeValueA = (void*)GetProcAddress(hmod, "LookupPrivilegeValueA");
764 if (!pLookupPrivilegeValueA) return;
765 ret = pLookupPrivilegeValueA(NULL, "SeCreateTokenPrivilege", &luid);
766 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
767 return;
768
769 /* check a bogus system name */
770 ret = pLookupPrivilegeValueA("b0gu5.Nam3", "SeCreateTokenPrivilege", &luid);
771 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
772 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
773 "LookupPrivilegeValueA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
774 GetLastError());
775 /* check a NULL string */
776 ret = pLookupPrivilegeValueA(NULL, 0, &luid);
777 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
778 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
779 GetLastError());
780 /* check a bogus privilege name */
781 ret = pLookupPrivilegeValueA(NULL, "SeBogusPrivilege", &luid);
782 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
783 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
784 GetLastError());
785 /* check case insensitive */
786 ret = pLookupPrivilegeValueA(NULL, "sEcREATEtOKENpRIVILEGE", &luid);
787 ok( ret,
788 "LookupPrivilegeValueA(NULL, sEcREATEtOKENpRIVILEGE, &luid) failed: %d\n",
789 GetLastError());
790 for (i = 0; i < sizeof(privs) / sizeof(privs[0]); i++)
791 {
792 /* Not all privileges are implemented on all Windows versions, so
793 * don't worry if the call fails
794 */
795 if (pLookupPrivilegeValueA(NULL, privs[i].name, &luid))
796 {
797 ok(luid.LowPart == privs[i].lowPart,
798 "LookupPrivilegeValueA returned an invalid LUID for %s\n",
799 privs[i].name);
800 }
801 }
802 }
803
804 static void test_luid(void)
805 {
806 test_allocateLuid();
807 test_lookupPrivilegeName();
808 test_lookupPrivilegeValue();
809 }
810
811 static void test_FileSecurity(void)
812 {
813 char wintmpdir [MAX_PATH];
814 char path [MAX_PATH];
815 char file [MAX_PATH];
816 HANDLE fh, token;
817 DWORD sdSize, retSize, rc, granted, priv_set_len;
818 PRIVILEGE_SET priv_set;
819 BOOL status;
820 BYTE *sd;
821 GENERIC_MAPPING mapping = { FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, FILE_ALL_ACCESS };
822 const SECURITY_INFORMATION request = OWNER_SECURITY_INFORMATION
823 | GROUP_SECURITY_INFORMATION
824 | DACL_SECURITY_INFORMATION;
825
826 if (!pGetFileSecurityA) {
827 win_skip ("GetFileSecurity is not available\n");
828 return;
829 }
830
831 if (!pSetFileSecurityA) {
832 win_skip ("SetFileSecurity is not available\n");
833 return;
834 }
835
836 if (!GetTempPathA (sizeof (wintmpdir), wintmpdir)) {
837 win_skip ("GetTempPathA failed\n");
838 return;
839 }
840
841 /* Create a temporary directory and in it a temporary file */
842 strcat (strcpy (path, wintmpdir), "rary");
843 SetLastError(0xdeadbeef);
844 rc = CreateDirectoryA (path, NULL);
845 ok (rc || GetLastError() == ERROR_ALREADY_EXISTS, "CreateDirectoryA "
846 "failed for '%s' with %d\n", path, GetLastError());
847
848 strcat (strcpy (file, path), "\\ess");
849 SetLastError(0xdeadbeef);
850 fh = CreateFileA (file, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
851 ok (fh != INVALID_HANDLE_VALUE, "CreateFileA "
852 "failed for '%s' with %d\n", file, GetLastError());
853 CloseHandle (fh);
854
855 /* For the temporary file ... */
856
857 /* Get size needed */
858 retSize = 0;
859 SetLastError(0xdeadbeef);
860 rc = pGetFileSecurityA (file, request, NULL, 0, &retSize);
861 if (!rc && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)) {
862 win_skip("GetFileSecurityA is not implemented\n");
863 goto cleanup;
864 }
865 ok (!rc, "GetFileSecurityA "
866 "was expected to fail for '%s'\n", file);
867 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
868 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
869 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
870
871 sdSize = retSize;
872 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
873
874 /* Get security descriptor for real */
875 retSize = -1;
876 SetLastError(0xdeadbeef);
877 rc = pGetFileSecurityA (file, request, sd, sdSize, &retSize);
878 ok (rc, "GetFileSecurityA "
879 "was not expected to fail '%s': %d\n", file, GetLastError());
880 ok (retSize == sdSize ||
881 broken(retSize == 0), /* NT4 */
882 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
883
884 /* Use it to set security descriptor */
885 SetLastError(0xdeadbeef);
886 rc = pSetFileSecurityA (file, request, sd);
887 ok (rc, "SetFileSecurityA "
888 "was not expected to fail '%s': %d\n", file, GetLastError());
889
890 HeapFree (GetProcessHeap (), 0, sd);
891
892 /* Repeat for the temporary directory ... */
893
894 /* Get size needed */
895 retSize = 0;
896 SetLastError(0xdeadbeef);
897 rc = pGetFileSecurityA (path, request, NULL, 0, &retSize);
898 ok (!rc, "GetFileSecurityA "
899 "was expected to fail for '%s'\n", path);
900 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
901 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
902 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
903
904 sdSize = retSize;
905 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
906
907 /* Get security descriptor for real */
908 retSize = -1;
909 SetLastError(0xdeadbeef);
910 rc = pGetFileSecurityA (path, request, sd, sdSize, &retSize);
911 ok (rc, "GetFileSecurityA "
912 "was not expected to fail '%s': %d\n", path, GetLastError());
913 ok (retSize == sdSize ||
914 broken(retSize == 0), /* NT4 */
915 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
916
917 /* Use it to set security descriptor */
918 SetLastError(0xdeadbeef);
919 rc = pSetFileSecurityA (path, request, sd);
920 ok (rc, "SetFileSecurityA "
921 "was not expected to fail '%s': %d\n", path, GetLastError());
922 HeapFree (GetProcessHeap (), 0, sd);
923
924 /* Old test */
925 strcpy (wintmpdir, "\\Should not exist");
926 SetLastError(0xdeadbeef);
927 rc = pGetFileSecurityA (wintmpdir, OWNER_SECURITY_INFORMATION, NULL, 0, &sdSize);
928 ok (!rc, "GetFileSecurityA should fail for not existing directories/files\n");
929 ok (GetLastError() == ERROR_FILE_NOT_FOUND,
930 "last error ERROR_FILE_NOT_FOUND expected, got %d\n", GetLastError());
931
932 cleanup:
933 /* Remove temporary file and directory */
934 DeleteFileA(file);
935 RemoveDirectoryA(path);
936
937 /* Test file access permissions for a file with FILE_ATTRIBUTE_ARCHIVE */
938 SetLastError(0xdeadbeef);
939 rc = GetTempPathA(sizeof(wintmpdir), wintmpdir);
940 ok(rc, "GetTempPath error %d\n", GetLastError());
941
942 SetLastError(0xdeadbeef);
943 rc = GetTempFileNameA(wintmpdir, "tmp", 0, file);
944 ok(rc, "GetTempFileName error %d\n", GetLastError());
945
946 rc = GetFileAttributesA(file);
947 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
948 ok(rc == FILE_ATTRIBUTE_ARCHIVE, "expected FILE_ATTRIBUTE_ARCHIVE got %#x\n", rc);
949
950 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
951 NULL, 0, &sdSize);
952 ok(!rc, "GetFileSecurity should fail\n");
953 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
954 "expected ERROR_INSUFFICIENT_BUFFER got %d\n", GetLastError());
955 ok(sdSize > sizeof(SECURITY_DESCRIPTOR), "got sd size %d\n", sdSize);
956
957 sd = HeapAlloc(GetProcessHeap (), 0, sdSize);
958 retSize = 0xdeadbeef;
959 SetLastError(0xdeadbeef);
960 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
961 sd, sdSize, &retSize);
962 ok(rc, "GetFileSecurity error %d\n", GetLastError());
963 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
964
965 SetLastError(0xdeadbeef);
966 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
967 ok(!rc, "OpenThreadToken should fail\n");
968 ok(GetLastError() == ERROR_NO_TOKEN, "expected ERROR_NO_TOKEN, got %d\n", GetLastError());
969
970 SetLastError(0xdeadbeef);
971 rc = ImpersonateSelf(SecurityIdentification);
972 ok(rc, "ImpersonateSelf error %d\n", GetLastError());
973
974 SetLastError(0xdeadbeef);
975 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
976 ok(rc, "OpenThreadToken error %d\n", GetLastError());
977
978 SetLastError(0xdeadbeef);
979 rc = RevertToSelf();
980 ok(rc, "RevertToSelf error %d\n", GetLastError());
981
982 priv_set_len = sizeof(priv_set);
983 granted = 0xdeadbeef;
984 status = 0xdeadbeef;
985 SetLastError(0xdeadbeef);
986 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
987 ok(rc, "AccessCheck error %d\n", GetLastError());
988 ok(status == 1, "expected 1, got %d\n", status);
989 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
990
991 granted = 0xdeadbeef;
992 status = 0xdeadbeef;
993 SetLastError(0xdeadbeef);
994 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
995 ok(rc, "AccessCheck error %d\n", GetLastError());
996 ok(status == 1, "expected 1, got %d\n", status);
997 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
998
999 granted = 0xdeadbeef;
1000 status = 0xdeadbeef;
1001 SetLastError(0xdeadbeef);
1002 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1003 ok(rc, "AccessCheck error %d\n", GetLastError());
1004 ok(status == 1, "expected 1, got %d\n", status);
1005 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1006
1007 granted = 0xdeadbeef;
1008 status = 0xdeadbeef;
1009 SetLastError(0xdeadbeef);
1010 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1011 ok(rc, "AccessCheck error %d\n", GetLastError());
1012 ok(status == 1, "expected 1, got %d\n", status);
1013 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1014
1015 granted = 0xdeadbeef;
1016 status = 0xdeadbeef;
1017 SetLastError(0xdeadbeef);
1018 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1019 ok(rc, "AccessCheck error %d\n", GetLastError());
1020 ok(status == 1, "expected 1, got %d\n", status);
1021 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1022
1023 granted = 0xdeadbeef;
1024 status = 0xdeadbeef;
1025 SetLastError(0xdeadbeef);
1026 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1027 ok(rc, "AccessCheck error %d\n", GetLastError());
1028 ok(status == 1, "expected 1, got %d\n", status);
1029 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1030
1031 granted = 0xdeadbeef;
1032 status = 0xdeadbeef;
1033 SetLastError(0xdeadbeef);
1034 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1035 ok(rc, "AccessCheck error %d\n", GetLastError());
1036 ok(status == 1, "expected 1, got %d\n", status);
1037 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1038
1039 SetLastError(0xdeadbeef);
1040 rc = AccessCheck(sd, token, 0xffffffff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1041 ok(!rc, "AccessCheck should fail\n");
1042 ok(GetLastError() == ERROR_GENERIC_NOT_MAPPED, "expected ERROR_GENERIC_NOT_MAPPED, got %d\n", GetLastError());
1043
1044 /* Test file access permissions for a file with FILE_ATTRIBUTE_READONLY */
1045 SetLastError(0xdeadbeef);
1046 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1047 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1048 retSize = 0xdeadbeef;
1049 SetLastError(0xdeadbeef);
1050 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1051 ok(!rc, "WriteFile should fail\n");
1052 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1053 ok(retSize == 0, "expected 0, got %d\n", retSize);
1054 CloseHandle(fh);
1055
1056 rc = GetFileAttributesA(file);
1057 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1058 todo_wine
1059 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1060 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1061
1062 SetLastError(0xdeadbeef);
1063 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1064 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1065 SetLastError(0xdeadbeef);
1066 rc = DeleteFileA(file);
1067 ok(rc, "DeleteFile error %d\n", GetLastError());
1068
1069 SetLastError(0xdeadbeef);
1070 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1071 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1072 retSize = 0xdeadbeef;
1073 SetLastError(0xdeadbeef);
1074 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1075 ok(!rc, "WriteFile should fail\n");
1076 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1077 ok(retSize == 0, "expected 0, got %d\n", retSize);
1078 CloseHandle(fh);
1079
1080 rc = GetFileAttributesA(file);
1081 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1082 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1083 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1084
1085 retSize = 0xdeadbeef;
1086 SetLastError(0xdeadbeef);
1087 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
1088 sd, sdSize, &retSize);
1089 ok(rc, "GetFileSecurity error %d\n", GetLastError());
1090 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
1091
1092 priv_set_len = sizeof(priv_set);
1093 granted = 0xdeadbeef;
1094 status = 0xdeadbeef;
1095 SetLastError(0xdeadbeef);
1096 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1097 ok(rc, "AccessCheck error %d\n", GetLastError());
1098 ok(status == 1, "expected 1, got %d\n", status);
1099 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
1100
1101 granted = 0xdeadbeef;
1102 status = 0xdeadbeef;
1103 SetLastError(0xdeadbeef);
1104 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1105 ok(rc, "AccessCheck error %d\n", GetLastError());
1106 todo_wine {
1107 ok(status == 1, "expected 1, got %d\n", status);
1108 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
1109 }
1110 granted = 0xdeadbeef;
1111 status = 0xdeadbeef;
1112 SetLastError(0xdeadbeef);
1113 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1114 ok(rc, "AccessCheck error %d\n", GetLastError());
1115 ok(status == 1, "expected 1, got %d\n", status);
1116 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1117
1118 granted = 0xdeadbeef;
1119 status = 0xdeadbeef;
1120 SetLastError(0xdeadbeef);
1121 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1122 ok(rc, "AccessCheck error %d\n", GetLastError());
1123 todo_wine {
1124 ok(status == 1, "expected 1, got %d\n", status);
1125 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1126 }
1127 granted = 0xdeadbeef;
1128 status = 0xdeadbeef;
1129 SetLastError(0xdeadbeef);
1130 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1131 ok(rc, "AccessCheck error %d\n", GetLastError());
1132 todo_wine {
1133 ok(status == 1, "expected 1, got %d\n", status);
1134 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1135 }
1136 granted = 0xdeadbeef;
1137 status = 0xdeadbeef;
1138 SetLastError(0xdeadbeef);
1139 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1140 ok(rc, "AccessCheck error %d\n", GetLastError());
1141 todo_wine {
1142 ok(status == 1, "expected 1, got %d\n", status);
1143 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1144 }
1145 granted = 0xdeadbeef;
1146 status = 0xdeadbeef;
1147 SetLastError(0xdeadbeef);
1148 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1149 ok(rc, "AccessCheck error %d\n", GetLastError());
1150 todo_wine {
1151 ok(status == 1, "expected 1, got %d\n", status);
1152 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1153 }
1154 SetLastError(0xdeadbeef);
1155 rc = DeleteFileA(file);
1156 ok(!rc, "DeleteFile should fail\n");
1157 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1158 SetLastError(0xdeadbeef);
1159 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1160 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1161 SetLastError(0xdeadbeef);
1162 rc = DeleteFileA(file);
1163 ok(rc, "DeleteFile error %d\n", GetLastError());
1164
1165 CloseHandle(token);
1166 HeapFree(GetProcessHeap(), 0, sd);
1167 }
1168
1169 static void test_AccessCheck(void)
1170 {
1171 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
1172 PACL Acl = NULL;
1173 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
1174 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
1175 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
1176 GENERIC_MAPPING Mapping = { KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS };
1177 ACCESS_MASK Access;
1178 BOOL AccessStatus;
1179 HANDLE Token;
1180 HANDLE ProcessToken;
1181 BOOL ret;
1182 DWORD PrivSetLen;
1183 PRIVILEGE_SET *PrivSet;
1184 BOOL res;
1185 HMODULE NtDllModule;
1186 BOOLEAN Enabled;
1187 DWORD err;
1188 NTSTATUS ntret, ntAccessStatus;
1189
1190 NtDllModule = GetModuleHandleA("ntdll.dll");
1191 if (!NtDllModule)
1192 {
1193 skip("not running on NT, skipping test\n");
1194 return;
1195 }
1196 pRtlAdjustPrivilege = (void *)GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
1197 if (!pRtlAdjustPrivilege)
1198 {
1199 win_skip("missing RtlAdjustPrivilege, skipping test\n");
1200 return;
1201 }
1202
1203 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
1204 res = InitializeAcl(Acl, 256, ACL_REVISION);
1205 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1206 {
1207 skip("ACLs not implemented - skipping tests\n");
1208 HeapFree(GetProcessHeap(), 0, Acl);
1209 return;
1210 }
1211 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
1212
1213 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
1214 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1215
1216 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1217 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
1218 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1219
1220 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1221 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
1222 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1223
1224 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
1225
1226 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
1227 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
1228
1229 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1230 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1231
1232 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1233 PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
1234 PrivSet->PrivilegeCount = 16;
1235
1236 res = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &ProcessToken);
1237 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
1238
1239 pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
1240
1241 res = DuplicateToken(ProcessToken, SecurityImpersonation, &Token);
1242 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1243
1244 /* SD without owner/group */
1245 SetLastError(0xdeadbeef);
1246 Access = AccessStatus = 0x1abe11ed;
1247 ret = AccessCheck(SecurityDescriptor, Token, KEY_QUERY_VALUE, &Mapping,
1248 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1249 err = GetLastError();
1250 ok(!ret && err == ERROR_INVALID_SECURITY_DESCR, "AccessCheck should have "
1251 "failed with ERROR_INVALID_SECURITY_DESCR, instead of %d\n", err);
1252 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1253 "Access and/or AccessStatus were changed!\n");
1254
1255 /* Set owner and group */
1256 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
1257 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
1258 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
1259 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
1260
1261 /* Generic access mask */
1262 SetLastError(0xdeadbeef);
1263 Access = AccessStatus = 0x1abe11ed;
1264 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1265 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1266 err = GetLastError();
1267 ok(!ret && err == ERROR_GENERIC_NOT_MAPPED, "AccessCheck should have failed "
1268 "with ERROR_GENERIC_NOT_MAPPED, instead of %d\n", err);
1269 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1270 "Access and/or AccessStatus were changed!\n");
1271
1272 /* Generic access mask - no privilegeset buffer */
1273 SetLastError(0xdeadbeef);
1274 Access = AccessStatus = 0x1abe11ed;
1275 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1276 NULL, &PrivSetLen, &Access, &AccessStatus);
1277 err = GetLastError();
1278 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1279 "with ERROR_NOACCESS, instead of %d\n", err);
1280 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1281 "Access and/or AccessStatus were changed!\n");
1282
1283 /* Generic access mask - no returnlength */
1284 SetLastError(0xdeadbeef);
1285 Access = AccessStatus = 0x1abe11ed;
1286 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1287 PrivSet, NULL, &Access, &AccessStatus);
1288 err = GetLastError();
1289 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1290 "with ERROR_NOACCESS, instead of %d\n", err);
1291 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1292 "Access and/or AccessStatus were changed!\n");
1293
1294 /* Generic access mask - no privilegeset buffer, no returnlength */
1295 SetLastError(0xdeadbeef);
1296 Access = AccessStatus = 0x1abe11ed;
1297 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1298 NULL, NULL, &Access, &AccessStatus);
1299 err = GetLastError();
1300 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1301 "with ERROR_NOACCESS, instead of %d\n", err);
1302 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1303 "Access and/or AccessStatus were changed!\n");
1304
1305 /* sd with no dacl present */
1306 Access = AccessStatus = 0x1abe11ed;
1307 ret = SetSecurityDescriptorDacl(SecurityDescriptor, FALSE, NULL, FALSE);
1308 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1309 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1310 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1311 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1312 ok(AccessStatus && (Access == KEY_READ),
1313 "AccessCheck failed to grant access with error %d\n",
1314 GetLastError());
1315
1316 /* sd with no dacl present - no privilegeset buffer */
1317 SetLastError(0xdeadbeef);
1318 Access = AccessStatus = 0x1abe11ed;
1319 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1320 NULL, &PrivSetLen, &Access, &AccessStatus);
1321 err = GetLastError();
1322 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1323 "with ERROR_NOACCESS, instead of %d\n", err);
1324 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1325 "Access and/or AccessStatus were changed!\n");
1326
1327 if(pNtAccessCheck)
1328 {
1329 /* Generic access mask - no privilegeset buffer */
1330 SetLastError(0xdeadbeef);
1331 Access = ntAccessStatus = 0x1abe11ed;
1332 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1333 NULL, &PrivSetLen, &Access, &ntAccessStatus);
1334 err = GetLastError();
1335 ok(ntret == STATUS_ACCESS_VIOLATION,
1336 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1337 ok(err == 0xdeadbeef,
1338 "NtAccessCheck shouldn't set last error, got %d\n", err);
1339 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1340 "Access and/or AccessStatus were changed!\n");
1341
1342 /* Generic access mask - no returnlength */
1343 SetLastError(0xdeadbeef);
1344 Access = ntAccessStatus = 0x1abe11ed;
1345 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1346 PrivSet, NULL, &Access, &ntAccessStatus);
1347 err = GetLastError();
1348 ok(ntret == STATUS_ACCESS_VIOLATION,
1349 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1350 ok(err == 0xdeadbeef,
1351 "NtAccessCheck shouldn't set last error, got %d\n", err);
1352 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1353 "Access and/or AccessStatus were changed!\n");
1354
1355 /* Generic access mask - no privilegeset buffer, no returnlength */
1356 SetLastError(0xdeadbeef);
1357 Access = ntAccessStatus = 0x1abe11ed;
1358 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1359 NULL, NULL, &Access, &ntAccessStatus);
1360 err = GetLastError();
1361 ok(ntret == STATUS_ACCESS_VIOLATION,
1362 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1363 ok(err == 0xdeadbeef,
1364 "NtAccessCheck shouldn't set last error, got %d\n", err);
1365 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1366 "Access and/or AccessStatus were changed!\n");
1367 }
1368 else
1369 win_skip("NtAccessCheck unavailable. Skipping.\n");
1370
1371 /* sd with NULL dacl */
1372 Access = AccessStatus = 0x1abe11ed;
1373 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, NULL, FALSE);
1374 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1375 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1376 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1377 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1378 ok(AccessStatus && (Access == KEY_READ),
1379 "AccessCheck failed to grant access with error %d\n",
1380 GetLastError());
1381 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1382 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1383 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1384 ok(AccessStatus && (Access == KEY_ALL_ACCESS),
1385 "AccessCheck failed to grant access with error %d\n",
1386 GetLastError());
1387
1388 /* sd with blank dacl */
1389 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1390 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1391 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1392 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1393 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1394 err = GetLastError();
1395 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1396 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1397 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1398
1399 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
1400 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
1401
1402 res = AddAccessDeniedAce(Acl, ACL_REVISION, KEY_SET_VALUE, AdminSid);
1403 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
1404
1405 /* sd with dacl */
1406 Access = AccessStatus = 0x1abe11ed;
1407 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1408 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1409 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1410 ok(AccessStatus && (Access == KEY_READ),
1411 "AccessCheck failed to grant access with error %d\n",
1412 GetLastError());
1413
1414 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1415 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1416 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1417 ok(AccessStatus,
1418 "AccessCheck failed to grant any access with error %d\n",
1419 GetLastError());
1420 trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08x\n", Access);
1421
1422 /* Null PrivSet with null PrivSetLen pointer */
1423 SetLastError(0xdeadbeef);
1424 Access = AccessStatus = 0x1abe11ed;
1425 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1426 NULL, NULL, &Access, &AccessStatus);
1427 err = GetLastError();
1428 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1429 "failed with ERROR_NOACCESS, instead of %d\n", err);
1430 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1431 "Access and/or AccessStatus were changed!\n");
1432
1433 /* Null PrivSet with zero PrivSetLen */
1434 SetLastError(0xdeadbeef);
1435 Access = AccessStatus = 0x1abe11ed;
1436 PrivSetLen = 0;
1437 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1438 0, &PrivSetLen, &Access, &AccessStatus);
1439 err = GetLastError();
1440 todo_wine
1441 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1442 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1443 todo_wine
1444 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1445 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1446 "Access and/or AccessStatus were changed!\n");
1447
1448 /* Null PrivSet with insufficient PrivSetLen */
1449 SetLastError(0xdeadbeef);
1450 Access = AccessStatus = 0x1abe11ed;
1451 PrivSetLen = 1;
1452 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1453 0, &PrivSetLen, &Access, &AccessStatus);
1454 err = GetLastError();
1455 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1456 "failed with ERROR_NOACCESS, instead of %d\n", err);
1457 ok(PrivSetLen == 1, "PrivSetLen returns %d\n", PrivSetLen);
1458 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1459 "Access and/or AccessStatus were changed!\n");
1460
1461 /* Null PrivSet with insufficient PrivSetLen */
1462 SetLastError(0xdeadbeef);
1463 Access = AccessStatus = 0x1abe11ed;
1464 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1465 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1466 0, &PrivSetLen, &Access, &AccessStatus);
1467 err = GetLastError();
1468 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1469 "failed with ERROR_NOACCESS, instead of %d\n", err);
1470 ok(PrivSetLen == sizeof(PRIVILEGE_SET) - 1, "PrivSetLen returns %d\n", PrivSetLen);
1471 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1472 "Access and/or AccessStatus were changed!\n");
1473
1474 /* Null PrivSet with minimal sufficient PrivSetLen */
1475 SetLastError(0xdeadbeef);
1476 Access = AccessStatus = 0x1abe11ed;
1477 PrivSetLen = sizeof(PRIVILEGE_SET);
1478 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1479 0, &PrivSetLen, &Access, &AccessStatus);
1480 err = GetLastError();
1481 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1482 "failed with ERROR_NOACCESS, instead of %d\n", err);
1483 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1484 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1485 "Access and/or AccessStatus were changed!\n");
1486
1487 /* Valid PrivSet with zero PrivSetLen */
1488 SetLastError(0xdeadbeef);
1489 Access = AccessStatus = 0x1abe11ed;
1490 PrivSetLen = 0;
1491 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1492 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1493 err = GetLastError();
1494 todo_wine
1495 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1496 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1497 todo_wine
1498 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1499 todo_wine
1500 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1501 "Access and/or AccessStatus were changed!\n");
1502
1503 /* Valid PrivSet with insufficient PrivSetLen */
1504 SetLastError(0xdeadbeef);
1505 Access = AccessStatus = 0x1abe11ed;
1506 PrivSetLen = 1;
1507 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1508 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1509 err = GetLastError();
1510 todo_wine
1511 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1512 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1513 todo_wine
1514 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1515 todo_wine
1516 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1517 "Access and/or AccessStatus were changed!\n");
1518
1519 /* Valid PrivSet with insufficient PrivSetLen */
1520 SetLastError(0xdeadbeef);
1521 Access = AccessStatus = 0x1abe11ed;
1522 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1523 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1524 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1525 err = GetLastError();
1526 todo_wine
1527 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1528 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1529 todo_wine
1530 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1531 todo_wine
1532 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1533 "Access and/or AccessStatus were changed!\n");
1534
1535 /* Valid PrivSet with minimal sufficient PrivSetLen */
1536 SetLastError(0xdeadbeef);
1537 Access = AccessStatus = 0x1abe11ed;
1538 PrivSetLen = sizeof(PRIVILEGE_SET);
1539 memset(PrivSet, 0xcc, PrivSetLen);
1540 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1541 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1542 err = GetLastError();
1543 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1544 todo_wine
1545 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1546 ok(AccessStatus && (Access == KEY_READ),
1547 "AccessCheck failed to grant access with error %d\n", GetLastError());
1548 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1549 PrivSet->PrivilegeCount);
1550
1551 /* Valid PrivSet with sufficient PrivSetLen */
1552 SetLastError(0xdeadbeef);
1553 Access = AccessStatus = 0x1abe11ed;
1554 PrivSetLen = sizeof(PRIVILEGE_SET) + 1;
1555 memset(PrivSet, 0xcc, PrivSetLen);
1556 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1557 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1558 err = GetLastError();
1559 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1560 todo_wine
1561 ok(PrivSetLen == sizeof(PRIVILEGE_SET) + 1, "PrivSetLen returns %d\n", PrivSetLen);
1562 ok(AccessStatus && (Access == KEY_READ),
1563 "AccessCheck failed to grant access with error %d\n", GetLastError());
1564 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1565 PrivSet->PrivilegeCount);
1566
1567 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1568
1569 /* Null PrivSet with valid PrivSetLen */
1570 SetLastError(0xdeadbeef);
1571 Access = AccessStatus = 0x1abe11ed;
1572 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1573 0, &PrivSetLen, &Access, &AccessStatus);
1574 err = GetLastError();
1575 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1576 "failed with ERROR_NOACCESS, instead of %d\n", err);
1577 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1578 "Access and/or AccessStatus were changed!\n");
1579
1580 /* Access denied by SD */
1581 SetLastError(0xdeadbeef);
1582 Access = AccessStatus = 0x1abe11ed;
1583 ret = AccessCheck(SecurityDescriptor, Token, KEY_WRITE, &Mapping,
1584 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1585 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1586 err = GetLastError();
1587 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1588 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1589 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1590
1591 SetLastError(0xdeadbeef);
1592 PrivSet->PrivilegeCount = 16;
1593 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1594 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1595 ok(ret && !AccessStatus && GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
1596 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %d\n",
1597 GetLastError());
1598
1599 ret = ImpersonateLoggedOnUser(Token);
1600 ok(ret, "ImpersonateLoggedOnUser failed with error %d\n", GetLastError());
1601 ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
1602 if (!ret)
1603 {
1604 /* Valid PrivSet with zero PrivSetLen */
1605 SetLastError(0xdeadbeef);
1606 Access = AccessStatus = 0x1abe11ed;
1607 PrivSetLen = 0;
1608 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1609 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1610 err = GetLastError();
1611 todo_wine
1612 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1613 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1614 todo_wine
1615 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1616 todo_wine
1617 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1618 "Access and/or AccessStatus were changed!\n");
1619
1620 /* Valid PrivSet with insufficient PrivSetLen */
1621 SetLastError(0xdeadbeef);
1622 Access = AccessStatus = 0x1abe11ed;
1623 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1624 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1625 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1626 err = GetLastError();
1627 todo_wine
1628 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1629 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1630 todo_wine
1631 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1632 todo_wine
1633 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1634 "Access and/or AccessStatus were changed!\n");
1635
1636 /* Valid PrivSet with minimal sufficient PrivSetLen */
1637 SetLastError(0xdeadbeef);
1638 Access = AccessStatus = 0x1abe11ed;
1639 PrivSetLen = sizeof(PRIVILEGE_SET);
1640 memset(PrivSet, 0xcc, PrivSetLen);
1641 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1642 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1643 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1644 "AccessCheck should have succeeded, error %d\n",
1645 GetLastError());
1646 ok(Access == ACCESS_SYSTEM_SECURITY,
1647 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1648 Access);
1649 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1650 PrivSet->PrivilegeCount);
1651
1652 /* Valid PrivSet with large PrivSetLen */
1653 SetLastError(0xdeadbeef);
1654 Access = AccessStatus = 0x1abe11ed;
1655 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1656 memset(PrivSet, 0xcc, PrivSetLen);
1657 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1658 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1659 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1660 "AccessCheck should have succeeded, error %d\n",
1661 GetLastError());
1662 ok(Access == ACCESS_SYSTEM_SECURITY,
1663 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1664 Access);
1665 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1666 PrivSet->PrivilegeCount);
1667 }
1668 else
1669 trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
1670 ret);
1671 ret = RevertToSelf();
1672 ok(ret, "RevertToSelf failed with error %d\n", GetLastError());
1673
1674 /* test INHERIT_ONLY_ACE */
1675 ret = InitializeAcl(Acl, 256, ACL_REVISION);
1676 ok(ret, "InitializeAcl failed with error %d\n", GetLastError());
1677
1678 /* NT doesn't have AddAccessAllowedAceEx. Skipping this call/test doesn't influence
1679 * the next ones.
