search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
server: Create the initial thread as a separate request.
[wine.git] / dlls / advapi32 / tests / security.c
blob5046442c6d845f0ca67a1cd34942127179fe1f3f
1 /*
2 * Unit tests for security functions
3 *
4 * Copyright (c) 2004 Mike McCormack
5 * Copyright (c) 2011 Dmitry Timoshkov
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include <stdarg.h>
23 #include <stdio.h>
24
25 #include "ntstatus.h"
26 #define WIN32_NO_STATUS
27 #include "windef.h"
28 #include "winbase.h"
29 #include "winerror.h"
30 #include "winternl.h"
31 #include "aclapi.h"
32 #include "winnt.h"
33 #include "sddl.h"
34 #include "ntsecapi.h"
35 #include "lmcons.h"
36
37 #include "wine/test.h"
38
39 #ifndef PROCESS_QUERY_LIMITED_INFORMATION
40 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
41 #endif
42
43 /* PROCESS_ALL_ACCESS in Vista+ PSDKs is incompatible with older Windows versions */
44 #define PROCESS_ALL_ACCESS_NT4 (PROCESS_ALL_ACCESS & ~0xf000)
45 #define PROCESS_ALL_ACCESS_VISTA (PROCESS_ALL_ACCESS | 0xf000)
46
47 #ifndef EVENT_QUERY_STATE
48 #define EVENT_QUERY_STATE 0x0001
49 #endif
50
51 #ifndef SEMAPHORE_QUERY_STATE
52 #define SEMAPHORE_QUERY_STATE 0x0001
53 #endif
54
55 #ifndef THREAD_SET_LIMITED_INFORMATION
56 #define THREAD_SET_LIMITED_INFORMATION 0x0400
57 #define THREAD_QUERY_LIMITED_INFORMATION 0x0800
58 #endif
59
60 #define THREAD_ALL_ACCESS_NT4 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff)
61 #define THREAD_ALL_ACCESS_VISTA (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff)
62
63 #define expect_eq(expr, value, type, format) { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); }
64
65 static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
66 static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
67 static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
68 static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
69 static VOID (WINAPI *pBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
70 static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
71 static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
72 POBJECTS_AND_NAME_A pObjName,
73 SE_OBJECT_TYPE ObjectType,
74 LPSTR ObjectTypeName,
75 LPSTR InheritedObjectTypeName,
76 LPSTR Name );
77 static VOID (WINAPI *pBuildTrusteeWithObjectsAndSidA)( PTRUSTEEA pTrustee,
78 POBJECTS_AND_SID pObjSid,
79 GUID* pObjectGuid,
80 GUID* pInheritedObjectGuid,
81 PSID pSid );
82 static LPSTR (WINAPI *pGetTrusteeNameA)( PTRUSTEEA pTrustee );
83 static BOOL (WINAPI *pMakeSelfRelativeSD)( PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, LPDWORD );
84 static BOOL (WINAPI *pConvertStringSidToSidA)( LPCSTR str, PSID pSid );
85 static BOOL (WINAPI *pCheckTokenMembership)(HANDLE, PSID, PBOOL);
86 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorA)(LPCSTR, DWORD,
87 PSECURITY_DESCRIPTOR*, PULONG );
88 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorW)(LPCWSTR, DWORD,
89 PSECURITY_DESCRIPTOR*, PULONG );
90 static BOOL (WINAPI *pConvertSecurityDescriptorToStringSecurityDescriptorA)(PSECURITY_DESCRIPTOR, DWORD,
91 SECURITY_INFORMATION, LPSTR *, PULONG );
92 static BOOL (WINAPI *pGetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
93 PSECURITY_DESCRIPTOR, DWORD, LPDWORD);
94 static BOOL (WINAPI *pSetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
95 PSECURITY_DESCRIPTOR);
96 static DWORD (WINAPI *pGetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
97 PSID*, PSID*, PACL*, PACL*,
98 PSECURITY_DESCRIPTOR*);
99 static DWORD (WINAPI *pSetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
100 PSID, PSID, PACL, PACL);
101 static PDWORD (WINAPI *pGetSidSubAuthority)(PSID, DWORD);
102 static PUCHAR (WINAPI *pGetSidSubAuthorityCount)(PSID);
103 static BOOL (WINAPI *pIsValidSid)(PSID);
104 static DWORD (WINAPI *pRtlAdjustPrivilege)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
105 static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
106 static BOOL (WINAPI *pDuplicateTokenEx)(HANDLE,DWORD,LPSECURITY_ATTRIBUTES,
107 SECURITY_IMPERSONATION_LEVEL,TOKEN_TYPE,PHANDLE);
108
109 static NTSTATUS (WINAPI *pLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMATION_CLASS,PVOID*);
110 static NTSTATUS (WINAPI *pLsaClose)(LSA_HANDLE);
111 static NTSTATUS (WINAPI *pLsaFreeMemory)(PVOID);
112 static NTSTATUS (WINAPI *pLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
113 static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
114 static DWORD (WINAPI *pSetEntriesInAclW)(ULONG, PEXPLICIT_ACCESSW, PACL, PACL*);
115 static DWORD (WINAPI *pSetEntriesInAclA)(ULONG, PEXPLICIT_ACCESSA, PACL, PACL*);
116 static BOOL (WINAPI *pSetSecurityDescriptorControl)(PSECURITY_DESCRIPTOR, SECURITY_DESCRIPTOR_CONTROL,
117 SECURITY_DESCRIPTOR_CONTROL);
118 static DWORD (WINAPI *pGetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
119 PSID*, PSID*, PACL*, PACL*, PSECURITY_DESCRIPTOR*);
120 static DWORD (WINAPI *pSetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
121 PSID, PSID, PACL, PACL);
122 static NTSTATUS (WINAPI *pNtAccessCheck)(PSECURITY_DESCRIPTOR, HANDLE, ACCESS_MASK, PGENERIC_MAPPING,
123 PPRIVILEGE_SET, PULONG, PULONG, NTSTATUS*);
124 static BOOL (WINAPI *pCreateRestrictedToken)(HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD,
125 PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, PHANDLE);
126 static BOOL (WINAPI *pGetAclInformation)(PACL,LPVOID,DWORD,ACL_INFORMATION_CLASS);
127 static BOOL (WINAPI *pGetAce)(PACL,DWORD,LPVOID*);
128 static NTSTATUS (WINAPI *pNtSetSecurityObject)(HANDLE,SECURITY_INFORMATION,PSECURITY_DESCRIPTOR);
129 static NTSTATUS (WINAPI *pNtCreateFile)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG);
130 static BOOL (WINAPI *pRtlDosPathNameToNtPathName_U)(LPCWSTR,PUNICODE_STRING,PWSTR*,CURDIR*);
131 static NTSTATUS (WINAPI *pRtlAnsiStringToUnicodeString)(PUNICODE_STRING,PCANSI_STRING,BOOLEAN);
132 static BOOL (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
133 static void (WINAPI *pRtlInitAnsiString)(PANSI_STRING,PCSZ);
134 static NTSTATUS (WINAPI *pRtlFreeUnicodeString)(PUNICODE_STRING);
135 static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID);
136 static DWORD (WINAPI *pGetExplicitEntriesFromAclW)(PACL,PULONG,PEXPLICIT_ACCESSW*);
137
138 static HMODULE hmod;
139 static int myARGC;
140 static char** myARGV;
141
142 struct strsid_entry
143 {
144 const char *str;
145 DWORD flags;
146 };
147 #define STRSID_OK 0
148 #define STRSID_OPT 1
149
150 #define SID_SLOTS 4
151 static char debugsid_str[SID_SLOTS][256];
152 static int debugsid_index = 0;
153 static const char* debugstr_sid(PSID sid)
154 {
155 LPSTR sidstr;
156 DWORD le = GetLastError();
157 char* res = debugsid_str[debugsid_index];
158 debugsid_index = (debugsid_index + 1) % SID_SLOTS;
159
160 if (!ConvertSidToStringSidA(sid, &sidstr))
161 sprintf(res, "ConvertSidToStringSidA failed le=%u", GetLastError());
162 else if (strlen(sidstr) > sizeof(*debugsid_str) - 1)
163 {
164 memcpy(res, sidstr, sizeof(*debugsid_str) - 4);
165 strcpy(res + sizeof(*debugsid_str) - 4, "...");
166 LocalFree(sidstr);
167 }
168 else
169 {
170 strcpy(res, sidstr);
171 LocalFree(sidstr);
172 }
173 /* Restore the last error in case ConvertSidToStringSidA() modified it */
174 SetLastError(le);
175 return res;
176 }
177
178 struct sidRef
179 {
180 SID_IDENTIFIER_AUTHORITY auth;
181 const char *refStr;
182 };
183
184 static void init(void)
185 {
186 HMODULE hntdll;
187
188 hntdll = GetModuleHandleA("ntdll.dll");
189 pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
190 pNtAccessCheck = (void *)GetProcAddress( hntdll, "NtAccessCheck" );
191 pNtSetSecurityObject = (void *)GetProcAddress(hntdll, "NtSetSecurityObject");
192 pNtCreateFile = (void *)GetProcAddress(hntdll, "NtCreateFile");
193 pRtlDosPathNameToNtPathName_U = (void *)GetProcAddress(hntdll, "RtlDosPathNameToNtPathName_U");
194 pRtlAnsiStringToUnicodeString = (void *)GetProcAddress(hntdll, "RtlAnsiStringToUnicodeString");
195 pRtlInitAnsiString = (void *)GetProcAddress(hntdll, "RtlInitAnsiString");
196 pRtlFreeUnicodeString = (void *)GetProcAddress(hntdll, "RtlFreeUnicodeString");
197
198 hmod = GetModuleHandleA("advapi32.dll");
199 pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
200 pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
201 pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
202 pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
203 pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
204 pConvertStringSecurityDescriptorToSecurityDescriptorA =
205 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
206 pConvertStringSecurityDescriptorToSecurityDescriptorW =
207 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorW" );
208 pConvertSecurityDescriptorToStringSecurityDescriptorA =
209 (void *)GetProcAddress(hmod, "ConvertSecurityDescriptorToStringSecurityDescriptorA" );
210 pGetFileSecurityA = (void *)GetProcAddress(hmod, "GetFileSecurityA" );
211 pSetFileSecurityA = (void *)GetProcAddress(hmod, "SetFileSecurityA" );
212 pCreateWellKnownSid = (void *)GetProcAddress( hmod, "CreateWellKnownSid" );
213 pGetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "GetNamedSecurityInfoA");
214 pSetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "SetNamedSecurityInfoA");
215 pGetSidSubAuthority = (void *)GetProcAddress(hmod, "GetSidSubAuthority");
216 pGetSidSubAuthorityCount = (void *)GetProcAddress(hmod, "GetSidSubAuthorityCount");
217 pIsValidSid = (void *)GetProcAddress(hmod, "IsValidSid");
218 pMakeSelfRelativeSD = (void *)GetProcAddress(hmod, "MakeSelfRelativeSD");
219 pSetEntriesInAclW = (void *)GetProcAddress(hmod, "SetEntriesInAclW");
220 pSetEntriesInAclA = (void *)GetProcAddress(hmod, "SetEntriesInAclA");
221 pSetSecurityDescriptorControl = (void *)GetProcAddress(hmod, "SetSecurityDescriptorControl");