1680 */
1681 if (pAddAccessAllowedAceEx)
1682 {
1683 ret = pAddAccessAllowedAceEx(Acl, ACL_REVISION, INHERIT_ONLY_ACE, KEY_READ, EveryoneSid);
1684 ok(ret, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
1685 }
1686 else
1687 win_skip("AddAccessAllowedAceEx is not available\n");
1688
1689 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1690 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1691 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1692 err = GetLastError();
1693 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1694 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1695 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1696
1697 CloseHandle(Token);
1698
1699 res = DuplicateToken(ProcessToken, SecurityAnonymous, &Token);
1700 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1701
1702 SetLastError(0xdeadbeef);
1703 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1704 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1705 err = GetLastError();
1706 ok(!ret && err == ERROR_BAD_IMPERSONATION_LEVEL, "AccessCheck should have failed "
1707 "with ERROR_BAD_IMPERSONATION_LEVEL, instead of %d\n", err);
1708
1709 CloseHandle(Token);
1710
1711 SetLastError(0xdeadbeef);
1712 ret = AccessCheck(SecurityDescriptor, ProcessToken, KEY_READ, &Mapping,
1713 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1714 err = GetLastError();
1715 ok(!ret && err == ERROR_NO_IMPERSONATION_TOKEN, "AccessCheck should have failed "
1716 "with ERROR_NO_IMPERSONATION_TOKEN, instead of %d\n", err);
1717
1718 CloseHandle(ProcessToken);
1719
1720 if (EveryoneSid)
1721 FreeSid(EveryoneSid);
1722 if (AdminSid)
1723 FreeSid(AdminSid);
1724 if (UsersSid)
1725 FreeSid(UsersSid);
1726 HeapFree(GetProcessHeap(), 0, Acl);
1727 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
1728 HeapFree(GetProcessHeap(), 0, PrivSet);
1729 }
1730
1731 /* test GetTokenInformation for the various attributes */
1732 static void test_token_attr(void)
1733 {
1734 HANDLE Token, ImpersonationToken;
1735 DWORD Size, Size2;
1736 TOKEN_PRIVILEGES *Privileges;
1737 TOKEN_GROUPS *Groups;
1738 TOKEN_USER *User;
1739 TOKEN_DEFAULT_DACL *Dacl;
1740 BOOL ret;
1741 DWORD i, GLE;
1742 LPSTR SidString;
1743 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
1744 ACL *acl;
1745
1746 /* cygwin-like use case */
1747 SetLastError(0xdeadbeef);
1748 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Token);
1749 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
1750 {
1751 win_skip("OpenProcessToken is not implemented\n");
1752 return;
1753 }
1754 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1755 if (ret)
1756 {
1757 DWORD buf[256]; /* GetTokenInformation wants a dword-aligned buffer */
1758 Size = sizeof(buf);
1759 ret = GetTokenInformation(Token, TokenUser,(void*)buf, Size, &Size);
1760 ok(ret, "GetTokenInformation failed with error %d\n", GetLastError());
1761 Size = sizeof(ImpersonationLevel);
1762 ret = GetTokenInformation(Token, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1763 GLE = GetLastError();
1764 ok(!ret && (GLE == ERROR_INVALID_PARAMETER), "GetTokenInformation(TokenImpersonationLevel) on primary token should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GLE);
1765 CloseHandle(Token);
1766 }
1767
1768 if(!pConvertSidToStringSidA)
1769 {
1770 win_skip("ConvertSidToStringSidA is not available\n");
1771 return;
1772 }
1773
1774 SetLastError(0xdeadbeef);
1775 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &Token);
1776 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1777
1778 /* groups */
1779 /* insufficient buffer length */
1780 SetLastError(0xdeadbeef);
1781 Size2 = 0;
1782 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size2);
1783 ok(Size2 > 1, "got %d\n", Size2);
1784 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1785 "%d with error %d\n", ret, GetLastError());
1786 Size2 -= 1;
1787 Groups = HeapAlloc(GetProcessHeap(), 0, Size2);
1788 memset(Groups, 0xcc, Size2);
1789 Size = 0;
1790 ret = GetTokenInformation(Token, TokenGroups, Groups, Size2, &Size);
1791 ok(Size > 1, "got %d\n", Size);
1792 ok((!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER) || broken(ret) /* wow64 */,
1793 "%d with error %d\n", ret, GetLastError());
1794 if(!ret)
1795 ok(*((BYTE*)Groups) == 0xcc, "buffer altered\n");
1796
1797 HeapFree(GetProcessHeap(), 0, Groups);
1798
1799 SetLastError(0xdeadbeef);
1800 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size);
1801 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1802 "GetTokenInformation(TokenGroups) %s with error %d\n",
1803 ret ? "succeeded" : "failed", GetLastError());
1804 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
1805 SetLastError(0xdeadbeef);
1806 ret = GetTokenInformation(Token, TokenGroups, Groups, Size, &Size);
1807 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
1808 ok(GetLastError() == 0xdeadbeef,
1809 "GetTokenInformation shouldn't have set last error to %d\n",
1810 GetLastError());
1811 trace("TokenGroups:\n");
1812 for (i = 0; i < Groups->GroupCount; i++)
1813 {
1814 DWORD NameLength = 255;
1815 CHAR Name[255];
1816 DWORD DomainLength = 255;
1817 CHAR Domain[255];
1818 SID_NAME_USE SidNameUse;
1819 Name[0] = '\0';
1820 Domain[0] = '\0';
1821 ret = LookupAccountSidA(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
1822 if (ret)
1823 {
1824 pConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
1825 trace("%s, %s\\%s use: %d attr: 0x%08x\n", SidString, Domain, Name, SidNameUse, Groups->Groups[i].Attributes);
1826 LocalFree(SidString);
1827 }
1828 else trace("attr: 0x%08x LookupAccountSid failed with error %d\n", Groups->Groups[i].Attributes, GetLastError());
1829 }
1830 HeapFree(GetProcessHeap(), 0, Groups);
1831
1832 /* user */
1833 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
1834 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1835 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1836 User = HeapAlloc(GetProcessHeap(), 0, Size);
1837 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
1838 ok(ret,
1839 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1840
1841 pConvertSidToStringSidA(User->User.Sid, &SidString);
1842 trace("TokenUser: %s attr: 0x%08x\n", SidString, User->User.Attributes);
1843 LocalFree(SidString);
1844 HeapFree(GetProcessHeap(), 0, User);
1845
1846 /* privileges */
1847 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
1848 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1849 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1850 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
1851 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
1852 ok(ret,
1853 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1854 trace("TokenPrivileges:\n");
1855 for (i = 0; i < Privileges->PrivilegeCount; i++)
1856 {
1857 CHAR Name[256];
1858 DWORD NameLen = sizeof(Name)/sizeof(Name[0]);
1859 LookupPrivilegeNameA(NULL, &Privileges->Privileges[i].Luid, Name, &NameLen);
1860 trace("\t%s, 0x%x\n", Name, Privileges->Privileges[i].Attributes);
1861 }
1862 HeapFree(GetProcessHeap(), 0, Privileges);
1863
1864 ret = DuplicateToken(Token, SecurityAnonymous, &ImpersonationToken);
1865 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
1866
1867 Size = sizeof(ImpersonationLevel);
1868 ret = GetTokenInformation(ImpersonationToken, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1869 ok(ret, "GetTokenInformation(TokenImpersonationLevel) failed with error %d\n", GetLastError());
1870 ok(ImpersonationLevel == SecurityAnonymous, "ImpersonationLevel should have been SecurityAnonymous instead of %d\n", ImpersonationLevel);
1871
1872 CloseHandle(ImpersonationToken);
1873
1874 /* default dacl */
1875 ret = GetTokenInformation(Token, TokenDefaultDacl, NULL, 0, &Size);
1876 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1877 "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1878
1879 Dacl = HeapAlloc(GetProcessHeap(), 0, Size);
1880 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size);
1881 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1882
1883 SetLastError(0xdeadbeef);
1884 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, 0);
1885 GLE = GetLastError();
1886 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1887 ok(GLE == ERROR_BAD_LENGTH, "expected ERROR_BAD_LENGTH got %u\n", GLE);
1888
1889 SetLastError(0xdeadbeef);
1890 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, Size);
1891 GLE = GetLastError();
1892 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1893 ok(GLE == ERROR_NOACCESS, "expected ERROR_NOACCESS got %u\n", GLE);
1894
1895 acl = Dacl->DefaultDacl;
1896 Dacl->DefaultDacl = NULL;
1897
1898 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1899 ok(ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1900
1901 Size2 = 0;
1902 Dacl->DefaultDacl = (ACL *)0xdeadbeef;
1903 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1904 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1905 ok(Dacl->DefaultDacl == NULL, "expected NULL, got %p\n", Dacl->DefaultDacl);
1906 ok(Size2 == sizeof(TOKEN_DEFAULT_DACL) || broken(Size2 == 2*sizeof(TOKEN_DEFAULT_DACL)), /* WoW64 */
1907 "got %u expected sizeof(TOKEN_DEFAULT_DACL)\n", Size2);
1908
1909 Dacl->DefaultDacl = acl;
1910 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1911 ok(ret, "SetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1912
1913 if (Size2 == sizeof(TOKEN_DEFAULT_DACL)) {
1914 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1915 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1916 } else
1917 win_skip("TOKEN_DEFAULT_DACL size too small on WoW64\n");
1918
1919 HeapFree(GetProcessHeap(), 0, Dacl);
1920 CloseHandle(Token);
1921 }
1922
1923 static void test_GetTokenInformation(void)
1924 {
1925 DWORD is_app_container, size;
1926 HANDLE token;
1927 BOOL ret;
1928
1929 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
1930 ok(ret, "OpenProcessToken failed: %u\n", GetLastError());
1931
1932 size = 0;
1933 is_app_container = 0xdeadbeef;
1934 ret = GetTokenInformation(token, TokenIsAppContainer, &is_app_container,
1935 sizeof(is_app_container), &size);
1936 ok(ret || broken(GetLastError() == ERROR_INVALID_PARAMETER ||
1937 GetLastError() == ERROR_INVALID_FUNCTION), /* pre-win8 */
1938 "GetTokenInformation failed: %u\n", GetLastError());
1939 if(ret) {
1940 ok(size == sizeof(is_app_container), "size = %u\n", size);
1941 ok(!is_app_container, "is_app_container = %x\n", is_app_container);
1942 }
1943
1944 CloseHandle(token);
1945 }
1946
1947 typedef union _MAX_SID
1948 {
1949 SID sid;
1950 char max[SECURITY_MAX_SID_SIZE];
1951 } MAX_SID;
1952
1953 static void test_sid_str(PSID * sid)
1954 {
1955 char *str_sid;
1956 BOOL ret = pConvertSidToStringSidA(sid, &str_sid);
1957 ok(ret, "ConvertSidToStringSidA() failed: %d\n", GetLastError());
1958 if (ret)
1959 {
1960 char account[MAX_PATH], domain[MAX_PATH];
1961 SID_NAME_USE use;
1962 DWORD acc_size = MAX_PATH;
1963 DWORD dom_size = MAX_PATH;
1964 ret = LookupAccountSidA (NULL, sid, account, &acc_size, domain, &dom_size, &use);
1965 ok(ret || GetLastError() == ERROR_NONE_MAPPED,
1966 "LookupAccountSid(%s) failed: %d\n", str_sid, GetLastError());
1967 if (ret)
1968 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
1969 else if (GetLastError() == ERROR_NONE_MAPPED)
1970 trace(" %s couldn't be mapped\n", str_sid);
1971 LocalFree(str_sid);
1972 }
1973 }
1974
1975 static const struct well_known_sid_value
1976 {
1977 BOOL without_domain;
1978 const char *sid_string;
1979 } well_known_sid_values[] = {
1980 /* 0 */ {TRUE, "S-1-0-0"}, {TRUE, "S-1-1-0"}, {TRUE, "S-1-2-0"}, {TRUE, "S-1-3-0"},
1981 /* 4 */ {TRUE, "S-1-3-1"}, {TRUE, "S-1-3-2"}, {TRUE, "S-1-3-3"}, {TRUE, "S-1-5"},
1982 /* 8 */ {FALSE, "S-1-5-1"}, {TRUE, "S-1-5-2"}, {TRUE, "S-1-5-3"}, {TRUE, "S-1-5-4"},
1983 /* 12 */ {TRUE, "S-1-5-6"}, {TRUE, "S-1-5-7"}, {TRUE, "S-1-5-8"}, {TRUE, "S-1-5-9"},
1984 /* 16 */ {TRUE, "S-1-5-10"}, {TRUE, "S-1-5-11"}, {TRUE, "S-1-5-12"}, {TRUE, "S-1-5-13"},
1985 /* 20 */ {TRUE, "S-1-5-14"}, {FALSE, NULL}, {TRUE, "S-1-5-18"}, {TRUE, "S-1-5-19"},
1986 /* 24 */ {TRUE, "S-1-5-20"}, {TRUE, "S-1-5-32"},
1987 /* 26 */ {FALSE, "S-1-5-32-544"}, {TRUE, "S-1-5-32-545"}, {TRUE, "S-1-5-32-546"},
1988 /* 29 */ {TRUE, "S-1-5-32-547"}, {TRUE, "S-1-5-32-548"}, {TRUE, "S-1-5-32-549"},
1989 /* 32 */ {TRUE, "S-1-5-32-550"}, {TRUE, "S-1-5-32-551"}, {TRUE, "S-1-5-32-552"},
1990 /* 35 */ {TRUE, "S-1-5-32-554"}, {TRUE, "S-1-5-32-555"}, {TRUE, "S-1-5-32-556"},
1991 /* 38 */ {FALSE, "S-1-5-21-12-23-34-45-56-500"}, {FALSE, "S-1-5-21-12-23-34-45-56-501"},
1992 /* 40 */ {FALSE, "S-1-5-21-12-23-34-45-56-502"}, {FALSE, "S-1-5-21-12-23-34-45-56-512"},
1993 /* 42 */ {FALSE, "S-1-5-21-12-23-34-45-56-513"}, {FALSE, "S-1-5-21-12-23-34-45-56-514"},
1994 /* 44 */ {FALSE, "S-1-5-21-12-23-34-45-56-515"}, {FALSE, "S-1-5-21-12-23-34-45-56-516"},
1995 /* 46 */ {FALSE, "S-1-5-21-12-23-34-45-56-517"}, {FALSE, "S-1-5-21-12-23-34-45-56-518"},
1996 /* 48 */ {FALSE, "S-1-5-21-12-23-34-45-56-519"}, {FALSE, "S-1-5-21-12-23-34-45-56-520"},
1997 /* 50 */ {FALSE, "S-1-5-21-12-23-34-45-56-553"},
1998 /* Added in Windows Server 2003 */
1999 /* 51 */ {TRUE, "S-1-5-64-10"}, {TRUE, "S-1-5-64-21"}, {TRUE, "S-1-5-64-14"},
2000 /* 54 */ {TRUE, "S-1-5-15"}, {TRUE, "S-1-5-1000"}, {FALSE, "S-1-5-32-557"},
2001 /* 57 */ {TRUE, "S-1-5-32-558"}, {TRUE, "S-1-5-32-559"}, {TRUE, "S-1-5-32-560"},
2002 /* 60 */ {TRUE, "S-1-5-32-561"}, {TRUE, "S-1-5-32-562"},
2003 /* Added in Windows Vista: */
2004 /* 62 */ {TRUE, "S-1-5-32-568"},
2005 /* 63 */ {TRUE, "S-1-5-17"}, {FALSE, "S-1-5-32-569"}, {TRUE, "S-1-16-0"},
2006 /* 66 */ {TRUE, "S-1-16-4096"}, {TRUE, "S-1-16-8192"}, {TRUE, "S-1-16-12288"},
2007 /* 69 */ {TRUE, "S-1-16-16384"}, {TRUE, "S-1-5-33"}, {TRUE, "S-1-3-4"},
2008 /* 72 */ {FALSE, "S-1-5-21-12-23-34-45-56-571"}, {FALSE, "S-1-5-21-12-23-34-45-56-572"},
2009 /* 74 */ {TRUE, "S-1-5-22"}, {FALSE, "S-1-5-21-12-23-34-45-56-521"}, {TRUE, "S-1-5-32-573"},
2010 /* 77 */ {FALSE, "S-1-5-21-12-23-34-45-56-498"}, {TRUE, "S-1-5-32-574"}, {TRUE, "S-1-16-8448"},
2011 /* 80 */ {FALSE, NULL}, {TRUE, "S-1-2-1"}, {TRUE, "S-1-5-65-1"}, {FALSE, NULL},
2012 /* 84 */ {TRUE, "S-1-15-2-1"},
2013 };
2014
2015 static void test_CreateWellKnownSid(void)
2016 {
2017 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2018 PSID domainsid, sid;
2019 DWORD size, error;
2020 BOOL ret;
2021 unsigned int i;
2022
2023 if (!pCreateWellKnownSid)
2024 {
2025 win_skip("CreateWellKnownSid not available\n");
2026 return;
2027 }
2028
2029 size = 0;
2030 SetLastError(0xdeadbeef);
2031 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2032 error = GetLastError();
2033 ok(!ret, "CreateWellKnownSid succeeded\n");
2034 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2035 ok(size, "expected size > 0\n");
2036
2037 SetLastError(0xdeadbeef);
2038 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2039 error = GetLastError();
2040 ok(!ret, "CreateWellKnownSid succeeded\n");
2041 ok(error == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %u\n", error);
2042
2043 sid = HeapAlloc(GetProcessHeap(), 0, size);
2044 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, sid, &size);
2045 ok(ret, "CreateWellKnownSid failed %u\n", GetLastError());
2046 HeapFree(GetProcessHeap(), 0, sid);
2047
2048 /* a domain sid usually have three subauthorities but we test that CreateWellKnownSid doesn't check it */
2049 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2050
2051 for (i = 0; i < sizeof(well_known_sid_values)/sizeof(well_known_sid_values[0]); i++)
2052 {
2053 const struct well_known_sid_value *value = &well_known_sid_values[i];
2054 char sid_buffer[SECURITY_MAX_SID_SIZE];
2055 LPSTR str;
2056 DWORD cb;
2057
2058 if (value->sid_string == NULL)
2059 continue;
2060
2061 /* some SIDs aren't implemented by all Windows versions - detect it */
2062 cb = sizeof(sid_buffer);
2063 if (!pCreateWellKnownSid(i, NULL, sid_buffer, &cb))
2064 {
2065 skip("Well known SID %u not implemented\n", i);
2066 continue;
2067 }
2068
2069 cb = sizeof(sid_buffer);
2070 ok(pCreateWellKnownSid(i, value->without_domain ? NULL : domainsid, sid_buffer, &cb), "Couldn't create well known sid %u\n", i);
2071 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2072 ok(IsValidSid(sid_buffer), "The sid is not valid\n");
2073 ok(pConvertSidToStringSidA(sid_buffer, &str), "Couldn't convert SID to string\n");
2074 ok(strcmp(str, value->sid_string) == 0, "%d: SID mismatch - expected %s, got %s\n", i,
2075 value->sid_string, str);
2076 LocalFree(str);
2077
2078 if (value->without_domain)
2079 {
2080 char buf2[SECURITY_MAX_SID_SIZE];
2081 cb = sizeof(buf2);
2082 ok(pCreateWellKnownSid(i, domainsid, buf2, &cb), "Couldn't create well known sid %u with optional domain\n", i);
2083 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2084 ok(memcmp(buf2, sid_buffer, cb) == 0, "SID create with domain is different than without (%u)\n", i);
2085 }
2086 }
2087
2088 FreeSid(domainsid);
2089 }
2090
2091 static void test_LookupAccountSid(void)
2092 {
2093 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
2094 CHAR accountA[MAX_PATH], domainA[MAX_PATH], usernameA[MAX_PATH];
2095 DWORD acc_sizeA, dom_sizeA, user_sizeA;
2096 DWORD real_acc_sizeA, real_dom_sizeA;
2097 WCHAR accountW[MAX_PATH], domainW[MAX_PATH];
2098 DWORD acc_sizeW, dom_sizeW;
2099 DWORD real_acc_sizeW, real_dom_sizeW;
2100 PSID pUsersSid = NULL;
2101 SID_NAME_USE use;
2102 BOOL ret;
2103 DWORD error, size, cbti = 0;
2104 MAX_SID max_sid;
2105 CHAR *str_sidA;
2106 int i;
2107 HANDLE hToken;
2108 PTOKEN_USER ptiUser = NULL;
2109
2110 /* native windows crashes if account size, domain size, or name use is NULL */
2111
2112 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
2113 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
2114 ok(ret || (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED),
2115 "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2116
2117 /* not running on NT so give up */
2118 if (!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2119 return;
2120
2121 real_acc_sizeA = MAX_PATH;
2122 real_dom_sizeA = MAX_PATH;
2123 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2124 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2125
2126 /* try NULL account */
2127 acc_sizeA = MAX_PATH;
2128 dom_sizeA = MAX_PATH;
2129 ret = LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2130 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2131
2132 /* try NULL domain */
2133 acc_sizeA = MAX_PATH;
2134 dom_sizeA = MAX_PATH;
2135 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2136 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2137
2138 /* try a small account buffer */
2139 acc_sizeA = 1;
2140 dom_sizeA = MAX_PATH;
2141 accountA[0] = 0;
2142 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2143 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2144 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2145 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2146
2147 /* try a 0 sized account buffer */
2148 acc_sizeA = 0;
2149 dom_sizeA = MAX_PATH;
2150 accountA[0] = 0;
2151 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2152 /* this can fail or succeed depending on OS version but the size will always be returned */
2153 ok(acc_sizeA == real_acc_sizeA + 1,
2154 "LookupAccountSidA() Expected acc_size = %u, got %u\n",
2155 real_acc_sizeA + 1, acc_sizeA);
2156
2157 /* try a 0 sized account buffer */
2158 acc_sizeA = 0;
2159 dom_sizeA = MAX_PATH;
2160 LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2161 /* this can fail or succeed depending on OS version but the size will always be returned */
2162 ok(acc_sizeA == real_acc_sizeA + 1,
2163 "LookupAccountSid() Expected acc_size = %u, got %u\n",
2164 real_acc_sizeA + 1, acc_sizeA);
2165
2166 /* try a small domain buffer */
2167 dom_sizeA = 1;
2168 acc_sizeA = MAX_PATH;
2169 accountA[0] = 0;
2170 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2171 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2172 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2173 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2174
2175 /* try a 0 sized domain buffer */
2176 dom_sizeA = 0;
2177 acc_sizeA = MAX_PATH;
2178 accountA[0] = 0;
2179 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2180 /* this can fail or succeed depending on OS version but the size will always be returned */
2181 ok(dom_sizeA == real_dom_sizeA + 1,
2182 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2183 real_dom_sizeA + 1, dom_sizeA);
2184
2185 /* try a 0 sized domain buffer */
2186 dom_sizeA = 0;
2187 acc_sizeA = MAX_PATH;
2188 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2189 /* this can fail or succeed depending on OS version but the size will always be returned */
2190 ok(dom_sizeA == real_dom_sizeA + 1,
2191 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2192 real_dom_sizeA + 1, dom_sizeA);
2193
2194 real_acc_sizeW = MAX_PATH;
2195 real_dom_sizeW = MAX_PATH;
2196 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &real_acc_sizeW, domainW, &real_dom_sizeW, &use);
2197 ok(ret, "LookupAccountSidW() Expected TRUE, got FALSE\n");
2198
2199 /* try an invalid system name */
2200 real_acc_sizeA = MAX_PATH;
2201 real_dom_sizeA = MAX_PATH;
2202 ret = LookupAccountSidA("deepthought", pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2203 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2204 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2205 "LookupAccountSidA() Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %u\n", GetLastError());
2206
2207 /* native windows crashes if domainW or accountW is NULL */
2208
2209 /* try a small account buffer */
2210 acc_sizeW = 1;
2211 dom_sizeW = MAX_PATH;
2212 accountW[0] = 0;
2213 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2214 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2215 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2216 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2217
2218 /* try a 0 sized account buffer */
2219 acc_sizeW = 0;
2220 dom_sizeW = MAX_PATH;
2221 accountW[0] = 0;
2222 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2223 /* this can fail or succeed depending on OS version but the size will always be returned */
2224 ok(acc_sizeW == real_acc_sizeW + 1,
2225 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2226 real_acc_sizeW + 1, acc_sizeW);
2227
2228 /* try a 0 sized account buffer */
2229 acc_sizeW = 0;
2230 dom_sizeW = MAX_PATH;
2231 LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, domainW, &dom_sizeW, &use);
2232 /* this can fail or succeed depending on OS version but the size will always be returned */
2233 ok(acc_sizeW == real_acc_sizeW + 1,
2234 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2235 real_acc_sizeW + 1, acc_sizeW);
2236
2237 /* try a small domain buffer */
2238 dom_sizeW = 1;
2239 acc_sizeW = MAX_PATH;
2240 accountW[0] = 0;
2241 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2242 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2243 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2244 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2245
2246 /* try a 0 sized domain buffer */
2247 dom_sizeW = 0;
2248 acc_sizeW = MAX_PATH;
2249 accountW[0] = 0;
2250 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2251 /* this can fail or succeed depending on OS version but the size will always be returned */
2252 ok(dom_sizeW == real_dom_sizeW + 1,
2253 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2254 real_dom_sizeW + 1, dom_sizeW);
2255
2256 /* try a 0 sized domain buffer */
2257 dom_sizeW = 0;
2258 acc_sizeW = MAX_PATH;
2259 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, NULL, &dom_sizeW, &use);
2260 /* this can fail or succeed depending on OS version but the size will always be returned */
2261 ok(dom_sizeW == real_dom_sizeW + 1,
2262 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2263 real_dom_sizeW + 1, dom_sizeW);
2264
2265 acc_sizeW = dom_sizeW = use = 0;
2266 SetLastError(0xdeadbeef);
2267 ret = LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, NULL, &dom_sizeW, &use);
2268 error = GetLastError();
2269 ok(!ret, "LookupAccountSidW failed %u\n", GetLastError());
2270 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2271 ok(acc_sizeW, "expected non-zero account size\n");
2272 ok(dom_sizeW, "expected non-zero domain size\n");
2273 ok(!use, "expected zero use %u\n", use);
2274
2275 FreeSid(pUsersSid);
2276
2277 /* Test LookupAccountSid with Sid retrieved from token information.