222 pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
223 pSetSecurityInfo = (void *)GetProcAddress(hmod, "SetSecurityInfo");
224 pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
225 pConvertStringSidToSidA = (void *)GetProcAddress(hmod, "ConvertStringSidToSidA");
226 pGetAclInformation = (void *)GetProcAddress(hmod, "GetAclInformation");
227 pGetAce = (void *)GetProcAddress(hmod, "GetAce");
228 pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
229 pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
230 pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
231 pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
232
233 myARGC = winetest_get_mainargs( &myARGV );
234 }
235
236 static SECURITY_DESCRIPTOR* test_get_security_descriptor(HANDLE handle, int line)
237 {
238 /* use HeapFree(GetProcessHeap(), 0, sd); when done */
239 DWORD ret, length, needed;
240 SECURITY_DESCRIPTOR *sd;
241
242 needed = 0xdeadbeef;
243 SetLastError(0xdeadbeef);
244 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
245 NULL, 0, &needed);
246 ok_(__FILE__, line)(!ret, "GetKernelObjectSecurity should fail\n");
247 ok_(__FILE__, line)(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
248 ok_(__FILE__, line)(needed != 0xdeadbeef, "GetKernelObjectSecurity should return required buffer length\n");
249
250 length = needed;
251 sd = HeapAlloc(GetProcessHeap(), 0, length);
252
253 needed = 0xdeadbeef;
254 SetLastError(0xdeadbeef);
255 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
256 sd, length, &needed);
257 ok_(__FILE__, line)(ret, "GetKernelObjectSecurity error %d\n", GetLastError());
258 ok_(__FILE__, line)(needed == length || needed == 0 /* file, pipe */, "GetKernelObjectSecurity should return %u instead of %u\n", length, needed);
259 return sd;
260 }
261
262 static void test_owner_equal(HANDLE Handle, PSID expected, int line)
263 {
264 BOOL res;
265 SECURITY_DESCRIPTOR *queriedSD = NULL;
266 PSID owner;
267 BOOL owner_defaulted;
268
269 queriedSD = test_get_security_descriptor( Handle, line );
270
271 res = GetSecurityDescriptorOwner(queriedSD, &owner, &owner_defaulted);
272 ok_(__FILE__, line)(res, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
273
274 ok_(__FILE__, line)(EqualSid(owner, expected), "Owner SIDs are not equal %s != %s\n",
275 debugstr_sid(owner), debugstr_sid(expected));
276 ok_(__FILE__, line)(!owner_defaulted, "Defaulted is true\n");
277
278 HeapFree(GetProcessHeap(), 0, queriedSD);
279 }
280
281 static void test_group_equal(HANDLE Handle, PSID expected, int line)
282 {
283 BOOL res;
284 SECURITY_DESCRIPTOR *queriedSD = NULL;
285 PSID group;
286 BOOL group_defaulted;
287
288 queriedSD = test_get_security_descriptor( Handle, line );
289
290 res = GetSecurityDescriptorGroup(queriedSD, &group, &group_defaulted);
291 ok_(__FILE__, line)(res, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
292
293 ok_(__FILE__, line)(EqualSid(group, expected), "Group SIDs are not equal %s != %s\n",
294 debugstr_sid(group), debugstr_sid(expected));
295 ok_(__FILE__, line)(!group_defaulted, "Defaulted is true\n");
296
297 HeapFree(GetProcessHeap(), 0, queriedSD);
298 }
299
300 static void test_sid(void)
301 {
302 struct sidRef refs[] = {
303 { { {0x00,0x00,0x33,0x44,0x55,0x66} }, "S-1-860116326-1" },
304 { { {0x00,0x00,0x01,0x02,0x03,0x04} }, "S-1-16909060-1" },
305 { { {0x00,0x00,0x00,0x01,0x02,0x03} }, "S-1-66051-1" },
306 { { {0x00,0x00,0x00,0x00,0x01,0x02} }, "S-1-258-1" },
307 { { {0x00,0x00,0x00,0x00,0x00,0x02} }, "S-1-2-1" },
308 { { {0x00,0x00,0x00,0x00,0x00,0x0c} }, "S-1-12-1" },
309 };
310 struct strsid_entry strsid_table[] = {
311 {"AO", STRSID_OK}, {"RU", STRSID_OK}, {"AN", STRSID_OK}, {"AU", STRSID_OK},
312 {"BA", STRSID_OK}, {"BG", STRSID_OK}, {"BO", STRSID_OK}, {"BU", STRSID_OK},
313 {"CA", STRSID_OPT}, {"CG", STRSID_OK}, {"CO", STRSID_OK}, {"DA", STRSID_OPT},
314 {"DC", STRSID_OPT}, {"DD", STRSID_OPT}, {"DG", STRSID_OPT}, {"DU", STRSID_OPT},
315 {"EA", STRSID_OPT}, {"ED", STRSID_OK}, {"WD", STRSID_OK}, {"PA", STRSID_OPT},
316 {"IU", STRSID_OK}, {"LA", STRSID_OK}, {"LG", STRSID_OK}, {"LS", STRSID_OK},
317 {"SY", STRSID_OK}, {"NU", STRSID_OK}, {"NO", STRSID_OK}, {"NS", STRSID_OK},
318 {"PO", STRSID_OK}, {"PS", STRSID_OK}, {"PU", STRSID_OK}, {"RS", STRSID_OPT},
319 {"RD", STRSID_OK}, {"RE", STRSID_OK}, {"RC", STRSID_OK}, {"SA", STRSID_OPT},
320 {"SO", STRSID_OK}, {"SU", STRSID_OK}};
321
322 const char noSubAuthStr[] = "S-1-5";
323 unsigned int i;
324 PSID psid = NULL;
325 SID *pisid;
326 BOOL r;
327 LPSTR str = NULL;
328
329 if( !pConvertStringSidToSidA )
330 {
331 win_skip("ConvertSidToStringSidA or ConvertStringSidToSidA not available\n");
332 return;
333 }
334
335 r = pConvertStringSidToSidA( NULL, NULL );
336 ok( !r, "expected failure with NULL parameters\n" );
337 if( GetLastError() == ERROR_CALL_NOT_IMPLEMENTED )
338 return;
339 ok( GetLastError() == ERROR_INVALID_PARAMETER,
340 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
341 GetLastError() );
342
343 r = pConvertStringSidToSidA( refs[0].refStr, NULL );
344 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
345 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
346 GetLastError() );
347
348 r = pConvertStringSidToSidA( NULL, &str );
349 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
350 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
351 GetLastError() );
352
353 r = pConvertStringSidToSidA( noSubAuthStr, &psid );
354 ok( !r,
355 "expected failure with no sub authorities\n" );
356 ok( GetLastError() == ERROR_INVALID_SID,
357 "expected GetLastError() is ERROR_INVALID_SID, got %d\n",
358 GetLastError() );
359
360 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid), "ConvertStringSidToSidA failed\n");
361 pisid = psid;
362 ok(pisid->SubAuthorityCount == 4, "Invalid sub authority count - expected 4, got %d\n", pisid->SubAuthorityCount);
363 ok(pisid->SubAuthority[0] == 21, "Invalid subauthority 0 - expected 21, got %d\n", pisid->SubAuthority[0]);
364 ok(pisid->SubAuthority[3] == 4576, "Invalid subauthority 0 - expected 4576, got %d\n", pisid->SubAuthority[3]);
365 LocalFree(str);
366 LocalFree(psid);
367
368 for( i = 0; i < ARRAY_SIZE(refs); i++ )
369 {
370 r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
371 &psid );
372 ok( r, "failed to allocate sid\n" );
373 r = ConvertSidToStringSidA( psid, &str );
374 ok( r, "failed to convert sid\n" );
375 if (r)
376 {
377 ok( !strcmp( str, refs[i].refStr ),
378 "incorrect sid, expected %s, got %s\n", refs[i].refStr, str );
379 LocalFree( str );
380 }
381 if( psid )
382 FreeSid( psid );
383
384 r = pConvertStringSidToSidA( refs[i].refStr, &psid );
385 ok( r, "failed to parse sid string\n" );
386 pisid = psid;
387 ok( pisid &&
388 !memcmp( pisid->IdentifierAuthority.Value, refs[i].auth.Value,
389 sizeof(refs[i].auth) ),
390 "string sid %s didn't parse to expected value\n"
391 "(got 0x%04x%08x, expected 0x%04x%08x)\n",
392 refs[i].refStr,
393 MAKEWORD( pisid->IdentifierAuthority.Value[1],
394 pisid->IdentifierAuthority.Value[0] ),
395 MAKELONG( MAKEWORD( pisid->IdentifierAuthority.Value[5],
396 pisid->IdentifierAuthority.Value[4] ),
397 MAKEWORD( pisid->IdentifierAuthority.Value[3],
398 pisid->IdentifierAuthority.Value[2] ) ),
399 MAKEWORD( refs[i].auth.Value[1], refs[i].auth.Value[0] ),
400 MAKELONG( MAKEWORD( refs[i].auth.Value[5], refs[i].auth.Value[4] ),
401 MAKEWORD( refs[i].auth.Value[3], refs[i].auth.Value[2] ) ) );
402 if( psid )
403 LocalFree( psid );
404 }
405
406 /* string constant format not supported before XP */
407 r = pConvertStringSidToSidA(strsid_table[0].str, &psid);
408 if(!r)
409 {
410 win_skip("String constant format not supported\n");
411 return;
412 }
413 LocalFree(psid);
414
415 for(i = 0; i < ARRAY_SIZE(strsid_table); i++)
416 {
417 char *temp;
418
419 SetLastError(0xdeadbeef);
420 r = pConvertStringSidToSidA(strsid_table[i].str, &psid);
421
422 if (!(strsid_table[i].flags & STRSID_OPT))
423 {
424 ok(r, "%s: got %u\n", strsid_table[i].str, GetLastError());
425 }
426
427 if (r)
428 {
429 if ((winetest_debug > 1) && (ConvertSidToStringSidA(psid, &temp)))
430 {
431 trace(" %s: %s\n", strsid_table[i].str, temp);
432 LocalFree(temp);
433 }
434 LocalFree(psid);
435 }
436 else
437 {
438 if (GetLastError() != ERROR_INVALID_SID)
439 trace(" %s: couldn't be converted, returned %d\n", strsid_table[i].str, GetLastError());
440 else
441 trace(" %s: couldn't be converted\n", strsid_table[i].str);
442 }
443 }
444 }
445
446 static void test_trustee(void)
447 {
448 GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}};
449 GUID InheritedObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}};
450 GUID ZeroGuid;
451 OBJECTS_AND_NAME_A oan;
452 OBJECTS_AND_SID oas;
453 TRUSTEEA trustee;
454 PSID psid;
455 char szObjectTypeName[] = "ObjectTypeName";
456 char szInheritedObjectTypeName[] = "InheritedObjectTypeName";
457 char szTrusteeName[] = "szTrusteeName";
458 SID_IDENTIFIER_AUTHORITY auth = { {0x11,0x22,0,0,0, 0} };
459
460 memset( &ZeroGuid, 0x00, sizeof (ZeroGuid) );
461
462 pBuildTrusteeWithSidA = (void *)GetProcAddress( hmod, "BuildTrusteeWithSidA" );
463 pBuildTrusteeWithNameA = (void *)GetProcAddress( hmod, "BuildTrusteeWithNameA" );
464 pBuildTrusteeWithObjectsAndNameA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndNameA" );
465 pBuildTrusteeWithObjectsAndSidA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndSidA" );
466 pGetTrusteeNameA = (void *)GetProcAddress (hmod, "GetTrusteeNameA" );
467 if( !pBuildTrusteeWithSidA || !pBuildTrusteeWithNameA ||
468 !pBuildTrusteeWithObjectsAndNameA || !pBuildTrusteeWithObjectsAndSidA ||
469 !pGetTrusteeNameA )
470 return;
471
472 if ( ! AllocateAndInitializeSid( &auth, 1, 42, 0,0,0,0,0,0,0,&psid ) )
473 {
474 trace( "failed to init SID\n" );
475 return;
476 }
477
478 /* test BuildTrusteeWithSidA */
479 memset( &trustee, 0xff, sizeof trustee );
480 pBuildTrusteeWithSidA( &trustee, psid );