2278 This assumes this process is running under the account of the current user.*/
2279 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_DUPLICATE, &hToken);
2280 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
2281 ret = GetTokenInformation(hToken, TokenUser, NULL, 0, &cbti);
2282 ok(!ret, "GetTokenInformation failed with error %d\n", GetLastError());
2283 ptiUser = HeapAlloc(GetProcessHeap(), 0, cbti);
2284 if (GetTokenInformation(hToken, TokenUser, ptiUser, cbti, &cbti))
2285 {
2286 acc_sizeA = dom_sizeA = MAX_PATH;
2287 ret = LookupAccountSidA(NULL, ptiUser->User.Sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2288 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2289 user_sizeA = MAX_PATH;
2290 ret = GetUserNameA(usernameA , &user_sizeA);
2291 ok(ret, "GetUserNameA() Expected TRUE, got FALSE\n");
2292 ok(lstrcmpA(usernameA, accountA) == 0, "LookupAccountSidA() Expected account name: %s got: %s\n", usernameA, accountA );
2293 }
2294 HeapFree(GetProcessHeap(), 0, ptiUser);
2295
2296 if (pCreateWellKnownSid && pConvertSidToStringSidA)
2297 {
2298 trace("Well Known SIDs:\n");
2299 for (i = 0; i <= 60; i++)
2300 {
2301 size = SECURITY_MAX_SID_SIZE;
2302 if (pCreateWellKnownSid(i, NULL, &max_sid.sid, &size))
2303 {
2304 if (pConvertSidToStringSidA(&max_sid.sid, &str_sidA))
2305 {
2306 acc_sizeA = MAX_PATH;
2307 dom_sizeA = MAX_PATH;
2308 if (LookupAccountSidA(NULL, &max_sid.sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use))
2309 trace(" %d: %s %s\\%s %d\n", i, str_sidA, domainA, accountA, use);
2310 LocalFree(str_sidA);
2311 }
2312 }
2313 else
2314 {
2315 if (GetLastError() != ERROR_INVALID_PARAMETER)
2316 trace(" CreateWellKnownSid(%d) failed: %d\n", i, GetLastError());
2317 else
2318 trace(" %d: not supported\n", i);
2319 }
2320 }
2321
2322 pLsaQueryInformationPolicy = (void *)GetProcAddress( hmod, "LsaQueryInformationPolicy");
2323 pLsaOpenPolicy = (void *)GetProcAddress( hmod, "LsaOpenPolicy");
2324 pLsaFreeMemory = (void *)GetProcAddress( hmod, "LsaFreeMemory");
2325 pLsaClose = (void *)GetProcAddress( hmod, "LsaClose");
2326
2327 if (pLsaQueryInformationPolicy && pLsaOpenPolicy && pLsaFreeMemory && pLsaClose)
2328 {
2329 NTSTATUS status;
2330 LSA_HANDLE handle;
2331 LSA_OBJECT_ATTRIBUTES object_attributes;
2332
2333 ZeroMemory(&object_attributes, sizeof(object_attributes));
2334 object_attributes.Length = sizeof(object_attributes);
2335
2336 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_ALL_ACCESS, &handle);
2337 ok(status == STATUS_SUCCESS || status == STATUS_ACCESS_DENIED,
2338 "LsaOpenPolicy(POLICY_ALL_ACCESS) returned 0x%08x\n", status);
2339
2340 /* try a more restricted access mask if necessary */
2341 if (status == STATUS_ACCESS_DENIED) {
2342 trace("LsaOpenPolicy(POLICY_ALL_ACCESS) failed, trying POLICY_VIEW_LOCAL_INFORMATION\n");
2343 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_VIEW_LOCAL_INFORMATION, &handle);
2344 ok(status == STATUS_SUCCESS, "LsaOpenPolicy(POLICY_VIEW_LOCAL_INFORMATION) returned 0x%08x\n", status);
2345 }
2346
2347 if (status == STATUS_SUCCESS)
2348 {
2349 PPOLICY_ACCOUNT_DOMAIN_INFO info;
2350 status = pLsaQueryInformationPolicy(handle, PolicyAccountDomainInformation, (PVOID*)&info);
2351 ok(status == STATUS_SUCCESS, "LsaQueryInformationPolicy() failed, returned 0x%08x\n", status);
2352 if (status == STATUS_SUCCESS)
2353 {
2354 ok(info->DomainSid!=0, "LsaQueryInformationPolicy(PolicyAccountDomainInformation) missing SID\n");
2355 if (info->DomainSid)
2356 {
2357 int count = *GetSidSubAuthorityCount(info->DomainSid);
2358 CopySid(GetSidLengthRequired(count), &max_sid, info->DomainSid);
2359 test_sid_str((PSID)&max_sid.sid);
2360 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_ADMIN;
2361 max_sid.sid.SubAuthorityCount = count + 1;
2362 test_sid_str((PSID)&max_sid.sid);
2363 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_GUEST;
2364 test_sid_str((PSID)&max_sid.sid);
2365 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ADMINS;
2366 test_sid_str((PSID)&max_sid.sid);
2367 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_USERS;
2368 test_sid_str((PSID)&max_sid.sid);
2369 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_GUESTS;
2370 test_sid_str((PSID)&max_sid.sid);
2371 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_COMPUTERS;
2372 test_sid_str((PSID)&max_sid.sid);
2373 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CONTROLLERS;
2374 test_sid_str((PSID)&max_sid.sid);
2375 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CERT_ADMINS;
2376 test_sid_str((PSID)&max_sid.sid);
2377 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_SCHEMA_ADMINS;
2378 test_sid_str((PSID)&max_sid.sid);
2379 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS;
2380 test_sid_str((PSID)&max_sid.sid);
2381 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_POLICY_ADMINS;
2382 test_sid_str((PSID)&max_sid.sid);
2383 max_sid.sid.SubAuthority[count] = DOMAIN_ALIAS_RID_RAS_SERVERS;
2384 test_sid_str((PSID)&max_sid.sid);
2385 max_sid.sid.SubAuthority[count] = 1000; /* first user account */
2386 test_sid_str((PSID)&max_sid.sid);
2387 }
2388
2389 pLsaFreeMemory((LPVOID)info);
2390 }
2391
2392 status = pLsaClose(handle);
2393 ok(status == STATUS_SUCCESS, "LsaClose() failed, returned 0x%08x\n", status);
2394 }
2395 }
2396 }
2397 }
2398
2399 static BOOL get_sid_info(PSID psid, LPSTR *user, LPSTR *dom)
2400 {
2401 static CHAR account[UNLEN + 1];
2402 static CHAR domain[UNLEN + 1];
2403 DWORD size, dom_size;
2404 SID_NAME_USE use;
2405
2406 *user = account;
2407 *dom = domain;
2408
2409 size = dom_size = UNLEN + 1;
2410 account[0] = '\0';
2411 domain[0] = '\0';
2412 SetLastError(0xdeadbeef);
2413 return LookupAccountSidA(NULL, psid, account, &size, domain, &dom_size, &use);
2414 }
2415
2416 static void check_wellknown_name(const char* name, WELL_KNOWN_SID_TYPE result)
2417 {
2418 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2419 PSID domainsid = NULL;
2420 char wk_sid[SECURITY_MAX_SID_SIZE];
2421 DWORD cb;
2422
2423 DWORD sid_size, domain_size;
2424 SID_NAME_USE sid_use;
2425 LPSTR domain, account, sid_domain, wk_domain, wk_account;
2426 PSID psid;
2427 BOOL ret ,ret2;
2428
2429 sid_size = 0;
2430 domain_size = 0;
2431 ret = LookupAccountNameA(NULL, name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2432 ok(!ret, " %s Should have failed to lookup account name\n", name);
2433 psid = HeapAlloc(GetProcessHeap(),0,sid_size);
2434 domain = HeapAlloc(GetProcessHeap(),0,domain_size);
2435 ret = LookupAccountNameA(NULL, name, psid, &sid_size, domain, &domain_size, &sid_use);
2436
2437 if (!result)
2438 {
2439 ok(!ret, " %s Should have failed to lookup account name\n",name);
2440 goto cleanup;
2441 }
2442
2443 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2444 cb = sizeof(wk_sid);
2445 if (!pCreateWellKnownSid(result, domainsid, wk_sid, &cb))
2446 {
2447 win_skip("SID %i is not available on the system\n",result);
2448 goto cleanup;
2449 }
2450
2451 ret2 = get_sid_info(wk_sid, &wk_account, &wk_domain);
2452 if (!ret2 && GetLastError() == ERROR_NONE_MAPPED)
2453 {
2454 win_skip("CreateWellKnownSid() succeeded but the account '%s' is not present (W2K)\n", name);
2455 goto cleanup;
2456 }
2457
2458 get_sid_info(psid, &account, &sid_domain);
2459
2460 ok(ret, "Failed to lookup account name %s\n",name);
2461 ok(sid_size != 0, "sid_size was zero\n");
2462
2463 ok(EqualSid(psid,wk_sid),"%s Sid %s fails to match well known sid %s!\n",
2464 name, debugstr_sid(psid), debugstr_sid(wk_sid));
2465
2466 ok(!lstrcmpA(account, wk_account), "Expected %s , got %s\n", account, wk_account);
2467 ok(!lstrcmpA(domain, wk_domain), "Expected %s, got %s\n", wk_domain, domain);
2468 ok(sid_use == SidTypeWellKnownGroup , "Expected Use (5), got %d\n", sid_use);
2469
2470 cleanup:
2471 FreeSid(domainsid);
2472 HeapFree(GetProcessHeap(),0,psid);
2473 HeapFree(GetProcessHeap(),0,domain);
2474 }
2475
2476 static void test_LookupAccountName(void)
2477 {
2478 DWORD sid_size, domain_size, user_size;
2479 DWORD sid_save, domain_save;
2480 CHAR user_name[UNLEN + 1];
2481 CHAR computer_name[UNLEN + 1];
2482 SID_NAME_USE sid_use;
2483 LPSTR domain, account, sid_dom;
2484 PSID psid;
2485 BOOL ret;
2486
2487 /* native crashes if (assuming all other parameters correct):
2488 * - peUse is NULL
2489 * - Sid is NULL and cbSid is > 0
2490 * - cbSid or cchReferencedDomainName are NULL
2491 * - ReferencedDomainName is NULL and cchReferencedDomainName is the correct size
2492 */
2493
2494 user_size = UNLEN + 1;
2495 SetLastError(0xdeadbeef);
2496 ret = GetUserNameA(user_name, &user_size);
2497 ok(ret, "Failed to get user name : %d\n", GetLastError());
2498
2499 /* get sizes */
2500 sid_size = 0;
2501 domain_size = 0;
2502 sid_use = 0xcafebabe;
2503 SetLastError(0xdeadbeef);
2504 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2505 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2506 {
2507 win_skip("LookupAccountNameA is not implemented\n");
2508 return;
2509 }
2510 ok(!ret, "Expected 0, got %d\n", ret);
2511 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2512 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2513 ok(sid_size != 0, "Expected non-zero sid size\n");
2514 ok(domain_size != 0, "Expected non-zero domain size\n");
2515 ok(sid_use == 0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2516
2517 sid_save = sid_size;
2518 domain_save = domain_size;
2519
2520 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2521 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2522
2523 /* try valid account name */
2524 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, domain, &domain_size, &sid_use);
2525 get_sid_info(psid, &account, &sid_dom);
2526 ok(ret, "Failed to lookup account name\n");
2527 ok(sid_size == GetLengthSid(psid), "Expected %d, got %d\n", GetLengthSid(psid), sid_size);
2528 ok(!lstrcmpA(account, user_name), "Expected %s, got %s\n", user_name, account);
2529 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2530 ok(domain_size == domain_save - 1, "Expected %d, got %d\n", domain_save - 1, domain_size);
2531 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2532 ok(sid_use == SidTypeUser, "Expected SidTypeUser (%d), got %d\n", SidTypeUser, sid_use);
2533 domain_size = domain_save;
2534 sid_size = sid_save;
2535
2536 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2537 {
2538 skip("Non-English locale (test with hardcoded 'Everyone')\n");
2539 }
2540 else
2541 {
2542 ret = LookupAccountNameA(NULL, "Everyone", psid, &sid_size, domain, &domain_size, &sid_use);
2543 get_sid_info(psid, &account, &sid_dom);
2544 ok(ret, "Failed to lookup account name\n");
2545 ok(sid_size != 0, "sid_size was zero\n");
2546 ok(!lstrcmpA(account, "Everyone"), "Expected Everyone, got %s\n", account);
2547 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2548 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2549 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2550 ok(sid_use == SidTypeWellKnownGroup, "Expected SidTypeWellKnownGroup (%d), got %d\n", SidTypeWellKnownGroup, sid_use);
2551 domain_size = domain_save;
2552 }
2553
2554 /* NULL Sid with zero sid size */
2555 SetLastError(0xdeadbeef);
2556 sid_size = 0;
2557 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2558 ok(!ret, "Expected 0, got %d\n", ret);
2559 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2560 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2561 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2562 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2563
2564 /* try cchReferencedDomainName - 1 */
2565 SetLastError(0xdeadbeef);
2566 domain_size--;
2567 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2568 ok(!ret, "Expected 0, got %d\n", ret);
2569 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2570 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2571 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2572 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2573
2574 /* NULL ReferencedDomainName with zero domain name size */
2575 SetLastError(0xdeadbeef);
2576 domain_size = 0;
2577 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, NULL, &domain_size, &sid_use);
2578 ok(!ret, "Expected 0, got %d\n", ret);
2579 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2580 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2581 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2582 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2583
2584 HeapFree(GetProcessHeap(), 0, psid);
2585 HeapFree(GetProcessHeap(), 0, domain);
2586
2587 /* get sizes for NULL account name */
2588 sid_size = 0;
2589 domain_size = 0;
2590 sid_use = 0xcafebabe;
2591 SetLastError(0xdeadbeef);
2592 ret = LookupAccountNameA(NULL, NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2593 if (!ret && GetLastError() == ERROR_NONE_MAPPED)
2594 win_skip("NULL account name doesn't work on NT4\n");
2595 else
2596 {
2597 ok(!ret, "Expected 0, got %d\n", ret);
2598 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2599 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2600 ok(sid_size != 0, "Expected non-zero sid size\n");
2601 ok(domain_size != 0, "Expected non-zero domain size\n");
2602 ok(sid_use == 0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2603
2604 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2605 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2606
2607 /* try NULL account name */
2608 ret = LookupAccountNameA(NULL, NULL, psid, &sid_size, domain, &domain_size, &sid_use);
2609 get_sid_info(psid, &account, &sid_dom);
2610 ok(ret, "Failed to lookup account name\n");
2611 /* Using a fixed string will not work on different locales */
2612 ok(!lstrcmpiA(account, domain),
2613 "Got %s for account and %s for domain, these should be the same\n", account, domain);
2614 ok(sid_use == SidTypeDomain, "Expected SidTypeDomain (%d), got %d\n", SidTypeDomain, sid_use);
2615
2616 HeapFree(GetProcessHeap(), 0, psid);
2617 HeapFree(GetProcessHeap(), 0, domain);
2618 }
2619
2620 /* try an invalid account name */
2621 SetLastError(0xdeadbeef);
2622 sid_size = 0;
2623 domain_size = 0;
2624 ret = LookupAccountNameA(NULL, "oogabooga", NULL, &sid_size, NULL, &domain_size, &sid_use);
2625 ok(!ret, "Expected 0, got %d\n", ret);
2626 ok(GetLastError() == ERROR_NONE_MAPPED ||
2627 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE),
2628 "Expected ERROR_NONE_MAPPED, got %d\n", GetLastError());
2629 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2630 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2631
2632 /* try an invalid system name */
2633 SetLastError(0xdeadbeef);
2634 sid_size = 0;
2635 domain_size = 0;
2636 ret = LookupAccountNameA("deepthought", NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2637 ok(!ret, "Expected 0, got %d\n", ret);
2638 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2639 "Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %d\n", GetLastError());
2640 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2641 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2642
2643 /* try with the computer name as the account name */
2644 domain_size = sizeof(computer_name);
2645 GetComputerNameA(computer_name, &domain_size);
2646 sid_size = 0;
2647 domain_size = 0;
2648 ret = LookupAccountNameA(NULL, computer_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2649 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER ||
2650 GetLastError() == ERROR_NONE_MAPPED /* in a domain */ ||
2651 broken(GetLastError() == ERROR_TRUSTED_DOMAIN_FAILURE) ||
2652 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE)),
2653 "LookupAccountNameA failed: %d\n", GetLastError());
2654 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
2655 {
2656 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2657 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2658 ret = LookupAccountNameA(NULL, computer_name, psid, &sid_size, domain, &domain_size, &sid_use);
2659 ok(ret, "LookupAccountNameA failed: %d\n", GetLastError());
2660 ok(sid_use == SidTypeDomain ||
2661 (sid_use == SidTypeUser && ! strcmp(computer_name, user_name)), "expected SidTypeDomain for %s, got %d\n", computer_name, sid_use);
2662 HeapFree(GetProcessHeap(), 0, domain);
2663 HeapFree(GetProcessHeap(), 0, psid);
2664 }
2665
2666 /* Well Known names */
2667 if (!pCreateWellKnownSid)
2668 {
2669 win_skip("CreateWellKnownSid not available\n");
2670 return;
2671 }
2672
2673 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2674 {
2675 skip("Non-English locale (skipping well known name creation tests)\n");
2676 return;
2677 }
2678
2679 check_wellknown_name("LocalService", WinLocalServiceSid);
2680 check_wellknown_name("Local Service", WinLocalServiceSid);
2681 /* 2 spaces */
2682 check_wellknown_name("Local Service", 0);
2683 check_wellknown_name("NetworkService", WinNetworkServiceSid);
2684 check_wellknown_name("Network Service", WinNetworkServiceSid);
2685
2686 /* example of some names where the spaces are not optional */
2687 check_wellknown_name("Terminal Server User", WinTerminalServerSid);
2688 check_wellknown_name("TerminalServer User", 0);
2689 check_wellknown_name("TerminalServerUser", 0);
2690 check_wellknown_name("Terminal ServerUser", 0);
2691
2692 check_wellknown_name("enterprise domain controllers",WinEnterpriseControllersSid);
2693 check_wellknown_name("enterprisedomain controllers", 0);
2694 check_wellknown_name("enterprise domaincontrollers", 0);
2695 check_wellknown_name("enterprisedomaincontrollers", 0);
2696
2697 /* case insensitivity */
2698 check_wellknown_name("lOCAlServICE", WinLocalServiceSid);
2699
2700 /* fully qualified account names */
2701 check_wellknown_name("NT AUTHORITY\\LocalService", WinLocalServiceSid);
2702 check_wellknown_name("nt authority\\Network Service", WinNetworkServiceSid);
2703 check_wellknown_name("nt authority test\\Network Service", 0);
2704 check_wellknown_name("Dummy\\Network Service", 0);
2705 check_wellknown_name("ntauthority\\Network Service", 0);
2706 }
2707
2708 static void test_security_descriptor(void)
2709 {
2710 SECURITY_DESCRIPTOR sd;
2711 char buf[8192];
2712 DWORD size;
2713 BOOL isDefault, isPresent, ret;
2714 PACL pacl;
2715 PSID psid;
2716
2717 SetLastError(0xdeadbeef);
2718 ret = InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
2719 if (ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2720 {
2721 win_skip("InitializeSecurityDescriptor is not implemented\n");
2722 return;
2723 }
2724
2725 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2726 expect_eq(psid, NULL, PSID, "%p");
2727 expect_eq(isDefault, FALSE, BOOL, "%d");
2728 sd.Control |= SE_DACL_PRESENT | SE_SACL_PRESENT;
2729
2730 SetLastError(0xdeadbeef);
2731 size = 5;
2732 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), FALSE, BOOL, "%d");
2733 expect_eq(GetLastError(), ERROR_INSUFFICIENT_BUFFER, DWORD, "%u");
2734 ok(size > 5, "Size not increased\n");
2735 if (size <= 8192)
2736 {
2737 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), TRUE, BOOL, "%d");
2738 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2739 expect_eq(psid, NULL, PSID, "%p");
2740 expect_eq(isDefault, FALSE, BOOL, "%d");
2741 ok(GetSecurityDescriptorGroup(&sd, &psid, &isDefault), "GetSecurityDescriptorGroup failed\n");
2742 expect_eq(psid, NULL, PSID, "%p");
2743 expect_eq(isDefault, FALSE, BOOL, "%d");
2744 ok(GetSecurityDescriptorDacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorDacl failed\n");
2745 expect_eq(isPresent, TRUE, BOOL, "%d");
2746 expect_eq(psid, NULL, PSID, "%p");
2747 expect_eq(isDefault, FALSE, BOOL, "%d");
2748 ok(GetSecurityDescriptorSacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorSacl failed\n");
2749 expect_eq(isPresent, TRUE, BOOL, "%d");
2750 expect_eq(psid, NULL, PSID, "%p");
2751 expect_eq(isDefault, FALSE, BOOL, "%d");
2752 }
2753 }
2754
2755 #define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,0,__LINE__)
2756 #define TEST_GRANTED_ACCESS2(a,b,c) test_granted_access(a,b,c,__LINE__)
2757 static void test_granted_access(HANDLE handle, ACCESS_MASK access,
2758 ACCESS_MASK alt, int line)
2759 {
2760 OBJECT_BASIC_INFORMATION obj_info;
2761 NTSTATUS status;
2762
2763 if (!pNtQueryObject)
2764 {
2765 skip_(__FILE__, line)("Not NT platform - skipping tests\n");
2766 return;
2767 }
2768
2769 status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
2770 sizeof(obj_info), NULL );
2771 ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
2772 if (alt)
2773 ok_(__FILE__, line)(obj_info.GrantedAccess == access ||
2774 obj_info.GrantedAccess == alt, "Granted access should be 0x%08x "
2775 "or 0x%08x, instead of 0x%08x\n", access, alt, obj_info.GrantedAccess);
2776 else
2777 ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Granted access should "
2778 "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
2779 }
2780
2781 #define CHECK_SET_SECURITY(o,i,e) \
2782 do{ \
2783 BOOL res_; \
2784 DWORD err; \
2785 SetLastError( 0xdeadbeef ); \
2786 res_ = SetKernelObjectSecurity( o, i, SecurityDescriptor ); \
2787 err = GetLastError(); \
2788 if (e == ERROR_SUCCESS) \
2789 ok(res_, "SetKernelObjectSecurity failed with %d\n", err); \
2790 else \
2791 ok(!res_ && err == e, "SetKernelObjectSecurity should have failed " \
2792 "with %s, instead of %d\n", #e, err); \
2793 }while(0)
2794
2795 static void test_process_security(void)
2796 {
2797 BOOL res;
2798 PTOKEN_OWNER owner;
2799 PTOKEN_PRIMARY_GROUP group;
2800 PSID AdminSid = NULL, UsersSid = NULL;
2801 PACL Acl = NULL;
2802 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
2803 char buffer[MAX_PATH];
2804 PROCESS_INFORMATION info;
2805 STARTUPINFOA startup;
2806 SECURITY_ATTRIBUTES psa;
2807 HANDLE token, event;
2808 DWORD size;
2809 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
2810 PSID EveryoneSid = NULL;
2811
2812 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
2813 res = InitializeAcl(Acl, 256, ACL_REVISION);
2814 if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2815 {
2816 win_skip("ACLs not implemented - skipping tests\n");
2817 HeapFree(GetProcessHeap(), 0, Acl);
2818 return;
2819 }
2820 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
2821
2822 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
2823 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2824
2825 /* get owner from the token we might be running as a user not admin */
2826 res = OpenProcessToken( GetCurrentProcess(), MAXIMUM_ALLOWED, &token );
2827 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
2828 if (!res)
2829 {
2830 HeapFree(GetProcessHeap(), 0, Acl);
2831 return;
2832 }
2833
2834 res = GetTokenInformation( token, TokenOwner, NULL, 0, &size );
2835 ok(!res, "Expected failure, got %d\n", res);
2836 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2837 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2838
2839 owner = HeapAlloc(GetProcessHeap(), 0, size);
2840 res = GetTokenInformation( token, TokenOwner, owner, size, &size );
2841 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2842 AdminSid = ((TOKEN_OWNER*)owner)->Owner;
2843
2844 res = GetTokenInformation( token, TokenPrimaryGroup, NULL, 0, &size );
2845 ok(!res, "Expected failure, got %d\n", res);
2846 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2847 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2848
2849 group = HeapAlloc(GetProcessHeap(), 0, size);
2850 res = GetTokenInformation( token, TokenPrimaryGroup, group, size, &size );
2851 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2852 UsersSid = ((TOKEN_PRIMARY_GROUP*)group)->PrimaryGroup;
2853
2854 CloseHandle( token );
2855 if (!res)
2856 {
2857 HeapFree(GetProcessHeap(), 0, group);
2858 HeapFree(GetProcessHeap(), 0, owner);
2859 HeapFree(GetProcessHeap(), 0, Acl);
2860 return;
2861 }
2862
2863 res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
2864 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
2865 res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
2866 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
2867
2868 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
2869 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
2870 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
2871
2872 event = CreateEventA( NULL, TRUE, TRUE, "test_event" );
2873 ok(event != NULL, "CreateEvent %d\n", GetLastError());
2874
2875 SecurityDescriptor->Revision = 0;
2876 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_UNKNOWN_REVISION );
2877 SecurityDescriptor->Revision = SECURITY_DESCRIPTOR_REVISION;
2878
2879 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2880 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2881 CHECK_SET_SECURITY( event, SACL_SECURITY_INFORMATION, ERROR_ACCESS_DENIED );
2882 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2883 /* NULL DACL is valid and means that everyone has access */
2884 SecurityDescriptor->Control |= SE_DACL_PRESENT;
2885 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2886
2887 /* Set owner and group and dacl */
2888 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
2889 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
2890 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_SUCCESS );
2891 test_owner_equal( event, AdminSid, __LINE__ );
2892
2893 res = SetSecurityDescriptorGroup(SecurityDescriptor, EveryoneSid, FALSE);
2894 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2895 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2896 test_group_equal( event, EveryoneSid, __LINE__ );
2897
2898 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2899 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2900 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2901 /* setting a dacl should not change the owner or group */
2902 test_owner_equal( event, AdminSid, __LINE__ );
2903 test_group_equal( event, EveryoneSid, __LINE__ );
2904
2905 /* Test again with a different SID in case the previous SID also happens to
2906 * be the one that is incorrectly replacing the group. */
2907 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, FALSE);
2908 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2909 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2910 test_group_equal( event, UsersSid, __LINE__ );
2911
2912 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2913 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2914 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2915 test_group_equal( event, UsersSid, __LINE__ );
2916
2917 sprintf(buffer, "%s tests/security.c test", myARGV[0]);
2918 memset(&startup, 0, sizeof(startup));
2919 startup.cb = sizeof(startup);
2920 startup.dwFlags = STARTF_USESHOWWINDOW;
2921 startup.wShowWindow = SW_SHOWNORMAL;
2922
2923 psa.nLength = sizeof(psa);
2924 psa.lpSecurityDescriptor = SecurityDescriptor;
2925 psa.bInheritHandle = TRUE;
2926
2927 /* Doesn't matter what ACL say we should get full access for ourselves */
2928 res = CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info );
2929 ok(res, "CreateProcess with err:%d\n", GetLastError());
2930 TEST_GRANTED_ACCESS2( info.hProcess, PROCESS_ALL_ACCESS_NT4,
2931 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
2932 winetest_wait_child_process( info.hProcess );
2933
2934 FreeSid(EveryoneSid);
2935 CloseHandle( info.hProcess );
2936 CloseHandle( info.hThread );
2937 CloseHandle( event );
2938 HeapFree(GetProcessHeap(), 0, group);
2939 HeapFree(GetProcessHeap(), 0, owner);
2940 HeapFree(GetProcessHeap(), 0, Acl);
2941 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
2942 }
2943
2944 static void test_process_security_child(void)
2945 {
2946 HANDLE handle, handle1;
2947 BOOL ret;
2948 DWORD err;
2949
2950 handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
2951 ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
2952 TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
2953
2954 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
2955 &handle1, 0, TRUE, DUPLICATE_SAME_ACCESS );
2956 ok(ret, "duplicating handle err:%d\n", GetLastError());
2957 TEST_GRANTED_ACCESS( handle1, PROCESS_TERMINATE );
2958
2959 CloseHandle( handle1 );
2960
2961 SetLastError( 0xdeadbeef );
2962 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
2963 &handle1, PROCESS_ALL_ACCESS, TRUE, 0 );
2964 err = GetLastError();
2965 todo_wine