481
482 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
483 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
484 "MultipleTrusteeOperation wrong\n");
485 ok( trustee.TrusteeForm == TRUSTEE_IS_SID, "TrusteeForm wrong\n");
486 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
487 ok( trustee.ptstrName == psid, "ptstrName wrong\n" );
488
489 /* test BuildTrusteeWithObjectsAndSidA (test 1) */
490 memset( &trustee, 0xff, sizeof trustee );
491 memset( &oas, 0xff, sizeof(oas) );
492 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, &ObjectType,
493 &InheritedObjectType, psid);
494
495 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
496 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
497 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
498 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
499 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
500
501 ok(oas.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
502 ok(!memcmp(&oas.ObjectTypeGuid, &ObjectType, sizeof(GUID)), "ObjectTypeGuid wrong\n");
503 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
504 ok(oas.pSid == psid, "pSid wrong\n");
505
506 /* test GetTrusteeNameA */
507 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oas, "GetTrusteeName returned wrong value\n");
508
509 /* test BuildTrusteeWithObjectsAndSidA (test 2) */
510 memset( &trustee, 0xff, sizeof trustee );
511 memset( &oas, 0xff, sizeof(oas) );
512 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, NULL,
513 &InheritedObjectType, psid);
514
515 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
516 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
517 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
518 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
519 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
520
521 ok(oas.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
522 ok(!memcmp(&oas.ObjectTypeGuid, &ZeroGuid, sizeof(GUID)), "ObjectTypeGuid wrong\n");
523 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
524 ok(oas.pSid == psid, "pSid wrong\n");
525
526 FreeSid( psid );
527
528 /* test BuildTrusteeWithNameA */
529 memset( &trustee, 0xff, sizeof trustee );
530 pBuildTrusteeWithNameA( &trustee, szTrusteeName );
531
532 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
533 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
534 "MultipleTrusteeOperation wrong\n");
535 ok( trustee.TrusteeForm == TRUSTEE_IS_NAME, "TrusteeForm wrong\n");
536 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
537 ok( trustee.ptstrName == szTrusteeName, "ptstrName wrong\n" );
538
539 /* test BuildTrusteeWithObjectsAndNameA (test 1) */
540 memset( &trustee, 0xff, sizeof trustee );
541 memset( &oan, 0xff, sizeof(oan) );
542 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
543 szInheritedObjectTypeName, szTrusteeName);
544
545 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
546 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
547 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
548 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
549 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
550
551 ok(oan.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
552 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
553 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
554 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
555
556 /* test GetTrusteeNameA */
557 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oan, "GetTrusteeName returned wrong value\n");
558
559 /* test BuildTrusteeWithObjectsAndNameA (test 2) */
560 memset( &trustee, 0xff, sizeof trustee );
561 memset( &oan, 0xff, sizeof(oan) );
562 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, NULL,
563 szInheritedObjectTypeName, szTrusteeName);
564
565 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
566 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
567 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
568 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
569 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
570
571 ok(oan.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
572 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
573 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
574 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
575
576 /* test BuildTrusteeWithObjectsAndNameA (test 3) */
577 memset( &trustee, 0xff, sizeof trustee );
578 memset( &oan, 0xff, sizeof(oan) );
579 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
580 NULL, szTrusteeName);
581
582 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
583 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
584 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
585 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
586 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
587
588 ok(oan.ObjectsPresent == ACE_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
589 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
590 ok(oan.InheritedObjectTypeName == NULL, "InheritedObjectTypeName wrong\n");
591 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
592 }
593
594 /* If the first isn't defined, assume none is */
595 #ifndef SE_MIN_WELL_KNOWN_PRIVILEGE
596 #define SE_MIN_WELL_KNOWN_PRIVILEGE 2L
597 #define SE_CREATE_TOKEN_PRIVILEGE 2L
598 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3L
599 #define SE_LOCK_MEMORY_PRIVILEGE 4L
600 #define SE_INCREASE_QUOTA_PRIVILEGE 5L
601 #define SE_MACHINE_ACCOUNT_PRIVILEGE 6L
602 #define SE_TCB_PRIVILEGE 7L
603 #define SE_SECURITY_PRIVILEGE 8L
604 #define SE_TAKE_OWNERSHIP_PRIVILEGE 9L
605 #define SE_LOAD_DRIVER_PRIVILEGE 10L
606 #define SE_SYSTEM_PROFILE_PRIVILEGE 11L
607 #define SE_SYSTEMTIME_PRIVILEGE 12L
608 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13L
609 #define SE_INC_BASE_PRIORITY_PRIVILEGE 14L
610 #define SE_CREATE_PAGEFILE_PRIVILEGE 15L
611 #define SE_CREATE_PERMANENT_PRIVILEGE 16L
612 #define SE_BACKUP_PRIVILEGE 17L
613 #define SE_RESTORE_PRIVILEGE 18L
614 #define SE_SHUTDOWN_PRIVILEGE 19L
615 #define SE_DEBUG_PRIVILEGE 20L
616 #define SE_AUDIT_PRIVILEGE 21L
617 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22L
618 #define SE_CHANGE_NOTIFY_PRIVILEGE 23L
619 #define SE_REMOTE_SHUTDOWN_PRIVILEGE 24L
620 #define SE_UNDOCK_PRIVILEGE 25L
621 #define SE_SYNC_AGENT_PRIVILEGE 26L
622 #define SE_ENABLE_DELEGATION_PRIVILEGE 27L
623 #define SE_MANAGE_VOLUME_PRIVILEGE 28L
624 #define SE_IMPERSONATE_PRIVILEGE 29L
625 #define SE_CREATE_GLOBAL_PRIVILEGE 30L
626 #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE
627 #endif /* ndef SE_MIN_WELL_KNOWN_PRIVILEGE */
628
629 static void test_allocateLuid(void)
630 {
631 BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
632 LUID luid1, luid2;
633 BOOL ret;
634
635 pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
636 if (!pAllocateLocallyUniqueId) return;
637
638 ret = pAllocateLocallyUniqueId(&luid1);
639 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
640 return;
641
642 ok(ret,
643 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
644 ret = pAllocateLocallyUniqueId(&luid2);
645 ok( ret,
646 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
647 ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
648 "AllocateLocallyUniqueId returned a well-known LUID\n");
649 ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
650 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
651 ret = pAllocateLocallyUniqueId(NULL);
652 ok( !ret && GetLastError() == ERROR_NOACCESS,
653 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %d\n",
654 GetLastError());
655 }
656
657 static void test_lookupPrivilegeName(void)
658 {
659 BOOL (WINAPI *pLookupPrivilegeNameA)(LPCSTR, PLUID, LPSTR, LPDWORD);
660 char buf[MAX_PATH]; /* arbitrary, seems long enough */
661 DWORD cchName = sizeof(buf);
662 LUID luid = { 0, 0 };
663 LONG i;
664 BOOL ret;
665
666 /* check whether it's available first */
667 pLookupPrivilegeNameA = (void*)GetProcAddress(hmod, "LookupPrivilegeNameA");
668 if (!pLookupPrivilegeNameA) return;
669 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
670 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
671 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
672 return;
673
674 /* check with a short buffer */
675 cchName = 0;
676 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
677 ret = pLookupPrivilegeNameA(NULL, &luid, NULL, &cchName);
678 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
679 "LookupPrivilegeNameA didn't fail with ERROR_INSUFFICIENT_BUFFER: %d\n",
680 GetLastError());
681 ok(cchName == strlen("SeCreateTokenPrivilege") + 1,
682 "LookupPrivilegeNameA returned an incorrect required length for\n"
683 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
684 lstrlenA("SeCreateTokenPrivilege") + 1);
685 /* check a known value and its returned length on success */
686 cchName = sizeof(buf);
687 ok(pLookupPrivilegeNameA(NULL, &luid, buf, &cchName) &&
688 cchName == strlen("SeCreateTokenPrivilege"),
689 "LookupPrivilegeNameA returned an incorrect output length for\n"
690 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
691 (int)strlen("SeCreateTokenPrivilege"));
692 /* check known values */
693 for (i = SE_MIN_WELL_KNOWN_PRIVILEGE; i <= SE_MAX_WELL_KNOWN_PRIVILEGE; i++)
694 {
695 luid.LowPart = i;
696 cchName = sizeof(buf);
697 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
698 ok( ret || GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
699 "LookupPrivilegeNameA(0.%d) failed: %d\n", i, GetLastError());
700 }
701 /* check a bogus LUID */
702 luid.LowPart = 0xdeadbeef;
703 cchName = sizeof(buf);
704 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
705 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
706 "LookupPrivilegeNameA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
707 GetLastError());
708 /* check on a bogus system */
709 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
710 cchName = sizeof(buf);
711 ret = pLookupPrivilegeNameA("b0gu5.Nam3", &luid, buf, &cchName);
712 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
713 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
714 "LookupPrivilegeNameA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
715 GetLastError());
716 }
717
718 struct NameToLUID
719 {
720 const char *name;
721 DWORD lowPart;
722 };
723
724 static void test_lookupPrivilegeValue(void)
725 {
726 static const struct NameToLUID privs[] = {
727 { "SeCreateTokenPrivilege", SE_CREATE_TOKEN_PRIVILEGE },
728 { "SeAssignPrimaryTokenPrivilege", SE_ASSIGNPRIMARYTOKEN_PRIVILEGE },
729 { "SeLockMemoryPrivilege", SE_LOCK_MEMORY_PRIVILEGE },
730 { "SeIncreaseQuotaPrivilege", SE_INCREASE_QUOTA_PRIVILEGE },
731 { "SeMachineAccountPrivilege", SE_MACHINE_ACCOUNT_PRIVILEGE },
732 { "SeTcbPrivilege", SE_TCB_PRIVILEGE },
733 { "SeSecurityPrivilege", SE_SECURITY_PRIVILEGE },
734 { "SeTakeOwnershipPrivilege", SE_TAKE_OWNERSHIP_PRIVILEGE },
735 { "SeLoadDriverPrivilege", SE_LOAD_DRIVER_PRIVILEGE },
736 { "SeSystemProfilePrivilege", SE_SYSTEM_PROFILE_PRIVILEGE },
737 { "SeSystemtimePrivilege", SE_SYSTEMTIME_PRIVILEGE },
738 { "SeProfileSingleProcessPrivilege", SE_PROF_SINGLE_PROCESS_PRIVILEGE },
739 { "SeIncreaseBasePriorityPrivilege", SE_INC_BASE_PRIORITY_PRIVILEGE },
740 { "SeCreatePagefilePrivilege", SE_CREATE_PAGEFILE_PRIVILEGE },
741 { "SeCreatePermanentPrivilege", SE_CREATE_PERMANENT_PRIVILEGE },
742 { "SeBackupPrivilege", SE_BACKUP_PRIVILEGE },
743 { "SeRestorePrivilege", SE_RESTORE_PRIVILEGE },
744 { "SeShutdownPrivilege", SE_SHUTDOWN_PRIVILEGE },
745 { "SeDebugPrivilege", SE_DEBUG_PRIVILEGE },
746 { "SeAuditPrivilege", SE_AUDIT_PRIVILEGE },
747 { "SeSystemEnvironmentPrivilege", SE_SYSTEM_ENVIRONMENT_PRIVILEGE },
748 { "SeChangeNotifyPrivilege", SE_CHANGE_NOTIFY_PRIVILEGE },
749 { "SeRemoteShutdownPrivilege", SE_REMOTE_SHUTDOWN_PRIVILEGE },
750 { "SeUndockPrivilege", SE_UNDOCK_PRIVILEGE },
751 { "SeSyncAgentPrivilege", SE_SYNC_AGENT_PRIVILEGE },
752 { "SeEnableDelegationPrivilege", SE_ENABLE_DELEGATION_PRIVILEGE },
753 { "SeManageVolumePrivilege", SE_MANAGE_VOLUME_PRIVILEGE },
754 { "SeImpersonatePrivilege", SE_IMPERSONATE_PRIVILEGE },
755 { "SeCreateGlobalPrivilege", SE_CREATE_GLOBAL_PRIVILEGE },
756 };
757 BOOL (WINAPI *pLookupPrivilegeValueA)(LPCSTR, LPCSTR, PLUID);
758 unsigned int i;
759 LUID luid;
760 BOOL ret;
761
762 /* check whether it's available first */
763 pLookupPrivilegeValueA = (void*)GetProcAddress(hmod, "LookupPrivilegeValueA");
764 if (!pLookupPrivilegeValueA) return;
765 ret = pLookupPrivilegeValueA(NULL, "SeCreateTokenPrivilege", &luid);
766 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
767 return;
768
769 /* check a bogus system name */
770 ret = pLookupPrivilegeValueA("b0gu5.Nam3", "SeCreateTokenPrivilege", &luid);
771 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
772 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
773 "LookupPrivilegeValueA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
774 GetLastError());
775 /* check a NULL string */
776 ret = pLookupPrivilegeValueA(NULL, 0, &luid);
777 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
778 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
779 GetLastError());
780 /* check a bogus privilege name */
781 ret = pLookupPrivilegeValueA(NULL, "SeBogusPrivilege", &luid);
782 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
783 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
784 GetLastError());
785 /* check case insensitive */
786 ret = pLookupPrivilegeValueA(NULL, "sEcREATEtOKENpRIVILEGE", &luid);
787 ok( ret,
788 "LookupPrivilegeValueA(NULL, sEcREATEtOKENpRIVILEGE, &luid) failed: %d\n",
789 GetLastError());
790 for (i = 0; i < ARRAY_SIZE(privs); i++)
791 {
792 /* Not all privileges are implemented on all Windows versions, so
793 * don't worry if the call fails
794 */
795 if (pLookupPrivilegeValueA(NULL, privs[i].name, &luid))
796 {
797 ok(luid.LowPart == privs[i].lowPart,
798 "LookupPrivilegeValueA returned an invalid LUID for %s\n",
799 privs[i].name);
800 }
801 }
802 }
803
804 static void test_luid(void)
805 {
806 test_allocateLuid();
807 test_lookupPrivilegeName();
808 test_lookupPrivilegeValue();
809 }
810
811 static void test_FileSecurity(void)
812 {
813 char wintmpdir [MAX_PATH];
814 char path [MAX_PATH];
815 char file [MAX_PATH];
816 HANDLE fh, token;
817 DWORD sdSize, retSize, rc, granted, priv_set_len;
818 PRIVILEGE_SET priv_set;
819 BOOL status;
820 BYTE *sd;
821 GENERIC_MAPPING mapping = { FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, FILE_ALL_ACCESS };
822 const SECURITY_INFORMATION request = OWNER_SECURITY_INFORMATION
823 | GROUP_SECURITY_INFORMATION
824 | DACL_SECURITY_INFORMATION;
825
826 if (!pGetFileSecurityA) {
827 win_skip ("GetFileSecurity is not available\n");
828 return;
829 }
830
831 if (!pSetFileSecurityA) {
832 win_skip ("SetFileSecurity is not available\n");
833 return;
834 }
835
836 if (!GetTempPathA (sizeof (wintmpdir), wintmpdir)) {
837 win_skip ("GetTempPathA failed\n");
838 return;
839 }
840
841 /* Create a temporary directory and in it a temporary file */
842 strcat (strcpy (path, wintmpdir), "rary");
843 SetLastError(0xdeadbeef);
844 rc = CreateDirectoryA (path, NULL);
845 ok (rc || GetLastError() == ERROR_ALREADY_EXISTS, "CreateDirectoryA "
846 "failed for '%s' with %d\n", path, GetLastError());
847
848 strcat (strcpy (file, path), "\\ess");
849 SetLastError(0xdeadbeef);
850 fh = CreateFileA (file, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
851 ok (fh != INVALID_HANDLE_VALUE, "CreateFileA "
852 "failed for '%s' with %d\n", file, GetLastError());
853 CloseHandle (fh);
854
855 /* For the temporary file ... */
856
857 /* Get size needed */
858 retSize = 0;
859 SetLastError(0xdeadbeef);
860 rc = pGetFileSecurityA (file, request, NULL, 0, &retSize);
861 if (!rc && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)) {
862 win_skip("GetFileSecurityA is not implemented\n");
863 goto cleanup;
864 }
865 ok (!rc, "GetFileSecurityA "
866 "was expected to fail for '%s'\n", file);
867 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
868 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
869 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
870
871 sdSize = retSize;
872 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
873
874 /* Get security descriptor for real */
875 retSize = -1;
876 SetLastError(0xdeadbeef);
877 rc = pGetFileSecurityA (file, request, sd, sdSize, &retSize);
878 ok (rc, "GetFileSecurityA "
879 "was not expected to fail '%s': %d\n", file, GetLastError());
880 ok (retSize == sdSize ||
881 broken(retSize == 0), /* NT4 */
882 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
883
884 /* Use it to set security descriptor */
885 SetLastError(0xdeadbeef);
886 rc = pSetFileSecurityA (file, request, sd);
887 ok (rc, "SetFileSecurityA "
888 "was not expected to fail '%s': %d\n", file, GetLastError());
889
890 HeapFree (GetProcessHeap (), 0, sd);
891
892 /* Repeat for the temporary directory ... */
893
894 /* Get size needed */
895 retSize = 0;
896 SetLastError(0xdeadbeef);
897 rc = pGetFileSecurityA (path, request, NULL, 0, &retSize);
898 ok (!rc, "GetFileSecurityA "
899 "was expected to fail for '%s'\n", path);
900 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
901 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
902 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
903
904 sdSize = retSize;
905 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
906
907 /* Get security descriptor for real */
908 retSize = -1;
909 SetLastError(0xdeadbeef);
910 rc = pGetFileSecurityA (path, request, sd, sdSize, &retSize);
911 ok (rc, "GetFileSecurityA "
912 "was not expected to fail '%s': %d\n", path, GetLastError());
913 ok (retSize == sdSize ||
914 broken(retSize == 0), /* NT4 */
915 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
916
917 /* Use it to set security descriptor */
918 SetLastError(0xdeadbeef);
919 rc = pSetFileSecurityA (path, request, sd);
920 ok (rc, "SetFileSecurityA "
921 "was not expected to fail '%s': %d\n", path, GetLastError());
922 HeapFree (GetProcessHeap (), 0, sd);
923
924 /* Old test */
925 strcpy (wintmpdir, "\\Should not exist");
926 SetLastError(0xdeadbeef);
927 rc = pGetFileSecurityA (wintmpdir, OWNER_SECURITY_INFORMATION, NULL, 0, &sdSize);
928 ok (!rc, "GetFileSecurityA should fail for not existing directories/files\n");
929 ok (GetLastError() == ERROR_FILE_NOT_FOUND,
930 "last error ERROR_FILE_NOT_FOUND expected, got %d\n", GetLastError());
931
932 cleanup:
933 /* Remove temporary file and directory */
934 DeleteFileA(file);
935 RemoveDirectoryA(path);
936
937 /* Test file access permissions for a file with FILE_ATTRIBUTE_ARCHIVE */
938 SetLastError(0xdeadbeef);
939 rc = GetTempPathA(sizeof(wintmpdir), wintmpdir);
940 ok(rc, "GetTempPath error %d\n", GetLastError());
941
942 SetLastError(0xdeadbeef);
943 rc = GetTempFileNameA(wintmpdir, "tmp", 0, file);
944 ok(rc, "GetTempFileName error %d\n", GetLastError());
945
946 rc = GetFileAttributesA(file);
947 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
948 ok(rc == FILE_ATTRIBUTE_ARCHIVE, "expected FILE_ATTRIBUTE_ARCHIVE got %#x\n", rc);
949
950 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
951 NULL, 0, &sdSize);
952 ok(!rc, "GetFileSecurity should fail\n");
953 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
954 "expected ERROR_INSUFFICIENT_BUFFER got %d\n", GetLastError());
955 ok(sdSize > sizeof(SECURITY_DESCRIPTOR), "got sd size %d\n", sdSize);
956
957 sd = HeapAlloc(GetProcessHeap (), 0, sdSize);
958 retSize = 0xdeadbeef;
959 SetLastError(0xdeadbeef);
960 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
961 sd, sdSize, &retSize);