2966 ok(!ret && err == ERROR_ACCESS_DENIED, "duplicating handle should have failed "
2967 "with STATUS_ACCESS_DENIED, instead of err:%d\n", err);
2968
2969 CloseHandle( handle );
2970
2971 /* These two should fail - they are denied by ACL */
2972 handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
2973 todo_wine
2974 ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
2975 handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
2976 todo_wine
2977 ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
2978
2979 /* Documented privilege elevation */
2980 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
2981 &handle, 0, TRUE, DUPLICATE_SAME_ACCESS );
2982 ok(ret, "duplicating handle err:%d\n", GetLastError());
2983 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
2984 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
2985
2986 CloseHandle( handle );
2987
2988 /* Same only explicitly asking for all access rights */
2989 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
2990 &handle, PROCESS_ALL_ACCESS, TRUE, 0 );
2991 ok(ret, "duplicating handle err:%d\n", GetLastError());
2992 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
2993 PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION );
2994 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
2995 &handle1, PROCESS_VM_READ, TRUE, 0 );
2996 ok(ret, "duplicating handle err:%d\n", GetLastError());
2997 TEST_GRANTED_ACCESS( handle1, PROCESS_VM_READ );
2998 CloseHandle( handle1 );
2999 CloseHandle( handle );
3000 }
3001
3002 static void test_impersonation_level(void)
3003 {
3004 HANDLE Token, ProcessToken;
3005 HANDLE Token2;
3006 DWORD Size;
3007 TOKEN_PRIVILEGES *Privileges;
3008 TOKEN_USER *User;
3009 PRIVILEGE_SET *PrivilegeSet;
3010 BOOL AccessGranted;
3011 BOOL ret;
3012 HKEY hkey;
3013 DWORD error;
3014
3015 pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
3016 if( !pDuplicateTokenEx ) {
3017 win_skip("DuplicateTokenEx is not available\n");
3018 return;
3019 }
3020 SetLastError(0xdeadbeef);
3021 ret = ImpersonateSelf(SecurityAnonymous);
3022 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3023 {
3024 win_skip("ImpersonateSelf is not implemented\n");
3025 return;
3026 }
3027 ok(ret, "ImpersonateSelf(SecurityAnonymous) failed with error %d\n", GetLastError());
3028 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3029 ok(!ret, "OpenThreadToken should have failed\n");
3030 error = GetLastError();
3031 ok(error == ERROR_CANT_OPEN_ANONYMOUS, "OpenThreadToken on anonymous token should have returned ERROR_CANT_OPEN_ANONYMOUS instead of %d\n", error);
3032 /* can't perform access check when opening object against an anonymous impersonation token */
3033 todo_wine {
3034 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3035 ok(error == ERROR_INVALID_HANDLE || error == ERROR_CANT_OPEN_ANONYMOUS || error == ERROR_BAD_IMPERSONATION_LEVEL,
3036 "RegOpenKeyEx failed with %d\n", error);
3037 }
3038 RevertToSelf();
3039
3040 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &ProcessToken);
3041 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
3042
3043 ret = pDuplicateTokenEx(ProcessToken,
3044 TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL,
3045 SecurityAnonymous, TokenImpersonation, &Token);
3046 ok(ret, "DuplicateTokenEx failed with error %d\n", GetLastError());
3047 /* can't increase the impersonation level */
3048 ret = DuplicateToken(Token, SecurityIdentification, &Token2);
3049 error = GetLastError();
3050 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL,
3051 "Duplicating a token and increasing the impersonation level should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3052 /* we can query anything from an anonymous token, including the user */
3053 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
3054 error = GetLastError();
3055 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenUser) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3056 User = HeapAlloc(GetProcessHeap(), 0, Size);
3057 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
3058 ok(ret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3059 HeapFree(GetProcessHeap(), 0, User);
3060
3061 /* PrivilegeCheck fails with SecurityAnonymous level */
3062 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
3063 error = GetLastError();
3064 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenPrivileges) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3065 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
3066 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
3067 ok(ret, "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
3068
3069 PrivilegeSet = HeapAlloc(GetProcessHeap(), 0, FIELD_OFFSET(PRIVILEGE_SET, Privilege[Privileges->PrivilegeCount]));
3070 PrivilegeSet->PrivilegeCount = Privileges->PrivilegeCount;
3071 memcpy(PrivilegeSet->Privilege, Privileges->Privileges, PrivilegeSet->PrivilegeCount * sizeof(PrivilegeSet->Privilege[0]));
3072 PrivilegeSet->Control = PRIVILEGE_SET_ALL_NECESSARY;
3073 HeapFree(GetProcessHeap(), 0, Privileges);
3074
3075 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3076 error = GetLastError();
3077 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL, "PrivilegeCheck for SecurityAnonymous token should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3078
3079 CloseHandle(Token);
3080
3081 ret = ImpersonateSelf(SecurityIdentification);
3082 ok(ret, "ImpersonateSelf(SecurityIdentification) failed with error %d\n", GetLastError());
3083 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3084 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3085
3086 /* can't perform access check when opening object against an identification impersonation token */
3087 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3088 todo_wine {
3089 ok(error == ERROR_INVALID_HANDLE || error == ERROR_BAD_IMPERSONATION_LEVEL,
3090 "RegOpenKeyEx should have failed with ERROR_INVALID_HANDLE or ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3091 }
3092 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3093 ok(ret, "PrivilegeCheck for SecurityIdentification failed with error %d\n", GetLastError());
3094 CloseHandle(Token);
3095 RevertToSelf();
3096
3097 ret = ImpersonateSelf(SecurityImpersonation);
3098 ok(ret, "ImpersonateSelf(SecurityImpersonation) failed with error %d\n", GetLastError());
3099 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3100 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3101 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3102 ok(error == ERROR_SUCCESS, "RegOpenKeyEx should have succeeded instead of failing with %d\n", error);
3103 RegCloseKey(hkey);
3104 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3105 ok(ret, "PrivilegeCheck for SecurityImpersonation failed with error %d\n", GetLastError());
3106 RevertToSelf();
3107
3108 CloseHandle(Token);
3109 CloseHandle(ProcessToken);
3110
3111 HeapFree(GetProcessHeap(), 0, PrivilegeSet);
3112 }
3113
3114 static void test_SetEntriesInAclW(void)
3115 {
3116 DWORD res;
3117 PSID EveryoneSid = NULL, UsersSid = NULL;
3118 PACL OldAcl = NULL, NewAcl;
3119 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3120 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3121 EXPLICIT_ACCESSW ExplicitAccess;
3122 static const WCHAR wszEveryone[] = {'E','v','e','r','y','o','n','e',0};
3123 static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3124
3125 if (!pSetEntriesInAclW)
3126 {
3127 win_skip("SetEntriesInAclW is not available\n");
3128 return;
3129 }
3130
3131 NewAcl = (PACL)0xdeadbeef;
3132 res = pSetEntriesInAclW(0, NULL, NULL, &NewAcl);
3133 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3134 {
3135 win_skip("SetEntriesInAclW is not implemented\n");
3136 return;
3137 }
3138 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3139 ok(NewAcl == NULL ||
3140 broken(NewAcl != NULL), /* NT4 */
3141 "NewAcl=%p, expected NULL\n", NewAcl);
3142 LocalFree(NewAcl);
3143
3144 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3145 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3146 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3147 {
3148 win_skip("ACLs not implemented - skipping tests\n");
3149 HeapFree(GetProcessHeap(), 0, OldAcl);
3150 return;
3151 }
3152 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3153
3154 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3155 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3156
3157 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3158 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3159 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3160
3161 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3162 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3163
3164 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3165 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3166 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3167 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3168 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3169 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3170 ExplicitAccess.Trustee.MultipleTrusteeOperation = 0xDEADBEEF;
3171 ExplicitAccess.Trustee.pMultipleTrustee = (PVOID)0xDEADBEEF;
3172 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3173 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3174 ok(NewAcl != NULL, "returned acl was NULL\n");
3175 LocalFree(NewAcl);
3176
3177 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3178 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3179 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3180 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3181 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3182 ok(NewAcl != NULL, "returned acl was NULL\n");
3183 LocalFree(NewAcl);
3184
3185 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3186 {
3187 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3188 }
3189 else
3190 {
3191 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3192 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszEveryone;
3193 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3194 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3195 ok(NewAcl != NULL, "returned acl was NULL\n");
3196 LocalFree(NewAcl);
3197
3198 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3199 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3200 ok(res == ERROR_INVALID_PARAMETER ||
3201 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3202 "SetEntriesInAclW failed: %u\n", res);
3203 ok(NewAcl == NULL ||
3204 broken(NewAcl != NULL), /* NT4 */
3205 "returned acl wasn't NULL: %p\n", NewAcl);
3206
3207 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3208 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3209 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3210 ok(res == ERROR_INVALID_PARAMETER ||
3211 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3212 "SetEntriesInAclW failed: %u\n", res);
3213 ok(NewAcl == NULL ||
3214 broken(NewAcl != NULL), /* NT4 */
3215 "returned acl wasn't NULL: %p\n", NewAcl);
3216
3217 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3218 ExplicitAccess.grfAccessMode = SET_ACCESS;
3219 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3220 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3221 ok(NewAcl != NULL, "returned acl was NULL\n");
3222 LocalFree(NewAcl);
3223 }
3224
3225 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3226 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
3227 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3228 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3229 ok(NewAcl != NULL, "returned acl was NULL\n");
3230 LocalFree(NewAcl);
3231
3232 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3233 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3234 ExplicitAccess.Trustee.ptstrName = UsersSid;
3235 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3236 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3237 ok(NewAcl != NULL, "returned acl was NULL\n");
3238 LocalFree(NewAcl);
3239
3240 FreeSid(UsersSid);
3241 FreeSid(EveryoneSid);
3242 HeapFree(GetProcessHeap(), 0, OldAcl);
3243 }
3244
3245 static void test_SetEntriesInAclA(void)
3246 {
3247 DWORD res;
3248 PSID EveryoneSid = NULL, UsersSid = NULL;
3249 PACL OldAcl = NULL, NewAcl;
3250 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3251 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3252 EXPLICIT_ACCESSA ExplicitAccess;
3253 static const CHAR szEveryone[] = {'E','v','e','r','y','o','n','e',0};
3254 static const CHAR szCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3255
3256 if (!pSetEntriesInAclA)
3257 {
3258 win_skip("SetEntriesInAclA is not available\n");
3259 return;
3260 }
3261
3262 NewAcl = (PACL)0xdeadbeef;
3263 res = pSetEntriesInAclA(0, NULL, NULL, &NewAcl);
3264 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3265 {
3266 win_skip("SetEntriesInAclA is not implemented\n");
3267 return;
3268 }
3269 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3270 ok(NewAcl == NULL ||
3271 broken(NewAcl != NULL), /* NT4 */
3272 "NewAcl=%p, expected NULL\n", NewAcl);
3273 LocalFree(NewAcl);
3274
3275 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3276 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3277 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3278 {
3279 win_skip("ACLs not implemented - skipping tests\n");
3280 HeapFree(GetProcessHeap(), 0, OldAcl);
3281 return;
3282 }
3283 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3284
3285 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3286 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3287
3288 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3289 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3290 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3291
3292 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3293 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3294
3295 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3296 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3297 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3298 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3299 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3300 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3301 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3302 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3303 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3304 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3305 ok(NewAcl != NULL, "returned acl was NULL\n");
3306 LocalFree(NewAcl);
3307
3308 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3309 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3310 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3311 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3312 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3313 ok(NewAcl != NULL, "returned acl was NULL\n");
3314 LocalFree(NewAcl);
3315
3316 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3317 {
3318 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3319 }
3320 else
3321 {
3322 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3323 ExplicitAccess.Trustee.ptstrName = (LPSTR)szEveryone;
3324 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3325 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3326 ok(NewAcl != NULL, "returned acl was NULL\n");
3327 LocalFree(NewAcl);
3328
3329 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3330 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3331 ok(res == ERROR_INVALID_PARAMETER ||
3332 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3333 "SetEntriesInAclA failed: %u\n", res);
3334 ok(NewAcl == NULL ||
3335 broken(NewAcl != NULL), /* NT4 */
3336 "returned acl wasn't NULL: %p\n", NewAcl);
3337
3338 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3339 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3340 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3341 ok(res == ERROR_INVALID_PARAMETER ||
3342 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3343 "SetEntriesInAclA failed: %u\n", res);
3344 ok(NewAcl == NULL ||
3345 broken(NewAcl != NULL), /* NT4 */
3346 "returned acl wasn't NULL: %p\n", NewAcl);
3347
3348 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3349 ExplicitAccess.grfAccessMode = SET_ACCESS;
3350 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3351 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3352 ok(NewAcl != NULL, "returned acl was NULL\n");
3353 LocalFree(NewAcl);
3354 }
3355
3356 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3357 ExplicitAccess.Trustee.ptstrName = (LPSTR)szCurrentUser;
3358 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3359 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3360 ok(NewAcl != NULL, "returned acl was NULL\n");
3361 LocalFree(NewAcl);
3362
3363 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3364 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3365 ExplicitAccess.Trustee.ptstrName = UsersSid;
3366 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3367 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3368 ok(NewAcl != NULL, "returned acl was NULL\n");
3369 LocalFree(NewAcl);
3370
3371 FreeSid(UsersSid);
3372 FreeSid(EveryoneSid);
3373 HeapFree(GetProcessHeap(), 0, OldAcl);
3374 }
3375
3376 /* helper function for test_CreateDirectoryA */
3377 static void get_nt_pathW(const char *name, UNICODE_STRING *nameW)
3378 {
3379 UNICODE_STRING strW;
3380 ANSI_STRING str;
3381 NTSTATUS status;
3382 BOOLEAN ret;
3383
3384 pRtlInitAnsiString(&str, name);
3385
3386 status = pRtlAnsiStringToUnicodeString(&strW, &str, TRUE);
3387 ok(!status, "RtlAnsiStringToUnicodeString failed with %08x\n", status);
3388
3389 ret = pRtlDosPathNameToNtPathName_U(strW.Buffer, nameW, NULL, NULL);
3390 ok(ret, "RtlDosPathNameToNtPathName_U failed\n");
3391
3392 pRtlFreeUnicodeString(&strW);
3393 }
3394
3395 static void test_inherited_dacl(PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask,
3396 BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
3397 {
3398 ACL_SIZE_INFORMATION acl_size;
3399 ACCESS_ALLOWED_ACE *ace;
3400 BOOL bret;
3401
3402 bret = pGetAclInformation(dacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3403 ok_(__FILE__, line)(bret, "GetAclInformation failed\n");
3404
3405 todo_wine_if (todo_count)
3406 ok_(__FILE__, line)(acl_size.AceCount == 2,
3407 "GetAclInformation returned unexpected entry count (%d != 2)\n",
3408 acl_size.AceCount);
3409
3410 if (acl_size.AceCount > 0)
3411 {
3412 bret = pGetAce(dacl, 0, (VOID **)&ace);
3413 ok_(__FILE__, line)(bret, "Failed to get Current User ACE\n");
3414
3415 bret = EqualSid(&ace->SidStart, user_sid);
3416 todo_wine_if (todo_sid)
3417 ok_(__FILE__, line)(bret, "Current User ACE (%s) != Current User SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3418
3419 todo_wine_if (todo_flags)
3420 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3421 "Current User ACE has unexpected flags (0x%x != 0x%x)\n",
3422 ((ACE_HEADER *)ace)->AceFlags, flags);
3423
3424 ok_(__FILE__, line)(ace->Mask == mask,
3425 "Current User ACE has unexpected mask (0x%x != 0x%x)\n",
3426 ace->Mask, mask);
3427 }
3428 if (acl_size.AceCount > 1)
3429 {
3430 bret = pGetAce(dacl, 1, (VOID **)&ace);
3431 ok_(__FILE__, line)(bret, "Failed to get Administators Group ACE\n");
3432
3433 bret = EqualSid(&ace->SidStart, admin_sid);
3434 todo_wine_if (todo_sid)
3435 ok_(__FILE__, line)(bret, "Administators Group ACE (%s) != Administators Group SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3436
3437 todo_wine_if (todo_flags)
3438 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3439 "Administators Group ACE has unexpected flags (0x%x != 0x%x)\n",
3440 ((ACE_HEADER *)ace)->AceFlags, flags);
3441
3442 ok_(__FILE__, line)(ace->Mask == mask,
3443 "Administators Group ACE has unexpected mask (0x%x != 0x%x)\n",
3444 ace->Mask, mask);
3445 }
3446 }
3447
3448 static void test_CreateDirectoryA(void)
3449 {
3450 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3451 DWORD sid_size = sizeof(admin_ptr), user_size;
3452 PSID admin_sid = (PSID) admin_ptr, user_sid;
3453 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
3454 PSECURITY_DESCRIPTOR pSD = &sd;
3455 ACL_SIZE_INFORMATION acl_size;
3456 UNICODE_STRING tmpfileW;
3457 SECURITY_ATTRIBUTES sa;
3458 OBJECT_ATTRIBUTES attr;
3459 char tmpfile[MAX_PATH];
3460 char tmpdir[MAX_PATH];
3461 HANDLE token, hTemp;
3462 IO_STATUS_BLOCK io;
3463 struct _SID *owner;
3464 BOOL bret = TRUE;
3465 NTSTATUS status;
3466 DWORD error;
3467 PACL pDacl;
3468
3469 if (!pGetSecurityInfo || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3470 {
3471 win_skip("Required functions are not available\n");
3472 return;
3473 }
3474
3475 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3476 {
3477 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3478 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3479 }
3480 if (!bret)
3481 {
3482 win_skip("Failed to get current user token\n");
3483 return;
3484 }
3485 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3486 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3487 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3488 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3489 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3490 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3491 CloseHandle( token );
3492 user_sid = ((TOKEN_USER *)user)->User.Sid;
3493
3494 sa.nLength = sizeof(sa);
3495 sa.lpSecurityDescriptor = pSD;
3496 sa.bInheritHandle = TRUE;
3497 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3498 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3499 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3500 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3501 ok(bret, "Failed to initialize ACL.\n");
3502 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3503 GENERIC_ALL, user_sid);
3504 ok(bret, "Failed to add Current User to ACL.\n");
3505 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3506 GENERIC_ALL, admin_sid);
3507 ok(bret, "Failed to add Administrator Group to ACL.\n");
3508 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3509 ok(bret, "Failed to add ACL to security descriptor.\n");
3510
3511 GetTempPathA(MAX_PATH, tmpdir);
3512 lstrcatA(tmpdir, "Please Remove Me");
3513 bret = CreateDirectoryA(tmpdir, &sa);
3514 ok(bret == TRUE, "CreateDirectoryA(%s) failed err=%d\n", tmpdir, GetLastError());
3515 HeapFree(GetProcessHeap(), 0, pDacl);
3516
3517 SetLastError(0xdeadbeef);
3518 error = pGetNamedSecurityInfoA(tmpdir, SE_FILE_OBJECT,
3519 OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, (PSID*)&owner,
3520 NULL, &pDacl, NULL, &pSD);
3521 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3522 {
3523 win_skip("GetNamedSecurityInfoA is not implemented\n");
3524 goto done;
3525 }
3526 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3527 test_inherited_dacl(pDacl, admin_sid, user_sid, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3528 0x1f01ff, FALSE, TRUE, FALSE, __LINE__);
3529 LocalFree(pSD);
3530
3531 /* Test inheritance of ACLs in CreateFile without security descriptor */
3532 strcpy(tmpfile, tmpdir);
3533 lstrcatA(tmpfile, "/tmpfile");
3534
3535 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, NULL,
3536 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3537 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3538
3539 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3540 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3541 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3542 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3543 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3544 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3545 LocalFree(pSD);
3546 CloseHandle(hTemp);
3547
3548 /* Test inheritance of ACLs in CreateFile with security descriptor -
3549 * When a security descriptor is set, then inheritance doesn't take effect */
3550 pSD = &sd;
3551 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3552 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3553 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3554 ok(bret, "Failed to initialize ACL\n");
3555 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3556 ok(bret, "Failed to add ACL to security descriptor\n");
3557
3558 strcpy(tmpfile, tmpdir);
3559 lstrcatA(tmpfile, "/tmpfile");
3560
3561 sa.nLength = sizeof(sa);
3562 sa.lpSecurityDescriptor = pSD;
3563 sa.bInheritHandle = TRUE;
3564 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, &sa,
3565 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3566 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3567 HeapFree(GetProcessHeap(), 0, pDacl);
3568
3569 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3570 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3571 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3572 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3573 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3574 ok(bret, "GetAclInformation failed\n");
3575 todo_wine
3576 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3577 acl_size.AceCount);
3578 LocalFree(pSD);
3579
3580 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3581 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3582 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3583 todo_wine
3584 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3585 if (error == ERROR_SUCCESS)
3586 {
3587 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3588 ok(bret, "GetAclInformation failed\n");
3589 todo_wine
3590 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3591 acl_size.AceCount);
3592 LocalFree(pSD);
3593 }
3594 CloseHandle(hTemp);
3595
3596 /* Test inheritance of ACLs in NtCreateFile without security descriptor */
3597 strcpy(tmpfile, tmpdir);
3598 lstrcatA(tmpfile, "/tmpfile");
3599 get_nt_pathW(tmpfile, &tmpfileW);
3600
3601 attr.Length = sizeof(attr);
3602 attr.RootDirectory = 0;
3603 attr.ObjectName = &tmpfileW;
3604 attr.Attributes = OBJ_CASE_INSENSITIVE;
3605 attr.SecurityDescriptor = NULL;
3606 attr.SecurityQualityOfService = NULL;
3607
3608 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3609 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3610 ok(!status, "NtCreateFile failed with %08x\n", status);
3611 pRtlFreeUnicodeString(&tmpfileW);
3612
3613 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3614 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3615 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3616 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3617 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3618 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3619 LocalFree(pSD);
3620 CloseHandle(hTemp);
3621
3622 /* Test inheritance of ACLs in NtCreateFile with security descriptor -
3623 * When a security descriptor is set, then inheritance doesn't take effect */
3624 pSD = &sd;
3625 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3626 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3627 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3628 ok(bret, "Failed to initialize ACL\n");
3629 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3630 ok(bret, "Failed to add ACL to security descriptor\n");
3631
3632 strcpy(tmpfile, tmpdir);
3633 lstrcatA(tmpfile, "/tmpfile");
3634 get_nt_pathW(tmpfile, &tmpfileW);
3635
3636 attr.Length = sizeof(attr);
3637 attr.RootDirectory = 0;
3638 attr.ObjectName = &tmpfileW;
3639 attr.Attributes = OBJ_CASE_INSENSITIVE;
3640 attr.SecurityDescriptor = pSD;
3641 attr.SecurityQualityOfService = NULL;
3642
3643 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3644 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3645 ok(!status, "NtCreateFile failed with %08x\n", status);
3646 pRtlFreeUnicodeString(&tmpfileW);
3647 HeapFree(GetProcessHeap(), 0, pDacl);
3648
3649 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3650 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3651 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3652 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3653 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3654 ok(bret, "GetAclInformation failed\n");
3655 todo_wine