962 ok(rc, "GetFileSecurity error %d\n", GetLastError());
963 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
964
965 SetLastError(0xdeadbeef);
966 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
967 ok(!rc, "OpenThreadToken should fail\n");
968 ok(GetLastError() == ERROR_NO_TOKEN, "expected ERROR_NO_TOKEN, got %d\n", GetLastError());
969
970 SetLastError(0xdeadbeef);
971 rc = ImpersonateSelf(SecurityIdentification);
972 ok(rc, "ImpersonateSelf error %d\n", GetLastError());
973
974 SetLastError(0xdeadbeef);
975 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
976 ok(rc, "OpenThreadToken error %d\n", GetLastError());
977
978 SetLastError(0xdeadbeef);
979 rc = RevertToSelf();
980 ok(rc, "RevertToSelf error %d\n", GetLastError());
981
982 priv_set_len = sizeof(priv_set);
983 granted = 0xdeadbeef;
984 status = 0xdeadbeef;
985 SetLastError(0xdeadbeef);
986 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
987 ok(rc, "AccessCheck error %d\n", GetLastError());
988 ok(status == 1, "expected 1, got %d\n", status);
989 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
990
991 granted = 0xdeadbeef;
992 status = 0xdeadbeef;
993 SetLastError(0xdeadbeef);
994 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
995 ok(rc, "AccessCheck error %d\n", GetLastError());
996 ok(status == 1, "expected 1, got %d\n", status);
997 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
998
999 granted = 0xdeadbeef;
1000 status = 0xdeadbeef;
1001 SetLastError(0xdeadbeef);
1002 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1003 ok(rc, "AccessCheck error %d\n", GetLastError());
1004 ok(status == 1, "expected 1, got %d\n", status);
1005 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1006
1007 granted = 0xdeadbeef;
1008 status = 0xdeadbeef;
1009 SetLastError(0xdeadbeef);
1010 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1011 ok(rc, "AccessCheck error %d\n", GetLastError());
1012 ok(status == 1, "expected 1, got %d\n", status);
1013 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1014
1015 granted = 0xdeadbeef;
1016 status = 0xdeadbeef;
1017 SetLastError(0xdeadbeef);
1018 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1019 ok(rc, "AccessCheck error %d\n", GetLastError());
1020 ok(status == 1, "expected 1, got %d\n", status);
1021 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1022
1023 granted = 0xdeadbeef;
1024 status = 0xdeadbeef;
1025 SetLastError(0xdeadbeef);
1026 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1027 ok(rc, "AccessCheck error %d\n", GetLastError());
1028 ok(status == 1, "expected 1, got %d\n", status);
1029 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1030
1031 granted = 0xdeadbeef;
1032 status = 0xdeadbeef;
1033 SetLastError(0xdeadbeef);
1034 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1035 ok(rc, "AccessCheck error %d\n", GetLastError());
1036 ok(status == 1, "expected 1, got %d\n", status);
1037 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1038
1039 SetLastError(0xdeadbeef);
1040 rc = AccessCheck(sd, token, 0xffffffff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1041 ok(!rc, "AccessCheck should fail\n");
1042 ok(GetLastError() == ERROR_GENERIC_NOT_MAPPED, "expected ERROR_GENERIC_NOT_MAPPED, got %d\n", GetLastError());
1043
1044 /* Test file access permissions for a file with FILE_ATTRIBUTE_READONLY */
1045 SetLastError(0xdeadbeef);
1046 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1047 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1048 retSize = 0xdeadbeef;
1049 SetLastError(0xdeadbeef);
1050 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1051 ok(!rc, "WriteFile should fail\n");
1052 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1053 ok(retSize == 0, "expected 0, got %d\n", retSize);
1054 CloseHandle(fh);
1055
1056 rc = GetFileAttributesA(file);
1057 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1058 todo_wine
1059 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1060 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1061
1062 SetLastError(0xdeadbeef);
1063 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1064 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1065 SetLastError(0xdeadbeef);
1066 rc = DeleteFileA(file);
1067 ok(rc, "DeleteFile error %d\n", GetLastError());
1068
1069 SetLastError(0xdeadbeef);
1070 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1071 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1072 retSize = 0xdeadbeef;
1073 SetLastError(0xdeadbeef);
1074 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1075 ok(!rc, "WriteFile should fail\n");
1076 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1077 ok(retSize == 0, "expected 0, got %d\n", retSize);
1078 CloseHandle(fh);
1079
1080 rc = GetFileAttributesA(file);
1081 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1082 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1083 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1084
1085 retSize = 0xdeadbeef;
1086 SetLastError(0xdeadbeef);
1087 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
1088 sd, sdSize, &retSize);
1089 ok(rc, "GetFileSecurity error %d\n", GetLastError());
1090 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
1091
1092 priv_set_len = sizeof(priv_set);
1093 granted = 0xdeadbeef;
1094 status = 0xdeadbeef;
1095 SetLastError(0xdeadbeef);
1096 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1097 ok(rc, "AccessCheck error %d\n", GetLastError());
1098 ok(status == 1, "expected 1, got %d\n", status);
1099 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
1100
1101 granted = 0xdeadbeef;
1102 status = 0xdeadbeef;
1103 SetLastError(0xdeadbeef);
1104 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1105 ok(rc, "AccessCheck error %d\n", GetLastError());
1106 todo_wine {
1107 ok(status == 1, "expected 1, got %d\n", status);
1108 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
1109 }
1110 granted = 0xdeadbeef;
1111 status = 0xdeadbeef;
1112 SetLastError(0xdeadbeef);
1113 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1114 ok(rc, "AccessCheck error %d\n", GetLastError());
1115 ok(status == 1, "expected 1, got %d\n", status);
1116 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1117
1118 granted = 0xdeadbeef;
1119 status = 0xdeadbeef;
1120 SetLastError(0xdeadbeef);
1121 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1122 ok(rc, "AccessCheck error %d\n", GetLastError());
1123 todo_wine {
1124 ok(status == 1, "expected 1, got %d\n", status);
1125 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1126 }
1127 granted = 0xdeadbeef;
1128 status = 0xdeadbeef;
1129 SetLastError(0xdeadbeef);
1130 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1131 ok(rc, "AccessCheck error %d\n", GetLastError());
1132 todo_wine {
1133 ok(status == 1, "expected 1, got %d\n", status);
1134 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1135 }
1136 granted = 0xdeadbeef;
1137 status = 0xdeadbeef;
1138 SetLastError(0xdeadbeef);
1139 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1140 ok(rc, "AccessCheck error %d\n", GetLastError());
1141 todo_wine {
1142 ok(status == 1, "expected 1, got %d\n", status);
1143 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1144 }
1145 granted = 0xdeadbeef;
1146 status = 0xdeadbeef;
1147 SetLastError(0xdeadbeef);
1148 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1149 ok(rc, "AccessCheck error %d\n", GetLastError());
1150 todo_wine {
1151 ok(status == 1, "expected 1, got %d\n", status);
1152 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1153 }
1154 SetLastError(0xdeadbeef);
1155 rc = DeleteFileA(file);
1156 ok(!rc, "DeleteFile should fail\n");
1157 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1158 SetLastError(0xdeadbeef);
1159 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1160 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1161 SetLastError(0xdeadbeef);
1162 rc = DeleteFileA(file);
1163 ok(rc, "DeleteFile error %d\n", GetLastError());
1164
1165 CloseHandle(token);
1166 HeapFree(GetProcessHeap(), 0, sd);
1167 }
1168
1169 static void test_AccessCheck(void)
1170 {
1171 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
1172 PACL Acl = NULL;
1173 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
1174 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
1175 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
1176 GENERIC_MAPPING Mapping = { KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS };
1177 ACCESS_MASK Access;
1178 BOOL AccessStatus;
1179 HANDLE Token;
1180 HANDLE ProcessToken;
1181 BOOL ret;
1182 DWORD PrivSetLen;
1183 PRIVILEGE_SET *PrivSet;
1184 BOOL res;
1185 HMODULE NtDllModule;
1186 BOOLEAN Enabled;
1187 DWORD err;
1188 NTSTATUS ntret, ntAccessStatus;
1189
1190 NtDllModule = GetModuleHandleA("ntdll.dll");
1191 if (!NtDllModule)
1192 {
1193 skip("not running on NT, skipping test\n");
1194 return;
1195 }
1196 pRtlAdjustPrivilege = (void *)GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
1197 if (!pRtlAdjustPrivilege)
1198 {
1199 win_skip("missing RtlAdjustPrivilege, skipping test\n");
1200 return;
1201 }
1202
1203 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
1204 res = InitializeAcl(Acl, 256, ACL_REVISION);
1205 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1206 {
1207 skip("ACLs not implemented - skipping tests\n");
1208 HeapFree(GetProcessHeap(), 0, Acl);
1209 return;
1210 }
1211 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
1212
1213 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
1214 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1215
1216 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1217 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
1218 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1219
1220 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1221 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
1222 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1223
1224 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
1225
1226 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
1227 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
1228
1229 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1230 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1231
1232 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1233 PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
1234 PrivSet->PrivilegeCount = 16;
1235
1236 res = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &ProcessToken);
1237 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
1238
1239 pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
1240
1241 res = DuplicateToken(ProcessToken, SecurityImpersonation, &Token);
1242 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1243
1244 /* SD without owner/group */
1245 SetLastError(0xdeadbeef);
1246 Access = AccessStatus = 0x1abe11ed;
1247 ret = AccessCheck(SecurityDescriptor, Token, KEY_QUERY_VALUE, &Mapping,
1248 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1249 err = GetLastError();
1250 ok(!ret && err == ERROR_INVALID_SECURITY_DESCR, "AccessCheck should have "
1251 "failed with ERROR_INVALID_SECURITY_DESCR, instead of %d\n", err);
1252 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1253 "Access and/or AccessStatus were changed!\n");
1254
1255 /* Set owner and group */
1256 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
1257 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
1258 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
1259 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
1260
1261 /* Generic access mask */
1262 SetLastError(0xdeadbeef);
1263 Access = AccessStatus = 0x1abe11ed;
1264 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1265 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1266 err = GetLastError();
1267 ok(!ret && err == ERROR_GENERIC_NOT_MAPPED, "AccessCheck should have failed "
1268 "with ERROR_GENERIC_NOT_MAPPED, instead of %d\n", err);
1269 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1270 "Access and/or AccessStatus were changed!\n");
1271
1272 /* Generic access mask - no privilegeset buffer */
1273 SetLastError(0xdeadbeef);
1274 Access = AccessStatus = 0x1abe11ed;
1275 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1276 NULL, &PrivSetLen, &Access, &AccessStatus);
1277 err = GetLastError();
1278 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1279 "with ERROR_NOACCESS, instead of %d\n", err);
1280 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1281 "Access and/or AccessStatus were changed!\n");
1282
1283 /* Generic access mask - no returnlength */
1284 SetLastError(0xdeadbeef);
1285 Access = AccessStatus = 0x1abe11ed;
1286 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1287 PrivSet, NULL, &Access, &AccessStatus);
1288 err = GetLastError();
1289 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1290 "with ERROR_NOACCESS, instead of %d\n", err);
1291 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1292 "Access and/or AccessStatus were changed!\n");
1293
1294 /* Generic access mask - no privilegeset buffer, no returnlength */
1295 SetLastError(0xdeadbeef);
1296 Access = AccessStatus = 0x1abe11ed;
1297 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1298 NULL, NULL, &Access, &AccessStatus);
1299 err = GetLastError();
1300 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1301 "with ERROR_NOACCESS, instead of %d\n", err);
1302 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1303 "Access and/or AccessStatus were changed!\n");
1304
1305 /* sd with no dacl present */
1306 Access = AccessStatus = 0x1abe11ed;
1307 ret = SetSecurityDescriptorDacl(SecurityDescriptor, FALSE, NULL, FALSE);
1308 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1309 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1310 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1311 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1312 ok(AccessStatus && (Access == KEY_READ),
1313 "AccessCheck failed to grant access with error %d\n",
1314 GetLastError());
1315
1316 /* sd with no dacl present - no privilegeset buffer */
1317 SetLastError(0xdeadbeef);
1318 Access = AccessStatus = 0x1abe11ed;
1319 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1320 NULL, &PrivSetLen, &Access, &AccessStatus);
1321 err = GetLastError();
1322 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1323 "with ERROR_NOACCESS, instead of %d\n", err);
1324 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1325 "Access and/or AccessStatus were changed!\n");
1326
1327 if(pNtAccessCheck)
1328 {
1329 /* Generic access mask - no privilegeset buffer */
1330 SetLastError(0xdeadbeef);
1331 Access = ntAccessStatus = 0x1abe11ed;
1332 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1333 NULL, &PrivSetLen, &Access, &ntAccessStatus);
1334 err = GetLastError();
1335 ok(ntret == STATUS_ACCESS_VIOLATION,
1336 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1337 ok(err == 0xdeadbeef,
1338 "NtAccessCheck shouldn't set last error, got %d\n", err);
1339 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1340 "Access and/or AccessStatus were changed!\n");
1341
1342 /* Generic access mask - no returnlength */
1343 SetLastError(0xdeadbeef);
1344 Access = ntAccessStatus = 0x1abe11ed;
1345 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1346 PrivSet, NULL, &Access, &ntAccessStatus);
1347 err = GetLastError();
1348 ok(ntret == STATUS_ACCESS_VIOLATION,
1349 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1350 ok(err == 0xdeadbeef,
1351 "NtAccessCheck shouldn't set last error, got %d\n", err);
1352 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1353 "Access and/or AccessStatus were changed!\n");
1354
1355 /* Generic access mask - no privilegeset buffer, no returnlength */
1356 SetLastError(0xdeadbeef);
1357 Access = ntAccessStatus = 0x1abe11ed;
1358 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1359 NULL, NULL, &Access, &ntAccessStatus);
1360 err = GetLastError();
1361 ok(ntret == STATUS_ACCESS_VIOLATION,
1362 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1363 ok(err == 0xdeadbeef,
1364 "NtAccessCheck shouldn't set last error, got %d\n", err);
1365 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1366 "Access and/or AccessStatus were changed!\n");
1367 }
1368 else
1369 win_skip("NtAccessCheck unavailable. Skipping.\n");
1370
1371 /* sd with NULL dacl */
1372 Access = AccessStatus = 0x1abe11ed;
1373 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, NULL, FALSE);
1374 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1375 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1376 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1377 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1378 ok(AccessStatus && (Access == KEY_READ),
1379 "AccessCheck failed to grant access with error %d\n",
1380 GetLastError());
1381 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1382 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1383 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1384 ok(AccessStatus && (Access == KEY_ALL_ACCESS),
1385 "AccessCheck failed to grant access with error %d\n",
1386 GetLastError());
1387
1388 /* sd with blank dacl */
1389 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1390 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1391 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1392 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1393 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1394 err = GetLastError();
1395 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1396 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1397 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1398
1399 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
1400 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
1401
1402 res = AddAccessDeniedAce(Acl, ACL_REVISION, KEY_SET_VALUE, AdminSid);
1403 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
1404
1405 /* sd with dacl */
1406 Access = AccessStatus = 0x1abe11ed;
1407 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1408 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1409 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1410 ok(AccessStatus && (Access == KEY_READ),
1411 "AccessCheck failed to grant access with error %d\n",
1412 GetLastError());
1413
1414 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1415 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1416 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1417 ok(AccessStatus,
1418 "AccessCheck failed to grant any access with error %d\n",
1419 GetLastError());
1420 trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08x\n", Access);
1421
1422 /* Null PrivSet with null PrivSetLen pointer */
1423 SetLastError(0xdeadbeef);
1424 Access = AccessStatus = 0x1abe11ed;
1425 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1426 NULL, NULL, &Access, &AccessStatus);
1427 err = GetLastError();
1428 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1429 "failed with ERROR_NOACCESS, instead of %d\n", err);
1430 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1431 "Access and/or AccessStatus were changed!\n");
1432
1433 /* Null PrivSet with zero PrivSetLen */
1434 SetLastError(0xdeadbeef);
1435 Access = AccessStatus = 0x1abe11ed;
1436 PrivSetLen = 0;
1437 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1438 0, &PrivSetLen, &Access, &AccessStatus);
1439 err = GetLastError();
1440 todo_wine
1441 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1442 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1443 todo_wine
1444 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1445 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1446 "Access and/or AccessStatus were changed!\n");