3656 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3657 acl_size.AceCount);
3658 LocalFree(pSD);
3659
3660 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3661 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3662 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3663 todo_wine
3664 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3665 if (error == ERROR_SUCCESS)
3666 {
3667 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3668 ok(bret, "GetAclInformation failed\n");
3669 todo_wine
3670 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3671 acl_size.AceCount);
3672 LocalFree(pSD);
3673 }
3674 CloseHandle(hTemp);
3675
3676 done:
3677 HeapFree(GetProcessHeap(), 0, user);
3678 bret = RemoveDirectoryA(tmpdir);
3679 ok(bret == TRUE, "RemoveDirectoryA should always succeed\n");
3680 }
3681
3682 static void test_GetNamedSecurityInfoA(void)
3683 {
3684 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3685 char system_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3686 char users_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3687 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3688 PSID admin_sid = (PSID) admin_ptr, users_sid = (PSID) users_ptr;
3689 PSID system_sid = (PSID) system_ptr, user_sid, localsys_sid;
3690 DWORD sid_size = sizeof(admin_ptr), user_size;
3691 char invalid_path[] = "/an invalid file path";
3692 int users_ace_id = -1, admins_ace_id = -1, i;
3693 char software_key[] = "MACHINE\\Software";
3694 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH+sizeof(void*)];
3695 SECURITY_DESCRIPTOR_CONTROL control;
3696 ACL_SIZE_INFORMATION acl_size;
3697 CHAR windows_dir[MAX_PATH];
3698 PSECURITY_DESCRIPTOR pSD;
3699 ACCESS_ALLOWED_ACE *ace;
3700 BOOL bret = TRUE, isNT4;
3701 char tmpfile[MAX_PATH];
3702 DWORD error, revision;
3703 BOOL owner_defaulted;
3704 BOOL group_defaulted;
3705 BOOL dacl_defaulted;
3706 HANDLE token, hTemp, h;
3707 PSID owner, group;
3708 BOOL dacl_present;
3709 PACL pDacl;
3710 BYTE flags;
3711 NTSTATUS status;
3712
3713 if (!pSetNamedSecurityInfoA || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3714 {
3715 win_skip("Required functions are not available\n");
3716 return;
3717 }
3718
3719 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3720 {
3721 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3722 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3723 }
3724 if (!bret)
3725 {
3726 win_skip("Failed to get current user token\n");
3727 return;
3728 }
3729 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3730 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3731 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3732 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3733 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3734 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3735 CloseHandle( token );
3736 user_sid = ((TOKEN_USER *)user)->User.Sid;
3737
3738 bret = GetWindowsDirectoryA(windows_dir, MAX_PATH);
3739 ok(bret, "GetWindowsDirectory failed with error %d\n", GetLastError());
3740
3741 SetLastError(0xdeadbeef);
3742 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,
3743 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
3744 NULL, NULL, NULL, NULL, &pSD);
3745 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3746 {
3747 win_skip("GetNamedSecurityInfoA is not implemented\n");
3748 HeapFree(GetProcessHeap(), 0, user);
3749 return;
3750 }
3751 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3752
3753 bret = GetSecurityDescriptorControl(pSD, &control, &revision);
3754 ok(bret, "GetSecurityDescriptorControl failed with error %d\n", GetLastError());
3755 ok((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == (SE_SELF_RELATIVE|SE_DACL_PRESENT) ||
3756 broken((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT), /* NT4 */
3757 "control (0x%x) doesn't have (SE_SELF_RELATIVE|SE_DACL_PRESENT) flags set\n", control);
3758 ok(revision == SECURITY_DESCRIPTOR_REVISION1, "revision was %d instead of 1\n", revision);
3759
3760 isNT4 = (control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT;
3761
3762 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
3763 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3764 ok(owner != NULL, "owner should not be NULL\n");
3765
3766 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
3767 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
3768 ok(group != NULL, "group should not be NULL\n");
3769 LocalFree(pSD);
3770
3771
3772 /* NULL descriptor tests */
3773 if(isNT4)
3774 {
3775 win_skip("NT4 does not support GetNamedSecutityInfo with a NULL descriptor\n");
3776 HeapFree(GetProcessHeap(), 0, user);
3777 return;
3778 }
3779
3780 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3781 NULL, NULL, NULL, NULL, NULL);
3782 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3783
3784 pDacl = NULL;
3785 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3786 NULL, NULL, &pDacl, NULL, &pSD);
3787 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3788 ok(pDacl != NULL, "DACL should not be NULL\n");
3789 LocalFree(pSD);
3790
3791 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,
3792 NULL, NULL, &pDacl, NULL, NULL);
3793 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3794
3795 /* Test behavior of SetNamedSecurityInfo with an invalid path */
3796 SetLastError(0xdeadbeef);
3797 error = pSetNamedSecurityInfoA(invalid_path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3798 NULL, NULL, NULL);
3799 ok(error == ERROR_FILE_NOT_FOUND, "Unexpected error returned: 0x%x\n", error);
3800 ok(GetLastError() == 0xdeadbeef, "Expected last error to remain unchanged.\n");
3801
3802 /* Create security descriptor information and test that it comes back the same */
3803 pSD = &sd;
3804 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3805 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3806 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3807 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3808 ok(bret, "Failed to initialize ACL.\n");
3809 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3810 ok(bret, "Failed to add Current User to ACL.\n");
3811 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
3812 ok(bret, "Failed to add Administrator Group to ACL.\n");
3813 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3814 ok(bret, "Failed to add ACL to security descriptor.\n");
3815 GetTempFileNameA(".", "foo", 0, tmpfile);
3816 hTemp = CreateFileA(tmpfile, WRITE_DAC|GENERIC_WRITE, FILE_SHARE_DELETE|FILE_SHARE_READ,
3817 NULL, OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3818 SetLastError(0xdeadbeef);
3819 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3820 NULL, pDacl, NULL);
3821 HeapFree(GetProcessHeap(), 0, pDacl);
3822 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3823 {
3824 win_skip("SetNamedSecurityInfoA is not implemented\n");
3825 HeapFree(GetProcessHeap(), 0, user);
3826 CloseHandle(hTemp);
3827 return;
3828 }
3829 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3830 SetLastError(0xdeadbeef);
3831 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3832 NULL, NULL, &pDacl, NULL, &pSD);
3833 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3834 {
3835 win_skip("GetNamedSecurityInfoA is not implemented\n");
3836 HeapFree(GetProcessHeap(), 0, user);
3837 CloseHandle(hTemp);
3838 return;
3839 }
3840 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3841
3842 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3843 ok(bret, "GetAclInformation failed\n");
3844 if (acl_size.AceCount > 0)
3845 {
3846 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3847 ok(bret, "Failed to get Current User ACE.\n");
3848 bret = EqualSid(&ace->SidStart, user_sid);
3849 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
3850 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3851 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3852 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3853 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
3854 ace->Mask);
3855 }
3856 if (acl_size.AceCount > 1)
3857 {
3858 bret = pGetAce(pDacl, 1, (VOID **)&ace);
3859 ok(bret, "Failed to get Administators Group ACE.\n");
3860 bret = EqualSid(&ace->SidStart, admin_sid);
3861 todo_wine ok(bret || broken(!bret) /* win2k */,
3862 "Administators Group ACE (%s) != Administators Group SID (%s).\n",
3863 debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3864 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3865 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3866 ok(ace->Mask == 0x1f01ff || broken(ace->Mask == GENERIC_ALL) /* win2k */,
3867 "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n", ace->Mask);
3868 }
3869 LocalFree(pSD);
3870
3871 /* show that setting empty DACL is not removing all file permissions */
3872 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3873 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3874 ok(bret, "Failed to initialize ACL.\n");
3875 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3876 NULL, NULL, pDacl, NULL);
3877 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3878 HeapFree(GetProcessHeap(), 0, pDacl);
3879
3880 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3881 NULL, NULL, &pDacl, NULL, &pSD);
3882 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3883
3884 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3885 ok(bret, "GetAclInformation failed\n");
3886 if (acl_size.AceCount > 0)
3887 {
3888 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3889 ok(bret, "Failed to get ACE.\n");
3890 todo_wine ok(((ACE_HEADER *)ace)->AceFlags & INHERITED_ACE,
3891 "ACE has unexpected flags: 0x%x\n", ((ACE_HEADER *)ace)->AceFlags);
3892 }
3893 LocalFree(pSD);
3894
3895 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3896 NULL, OPEN_EXISTING, 0, NULL);
3897 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3898 CloseHandle(h);
3899
3900 /* test setting NULL DACL */
3901 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3902 DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL);
3903 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3904
3905 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3906 NULL, NULL, &pDacl, NULL, &pSD);
3907 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3908 todo_wine ok(!pDacl, "pDacl != NULL\n");
3909 LocalFree(pSD);
3910
3911 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3912 NULL, OPEN_EXISTING, 0, NULL);
3913 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3914 CloseHandle(h);
3915
3916 /* NtSetSecurityObject doesn't inherit DACL entries */
3917 pSD = sd+sizeof(void*)-((ULONG_PTR)sd)%sizeof(void*);
3918 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3919 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3920 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3921 ok(bret, "Failed to initialize ACL.\n");
3922 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3923 ok(bret, "Failed to add ACL to security descriptor.\n");
3924 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3925 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3926
3927 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3928 NULL, OPEN_EXISTING, 0, NULL);
3929 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3930 CloseHandle(h);
3931
3932 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ, SE_DACL_AUTO_INHERIT_REQ);
3933 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3934 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3935
3936 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3937 NULL, OPEN_EXISTING, 0, NULL);
3938 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3939 CloseHandle(h);
3940
3941 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED,
3942 SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED);
3943 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3944 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3945
3946 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3947 NULL, OPEN_EXISTING, 0, NULL);
3948 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3949 CloseHandle(h);
3950
3951 /* test if DACL is properly mapped to permission */
3952 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3953 ok(bret, "Failed to initialize ACL.\n");
3954 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3955 ok(bret, "Failed to add Current User to ACL.\n");
3956 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3957 ok(bret, "Failed to add Current User to ACL.\n");
3958 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3959 ok(bret, "Failed to add ACL to security descriptor.\n");
3960 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3961 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3962
3963 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3964 NULL, OPEN_EXISTING, 0, NULL);
3965 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3966 CloseHandle(h);
3967
3968 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3969 ok(bret, "Failed to initialize ACL.\n");
3970 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3971 ok(bret, "Failed to add Current User to ACL.\n");
3972 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3973 ok(bret, "Failed to add Current User to ACL.\n");
3974 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3975 ok(bret, "Failed to add ACL to security descriptor.\n");
3976 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3977 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3978
3979 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3980 NULL, OPEN_EXISTING, 0, NULL);
3981 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3982 HeapFree(GetProcessHeap(), 0, pDacl);
3983 HeapFree(GetProcessHeap(), 0, user);
3984 CloseHandle(hTemp);
3985
3986 /* Test querying the ownership of a built-in registry key */
3987 sid_size = sizeof(system_ptr);
3988 pCreateWellKnownSid(WinLocalSystemSid, NULL, system_sid, &sid_size);
3989 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY,
3990 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
3991 NULL, NULL, NULL, NULL, &pSD);
3992 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3993
3994 bret = AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &localsys_sid);
3995 ok(bret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3996
3997 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
3998 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3999 ok(owner != NULL, "owner should not be NULL\n");
4000 ok(EqualSid(owner, admin_sid) || EqualSid(owner, localsys_sid),
4001 "MACHINE\\Software owner SID (%s) != Administrators SID (%s) or Local System Sid (%s).\n",
4002 debugstr_sid(owner), debugstr_sid(admin_sid), debugstr_sid(localsys_sid));
4003
4004 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
4005 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
4006 ok(group != NULL, "group should not be NULL\n");
4007 ok(EqualSid(group, admin_sid) || broken(EqualSid(group, system_sid)) /* before Win7 */
4008 || broken(((SID*)group)->SubAuthority[0] == SECURITY_NT_NON_UNIQUE) /* Vista */,
4009 "MACHINE\\Software group SID (%s) != Local System SID (%s or %s)\n",
4010 debugstr_sid(group), debugstr_sid(admin_sid), debugstr_sid(system_sid));
4011 LocalFree(pSD);
4012
4013 /* Test querying the DACL of a built-in registry key */
4014 sid_size = sizeof(users_ptr);
4015 pCreateWellKnownSid(WinBuiltinUsersSid, NULL, users_sid, &sid_size);
4016 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
4017 NULL, NULL, NULL, NULL, &pSD);
4018 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4019
4020 bret = GetSecurityDescriptorDacl(pSD, &dacl_present, &pDacl, &dacl_defaulted);
4021 ok(bret, "GetSecurityDescriptorDacl failed with error %d\n", GetLastError());
4022 ok(dacl_present, "DACL should be present\n");
4023 ok(pDacl && IsValidAcl(pDacl), "GetSecurityDescriptorDacl returned invalid DACL.\n");
4024 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4025 ok(bret, "GetAclInformation failed\n");
4026 ok(acl_size.AceCount != 0, "GetAclInformation returned no ACLs\n");
4027 for (i=0; i<acl_size.AceCount; i++)
4028 {
4029 bret = pGetAce(pDacl, i, (VOID **)&ace);
4030 ok(bret, "Failed to get ACE %d.\n", i);
4031 bret = EqualSid(&ace->SidStart, users_sid);
4032 if (bret) users_ace_id = i;
4033 bret = EqualSid(&ace->SidStart, admin_sid);
4034 if (bret) admins_ace_id = i;
4035 }
4036 ok(users_ace_id != -1 || broken(users_ace_id == -1) /* win2k */,
4037 "Bultin Users ACE not found.\n");
4038 if (users_ace_id != -1)
4039 {
4040 bret = pGetAce(pDacl, users_ace_id, (VOID **)&ace);
4041 ok(bret, "Failed to get Builtin Users ACE.\n");
4042 flags = ((ACE_HEADER *)ace)->AceFlags;
4043 ok(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)
4044 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4045 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4046 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4047 "Builtin Users ACE has unexpected flags (0x%x != 0x%x)\n", flags,
4048 INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE);
4049 ok(ace->Mask == GENERIC_READ
4050 || broken(ace->Mask == KEY_READ), /* win 10 */
4051 "Builtin Users ACE has unexpected mask (0x%x != 0x%x)\n",
4052 ace->Mask, GENERIC_READ);
4053 }
4054 ok(admins_ace_id != -1, "Bultin Admins ACE not found.\n");
4055 if (admins_ace_id != -1)
4056 {
4057 bret = pGetAce(pDacl, admins_ace_id, (VOID **)&ace);
4058 ok(bret, "Failed to get Builtin Admins ACE.\n");
4059 flags = ((ACE_HEADER *)ace)->AceFlags;
4060 ok(flags == 0x0
4061 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4062 || broken(flags == (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) /* win7 */
4063 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)) /* win8+ */
4064 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4065 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4066 "Builtin Admins ACE has unexpected flags (0x%x != 0x0)\n", flags);
4067 ok(ace->Mask == KEY_ALL_ACCESS || broken(ace->Mask == GENERIC_ALL) /* w2k8 */,
4068 "Builtin Admins ACE has unexpected mask (0x%x != 0x%x)\n", ace->Mask, KEY_ALL_ACCESS);
4069 }
4070
4071 FreeSid(localsys_sid);
4072 LocalFree(pSD);
4073 }
4074
4075 static void test_ConvertStringSecurityDescriptor(void)
4076 {
4077 BOOL ret;
4078 PSECURITY_DESCRIPTOR pSD;
4079 static const WCHAR Blank[] = { 0 };
4080 unsigned int i;
4081 static const struct
4082 {
4083 const char *sidstring;
4084 DWORD revision;
4085 BOOL ret;
4086 DWORD GLE;
4087 DWORD altGLE;
4088 } cssd[] =
4089 {
4090 { "D:(A;;GA;;;WD)", 0xdeadbeef, FALSE, ERROR_UNKNOWN_REVISION },
4091 /* test ACE string type */
4092 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4093 { "D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4094 { "ERROR:(D;;GA;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_PARAMETER },
4095 /* test ACE string with spaces */
4096 { " D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4097 { "D: (D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4098 { "D:( D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4099 { "D:(D ;;GA;;;WD)", SDDL_REVISION_1, FALSE, RPC_S_INVALID_STRING_UUID, ERROR_INVALID_ACL }, /* Vista+ */
4100 { "D:(D; ;GA;;;WD)", SDDL_REVISION_1, TRUE },
4101 { "D:(D;; GA;;;WD)", SDDL_REVISION_1, TRUE },
4102 { "D:(D;;GA ;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4103 { "D:(D;;GA; ;;WD)", SDDL_REVISION_1, TRUE },
4104 { "D:(D;;GA;; ;WD)", SDDL_REVISION_1, TRUE },
4105 { "D:(D;;GA;;; WD)", SDDL_REVISION_1, TRUE },
4106 { "D:(D;;GA;;;WD )", SDDL_REVISION_1, TRUE },
4107 /* test ACE string access rights */
4108 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4109 { "D:(A;;GRGWGX;;;WD)", SDDL_REVISION_1, TRUE },
4110 { "D:(A;;RCSDWDWO;;;WD)", SDDL_REVISION_1, TRUE },
4111 { "D:(A;;RPWPCCDCLCSWLODTCR;;;WD)", SDDL_REVISION_1, TRUE },
4112 { "D:(A;;FAFRFWFX;;;WD)", SDDL_REVISION_1, TRUE },
4113 { "D:(A;;KAKRKWKX;;;WD)", SDDL_REVISION_1, TRUE },
4114 { "D:(A;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4115 { "S:(AU;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4116 /* test ACE string access right error case */
4117 { "D:(A;;ROB;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4118 /* test behaviour with empty strings */
4119 { "", SDDL_REVISION_1, TRUE },
4120 /* test ACE string SID */
4121 { "D:(D;;GA;;;S-1-0-0)", SDDL_REVISION_1, TRUE },
4122 { "D:(D;;GA;;;Nonexistent account)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL, ERROR_INVALID_SID } /* W2K */
4123 };
4124
4125 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4126 {
4127 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4128 return;
4129 }
4130
4131 for (i = 0; i < sizeof(cssd)/sizeof(cssd[0]); i++)
4132 {
4133 DWORD GLE;
4134
4135 SetLastError(0xdeadbeef);
4136 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4137 cssd[i].sidstring, cssd[i].revision, &pSD, NULL);
4138 GLE = GetLastError();
4139 ok(ret == cssd[i].ret, "(%02u) Expected %s (%d)\n", i, cssd[i].ret ? "success" : "failure", GLE);
4140 if (!cssd[i].ret)
4141 ok(GLE == cssd[i].GLE ||
4142 (cssd[i].altGLE && GLE == cssd[i].altGLE),
4143 "(%02u) Unexpected last error %d\n", i, GLE);
4144 if (ret)
4145 LocalFree(pSD);
4146 }
4147
4148 /* test behaviour with NULL parameters */
4149 SetLastError(0xdeadbeef);
4150 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4151 NULL, 0xdeadbeef, &pSD, NULL);
4152 todo_wine
4153 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4154 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4155 GetLastError());
4156
4157 SetLastError(0xdeadbeef);
4158 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4159 NULL, 0xdeadbeef, &pSD, NULL);
4160 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4161 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4162 GetLastError());
4163
4164 SetLastError(0xdeadbeef);
4165 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4166 "D:(A;;ROB;;;WD)", 0xdeadbeef, NULL, NULL);
4167 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4168 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4169 GetLastError());
4170
4171 SetLastError(0xdeadbeef);
4172 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4173 "D:(A;;ROB;;;WD)", SDDL_REVISION_1, NULL, NULL);
4174 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4175 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4176 GetLastError());
4177
4178 /* test behaviour with empty strings */
4179 SetLastError(0xdeadbeef);
4180 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4181 Blank, SDDL_REVISION_1, &pSD, NULL);
4182 ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError());
4183 LocalFree(pSD);
4184
4185 SetLastError(0xdeadbeef);
4186 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4187 "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL);
4188 ok(ret || broken(!ret && GetLastError() == ERROR_INVALID_DATATYPE) /* win2k */,
4189 "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %u\n", GetLastError());
4190 if (ret) LocalFree(pSD);
4191 }
4192
4193 static void test_ConvertSecurityDescriptorToString(void)
4194 {
4195 SECURITY_DESCRIPTOR desc;
4196 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4197 LPSTR string;
4198 DWORD size;
4199 PSID psid, psid2;
4200 PACL pacl;
4201 char sid_buf[256];
4202 char acl_buf[8192];
4203 ULONG len;
4204
4205 if (!pConvertSecurityDescriptorToStringSecurityDescriptorA)
4206 {
4207 win_skip("ConvertSecurityDescriptorToStringSecurityDescriptor is not available\n");
4208 return;
4209 }
4210 if (!pCreateWellKnownSid)
4211 {
4212 win_skip("CreateWellKnownSid is not available\n");
4213 return;
4214 }
4215
4216 /* It seems Windows XP adds an extra character to the length of the string for each ACE in an ACL. We
4217 * don't replicate this feature so we only test len >= strlen+1. */
4218 #define CHECK_RESULT_AND_FREE(exp_str) \
4219 ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
4220 ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
4221 LocalFree(string);
4222
4223 #define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2) \
4224 ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
4225 ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
4226 LocalFree(string);
4227
4228 InitializeSecurityDescriptor(&desc, SECURITY_DESCRIPTOR_REVISION);
4229 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4230 CHECK_RESULT_AND_FREE("");
4231
4232 size = 4096;
4233 pCreateWellKnownSid(WinLocalSid, NULL, sid_buf, &size);
4234 SetSecurityDescriptorOwner(&desc, sid_buf, FALSE);
4235 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4236 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4237
4238 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4239 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4240 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4241
4242 size = sizeof(sid_buf);
4243 pCreateWellKnownSid(WinLocalSystemSid, NULL, sid_buf, &size);
4244 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4245 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4246 CHECK_RESULT_AND_FREE("O:SY");
4247
4248 pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid);
4249 SetSecurityDescriptorGroup(&desc, psid, TRUE);
4250 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4251 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576");
4252
4253 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, GROUP_SECURITY_INFORMATION, &string, &len), "Conversion failed\n");
4254 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4255
4256 pacl = (PACL)acl_buf;
4257 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4258 SetSecurityDescriptorDacl(&desc, TRUE, pacl, TRUE);
4259 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4260 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4261
4262 SetSecurityDescriptorDacl(&desc, TRUE, pacl, FALSE);
4263 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4264 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4265
4266 pConvertStringSidToSidA("S-1-5-6", &psid2);
4267 pAddAccessAllowedAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, 0xf0000000, psid2);
4268 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4269 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)");
4270
4271 pAddAccessAllowedAceEx(pacl, ACL_REVISION, INHERIT_ONLY_ACE|INHERITED_ACE, 0x00000003, psid2);
4272 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4273 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)");
4274
4275 pAddAccessDeniedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE, 0xffffffff, psid);
4276 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4277 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)");
4278
4279
4280 pacl = (PACL)acl_buf;
4281 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4282 SetSecurityDescriptorSacl(&desc, TRUE, pacl, FALSE);
4283 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4284 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:");
4285
4286 /* fails in win2k */
4287 SetSecurityDescriptorDacl(&desc, TRUE, NULL, FALSE);
4288 pAddAuditAccessAceEx(pacl, ACL_REVISION, VALID_INHERIT_FLAGS, KEY_READ|KEY_WRITE, psid2, TRUE, TRUE);
4289 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4290 {
4291 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)", /* XP */
4292 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)" /* Vista */);
4293 }
4294
4295 /* fails in win2k */
4296 pAddAuditAccessAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, FILE_GENERIC_READ|FILE_GENERIC_WRITE, psid2, TRUE, FALSE);
4297 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4298 {
4299 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", /* XP */
4300 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)" /* Vista */);
4301 }
4302
4303 LocalFree(psid2);
4304 LocalFree(psid);
4305 }
4306
4307 static void test_SetSecurityDescriptorControl (PSECURITY_DESCRIPTOR sec)
4308 {
4309 SECURITY_DESCRIPTOR_CONTROL ref;
4310 SECURITY_DESCRIPTOR_CONTROL test;
4311
4312 SECURITY_DESCRIPTOR_CONTROL const mutable
4313 = SE_DACL_AUTO_INHERIT_REQ | SE_SACL_AUTO_INHERIT_REQ
4314 | SE_DACL_AUTO_INHERITED | SE_SACL_AUTO_INHERITED
4315 | SE_DACL_PROTECTED | SE_SACL_PROTECTED
4316 | 0x00000040 | 0x00000080 /* not defined in winnt.h */
4317 ;
4318 SECURITY_DESCRIPTOR_CONTROL const immutable
4319 = SE_OWNER_DEFAULTED | SE_GROUP_DEFAULTED
4320 | SE_DACL_PRESENT | SE_DACL_DEFAULTED