1447
1448 /* Null PrivSet with insufficient PrivSetLen */
1449 SetLastError(0xdeadbeef);
1450 Access = AccessStatus = 0x1abe11ed;
1451 PrivSetLen = 1;
1452 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1453 0, &PrivSetLen, &Access, &AccessStatus);
1454 err = GetLastError();
1455 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1456 "failed with ERROR_NOACCESS, instead of %d\n", err);
1457 ok(PrivSetLen == 1, "PrivSetLen returns %d\n", PrivSetLen);
1458 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1459 "Access and/or AccessStatus were changed!\n");
1460
1461 /* Null PrivSet with insufficient PrivSetLen */
1462 SetLastError(0xdeadbeef);
1463 Access = AccessStatus = 0x1abe11ed;
1464 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1465 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1466 0, &PrivSetLen, &Access, &AccessStatus);
1467 err = GetLastError();
1468 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1469 "failed with ERROR_NOACCESS, instead of %d\n", err);
1470 ok(PrivSetLen == sizeof(PRIVILEGE_SET) - 1, "PrivSetLen returns %d\n", PrivSetLen);
1471 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1472 "Access and/or AccessStatus were changed!\n");
1473
1474 /* Null PrivSet with minimal sufficient PrivSetLen */
1475 SetLastError(0xdeadbeef);
1476 Access = AccessStatus = 0x1abe11ed;
1477 PrivSetLen = sizeof(PRIVILEGE_SET);
1478 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1479 0, &PrivSetLen, &Access, &AccessStatus);
1480 err = GetLastError();
1481 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1482 "failed with ERROR_NOACCESS, instead of %d\n", err);
1483 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1484 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1485 "Access and/or AccessStatus were changed!\n");
1486
1487 /* Valid PrivSet with zero PrivSetLen */
1488 SetLastError(0xdeadbeef);
1489 Access = AccessStatus = 0x1abe11ed;
1490 PrivSetLen = 0;
1491 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1492 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1493 err = GetLastError();
1494 todo_wine
1495 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1496 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1497 todo_wine
1498 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1499 todo_wine
1500 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1501 "Access and/or AccessStatus were changed!\n");
1502
1503 /* Valid PrivSet with insufficient PrivSetLen */
1504 SetLastError(0xdeadbeef);
1505 Access = AccessStatus = 0x1abe11ed;
1506 PrivSetLen = 1;
1507 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1508 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1509 err = GetLastError();
1510 todo_wine
1511 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1512 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1513 todo_wine
1514 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1515 todo_wine
1516 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1517 "Access and/or AccessStatus were changed!\n");
1518
1519 /* Valid PrivSet with insufficient PrivSetLen */
1520 SetLastError(0xdeadbeef);
1521 Access = AccessStatus = 0x1abe11ed;
1522 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1523 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1524 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1525 err = GetLastError();
1526 todo_wine
1527 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1528 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1529 todo_wine
1530 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1531 todo_wine
1532 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1533 "Access and/or AccessStatus were changed!\n");
1534
1535 /* Valid PrivSet with minimal sufficient PrivSetLen */
1536 SetLastError(0xdeadbeef);
1537 Access = AccessStatus = 0x1abe11ed;
1538 PrivSetLen = sizeof(PRIVILEGE_SET);
1539 memset(PrivSet, 0xcc, PrivSetLen);
1540 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1541 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1542 err = GetLastError();
1543 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1544 todo_wine
1545 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1546 ok(AccessStatus && (Access == KEY_READ),
1547 "AccessCheck failed to grant access with error %d\n", GetLastError());
1548 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1549 PrivSet->PrivilegeCount);
1550
1551 /* Valid PrivSet with sufficient PrivSetLen */
1552 SetLastError(0xdeadbeef);
1553 Access = AccessStatus = 0x1abe11ed;
1554 PrivSetLen = sizeof(PRIVILEGE_SET) + 1;
1555 memset(PrivSet, 0xcc, PrivSetLen);
1556 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1557 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1558 err = GetLastError();
1559 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1560 todo_wine
1561 ok(PrivSetLen == sizeof(PRIVILEGE_SET) + 1, "PrivSetLen returns %d\n", PrivSetLen);
1562 ok(AccessStatus && (Access == KEY_READ),
1563 "AccessCheck failed to grant access with error %d\n", GetLastError());
1564 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1565 PrivSet->PrivilegeCount);
1566
1567 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1568
1569 /* Null PrivSet with valid PrivSetLen */
1570 SetLastError(0xdeadbeef);
1571 Access = AccessStatus = 0x1abe11ed;
1572 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1573 0, &PrivSetLen, &Access, &AccessStatus);
1574 err = GetLastError();
1575 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1576 "failed with ERROR_NOACCESS, instead of %d\n", err);
1577 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1578 "Access and/or AccessStatus were changed!\n");
1579
1580 /* Access denied by SD */
1581 SetLastError(0xdeadbeef);
1582 Access = AccessStatus = 0x1abe11ed;
1583 ret = AccessCheck(SecurityDescriptor, Token, KEY_WRITE, &Mapping,
1584 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1585 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1586 err = GetLastError();
1587 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1588 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1589 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1590
1591 SetLastError(0xdeadbeef);
1592 PrivSet->PrivilegeCount = 16;
1593 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1594 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1595 ok(ret && !AccessStatus && GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
1596 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %d\n",
1597 GetLastError());
1598
1599 ret = ImpersonateLoggedOnUser(Token);
1600 ok(ret, "ImpersonateLoggedOnUser failed with error %d\n", GetLastError());
1601 ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
1602 if (!ret)
1603 {
1604 /* Valid PrivSet with zero PrivSetLen */
1605 SetLastError(0xdeadbeef);
1606 Access = AccessStatus = 0x1abe11ed;
1607 PrivSetLen = 0;
1608 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1609 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1610 err = GetLastError();
1611 todo_wine
1612 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1613 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1614 todo_wine
1615 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1616 todo_wine
1617 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1618 "Access and/or AccessStatus were changed!\n");
1619
1620 /* Valid PrivSet with insufficient PrivSetLen */
1621 SetLastError(0xdeadbeef);
1622 Access = AccessStatus = 0x1abe11ed;
1623 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1624 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1625 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1626 err = GetLastError();
1627 todo_wine
1628 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1629 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1630 todo_wine
1631 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1632 todo_wine
1633 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1634 "Access and/or AccessStatus were changed!\n");
1635
1636 /* Valid PrivSet with minimal sufficient PrivSetLen */
1637 SetLastError(0xdeadbeef);
1638 Access = AccessStatus = 0x1abe11ed;
1639 PrivSetLen = sizeof(PRIVILEGE_SET);
1640 memset(PrivSet, 0xcc, PrivSetLen);
1641 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1642 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1643 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1644 "AccessCheck should have succeeded, error %d\n",
1645 GetLastError());
1646 ok(Access == ACCESS_SYSTEM_SECURITY,
1647 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1648 Access);
1649 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1650 PrivSet->PrivilegeCount);
1651
1652 /* Valid PrivSet with large PrivSetLen */
1653 SetLastError(0xdeadbeef);
1654 Access = AccessStatus = 0x1abe11ed;
1655 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1656 memset(PrivSet, 0xcc, PrivSetLen);
1657 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1658 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1659 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1660 "AccessCheck should have succeeded, error %d\n",
1661 GetLastError());
1662 ok(Access == ACCESS_SYSTEM_SECURITY,
1663 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1664 Access);
1665 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1666 PrivSet->PrivilegeCount);
1667 }
1668 else
1669 trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
1670 ret);
1671 ret = RevertToSelf();
1672 ok(ret, "RevertToSelf failed with error %d\n", GetLastError());
1673
1674 /* test INHERIT_ONLY_ACE */
1675 ret = InitializeAcl(Acl, 256, ACL_REVISION);
1676 ok(ret, "InitializeAcl failed with error %d\n", GetLastError());
1677
1678 /* NT doesn't have AddAccessAllowedAceEx. Skipping this call/test doesn't influence
1679 * the next ones.