4321 | SE_SACL_PRESENT | SE_SACL_DEFAULTED
4322 | SE_RM_CONTROL_VALID | SE_SELF_RELATIVE
4323 ;
4324
4325 int bit;
4326 DWORD dwRevision;
4327 LPCSTR fmt = "Expected error %s, got %u\n";
4328
4329 GetSecurityDescriptorControl (sec, &ref, &dwRevision);
4330
4331 /* The mutable bits are mutable regardless of the truth of
4332 SE_DACL_PRESENT and/or SE_SACL_PRESENT */
4333
4334 /* Check call barfs if any bit-of-interest is immutable */
4335 for (bit = 0; bit < 16; ++bit)
4336 {
4337 SECURITY_DESCRIPTOR_CONTROL const bitOfInterest = 1 << bit;
4338 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitOfInterest;
4339
4340 SECURITY_DESCRIPTOR_CONTROL ctrl;
4341
4342 DWORD dwExpect = (bitOfInterest & immutable)
4343 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4344 LPCSTR strExpect = (bitOfInterest & immutable)
4345 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4346
4347 ctrl = (bitOfInterest & mutable) ? ref + bitOfInterest : ref;
4348 setOrClear ^= bitOfInterest;
4349 SetLastError (0xbebecaca);
4350 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4351 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4352 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4353 expect_eq(test, ctrl, int, "%x");
4354
4355 setOrClear ^= bitOfInterest;
4356 SetLastError (0xbebecaca);
4357 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4358 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4359 GetSecurityDescriptorControl (sec, &test, &dwRevision);
4360 expect_eq(test, ref, int, "%x");
4361 }
4362
4363 /* Check call barfs if any bit-to-set is immutable
4364 even when not a bit-of-interest */
4365 for (bit = 0; bit < 16; ++bit)
4366 {
4367 SECURITY_DESCRIPTOR_CONTROL const bitsOfInterest = mutable;
4368 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitsOfInterest;
4369
4370 SECURITY_DESCRIPTOR_CONTROL ctrl;
4371
4372 DWORD dwExpect = ((1 << bit) & immutable)
4373 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4374 LPCSTR strExpect = ((1 << bit) & immutable)
4375 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4376
4377 ctrl = ((1 << bit) & immutable) ? test : ref | mutable;
4378 setOrClear ^= bitsOfInterest;
4379 SetLastError (0xbebecaca);
4380 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4381 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4382 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4383 expect_eq(test, ctrl, int, "%x");
4384
4385 ctrl = ((1 << bit) & immutable) ? test : ref | (1 << bit);
4386 setOrClear ^= bitsOfInterest;
4387 SetLastError (0xbebecaca);
4388 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4389 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4390 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4391 expect_eq(test, ctrl, int, "%x");
4392 }
4393 }
4394
4395 static void test_PrivateObjectSecurity(void)
4396 {
4397 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4398 SECURITY_DESCRIPTOR_CONTROL ctrl;
4399 PSECURITY_DESCRIPTOR sec;
4400 DWORD dwDescSize;
4401 DWORD dwRevision;
4402 DWORD retSize;
4403 LPSTR string;
4404 ULONG len;
4405 PSECURITY_DESCRIPTOR buf;
4406 BOOL ret;
4407
4408 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4409 {
4410 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4411 return;
4412 }
4413
4414 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4415 "O:SY"
4416 "G:S-1-5-21-93476-23408-4576"
4417 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)"
4418 "(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4419 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4420 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4421
4422 test_SetSecurityDescriptorControl(sec);
4423
4424 LocalFree(sec);
4425
4426 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4427 "O:SY"
4428 "G:S-1-5-21-93476-23408-4576",
4429 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4430
4431 test_SetSecurityDescriptorControl(sec);
4432
4433 LocalFree(sec);
4434
4435 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4436 "O:SY"
4437 "G:S-1-5-21-93476-23408-4576"
4438 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4439 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4440 buf = HeapAlloc(GetProcessHeap(), 0, dwDescSize);
4441 pSetSecurityDescriptorControl(sec, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
4442 GetSecurityDescriptorControl(sec, &ctrl, &dwRevision);
4443 expect_eq(ctrl, 0x9014, int, "%x");
4444
4445 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4446 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4447 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4448 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4449 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4450 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4451 expect_eq(ctrl, 0x8000, int, "%x");
4452
4453 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4454 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4455 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4456 ret = pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len);
4457 ok(ret, "Conversion failed err=%u\n", GetLastError());
4458 CHECK_ONE_OF_AND_FREE("G:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)",
4459 "G:S-1-5-21-93476-23408-4576D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"); /* Win7 */
4460 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4461 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8004, int, "%x");
4462
4463 ret = GetPrivateObjectSecurity(sec, sec_info, buf, dwDescSize, &retSize);
4464 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4465 ok(retSize == dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4466 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4467 CHECK_ONE_OF_AND_FREE("O:SY"
4468 "G:S-1-5-21-93476-23408-4576"
4469 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4470 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4471 "O:SY"
4472 "G:S-1-5-21-93476-23408-4576"
4473 "D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4474 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)"); /* Win7 */
4475 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4476 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8014, int, "%x");
4477
4478 SetLastError(0xdeadbeef);
4479 ok(GetPrivateObjectSecurity(sec, sec_info, buf, 5, &retSize) == FALSE, "GetPrivateObjectSecurity should have failed\n");
4480 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected error ERROR_INSUFFICIENT_BUFFER, got %u\n", GetLastError());
4481
4482 LocalFree(sec);
4483 HeapFree(GetProcessHeap(), 0, buf);
4484 }
4485 #undef CHECK_RESULT_AND_FREE
4486 #undef CHECK_ONE_OF_AND_FREE
4487
4488 static void test_acls(void)
4489 {
4490 char buffer[256];
4491 PACL pAcl = (PACL)buffer;
4492 BOOL ret;
4493
4494 SetLastError(0xdeadbeef);
4495 ret = InitializeAcl(pAcl, sizeof(ACL) - 1, ACL_REVISION);
4496 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4497 {
4498 win_skip("InitializeAcl is not implemented\n");
4499 return;
4500 }
4501
4502 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "InitializeAcl with too small a buffer should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", GetLastError());
4503
4504 SetLastError(0xdeadbeef);
4505 ret = InitializeAcl(pAcl, 0xffffffff, ACL_REVISION);
4506 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl with too large a buffer should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4507
4508 SetLastError(0xdeadbeef);
4509 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION1);
4510 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(ACL_REVISION1) should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4511
4512 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION2);
4513 ok(ret, "InitializeAcl(ACL_REVISION2) failed with error %d\n", GetLastError());
4514
4515 ret = IsValidAcl(pAcl);
4516 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4517
4518 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION3);
4519 ok(ret, "InitializeAcl(ACL_REVISION3) failed with error %d\n", GetLastError());
4520
4521 ret = IsValidAcl(pAcl);
4522 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4523
4524 SetLastError(0xdeadbeef);
4525 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION4);
4526 if (GetLastError() != ERROR_INVALID_PARAMETER)
4527 {
4528 ok(ret, "InitializeAcl(ACL_REVISION4) failed with error %d\n", GetLastError());
4529
4530 ret = IsValidAcl(pAcl);
4531 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4532 }
4533 else
4534 win_skip("ACL_REVISION4 is not implemented on NT4\n");
4535
4536 SetLastError(0xdeadbeef);
4537 ret = InitializeAcl(pAcl, sizeof(buffer), -1);
4538 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(-1) failed with error %d\n", GetLastError());
4539 }
4540
4541 static void test_GetSecurityInfo(void)
4542 {
4543 char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
4544 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
4545 DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
4546 PSID admin_sid = (PSID) admin_ptr, user_sid;
4547 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
4548 ACL_SIZE_INFORMATION acl_size;
4549 PSECURITY_DESCRIPTOR pSD;
4550 ACCESS_ALLOWED_ACE *ace;
4551 HANDLE token, obj;
4552 PSID owner, group;
4553 BOOL bret = TRUE;
4554 PACL pDacl;
4555 DWORD ret;
4556
4557 if (!pGetSecurityInfo || !pSetSecurityInfo)
4558 {
4559 win_skip("[Get|Set]SecurityInfo is not available\n");
4560 return;
4561 }
4562
4563 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
4564 {
4565 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
4566 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
4567 }
4568 if (!bret)
4569 {
4570 win_skip("Failed to get current user token\n");
4571 return;
4572 }
4573 bret = GetTokenInformation(token, TokenUser, b, l, &l);
4574 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
4575 CloseHandle( token );
4576 user_sid = ((TOKEN_USER *)b)->User.Sid;
4577
4578 /* Create something. Files have lots of associated security info. */
4579 obj = CreateFileA(myARGV[0], GENERIC_READ|WRITE_DAC, FILE_SHARE_READ, NULL,
4580 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4581 if (obj == INVALID_HANDLE_VALUE)
4582 {
4583 skip("Couldn't create an object for GetSecurityInfo test\n");
4584 return;
4585 }
4586
4587 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4588 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4589 &owner, &group, &pDacl, NULL, &pSD);
4590 if (ret == ERROR_CALL_NOT_IMPLEMENTED)
4591 {
4592 win_skip("GetSecurityInfo is not implemented\n");
4593 CloseHandle(obj);
4594 return;
4595 }
4596 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4597 ok(pSD != NULL, "GetSecurityInfo\n");
4598 ok(owner != NULL, "GetSecurityInfo\n");
4599 ok(group != NULL, "GetSecurityInfo\n");
4600 if (pDacl != NULL)
4601 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4602 else
4603 win_skip("No ACL information returned\n");
4604
4605 LocalFree(pSD);
4606
4607 if (!pCreateWellKnownSid)
4608 {
4609 win_skip("NULL parameter test would crash on NT4\n");
4610 CloseHandle(obj);
4611 return;
4612 }
4613
4614 /* If we don't ask for the security descriptor, Windows will still give us
4615 the other stuff, leaving us no way to free it. */
4616 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4617 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4618 &owner, &group, &pDacl, NULL, NULL);
4619 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4620 ok(owner != NULL, "GetSecurityInfo\n");
4621 ok(group != NULL, "GetSecurityInfo\n");
4622 if (pDacl != NULL)
4623 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4624 else
4625 win_skip("No ACL information returned\n");
4626
4627 /* Create security descriptor information and test that it comes back the same */
4628 pSD = &sd;
4629 pDacl = (PACL)&dacl;
4630 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
4631 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
4632 bret = InitializeAcl(pDacl, sizeof(dacl), ACL_REVISION);
4633 ok(bret, "Failed to initialize ACL.\n");
4634 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4635 ok(bret, "Failed to add Current User to ACL.\n");
4636 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
4637 ok(bret, "Failed to add Administrator Group to ACL.\n");
4638 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4639 ok(bret, "Failed to add ACL to security descriptor.\n");
4640 ret = pSetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4641 NULL, NULL, pDacl, NULL);
4642 ok(ret == ERROR_SUCCESS, "SetSecurityInfo returned %d\n", ret);
4643 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4644 NULL, NULL, &pDacl, NULL, &pSD);
4645 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4646 ok(pDacl && IsValidAcl(pDacl), "GetSecurityInfo returned invalid DACL.\n");
4647 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4648 ok(bret, "GetAclInformation failed\n");
4649 if (acl_size.AceCount > 0)
4650 {
4651 bret = pGetAce(pDacl, 0, (VOID **)&ace);
4652 ok(bret, "Failed to get Current User ACE.\n");
4653 bret = EqualSid(&ace->SidStart, user_sid);
4654 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
4655 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
4656 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4657 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4658 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4659 ace->Mask);
4660 }
4661 if (acl_size.AceCount > 1)
4662 {
4663 bret = pGetAce(pDacl, 1, (VOID **)&ace);
4664 ok(bret, "Failed to get Administators Group ACE.\n");
4665 bret = EqualSid(&ace->SidStart, admin_sid);
4666 todo_wine ok(bret, "Administators Group ACE (%s) != Administators Group SID (%s).\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
4667 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4668 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4669 ok(ace->Mask == 0x1f01ff, "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4670 ace->Mask);
4671 }
4672 LocalFree(pSD);
4673 CloseHandle(obj);
4674 }
4675
4676 static void test_GetSidSubAuthority(void)
4677 {
4678 PSID psid = NULL;
4679
4680 if (!pGetSidSubAuthority || !pConvertStringSidToSidA || !pIsValidSid || !pGetSidSubAuthorityCount)
4681 {
4682 win_skip("Some functions not available\n");
4683 return;
4684 }
4685 /* Note: on windows passing in an invalid index like -1, lets GetSidSubAuthority return 0x05000000 but
4686 still GetLastError returns ERROR_SUCCESS then. We don't test these unlikely cornercases here for now */
4687 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576",&psid),"ConvertStringSidToSidA failed\n");
4688 ok(pIsValidSid(psid),"Sid is not valid\n");
4689 SetLastError(0xbebecaca);
4690 ok(*pGetSidSubAuthorityCount(psid) == 4,"GetSidSubAuthorityCount gave %d expected 4\n",*pGetSidSubAuthorityCount(psid));
4691 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4692 SetLastError(0xbebecaca);
4693 ok(*pGetSidSubAuthority(psid,0) == 21,"GetSidSubAuthority gave %d expected 21\n",*pGetSidSubAuthority(psid,0));
4694 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4695 SetLastError(0xbebecaca);
4696 ok(*pGetSidSubAuthority(psid,1) == 93476,"GetSidSubAuthority gave %d expected 93476\n",*pGetSidSubAuthority(psid,1));
4697 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4698 SetLastError(0xbebecaca);
4699 ok(pGetSidSubAuthority(psid,4) != NULL,"Expected out of bounds GetSidSubAuthority to return a non-NULL pointer\n");
4700 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4701 LocalFree(psid);
4702 }
4703
4704 static void test_CheckTokenMembership(void)
4705 {
4706 PTOKEN_GROUPS token_groups;
4707 DWORD size;
4708 HANDLE process_token, token;
4709 BOOL is_member;
4710 BOOL ret;
4711 DWORD i;
4712
4713 if (!pCheckTokenMembership)
4714 {
4715 win_skip("CheckTokenMembership is not available\n");
4716 return;
4717 }
4718 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
4719 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
4720
4721 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
4722 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
4723
4724 /* groups */
4725 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
4726 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
4727 "GetTokenInformation(TokenGroups) %s with error %d\n",
4728 ret ? "succeeded" : "failed", GetLastError());
4729 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
4730 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
4731 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
4732
4733 for (i = 0; i < token_groups->GroupCount; i++)
4734 {
4735 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
4736 break;
4737 }
4738
4739 if (i == token_groups->GroupCount)
4740 {
4741 HeapFree(GetProcessHeap(), 0, token_groups);
4742 CloseHandle(token);
4743 skip("user not a member of any group\n");
4744 return;
4745 }
4746
4747 is_member = FALSE;
4748 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
4749 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4750 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4751
4752 is_member = FALSE;
4753 ret = pCheckTokenMembership(NULL, token_groups->Groups[i].Sid, &is_member);
4754 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4755 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4756
4757 is_member = TRUE;
4758 SetLastError(0xdeadbeef);
4759 ret = pCheckTokenMembership(process_token, token_groups->Groups[i].Sid, &is_member);
4760 ok(!ret && GetLastError() == ERROR_NO_IMPERSONATION_TOKEN,
4761 "CheckTokenMembership with process token %s with error %d\n",
4762 ret ? "succeeded" : "failed", GetLastError());
4763 ok(!is_member, "CheckTokenMembership should have cleared is_member\n");
4764
4765 HeapFree(GetProcessHeap(), 0, token_groups);
4766 CloseHandle(token);
4767 CloseHandle(process_token);
4768 }
4769
4770 static void test_EqualSid(void)
4771 {
4772 PSID sid1, sid2;
4773 BOOL ret;
4774 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
4775 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
4776
4777 SetLastError(0xdeadbeef);
4778 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4779 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid1);
4780 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4781 {
4782 win_skip("AllocateAndInitializeSid is not implemented\n");
4783 return;
4784 }
4785 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4786 ok(GetLastError() == 0xdeadbeef,
4787 "AllocateAndInitializeSid shouldn't have set last error to %d\n",
4788 GetLastError());
4789
4790 ret = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
4791 0, 0, 0, 0, 0, 0, 0, &sid2);
4792 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4793
4794 SetLastError(0xdeadbeef);
4795 ret = EqualSid(sid1, sid2);
4796 ok(!ret, "World and domain admins sids shouldn't have been equal\n");
4797 ok(GetLastError() == ERROR_SUCCESS ||
4798 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4799 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4800 GetLastError());
4801
4802 SetLastError(0xdeadbeef);
4803 sid2 = FreeSid(sid2);
4804 ok(!sid2, "FreeSid should have returned NULL instead of %p\n", sid2);
4805 ok(GetLastError() == 0xdeadbeef,
4806 "FreeSid shouldn't have set last error to %d\n",
4807 GetLastError());
4808
4809 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4810 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid2);
4811 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4812
4813 SetLastError(0xdeadbeef);
4814 ret = EqualSid(sid1, sid2);
4815 ok(ret, "Same sids should have been equal %s != %s\n",
4816 debugstr_sid(sid1), debugstr_sid(sid2));
4817 ok(GetLastError() == ERROR_SUCCESS ||
4818 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4819 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4820 GetLastError());
4821
4822 ((SID *)sid2)->Revision = 2;
4823 SetLastError(0xdeadbeef);
4824 ret = EqualSid(sid1, sid2);
4825 ok(!ret, "EqualSid with invalid sid should have returned FALSE\n");
4826 ok(GetLastError() == ERROR_SUCCESS ||
4827 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4828 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4829 GetLastError());
4830 ((SID *)sid2)->Revision = SID_REVISION;
4831
4832 FreeSid(sid1);
4833 FreeSid(sid2);
4834 }
4835
4836 static void test_GetUserNameA(void)
4837 {
4838 char buffer[UNLEN + 1], filler[UNLEN + 1];
4839 DWORD required_len, buffer_len;
4840 BOOL ret;
4841
4842 /* Test crashes on Windows. */
4843 if (0)
4844 {
4845 SetLastError(0xdeadbeef);
4846 GetUserNameA(NULL, NULL);
4847 }
4848
4849 SetLastError(0xdeadbeef);
4850 required_len = 0;
4851 ret = GetUserNameA(NULL, &required_len);
4852 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4853 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4854 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4855
4856 SetLastError(0xdeadbeef);
4857 required_len = 1;
4858 ret = GetUserNameA(NULL, &required_len);
4859 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4860 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
4861 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4862
4863 /* Tests crashes on Windows. */
4864 if (0)
4865 {
4866 SetLastError(0xdeadbeef);
4867 required_len = UNLEN + 1;
4868 GetUserNameA(NULL, &required_len);
4869
4870 SetLastError(0xdeadbeef);
4871 GetUserNameA(buffer, NULL);
4872 }
4873
4874 memset(filler, 'x', sizeof(filler));
4875
4876 /* Note that GetUserNameA on XP and newer outputs the number of bytes
4877 * required for a Unicode string, which affects a test in the next block. */
4878 SetLastError(0xdeadbeef);
4879 memcpy(buffer, filler, sizeof(filler));
4880 required_len = 0;
4881 ret = GetUserNameA(buffer, &required_len);
4882 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4883 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
4884 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4885 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4886
4887 SetLastError(0xdeadbeef);
4888 memcpy(buffer, filler, sizeof(filler));
4889 buffer_len = required_len;
4890 ret = GetUserNameA(buffer, &buffer_len);
4891 ok(ret == TRUE, "GetUserNameA returned %d, last error %u\n", ret, GetLastError());
4892 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
4893 ok(buffer_len == required_len ||
4894 broken(buffer_len == required_len / sizeof(WCHAR)), /* XP+ */
4895 "Outputted buffer length was %u\n", buffer_len);
4896
4897 /* Use the reported buffer size from the last GetUserNameA call and pass
4898 * a length that is one less than the required value. */
4899 SetLastError(0xdeadbeef);
4900 memcpy(buffer, filler, sizeof(filler));
4901 buffer_len--;
4902 ret = GetUserNameA(buffer, &buffer_len);
4903 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4904 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was untouched\n");
4905 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4906 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4907 }
4908
4909 static void test_GetUserNameW(void)
4910 {
4911 WCHAR buffer[UNLEN + 1], filler[UNLEN + 1];
4912 DWORD required_len, buffer_len;
4913 BOOL ret;
4914
4915 /* Test crashes on Windows. */
4916 if (0)
4917 {
4918 SetLastError(0xdeadbeef);
4919 GetUserNameW(NULL, NULL);
4920 }
4921
4922 SetLastError(0xdeadbeef);
4923 required_len = 0;
4924 ret = GetUserNameW(NULL, &required_len);
4925 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4926 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4927 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4928
4929 SetLastError(0xdeadbeef);
4930 required_len = 1;
4931 ret = GetUserNameW(NULL, &required_len);
4932 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4933 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
4934 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4935
4936 /* Tests crash on Windows. */
4937 if (0)
4938 {
4939 SetLastError(0xdeadbeef);
4940 required_len = UNLEN + 1;
4941 GetUserNameW(NULL, &required_len);
4942
4943 SetLastError(0xdeadbeef);
4944 GetUserNameW(buffer, NULL);
4945 }
4946
4947 memset(filler, 'x', sizeof(filler));
4948
4949 SetLastError(0xdeadbeef);
4950 memcpy(buffer, filler, sizeof(filler));
4951 required_len = 0;
4952 ret = GetUserNameW(buffer, &required_len);
4953 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4954 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
4955 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4956 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4957
4958 SetLastError(0xdeadbeef);
4959 memcpy(buffer, filler, sizeof(filler));
4960 buffer_len = required_len;
4961 ret = GetUserNameW(buffer, &buffer_len);
4962 ok(ret == TRUE, "GetUserNameW returned %d, last error %u\n", ret, GetLastError());
4963 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
4964 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4965
4966 /* GetUserNameW on XP and newer writes a truncated portion of the username string to the buffer. */
4967 SetLastError(0xdeadbeef);
4968 memcpy(buffer, filler, sizeof(filler));
4969 buffer_len--;
4970 ret = GetUserNameW(buffer, &buffer_len);
4971 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4972 ok(!memcmp(buffer, filler, sizeof(filler)) ||
4973 broken(memcmp(buffer, filler, sizeof(filler)) != 0), /* XP+ */
4974 "Output buffer was altered\n");
4975 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4976 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4977 }
4978
4979 static void test_CreateRestrictedToken(void)
4980 {
4981 HANDLE process_token, token, r_token;
4982 PTOKEN_GROUPS token_groups, groups2;
4983 SID_AND_ATTRIBUTES sattr;
4984 SECURITY_IMPERSONATION_LEVEL level;
4985 TOKEN_TYPE type;
4986 BOOL is_member;
4987 DWORD size;
4988 BOOL ret;
4989 DWORD i, j;
4990
4991 if (!pCreateRestrictedToken)
4992 {
4993 win_skip("CreateRestrictedToken is not available\n");
4994 return;
4995 }
4996
4997 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
4998 ok(ret, "got error %d\n", GetLastError());
4999
5000 ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_QUERY,
5001 NULL, SecurityImpersonation, TokenImpersonation, &token);
5002 ok(ret, "got error %d\n", GetLastError());
5003
5004 /* groups */
5005 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
5006 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
5007 "got %d with error %d\n", ret, GetLastError());
5008 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
5009 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
5010 ok(ret, "got error %d\n", GetLastError());
5011
5012 for (i = 0; i < token_groups->GroupCount; i++)
5013 {
5014 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
5015 break;
5016 }
5017
5018 if (i == token_groups->GroupCount)
5019 {
5020 HeapFree(GetProcessHeap(), 0, token_groups);
5021 CloseHandle(token);
5022 skip("User not a member of any group\n");
5023 return;
5024 }
5025
5026 is_member = FALSE;
5027 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
5028 ok(ret, "got error %d\n", GetLastError());
5029 ok(is_member, "not a member\n");
5030
5031 /* disable a SID in new token */
5032 sattr.Sid = token_groups->Groups[i].Sid;
5033 sattr.Attributes = 0;
5034 r_token = NULL;
5035 ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
5036 ok(ret, "got error %d\n", GetLastError());
5037
5038 if (ret)
5039 {
5040 /* check if a SID is enabled */
5041 is_member = TRUE;
5042 ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
5043 ok(ret, "got error %d\n", GetLastError());
5044 todo_wine ok(!is_member, "not a member\n");
5045
5046 ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
5047 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
5048 ret, GetLastError());
5049 groups2 = HeapAlloc(GetProcessHeap(), 0, size);
5050 ret = GetTokenInformation(r_token, TokenGroups, groups2, size, &size);
5051 ok(ret, "got error %d\n", GetLastError());
5052
5053 for (j = 0; j < groups2->GroupCount; j++)
5054 {
5055 if (EqualSid(groups2->Groups[j].Sid, token_groups->Groups[i].Sid))
5056 break;
5057 }
5058
5059 todo_wine ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
5060 "got wrong attributes\n");
5061 todo_wine ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
5062 "got wrong attributes\n");
5063
5064 HeapFree(GetProcessHeap(), 0, groups2);
5065
5066 size = sizeof(type);
5067 ret = GetTokenInformation(r_token, TokenType, &type, size, &size);
5068 ok(ret, "got error %d\n", GetLastError());
5069 ok(type == TokenImpersonation, "got type %u\n", type);
5070
5071 size = sizeof(level);
5072 ret = GetTokenInformation(r_token, TokenImpersonationLevel, &level, size, &size);
5073 ok(ret, "got error %d\n", GetLastError());
5074 ok(level == SecurityImpersonation, "got level %u\n", type);
5075 }
5076
5077 HeapFree(GetProcessHeap(), 0, token_groups);
5078 CloseHandle(r_token);
5079 CloseHandle(token);
5080 CloseHandle(process_token);
5081 }
5082
5083 static void validate_default_security_descriptor(SECURITY_DESCRIPTOR *sd)
5084 {
5085 BOOL ret, present, defaulted;
5086 ACL *acl;
5087 void *sid;
5088
5089 ret = IsValidSecurityDescriptor(sd);
5090 ok(ret, "security descriptor is not valid\n");
5091
5092 present = -1;
5093 defaulted = -1;
5094 acl = (void *)0xdeadbeef;
5095 SetLastError(0xdeadbeef);
5096 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
5097 ok(ret, "GetSecurityDescriptorDacl error %d\n", GetLastError());
5098 todo_wine
5099 ok(present == 1, "acl is not present\n");
5100 todo_wine
5101 ok(acl != (void *)0xdeadbeef && acl != NULL, "acl pointer is not set\n");
5102 ok(defaulted == 0, "defaulted is set to TRUE\n");
5103
5104 defaulted = -1;
5105 sid = (void *)0xdeadbeef;
5106 SetLastError(0xdeadbeef);
5107 ret = GetSecurityDescriptorOwner(sd, &sid, &defaulted);
5108 ok(ret, "GetSecurityDescriptorOwner error %d\n", GetLastError());
5109 todo_wine
5110 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5111 ok(defaulted == 0, "defaulted is set to TRUE\n");
5112
5113 defaulted = -1;
5114 sid = (void *)0xdeadbeef;
5115 SetLastError(0xdeadbeef);
5116 ret = GetSecurityDescriptorGroup(sd, &sid, &defaulted);
5117 ok(ret, "GetSecurityDescriptorGroup error %d\n", GetLastError());
5118 todo_wine
5119 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5120 ok(defaulted == 0, "defaulted is set to TRUE\n");
5121 }
5122
5123 static void test_default_handle_security(HANDLE token, HANDLE handle, GENERIC_MAPPING *mapping)
5124 {
5125 DWORD ret, granted, priv_set_len;
5126 BOOL status;
5127 PRIVILEGE_SET priv_set;
5128 SECURITY_DESCRIPTOR *sd;
5129
5130 sd = test_get_security_descriptor(handle, __LINE__);
5131 validate_default_security_descriptor(sd);
5132
5133 priv_set_len = sizeof(priv_set);
5134 granted = 0xdeadbeef;
5135 status = 0xdeadbeef;
5136 SetLastError(0xdeadbeef);
5137 ret = AccessCheck(sd, token, MAXIMUM_ALLOWED, mapping, &priv_set, &priv_set_len, &granted, &status);
5138 todo_wine {
5139 ok(ret, "AccessCheck error %d\n", GetLastError());
5140 ok(status == 1, "expected 1, got %d\n", status);
5141 ok(granted == mapping->GenericAll, "expected all access %#x, got %#x\n", mapping->GenericAll, granted);
5142 }
5143 priv_set_len = sizeof(priv_set);
5144 granted = 0xdeadbeef;
5145 status = 0xdeadbeef;
5146 SetLastError(0xdeadbeef);
5147 ret = AccessCheck(sd, token, 0, mapping, &priv_set, &priv_set_len, &granted, &status);
5148 todo_wine {
5149 ok(ret, "AccessCheck error %d\n", GetLastError());
5150 ok(status == 0 || broken(status == 1) /* NT4 */, "expected 0, got %d\n", status);
5151 ok(granted == 0 || broken(granted == mapping->GenericRead) /* NT4 */, "expected 0, got %#x\n", granted);
5152 }
5153 priv_set_len = sizeof(priv_set);
5154 granted = 0xdeadbeef;
5155 status = 0xdeadbeef;
5156 SetLastError(0xdeadbeef);
5157 ret = AccessCheck(sd, token, ACCESS_SYSTEM_SECURITY, mapping, &priv_set, &priv_set_len, &granted, &status);
5158 todo_wine {
5159 ok(ret, "AccessCheck error %d\n", GetLastError());
5160 ok(status == 0, "expected 0, got %d\n", status);
5161 ok(granted == 0, "expected 0, got %#x\n", granted);
5162 }
5163 priv_set_len = sizeof(priv_set);
5164 granted = 0xdeadbeef;
5165 status = 0xdeadbeef;
5166 SetLastError(0xdeadbeef);
5167 ret = AccessCheck(sd, token, mapping->GenericRead, mapping, &priv_set, &priv_set_len, &granted, &status);
5168 todo_wine {
5169 ok(ret, "AccessCheck error %d\n", GetLastError());
5170 ok(status == 1, "expected 1, got %d\n", status);
5171 ok(granted == mapping->GenericRead, "expected read access %#x, got %#x\n", mapping->GenericRead, granted);
5172 }
5173 priv_set_len = sizeof(priv_set);
5174 granted = 0xdeadbeef;
5175 status = 0xdeadbeef;
5176 SetLastError(0xdeadbeef);
5177 ret = AccessCheck(sd, token, mapping->GenericWrite, mapping, &priv_set, &priv_set_len, &granted, &status);
5178 todo_wine {
5179 ok(ret, "AccessCheck error %d\n", GetLastError());
5180 ok(status == 1, "expected 1, got %d\n", status);
5181 ok(granted == mapping->GenericWrite, "expected write access %#x, got %#x\n", mapping->GenericWrite, granted);
5182 }
5183 priv_set_len = sizeof(priv_set);
5184 granted = 0xdeadbeef;
5185 status = 0xdeadbeef;
5186 SetLastError(0xdeadbeef);
5187 ret = AccessCheck(sd, token, mapping->GenericExecute, mapping, &priv_set, &priv_set_len, &granted, &status);
5188 todo_wine {
5189 ok(ret, "AccessCheck error %d\n", GetLastError());
5190 ok(status == 1, "expected 1, got %d\n", status);
5191 ok(granted == mapping->GenericExecute, "expected execute access %#x, got %#x\n", mapping->GenericExecute, granted);
5192 }
5193 HeapFree(GetProcessHeap(), 0, sd);
5194 }
5195
5196 static ACCESS_MASK get_obj_access(HANDLE obj)
5197 {
5198 OBJECT_BASIC_INFORMATION info;
5199 NTSTATUS status;
5200
5201 if (!pNtQueryObject) return 0;
5202
5203 status = pNtQueryObject(obj, ObjectBasicInformation, &info, sizeof(info), NULL);
5204 ok(!status, "NtQueryObject error %#x\n", status);
5205
5206 return info.GrantedAccess;
5207 }
5208
5209 static void test_mutex_security(HANDLE token)
5210 {
5211 DWORD ret, i, access;
5212 HANDLE mutex, dup;
5213 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE | SYNCHRONIZE,
5214 STANDARD_RIGHTS_WRITE | MUTEX_MODIFY_STATE | SYNCHRONIZE,
5215 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5216 STANDARD_RIGHTS_ALL | MUTEX_ALL_ACCESS };
5217 static const struct
5218 {
5219 int generic, mapped;
5220 } map[] =
5221 {
5222 { 0, 0 },
5223 { GENERIC_READ, STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE },
5224 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE },
5225 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5226 { GENERIC_ALL, STANDARD_RIGHTS_ALL | MUTANT_QUERY_STATE }
5227 };
5228
5229 SetLastError(0xdeadbeef);
5230 mutex = OpenMutexA(0, FALSE, "WineTestMutex");
5231 ok(!mutex, "mutex should not exist\n");
5232 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5233
5234 SetLastError(0xdeadbeef);
5235 mutex = CreateMutexA(NULL, FALSE, "WineTestMutex");
5236 ok(mutex != 0, "CreateMutex error %d\n", GetLastError());
5237
5238 access = get_obj_access(mutex);
5239 ok(access == MUTANT_ALL_ACCESS, "expected MUTANT_ALL_ACCESS, got %#x\n", access);
5240
5241 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5242 {
5243 SetLastError( 0xdeadbeef );
5244 ret = DuplicateHandle(GetCurrentProcess(), mutex, GetCurrentProcess(), &dup,
5245 map[i].generic, FALSE, 0);
5246 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5247
5248 access = get_obj_access(dup);
5249 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5250
5251 CloseHandle(dup);
5252
5253 SetLastError(0xdeadbeef);
5254 dup = OpenMutexA(0, FALSE, "WineTestMutex");
5255 todo_wine
5256 ok(!dup, "OpenMutex should fail\n");
5257 todo_wine
5258 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5259 }
5260
5261 test_default_handle_security(token, mutex, &mapping);
5262
5263 CloseHandle (mutex);
5264 }
5265
5266 static void test_event_security(HANDLE token)
5267 {
5268 DWORD ret, i, access;
5269 HANDLE event, dup;
5270 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | EVENT_QUERY_STATE | SYNCHRONIZE,
5271 STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE | SYNCHRONIZE,
5272 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5273 STANDARD_RIGHTS_ALL | EVENT_ALL_ACCESS };
5274 static const struct
5275 {
5276 int generic, mapped;
5277 } map[] =
5278 {
5279 { 0, 0 },
5280 { GENERIC_READ, STANDARD_RIGHTS_READ | EVENT_QUERY_STATE },
5281 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE },
5282 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5283 { GENERIC_ALL, STANDARD_RIGHTS_ALL | EVENT_QUERY_STATE | EVENT_MODIFY_STATE }
5284 };
5285
5286 SetLastError(0xdeadbeef);
5287 event = OpenEventA(0, FALSE, "WineTestEvent");
5288 ok(!event, "event should not exist\n");
5289 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5290
5291 SetLastError(0xdeadbeef);
5292 event = CreateEventA(NULL, FALSE, FALSE, "WineTestEvent");
5293 ok(event != 0, "CreateEvent error %d\n", GetLastError());
5294
5295 access = get_obj_access(event);
5296 ok(access == EVENT_ALL_ACCESS, "expected EVENT_ALL_ACCESS, got %#x\n", access);
5297
5298 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5299 {
5300 SetLastError( 0xdeadbeef );
5301 ret = DuplicateHandle(GetCurrentProcess(), event, GetCurrentProcess(), &dup,
5302 map[i].generic, FALSE, 0);
5303 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5304
5305 access = get_obj_access(dup);
5306 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5307
5308 CloseHandle(dup);
5309
5310 SetLastError(0xdeadbeef);
5311 dup = OpenEventA(0, FALSE, "WineTestEvent");
5312 todo_wine
5313 ok(!dup, "OpenEvent should fail\n");
5314 todo_wine
5315 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5316 }
5317
5318 test_default_handle_security(token, event, &mapping);
5319
5320 CloseHandle(event);
5321 }
5322
5323 static void test_semaphore_security(HANDLE token)
5324 {
5325 DWORD ret, i, access;
5326 HANDLE sem, dup;
5327 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE,
5328 STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE,
5329 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5330 STANDARD_RIGHTS_ALL | SEMAPHORE_ALL_ACCESS };
5331 static const struct
5332 {
5333 int generic, mapped;
5334 } map[] =
5335 {
5336 { 0, 0 },
5337 { GENERIC_READ, STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE },
5338 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE },
5339 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5340 { GENERIC_ALL, STANDARD_RIGHTS_ALL | SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE }
5341 };
5342
5343 SetLastError(0xdeadbeef);
5344 sem = OpenSemaphoreA(0, FALSE, "WineTestSemaphore");
5345 ok(!sem, "semaphore should not exist\n");
5346 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5347
5348 SetLastError(0xdeadbeef);
5349 sem = CreateSemaphoreA(NULL, 0, 10, "WineTestSemaphore");
5350 ok(sem != 0, "CreateSemaphore error %d\n", GetLastError());
5351
5352 access = get_obj_access(sem);
5353 ok(access == SEMAPHORE_ALL_ACCESS, "expected SEMAPHORE_ALL_ACCESS, got %#x\n", access);
5354
5355 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5356 {
5357 SetLastError( 0xdeadbeef );
5358 ret = DuplicateHandle(GetCurrentProcess(), sem, GetCurrentProcess(), &dup,
5359 map[i].generic, FALSE, 0);
5360 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5361
5362 access = get_obj_access(dup);
5363 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5364
5365 CloseHandle(dup);
5366 }
5367
5368 test_default_handle_security(token, sem, &mapping);
5369
5370 CloseHandle(sem);
5371 }
5372
5373 #define WINE_TEST_PIPE "\\\\.\\pipe\\WineTestPipe"
5374 static void test_named_pipe_security(HANDLE token)
5375 {
5376 DWORD ret, i, access;
5377 HANDLE pipe, file, dup;
5378 GENERIC_MAPPING mapping = { FILE_GENERIC_READ,
5379 FILE_GENERIC_WRITE,
5380 FILE_GENERIC_EXECUTE,
5381 STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS };
5382 static const struct
5383 {
5384 int todo, generic, mapped;
5385 } map[] =
5386 {
5387 { 0, 0, 0 },
5388 { 1, GENERIC_READ, FILE_GENERIC_READ },
5389 { 1, GENERIC_WRITE, FILE_GENERIC_WRITE },
5390 { 1, GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5391 { 1, GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5392 };
5393 static const struct
5394 {
5395 DWORD open_mode;
5396 DWORD access;
5397 } creation_access[] =
5398 {
5399 { PIPE_ACCESS_INBOUND, FILE_GENERIC_READ },
5400 { PIPE_ACCESS_OUTBOUND, FILE_GENERIC_WRITE },
5401 { PIPE_ACCESS_DUPLEX, FILE_GENERIC_READ|FILE_GENERIC_WRITE },
5402 { PIPE_ACCESS_INBOUND|WRITE_DAC, FILE_GENERIC_READ|WRITE_DAC },
5403 { PIPE_ACCESS_INBOUND|WRITE_OWNER, FILE_GENERIC_READ|WRITE_OWNER }
5404 /* ACCESS_SYSTEM_SECURITY is also valid, but will fail with ERROR_PRIVILEGE_NOT_HELD */
5405 };
5406
5407 /* Test the different security access options for pipes */
5408 for (i = 0; i < sizeof(creation_access)/sizeof(creation_access[0]); i++)
5409 {
5410 SetLastError(0xdeadbeef);
5411 pipe = CreateNamedPipeA(WINE_TEST_PIPE, creation_access[i].open_mode,
5412 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES, 0, 0,
5413 NMPWAIT_USE_DEFAULT_WAIT, NULL);
5414 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe(0x%x) error %d\n",
5415 creation_access[i].open_mode, GetLastError());
5416 access = get_obj_access(pipe);
5417 ok(access == creation_access[i].access,
5418 "CreateNamedPipeA(0x%x) pipe expected access 0x%x (got 0x%x)\n",
5419 creation_access[i].open_mode, creation_access[i].access, access);
5420 CloseHandle(pipe);
5421 }
5422
5423 SetLastError(0xdeadbeef);
5424 pipe = CreateNamedPipeA(WINE_TEST_PIPE, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
5425 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES,
5426 0, 0, NMPWAIT_USE_DEFAULT_WAIT, NULL);
5427 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe error %d\n", GetLastError());
5428
5429 test_default_handle_security(token, pipe, &mapping);
5430
5431 SetLastError(0xdeadbeef);
5432 file = CreateFileA(WINE_TEST_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
5433 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5434
5435 access = get_obj_access(file);
5436 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5437
5438 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5439 {
5440 SetLastError( 0xdeadbeef );
5441 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5442 map[i].generic, FALSE, 0);
5443 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5444
5445 access = get_obj_access(dup);
5446 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5447
5448 CloseHandle(dup);
5449 }
5450
5451 CloseHandle(file);
5452 CloseHandle(pipe);
5453
5454 SetLastError(0xdeadbeef);
5455 file = CreateFileA("\\\\.\\pipe\\", FILE_ALL_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0);
5456 ok(file != INVALID_HANDLE_VALUE || broken(file == INVALID_HANDLE_VALUE) /* before Vista */, "CreateFile error %d\n", GetLastError());
5457
5458 if (file != INVALID_HANDLE_VALUE)
5459 {
5460 access = get_obj_access(file);
5461 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5462
5463 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5464 {
5465 SetLastError( 0xdeadbeef );
5466 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5467 map[i].generic, FALSE, 0);
5468 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5469
5470 access = get_obj_access(dup);
5471 todo_wine_if (map[i].todo)
5472 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5473
5474 CloseHandle(dup);
5475 }
5476 }
5477
5478 CloseHandle(file);
5479 }
5480
5481 static void test_file_security(HANDLE token)
5482 {
5483 DWORD ret, i, access, bytes;
5484 HANDLE file, dup;
5485 static const struct
5486 {
5487 int generic, mapped;
5488 } map[] =
5489 {
5490 { 0, 0 },
5491 { GENERIC_READ, FILE_GENERIC_READ },
5492 { GENERIC_WRITE, FILE_GENERIC_WRITE },
5493 { GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5494 { GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5495 };
5496 char temp_path[MAX_PATH];
5497 char file_name[MAX_PATH];
5498 char buf[16];
5499
5500 GetTempPathA(MAX_PATH, temp_path);
5501 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5502
5503 /* file */
5504 SetLastError(0xdeadbeef);
5505 file = CreateFileA(file_name, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
5506 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5507
5508 access = get_obj_access(file);
5509 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5510
5511 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5512 {
5513 SetLastError( 0xdeadbeef );
5514 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5515 map[i].generic, FALSE, 0);
5516 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5517
5518 access = get_obj_access(dup);
5519 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5520
5521 CloseHandle(dup);
5522 }
5523
5524 CloseHandle(file);
5525
5526 SetLastError(0xdeadbeef);
5527 file = CreateFileA(file_name, 0, 0, NULL, OPEN_EXISTING, 0, NULL);
5528 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5529
5530 access = get_obj_access(file);
5531 todo_wine
5532 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5533
5534 bytes = 0xdeadbeef;
5535 SetLastError(0xdeadbeef);
5536 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5537 ok(!ret, "ReadFile should fail\n");
5538 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5539 ok(bytes == 0, "expected 0, got %u\n", bytes);
5540
5541 CloseHandle(file);
5542
5543 SetLastError(0xdeadbeef);
5544 file = CreateFileA(file_name, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, 0);
5545 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5546
5547 access = get_obj_access(file);
5548 todo_wine
5549 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5550
5551 bytes = 0xdeadbeef;
5552 SetLastError(0xdeadbeef);
5553 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5554 ok(!ret, "ReadFile should fail\n");
5555 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5556 ok(bytes == 0, "expected 0, got %u\n", bytes);
5557
5558 CloseHandle(file);
5559 DeleteFileA(file_name);
5560
5561 /* directory */
5562 SetLastError(0xdeadbeef);
5563 file = CreateFileA(temp_path, GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5564 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5565
5566 access = get_obj_access(file);
5567 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5568
5569 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5570 {
5571 SetLastError( 0xdeadbeef );
5572 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5573 map[i].generic, FALSE, 0);
5574 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5575
5576 access = get_obj_access(dup);
5577 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5578
5579 CloseHandle(dup);
5580 }
5581
5582 CloseHandle(file);
5583
5584 SetLastError(0xdeadbeef);
5585 file = CreateFileA(temp_path, 0, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5586 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5587
5588 access = get_obj_access(file);
5589 todo_wine
5590 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5591
5592 CloseHandle(file);
5593
5594 SetLastError(0xdeadbeef);
5595 file = CreateFileA(temp_path, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5596 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5597
5598 access = get_obj_access(file);
5599 todo_wine
5600 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5601
5602 CloseHandle(file);
5603 }
5604
5605 static void test_filemap_security(void)
5606 {
5607 char temp_path[MAX_PATH];
5608 char file_name[MAX_PATH];
5609 DWORD ret, i, access;
5610 HANDLE file, mapping, dup, created_mapping;
5611 static const struct
5612 {
5613 int generic, mapped;
5614 BOOL open_only;
5615 } map[] =
5616 {
5617 { 0, 0 },
5618 { GENERIC_READ, STANDARD_RIGHTS_READ | SECTION_QUERY | SECTION_MAP_READ },
5619 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SECTION_MAP_WRITE },
5620 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SECTION_MAP_EXECUTE },
5621 { GENERIC_ALL, STANDARD_RIGHTS_REQUIRED | SECTION_ALL_ACCESS },
5622 { SECTION_MAP_READ | SECTION_MAP_WRITE, SECTION_MAP_READ | SECTION_MAP_WRITE },
5623 { SECTION_MAP_WRITE, SECTION_MAP_WRITE },
5624 { SECTION_MAP_READ | SECTION_QUERY, SECTION_MAP_READ | SECTION_QUERY },
5625 { SECTION_QUERY, SECTION_MAP_READ, TRUE },
5626 { SECTION_QUERY | SECTION_MAP_READ, SECTION_QUERY | SECTION_MAP_READ }
5627 };
5628 static const struct
5629 {
5630 int prot, mapped;
5631 } prot_map[] =
5632 {
5633 { 0, 0 },
5634 { PAGE_NOACCESS, 0 },
5635 { PAGE_READONLY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5636 { PAGE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE },
5637 { PAGE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5638 { PAGE_EXECUTE, 0 },
5639 { PAGE_EXECUTE_READ, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE },
5640 { PAGE_EXECUTE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE },
5641 { PAGE_EXECUTE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE }
5642 };
5643
5644 GetTempPathA(MAX_PATH, temp_path);
5645 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5646
5647 SetLastError(0xdeadbeef);
5648 file = CreateFileA(file_name, GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE, 0, NULL, CREATE_ALWAYS, 0, 0);
5649 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5650 SetFilePointer(file, 4096, NULL, FILE_BEGIN);
5651 SetEndOfFile(file);
5652
5653 for (i = 0; i < sizeof(prot_map)/sizeof(prot_map[0]); i++)
5654 {
5655 if (map[i].open_only) continue;
5656
5657 SetLastError(0xdeadbeef);
5658 mapping = CreateFileMappingW(file, NULL, prot_map[i].prot, 0, 4096, NULL);
5659 if (prot_map[i].mapped)
5660 {
5661 if (!mapping)
5662 {
5663 /* NT4 and win2k don't support EXEC on file mappings */
5664 if (prot_map[i].prot == PAGE_EXECUTE_READ || prot_map[i].prot == PAGE_EXECUTE_READWRITE || prot_map[i].prot == PAGE_EXECUTE_WRITECOPY)
5665 {
5666 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5667 continue;
5668 }
5669 }
5670 ok(mapping != 0, "CreateFileMapping(%04x) error %d\n", prot_map[i].prot, GetLastError());
5671 }
5672 else
5673 {
5674 ok(!mapping, "CreateFileMapping(%04x) should fail\n", prot_map[i].prot);
5675 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
5676 continue;
5677 }
5678
5679 access = get_obj_access(mapping);
5680 ok(access == prot_map[i].mapped, "%d: expected %#x, got %#x\n", i, prot_map[i].mapped, access);
5681
5682 CloseHandle(mapping);
5683 }
5684
5685 SetLastError(0xdeadbeef);
5686 mapping = CreateFileMappingW(file, NULL, PAGE_EXECUTE_READWRITE, 0, 4096, NULL);
5687 if (!mapping)
5688 {
5689 /* NT4 and win2k don't support EXEC on file mappings */
5690 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5691 CloseHandle(file);
5692 DeleteFileA(file_name);
5693 return;
5694 }
5695 ok(mapping != 0, "CreateFileMapping error %d\n", GetLastError());
5696
5697 access = get_obj_access(mapping);
5698 ok(access == (STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE),
5699 "expected STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, got %#x\n", access);
5700
5701 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5702 {
5703 if (map[i].open_only) continue;
5704
5705 SetLastError( 0xdeadbeef );
5706 ret = DuplicateHandle(GetCurrentProcess(), mapping, GetCurrentProcess(), &dup,
5707 map[i].generic, FALSE, 0);
5708 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5709
5710 access = get_obj_access(dup);
5711 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5712
5713 CloseHandle(dup);
5714 }
5715
5716 CloseHandle(mapping);
5717 CloseHandle(file);
5718 DeleteFileA(file_name);
5719
5720 created_mapping = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000,
5721 "Wine Test Open Mapping");
5722 ok(created_mapping != NULL, "CreateFileMapping failed with error %u\n", GetLastError());
5723
5724 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5725 {
5726 if (!map[i].generic) continue;
5727
5728 mapping = OpenFileMappingA(map[i].generic, FALSE, "Wine Test Open Mapping");
5729 ok(mapping != NULL, "OpenFileMapping failed with error %d\n", GetLastError());
5730 access = get_obj_access(mapping);
5731 ok(access == map[i].mapped, "%d: unexpected access flags %#x, expected %#x\n",
5732 i, access, map[i].mapped);
5733 CloseHandle(mapping);
5734 }
5735
5736 CloseHandle(created_mapping);
5737 }
5738
5739 static void test_thread_security(void)
5740 {
5741 DWORD ret, i, access;
5742 HANDLE thread, dup;
5743 static const struct
5744 {
5745 int generic, mapped;
5746 } map[] =
5747 {
5748 { 0, 0 },
5749 { GENERIC_READ, STANDARD_RIGHTS_READ | THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT },
5750 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | THREAD_SET_INFORMATION | THREAD_SET_CONTEXT | THREAD_TERMINATE | THREAD_SUSPEND_RESUME | 0x4 },
5751 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5752 { GENERIC_ALL, THREAD_ALL_ACCESS_NT4 }
5753 };
5754
5755 SetLastError(0xdeadbeef);
5756 thread = CreateThread(NULL, 0, (void *)0xdeadbeef, NULL, CREATE_SUSPENDED, &ret);
5757 ok(thread != 0, "CreateThread error %d\n", GetLastError());
5758
5759 access = get_obj_access(thread);
5760 ok(access == THREAD_ALL_ACCESS_NT4 || access == THREAD_ALL_ACCESS_VISTA, "expected THREAD_ALL_ACCESS, got %#x\n", access);
5761
5762 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5763 {
5764 SetLastError( 0xdeadbeef );
5765 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5766 map[i].generic, FALSE, 0);
5767 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5768
5769 access = get_obj_access(dup);
5770 switch (map[i].generic)
5771 {
5772 case GENERIC_READ:
5773 case GENERIC_EXECUTE:
5774 ok(access == map[i].mapped ||
5775 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5776 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5777 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5778 break;
5779 case GENERIC_WRITE:
5780 todo_wine
5781 ok(access == map[i].mapped ||
5782 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION) /* Vista+ */ ||
5783 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5784 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5785 break;
5786 case GENERIC_ALL:
5787 ok(access == map[i].mapped || access == THREAD_ALL_ACCESS_VISTA,
5788 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5789 break;
5790 default:
5791 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5792 break;
5793 }
5794
5795 CloseHandle(dup);
5796 }
5797
5798 SetLastError( 0xdeadbeef );
5799 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5800 THREAD_QUERY_INFORMATION, FALSE, 0);
5801 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5802 access = get_obj_access(dup);
5803 ok(access == (THREAD_QUERY_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5804 access == THREAD_QUERY_INFORMATION /* before Vista */,
5805 "expected THREAD_QUERY_INFORMATION|THREAD_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5806 CloseHandle(dup);
5807
5808 TerminateThread(thread, 0);
5809 CloseHandle(thread);
5810 }
5811
5812 static void test_process_access(void)
5813 {
5814 DWORD ret, i, access;
5815 HANDLE process, dup;
5816 STARTUPINFOA sti;
5817 PROCESS_INFORMATION pi;
5818 char cmdline[] = "winver.exe";
5819 static const struct
5820 {
5821 int generic, mapped;
5822 } map[] =
5823 {
5824 { 0, 0 },
5825 { GENERIC_READ, STANDARD_RIGHTS_READ | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
5826 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME |
5827 PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION },
5828 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5829 { GENERIC_ALL, PROCESS_ALL_ACCESS_NT4 }
5830 };
5831
5832 memset(&sti, 0, sizeof(sti));
5833 sti.cb = sizeof(sti);
5834 SetLastError(0xdeadbeef);
5835 ret = CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sti, &pi);
5836 ok(ret, "CreateProcess() error %d\n", GetLastError());
5837
5838 CloseHandle(pi.hThread);
5839 process = pi.hProcess;
5840
5841 access = get_obj_access(process);
5842 ok(access == PROCESS_ALL_ACCESS_NT4 || access == PROCESS_ALL_ACCESS_VISTA, "expected PROCESS_ALL_ACCESS, got %#x\n", access);
5843
5844 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5845 {
5846 SetLastError( 0xdeadbeef );
5847 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5848 map[i].generic, FALSE, 0);
5849 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5850
5851 access = get_obj_access(dup);
5852 switch (map[i].generic)
5853 {
5854 case GENERIC_READ:
5855 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */,
5856 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5857 break;
5858 case GENERIC_WRITE:
5859 ok(access == map[i].mapped ||
5860 access == (map[i].mapped | PROCESS_TERMINATE) /* before Vista */ ||
5861 access == (map[i].mapped | PROCESS_SET_LIMITED_INFORMATION) /* win8 */ ||
5862 access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION) /* Win10 Anniversary Update */,
5863 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5864 break;
5865 case GENERIC_EXECUTE:
5866 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE) /* Vista+ */,
5867 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5868 break;
5869 case GENERIC_ALL:
5870 ok(access == map[i].mapped || access == PROCESS_ALL_ACCESS_VISTA,
5871 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5872 break;
5873 default:
5874 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5875 break;
5876 }
5877
5878 CloseHandle(dup);
5879 }
5880
5881 SetLastError( 0xdeadbeef );
5882 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5883 PROCESS_QUERY_INFORMATION, FALSE, 0);
5884 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5885 access = get_obj_access(dup);
5886 ok(access == (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5887 access == PROCESS_QUERY_INFORMATION /* before Vista */,
5888 "expected PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5889 CloseHandle(dup);
5890
5891 TerminateProcess(process, 0);
5892 CloseHandle(process);
5893 }
5894
5895 static BOOL validate_impersonation_token(HANDLE token, DWORD *token_type)
5896 {
5897 DWORD ret, needed;
5898 TOKEN_TYPE type;
5899 SECURITY_IMPERSONATION_LEVEL sil;
5900
5901 type = 0xdeadbeef;
5902 needed = 0;
5903 SetLastError(0xdeadbeef);
5904 ret = GetTokenInformation(token, TokenType, &type, sizeof(type), &needed);
5905 ok(ret, "GetTokenInformation error %d\n", GetLastError());
5906 ok(needed == sizeof(type), "GetTokenInformation should return required buffer length\n");
5907 ok(type == TokenPrimary || type == TokenImpersonation, "expected TokenPrimary or TokenImpersonation, got %d\n", type);
5908
5909 *token_type = type;
5910 if (type != TokenImpersonation) return FALSE;
5911
5912 needed = 0;
5913 SetLastError(0xdeadbeef);
5914 ret = GetTokenInformation(token, TokenImpersonationLevel, &sil, sizeof(sil), &needed);
5915 ok(ret, "GetTokenInformation error %d\n", GetLastError());
5916 ok(needed == sizeof(sil), "GetTokenInformation should return required buffer length\n");
5917 ok(sil == SecurityImpersonation, "expected SecurityImpersonation, got %d\n", sil);
5918
5919 needed = 0xdeadbeef;
5920 SetLastError(0xdeadbeef);
5921 ret = GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &needed);
5922 ok(!ret, "GetTokenInformation should fail\n");
5923 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
5924 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
5925 ok(needed > sizeof(TOKEN_DEFAULT_DACL), "GetTokenInformation returned empty default DACL\n");
5926
5927 needed = 0xdeadbeef;
5928 SetLastError(0xdeadbeef);
5929 ret = GetTokenInformation(token, TokenOwner, NULL, 0, &needed);
5930 ok(!ret, "GetTokenInformation should fail\n");
5931 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
5932 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
5933 ok(needed > sizeof(TOKEN_OWNER), "GetTokenInformation returned empty token owner\n");
5934
5935 needed = 0xdeadbeef;
5936 SetLastError(0xdeadbeef);
5937 ret = GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &needed);
5938 ok(!ret, "GetTokenInformation should fail\n");
5939 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
5940 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
5941 ok(needed > sizeof(TOKEN_PRIMARY_GROUP), "GetTokenInformation returned empty token primary group\n");
5942
5943 return TRUE;
5944 }
5945
5946 static void test_kernel_objects_security(void)
5947 {
5948 HANDLE token, process_token;
5949 DWORD ret, token_type;
5950
5951 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &process_token);
5952 ok(ret, "OpenProcessToken error %d\n", GetLastError());
5953
5954 ret = validate_impersonation_token(process_token, &token_type);
5955 ok(token_type == TokenPrimary, "expected TokenPrimary, got %d\n", token_type);
5956 ok(!ret, "access token should not be an impersonation token\n");
5957
5958 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
5959 ok(ret, "DuplicateToken error %d\n", GetLastError());
5960
5961 ret = validate_impersonation_token(token, &token_type);
5962 ok(ret, "access token should be a valid impersonation token\n");
5963 ok(token_type == TokenImpersonation, "expected TokenImpersonation, got %d\n", token_type);
5964
5965 test_mutex_security(token);
5966 test_event_security(token);
5967 test_named_pipe_security(token);
5968 test_semaphore_security(token);
5969 test_file_security(token);
5970 test_filemap_security();
5971 test_thread_security();
5972 test_process_access();
5973 /* FIXME: test other kernel object types */
5974
5975 CloseHandle(process_token);
5976 CloseHandle(token);
5977 }
5978
5979 static void test_TokenIntegrityLevel(void)
5980 {
5981 TOKEN_MANDATORY_LABEL *tml;
5982 BYTE buffer[64]; /* using max. 28 byte in win7 x64 */
5983 HANDLE token;
5984 DWORD size;
5985 DWORD res;
5986 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
5987 {SECURITY_MANDATORY_HIGH_RID}};
5988 static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
5989 {SECURITY_MANDATORY_MEDIUM_RID}};
5990
5991 SetLastError(0xdeadbeef);
5992 res = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
5993 ok(res, "got %d with %d (expected TRUE)\n", res, GetLastError());
5994
5995 SetLastError(0xdeadbeef);
5996 res = GetTokenInformation(token, TokenIntegrityLevel, buffer, sizeof(buffer), &size);
5997
5998 /* not supported before Vista */
5999 if (!res && ((GetLastError() == ERROR_INVALID_PARAMETER) || GetLastError() == ERROR_INVALID_FUNCTION))
6000 {
6001 win_skip("TokenIntegrityLevel not supported\n");
6002 CloseHandle(token);
6003 return;
6004 }
6005
6006 ok(res, "got %u with %u (expected TRUE)\n", res, GetLastError());
6007 if (!res)
6008 {
6009 CloseHandle(token);
6010 return;
6011 }
6012
6013 tml = (TOKEN_MANDATORY_LABEL*) buffer;
6014 ok(tml->Label.Attributes == (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED),
6015 "got 0x%x (expected 0x%x)\n", tml->Label.Attributes, (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED));
6016
6017 ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
6018 "got %s (expected %s or %s)\n", debugstr_sid(tml->Label.Sid),
6019 debugstr_sid(&medium_level), debugstr_sid(&high_level));
6020
6021 CloseHandle(token);
6022 }
6023
6024 static void test_default_dacl_owner_sid(void)
6025 {
6026 HANDLE handle;
6027 BOOL ret, defaulted, present, found;
6028 DWORD size, index;
6029 SECURITY_DESCRIPTOR *sd;
6030 SECURITY_ATTRIBUTES sa;
6031 PSID owner;
6032 ACL *dacl;
6033 ACCESS_ALLOWED_ACE *ace;
6034
6035 sd = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
6036 ret = InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION );
6037 ok( ret, "error %u\n", GetLastError() );
6038
6039 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6040 sa.lpSecurityDescriptor = sd;
6041 sa.bInheritHandle = FALSE;
6042 handle = CreateEventA( &sa, TRUE, TRUE, "test_event" );
6043 ok( handle != NULL, "error %u\n", GetLastError() );
6044
6045 size = 0;
6046 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, NULL, 0, &size );
6047 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "error %u\n", GetLastError() );
6048
6049 sd = HeapAlloc( GetProcessHeap(), 0, size );
6050 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, sd, size, &size );
6051 ok( ret, "error %u\n", GetLastError() );
6052
6053 owner = (void *)0xdeadbeef;
6054 defaulted = TRUE;
6055 ret = GetSecurityDescriptorOwner( sd, &owner, &defaulted );
6056 ok( ret, "error %u\n", GetLastError() );
6057 ok( owner != (void *)0xdeadbeef, "owner not set\n" );
6058 ok( !defaulted, "owner defaulted\n" );
6059
6060 dacl = (void *)0xdeadbeef;
6061 present = FALSE;
6062 defaulted = TRUE;
6063 ret = GetSecurityDescriptorDacl( sd, &present, &dacl, &defaulted );
6064 ok( ret, "error %u\n", GetLastError() );
6065 ok( present, "dacl not present\n" );
6066 ok( dacl != (void *)0xdeadbeef, "dacl not set\n" );
6067 ok( !defaulted, "dacl defaulted\n" );
6068
6069 index = 0;
6070 found = FALSE;
6071 while (pGetAce( dacl, index++, (void **)&ace ))
6072 {
6073 if (EqualSid( &ace->SidStart, owner )) found = TRUE;
6074 }
6075 ok( found, "owner sid not found in dacl\n" );
6076
6077 HeapFree( GetProcessHeap(), 0, sa.lpSecurityDescriptor );
6078 HeapFree( GetProcessHeap(), 0, sd );
6079 CloseHandle( handle );
6080 }
6081
6082 static void test_AdjustTokenPrivileges(void)
6083 {
6084 TOKEN_PRIVILEGES tp, prev;
6085 HANDLE token;
6086 DWORD len;
6087 LUID luid;
6088 BOOL ret;
6089
6090 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
6091 return;
6092
6093 if (!LookupPrivilegeValueA(NULL, SE_BACKUP_NAME, &luid))
6094 {
6095 CloseHandle(token);
6096 return;
6097 }
6098
6099 tp.PrivilegeCount = 1;
6100 tp.Privileges[0].Luid = luid;
6101 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6102
6103 len = 0xdeadbeef;
6104 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, &len);
6105 ok(ret, "got %d\n", ret);
6106 ok(len == 0xdeadbeef, "got length %d\n", len);
6107
6108 /* revert */
6109 tp.PrivilegeCount = 1;
6110 tp.Privileges[0].Luid = luid;
6111 tp.Privileges[0].Attributes = 0;
6112 AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &prev, NULL);
6113
6114 CloseHandle(token);
6115 }
6116
6117 static void test_AddAce(void)
6118 {
6119 static SID const sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
6120
6121 char acl_buf[1024], ace_buf[256];
6122 ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE*)ace_buf;
6123 PACL acl = (PACL)acl_buf;
6124 BOOL ret;
6125
6126 memset(ace, 0, sizeof(ace_buf));
6127 ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
6128 ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD)+sizeof(SID);
6129 memcpy(&ace->SidStart, &sidWorld, sizeof(sidWorld));
6130
6131 ret = InitializeAcl(acl, sizeof(acl_buf), ACL_REVISION2);
6132 ok(ret, "InitializeAcl failed: %d\n", GetLastError());
6133
6134 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6135 ok(ret, "AddAce failed: %d\n", GetLastError());
6136 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6137 ok(ret, "AddAce failed: %d\n", GetLastError());
6138 ret = AddAce(acl, ACL_REVISION3, MAXDWORD, ace, ace->Header.AceSize);
6139 ok(ret, "AddAce failed: %d\n", GetLastError());
6140 ok(acl->AclRevision == ACL_REVISION3, "acl->AclRevision = %d\n", acl->AclRevision);
6141 ret = AddAce(acl, ACL_REVISION4, MAXDWORD, ace, ace->Header.AceSize);
6142 ok(ret, "AddAce failed: %d\n", GetLastError());
6143 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6144 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6145 ok(ret, "AddAce failed: %d\n", GetLastError());
6146 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6147 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6148 ok(ret, "AddAce failed: %d\n", GetLastError());
6149
6150 ret = AddAce(acl, MIN_ACL_REVISION-1, MAXDWORD, ace, ace->Header.AceSize);
6151 ok(ret, "AddAce failed: %d\n", GetLastError());
6152 /* next test succeededs but corrupts ACL */
6153 ret = AddAce(acl, MAX_ACL_REVISION+1, MAXDWORD, ace, ace->Header.AceSize);
6154 ok(ret, "AddAce failed: %d\n", GetLastError());
6155 ok(acl->AclRevision == MAX_ACL_REVISION+1, "acl->AclRevision = %d\n", acl->AclRevision);
6156 SetLastError(0xdeadbeef);
6157 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6158 ok(!ret, "AddAce succeeded\n");
6159 ok(GetLastError() == ERROR_INVALID_PARAMETER, "GetLastError() = %d\n", GetLastError());
6160 }
6161
6162 static void test_AddMandatoryAce(void)
6163 {
6164 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6165 {SECURITY_MANDATORY_LOW_RID}};
6166 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6167 SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6168 BOOL defaulted, present, ret, found;
6169 ACL_SIZE_INFORMATION acl_size_info;
6170 SYSTEM_MANDATORY_LABEL_ACE *ace;
6171 char buffer_acl[256];
6172 ACL *acl = (ACL *)&buffer_acl;
6173 SECURITY_ATTRIBUTES sa;
6174 DWORD index, size;
6175 HANDLE handle;
6176 ACL *sacl;
6177
6178 if (!pAddMandatoryAce)
6179 {
6180 win_skip("AddMandatoryAce not supported, skipping test\n");
6181 return;
6182 }
6183
6184 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6185 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6186
6187 sa.nLength = sizeof(sa);
6188 sa.lpSecurityDescriptor = sd;
6189 sa.bInheritHandle = FALSE;
6190
6191 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6192 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6193
6194 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6195 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6196 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6197
6198 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6199 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6200 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6201
6202 sacl = (void *)0xdeadbeef;
6203 present = TRUE;
6204 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6205 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6206 todo_wine ok(!present, "SACL is present\n");
6207 todo_wine ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
6208
6209 HeapFree(GetProcessHeap(), 0, sd2);
6210 CloseHandle(handle);
6211
6212 ret = InitializeAcl(acl, 256, ACL_REVISION);
6213 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6214
6215 SetLastError(0xdeadbeef);
6216 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, 0x1234, &low_level);
6217 ok(!ret, "AddMandatoryAce succeeded\n");
6218 ok(GetLastError() == ERROR_INVALID_PARAMETER,
6219 "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
6220
6221 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
6222 ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
6223
6224 index = 0;
6225 found = FALSE;
6226 while (pGetAce(acl, index++, (void **)&ace))
6227 {
6228 if (ace->Header.AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
6229 ok(ace->Header.AceFlags == 0, "Expected flags 0, got %x\n", ace->Header.AceFlags);
6230 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6231 "Expected mask SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, got %x\n", ace->Mask);
6232 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6233 found = TRUE;
6234 }
6235 ok(found, "Could not find mandatory label ace\n");
6236
6237 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6238 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6239
6240 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6241 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6242
6243 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6244 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6245 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6246
6247 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6248 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6249 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6250
6251 sacl = (void *)0xdeadbeef;
6252 present = FALSE;
6253 defaulted = TRUE;
6254 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6255 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6256 ok(present, "SACL not present\n");
6257 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6258 ok(!defaulted, "SACL defaulted\n");
6259 ret = pGetAclInformation(sacl, &acl_size_info, sizeof(acl_size_info), AclSizeInformation);
6260 ok(ret, "GetAclInformation failed with error %u\n", GetLastError());
6261 ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
6262
6263 ret = pGetAce(sacl, 0, (void **)&ace);
6264 ok(ret, "GetAce failed with error %u\n", GetLastError());
6265 ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6266 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6267 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6268 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6269
6270 HeapFree(GetProcessHeap(), 0, sd2);
6271 CloseHandle(handle);
6272 }
6273
6274 static void test_system_security_access(void)
6275 {
6276 static const WCHAR testkeyW[] =
6277 {'S','O','F','T','W','A','R','E','\\','W','i','n','e','\\','S','A','C','L','t','e','s','t',0};
6278 LONG res;
6279 HKEY hkey;
6280 PSECURITY_DESCRIPTOR sd;
6281 ACL *sacl;
6282 DWORD err, len = 128;
6283 TOKEN_PRIVILEGES priv, *priv_prev;
6284 HANDLE token;
6285 LUID luid;
6286 BOOL ret;
6287
6288 if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token )) return;
6289 if (!LookupPrivilegeValueA( NULL, SE_SECURITY_NAME, &luid ))
6290 {
6291 CloseHandle( token );
6292 return;
6293 }
6294
6295 /* ACCESS_SYSTEM_SECURITY requires special privilege */
6296 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6297 if (res == ERROR_ACCESS_DENIED)
6298 {
6299 skip( "unprivileged user\n" );
6300 CloseHandle( token );
6301 return;
6302 }
6303 todo_wine ok( res == ERROR_PRIVILEGE_NOT_HELD, "got %d\n", res );
6304
6305 priv.PrivilegeCount = 1;
6306 priv.Privileges[0].Luid = luid;
6307 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6308
6309 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6310 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6311 ok( ret, "got %u\n", GetLastError());
6312
6313 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6314 if (res == ERROR_PRIVILEGE_NOT_HELD)
6315 {
6316 win_skip( "privilege not held\n" );
6317 HeapFree( GetProcessHeap(), 0, priv_prev );
6318 CloseHandle( token );
6319 return;
6320 }
6321 ok( !res, "got %d\n", res );
6322
6323 /* restore privileges */
6324 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6325 ok( ret, "got %u\n", GetLastError() );
6326 HeapFree( GetProcessHeap(), 0, priv_prev );
6327
6328 /* privilege is checked on access */
6329 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6330 todo_wine ok( err == ERROR_PRIVILEGE_NOT_HELD, "got %u\n", err );
6331
6332 priv.PrivilegeCount = 1;
6333 priv.Privileges[0].Luid = luid;
6334 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6335
6336 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6337 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6338 ok( ret, "got %u\n", GetLastError());
6339
6340 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6341 ok( err == ERROR_SUCCESS, "got %u\n", err );
6342 RegCloseKey( hkey );
6343 LocalFree( sd );
6344
6345 /* handle created without ACCESS_SYSTEM_SECURITY, privilege held */
6346 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6347 ok( res == ERROR_SUCCESS, "got %d\n", res );
6348
6349 sd = NULL;
6350 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6351 todo_wine ok( err == ERROR_SUCCESS, "got %u\n", err );
6352 RegCloseKey( hkey );
6353 LocalFree( sd );
6354
6355 /* restore privileges */
6356 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6357 ok( ret, "got %u\n", GetLastError() );
6358 HeapFree( GetProcessHeap(), 0, priv_prev );
6359
6360 /* handle created without ACCESS_SYSTEM_SECURITY, privilege not held */
6361 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6362 ok( res == ERROR_SUCCESS, "got %d\n", res );
6363
6364 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6365 todo_wine ok( err == ERROR_PRIVILEGE_NOT_HELD, "got %u\n", err );
6366 RegCloseKey( hkey );
6367
6368 res = RegDeleteKeyW( HKEY_LOCAL_MACHINE, testkeyW );
6369 ok( !res, "got %d\n", res );
6370 CloseHandle( token );
6371 }
6372
6373 static void test_GetWindowsAccountDomainSid(void)
6374 {
6375 char *user, buffer1[SECURITY_MAX_SID_SIZE], buffer2[SECURITY_MAX_SID_SIZE];
6376 SID_IDENTIFIER_AUTHORITY domain_ident = { SECURITY_NT_AUTHORITY };
6377 PSID domain_sid = (PSID *)&buffer1;
6378 PSID domain_sid2 = (PSID *)&buffer2;
6379 DWORD sid_size;
6380 PSID user_sid;
6381 HANDLE token;
6382 BOOL bret = TRUE;
6383 int i;
6384
6385 if (!pGetWindowsAccountDomainSid)
6386 {
6387 win_skip("GetWindowsAccountDomainSid not available\n");
6388 return;
6389 }
6390
6391 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
6392 {
6393 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
6394 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
6395 }
6396 if (!bret)
6397 {
6398 win_skip("Failed to get current user token\n");
6399 return;
6400 }
6401
6402 bret = GetTokenInformation(token, TokenUser, NULL, 0, &sid_size);
6403 ok(!bret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6404 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6405 user = HeapAlloc(GetProcessHeap(), 0, sid_size);
6406 bret = GetTokenInformation(token, TokenUser, user, sid_size, &sid_size);
6407 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6408 CloseHandle(token);
6409 user_sid = ((TOKEN_USER *)user)->User.Sid;
6410
6411 SetLastError(0xdeadbeef);
6412 bret = pGetWindowsAccountDomainSid(0, 0, 0);
6413 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6414 ok(GetLastError() == ERROR_INVALID_SID, "expected ERROR_INVALID_SID, got %d\n", GetLastError());
6415
6416 SetLastError(0xdeadbeef);
6417 bret = pGetWindowsAccountDomainSid(user_sid, 0, 0);
6418 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6419 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6420
6421 sid_size = SECURITY_MAX_SID_SIZE;
6422 SetLastError(0xdeadbeef);
6423 bret = pGetWindowsAccountDomainSid(user_sid, 0, &sid_size);
6424 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6425 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6426 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6427
6428 SetLastError(0xdeadbeef);
6429 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, 0);
6430 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6431 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6432
6433 sid_size = 1;
6434 SetLastError(0xdeadbeef);
6435 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6436 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6437 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6438 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6439
6440 sid_size = SECURITY_MAX_SID_SIZE;
6441 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6442 ok(bret, "GetWindowsAccountDomainSid failed with error %d\n", GetLastError());
6443 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6444 InitializeSid(domain_sid2, &domain_ident, 4);
6445 for (i = 0; i < 4; i++)
6446 *GetSidSubAuthority(domain_sid2, i) = *GetSidSubAuthority(user_sid, i);
6447 ok(EqualSid(domain_sid, domain_sid2), "unexpected domain sid %s != %s\n",
6448 debugstr_sid(domain_sid), debugstr_sid(domain_sid2));
6449
6450 HeapFree(GetProcessHeap(), 0, user);
6451 }
6452
6453 static void test_GetSidIdentifierAuthority(void)
6454 {
6455 char buffer[SECURITY_MAX_SID_SIZE];
6456 PSID authority_sid = (PSID *)buffer;
6457 PSID_IDENTIFIER_AUTHORITY id;
6458 BOOL ret;
6459
6460 if (!pGetSidIdentifierAuthority)
6461 {
6462 win_skip("GetSidIdentifierAuthority not available\n");
6463 return;
6464 }
6465
6466 memset(buffer, 0xcc, sizeof(buffer));
6467 ret = IsValidSid(authority_sid);
6468 ok(!ret, "expected FALSE, got %u\n", ret);
6469
6470 SetLastError(0xdeadbeef);
6471 id = GetSidIdentifierAuthority(authority_sid);
6472 ok(id != NULL, "got NULL pointer as identifier authority\n");
6473 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6474
6475 SetLastError(0xdeadbeef);
6476 id = GetSidIdentifierAuthority(NULL);
6477 ok(id != NULL, "got NULL pointer as identifier authority\n");
6478 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6479 }
6480
6481 static void test_pseudo_tokens(void)
6482 {
6483 TOKEN_STATISTICS statistics1, statistics2;
6484 HANDLE token;
6485 DWORD retlen;
6486 BOOL ret;
6487
6488 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
6489 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6490 memset(&statistics1, 0x11, sizeof(statistics1));
6491 ret = GetTokenInformation(token, TokenStatistics, &statistics1, sizeof(statistics1), &retlen);
6492 ok(ret, "GetTokenInformation failed with %u\n", GetLastError());
6493 CloseHandle(token);
6494
6495 /* test GetCurrentProcessToken() */
6496 SetLastError(0xdeadbeef);
6497 memset(&statistics2, 0x22, sizeof(statistics2));
6498 ret = GetTokenInformation(GetCurrentProcessToken(), TokenStatistics,
6499 &statistics2, sizeof(statistics2), &retlen);
6500 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6501 "GetTokenInformation failed with %u\n", GetLastError());
6502 if (ret)
6503 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6504 else
6505 win_skip("CurrentProcessToken not supported, skipping test\n");
6506
6507 /* test GetCurrentThreadEffectiveToken() */
6508 SetLastError(0xdeadbeef);
6509 memset(&statistics2, 0x22, sizeof(statistics2));
6510 ret = GetTokenInformation(GetCurrentThreadEffectiveToken(), TokenStatistics,
6511 &statistics2, sizeof(statistics2), &retlen);
6512 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6513 "GetTokenInformation failed with %u\n", GetLastError());
6514 if (ret)
6515 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6516 else
6517 win_skip("CurrentThreadEffectiveToken not supported, skipping test\n");
6518
6519 SetLastError(0xdeadbeef);
6520 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
6521 ok(!ret, "OpenThreadToken should have failed\n");
6522 ok(GetLastError() == ERROR_NO_TOKEN, "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6523
6524 /* test GetCurrentThreadToken() */
6525 SetLastError(0xdeadbeef);
6526 ret = GetTokenInformation(GetCurrentThreadToken(), TokenStatistics,
6527 &statistics2, sizeof(statistics2), &retlen);
6528 todo_wine ok(GetLastError() == ERROR_NO_TOKEN || broken(GetLastError() == ERROR_INVALID_HANDLE),
6529 "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6530 }
6531
6532 static void test_maximum_allowed(void)
6533 {
6534 HANDLE (WINAPI *pCreateEventExA)(SECURITY_ATTRIBUTES *, LPCSTR, DWORD, DWORD);
6535 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH], buffer_acl[256];
6536 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6537 SECURITY_ATTRIBUTES sa;
6538 ACL *acl = (ACL *)&buffer_acl;
6539 HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");
6540 ACCESS_MASK mask;
6541 HANDLE handle;
6542 BOOL ret;
6543
6544 pCreateEventExA = (void *)GetProcAddress(hkernel32, "CreateEventExA");
6545 if (!pCreateEventExA)
6546 {
6547 win_skip("CreateEventExA is not available\n");
6548 return;
6549 }
6550
6551 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6552 ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
6553 ret = InitializeAcl(acl, 256, ACL_REVISION);
6554 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6555 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6556 ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
6557
6558 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6559 sa.lpSecurityDescriptor = sd;
6560 sa.bInheritHandle = FALSE;
6561
6562 handle = pCreateEventExA(&sa, NULL, 0, MAXIMUM_ALLOWED | 0x4);
6563 ok(handle != NULL, "CreateEventExA failed with error %u\n", GetLastError());
6564 mask = get_obj_access(handle);
6565 ok(mask == EVENT_ALL_ACCESS, "Expected %x, got %x\n", EVENT_ALL_ACCESS, mask);
6566 CloseHandle(handle);
6567 }
6568
6569 START_TEST(security)
6570 {
6571 init();
6572 if (!hmod) return;
6573
6574 if (myARGC >= 3)
6575 {
6576 test_process_security_child();
6577 return;
6578 }
6579 test_kernel_objects_security();
6580 test_sid();
6581 test_trustee();
6582 test_luid();
6583 test_CreateWellKnownSid();
6584 test_FileSecurity();
6585 test_AccessCheck();
6586 test_token_attr();
6587 test_GetTokenInformation();
6588 test_LookupAccountSid();
6589 test_LookupAccountName();
6590 test_security_descriptor();
6591 test_process_security();
6592 test_impersonation_level();
6593 test_SetEntriesInAclW();
6594 test_SetEntriesInAclA();
6595 test_CreateDirectoryA();
6596 test_GetNamedSecurityInfoA();
6597 test_ConvertStringSecurityDescriptor();
6598 test_ConvertSecurityDescriptorToString();
6599 test_PrivateObjectSecurity();
6600 test_acls();
6601 test_GetWindowsAccountDomainSid();
6602 test_GetSecurityInfo();
6603 test_GetSidSubAuthority();
6604 test_CheckTokenMembership();
6605 test_EqualSid();
6606 test_GetUserNameA();
6607 test_GetUserNameW();
6608 test_CreateRestrictedToken();
6609 test_TokenIntegrityLevel();
6610 test_default_dacl_owner_sid();
6611 test_AdjustTokenPrivileges();
6612 test_AddAce();
6613 test_AddMandatoryAce();
6614 test_system_security_access();
6615 test_GetSidIdentifierAuthority();
6616 test_pseudo_tokens();
6617 test_maximum_allowed();
6618 }
Windows API implementation