1680 */
1681 if (pAddAccessAllowedAceEx)
1682 {
1683 ret = pAddAccessAllowedAceEx(Acl, ACL_REVISION, INHERIT_ONLY_ACE, KEY_READ, EveryoneSid);
1684 ok(ret, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
1685 }
1686 else
1687 win_skip("AddAccessAllowedAceEx is not available\n");
1688
1689 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1690 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1691 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1692 err = GetLastError();
1693 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1694 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1695 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1696
1697 CloseHandle(Token);
1698
1699 res = DuplicateToken(ProcessToken, SecurityAnonymous, &Token);
1700 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1701
1702 SetLastError(0xdeadbeef);
1703 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1704 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1705 err = GetLastError();
1706 ok(!ret && err == ERROR_BAD_IMPERSONATION_LEVEL, "AccessCheck should have failed "
1707 "with ERROR_BAD_IMPERSONATION_LEVEL, instead of %d\n", err);
1708
1709 CloseHandle(Token);
1710
1711 SetLastError(0xdeadbeef);
1712 ret = AccessCheck(SecurityDescriptor, ProcessToken, KEY_READ, &Mapping,
1713 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1714 err = GetLastError();
1715 ok(!ret && err == ERROR_NO_IMPERSONATION_TOKEN, "AccessCheck should have failed "
1716 "with ERROR_NO_IMPERSONATION_TOKEN, instead of %d\n", err);
1717
1718 CloseHandle(ProcessToken);
1719
1720 if (EveryoneSid)
1721 FreeSid(EveryoneSid);
1722 if (AdminSid)
1723 FreeSid(AdminSid);
1724 if (UsersSid)
1725 FreeSid(UsersSid);
1726 HeapFree(GetProcessHeap(), 0, Acl);
1727 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
1728 HeapFree(GetProcessHeap(), 0, PrivSet);
1729 }
1730
1731 /* test GetTokenInformation for the various attributes */
1732 static void test_token_attr(void)
1733 {
1734 HANDLE Token, ImpersonationToken;
1735 DWORD Size, Size2;
1736 TOKEN_PRIVILEGES *Privileges;
1737 TOKEN_GROUPS *Groups;
1738 TOKEN_USER *User;
1739 TOKEN_DEFAULT_DACL *Dacl;
1740 BOOL ret;
1741 DWORD i, GLE;
1742 LPSTR SidString;
1743 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
1744 ACL *acl;
1745
1746 /* cygwin-like use case */
1747 SetLastError(0xdeadbeef);
1748 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Token);
1749 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
1750 {
1751 win_skip("OpenProcessToken is not implemented\n");
1752 return;
1753 }
1754 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1755 if (ret)
1756 {
1757 DWORD buf[256]; /* GetTokenInformation wants a dword-aligned buffer */
1758 Size = sizeof(buf);
1759 ret = GetTokenInformation(Token, TokenUser,(void*)buf, Size, &Size);
1760 ok(ret, "GetTokenInformation failed with error %d\n", GetLastError());
1761 Size = sizeof(ImpersonationLevel);
1762 ret = GetTokenInformation(Token, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1763 GLE = GetLastError();
1764 ok(!ret && (GLE == ERROR_INVALID_PARAMETER), "GetTokenInformation(TokenImpersonationLevel) on primary token should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GLE);
1765 CloseHandle(Token);
1766 }
1767
1768 SetLastError(0xdeadbeef);
1769 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &Token);
1770 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1771
1772 /* groups */
1773 /* insufficient buffer length */
1774 SetLastError(0xdeadbeef);
1775 Size2 = 0;
1776 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size2);
1777 ok(Size2 > 1, "got %d\n", Size2);
1778 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1779 "%d with error %d\n", ret, GetLastError());
1780 Size2 -= 1;
1781 Groups = HeapAlloc(GetProcessHeap(), 0, Size2);
1782 memset(Groups, 0xcc, Size2);
1783 Size = 0;
1784 ret = GetTokenInformation(Token, TokenGroups, Groups, Size2, &Size);
1785 ok(Size > 1, "got %d\n", Size);
1786 ok((!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER) || broken(ret) /* wow64 */,
1787 "%d with error %d\n", ret, GetLastError());
1788 if(!ret)
1789 ok(*((BYTE*)Groups) == 0xcc, "buffer altered\n");
1790
1791 HeapFree(GetProcessHeap(), 0, Groups);
1792
1793 SetLastError(0xdeadbeef);
1794 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size);
1795 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1796 "GetTokenInformation(TokenGroups) %s with error %d\n",
1797 ret ? "succeeded" : "failed", GetLastError());
1798 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
1799 SetLastError(0xdeadbeef);
1800 ret = GetTokenInformation(Token, TokenGroups, Groups, Size, &Size);
1801 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
1802 ok(GetLastError() == 0xdeadbeef,
1803 "GetTokenInformation shouldn't have set last error to %d\n",
1804 GetLastError());
1805 trace("TokenGroups:\n");
1806 for (i = 0; i < Groups->GroupCount; i++)
1807 {
1808 DWORD NameLength = 255;
1809 CHAR Name[255];
1810 DWORD DomainLength = 255;
1811 CHAR Domain[255];
1812 SID_NAME_USE SidNameUse;
1813 Name[0] = '\0';
1814 Domain[0] = '\0';
1815 ret = LookupAccountSidA(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
1816 if (ret)
1817 {
1818 ConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
1819 trace("%s, %s\\%s use: %d attr: 0x%08x\n", SidString, Domain, Name, SidNameUse, Groups->Groups[i].Attributes);
1820 LocalFree(SidString);
1821 }
1822 else trace("attr: 0x%08x LookupAccountSid failed with error %d\n", Groups->Groups[i].Attributes, GetLastError());
1823 }
1824 HeapFree(GetProcessHeap(), 0, Groups);
1825
1826 /* user */
1827 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
1828 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1829 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1830 User = HeapAlloc(GetProcessHeap(), 0, Size);
1831 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
1832 ok(ret,
1833 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1834
1835 ConvertSidToStringSidA(User->User.Sid, &SidString);
1836 trace("TokenUser: %s attr: 0x%08x\n", SidString, User->User.Attributes);
1837 LocalFree(SidString);
1838 HeapFree(GetProcessHeap(), 0, User);
1839
1840 /* logon */
1841 ret = GetTokenInformation(Token, TokenLogonSid, NULL, 0, &Size);
1842 if (!ret && (GetLastError() == ERROR_INVALID_PARAMETER))
1843 todo_wine win_skip("TokenLogonSid not supported. Skipping tests\n");
1844 else
1845 {
1846 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1847 "GetTokenInformation(TokenLogonSid) failed with error %d\n", GetLastError());
1848 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
1849 ret = GetTokenInformation(Token, TokenLogonSid, Groups, Size, &Size);
1850 ok(ret,
1851 "GetTokenInformation(TokenLogonSid) failed with error %d\n", GetLastError());
1852 if (ret)
1853 {
1854 ok(Groups->GroupCount == 1, "got %d\n", Groups->GroupCount);
1855 if(Groups->GroupCount == 1)
1856 {
1857 ConvertSidToStringSidA(Groups->Groups[0].Sid, &SidString);
1858 trace("TokenLogon: %s\n", SidString);
1859 LocalFree(SidString);
1860
1861 /* S-1-5-5-0-XXXXXX */
1862 ret = IsWellKnownSid(Groups->Groups[0].Sid, WinLogonIdsSid);
1863 ok(ret, "Unknown SID\n");
1864 }
1865 }
1866
1867 HeapFree(GetProcessHeap(), 0, Groups);
1868 }
1869
1870 /* privileges */
1871 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
1872 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1873 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1874 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
1875 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
1876 ok(ret,
1877 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1878 trace("TokenPrivileges:\n");
1879 for (i = 0; i < Privileges->PrivilegeCount; i++)
1880 {
1881 CHAR Name[256];
1882 DWORD NameLen = ARRAY_SIZE(Name);
1883 LookupPrivilegeNameA(NULL, &Privileges->Privileges[i].Luid, Name, &NameLen);
1884 trace("\t%s, 0x%x\n", Name, Privileges->Privileges[i].Attributes);
1885 }
1886 HeapFree(GetProcessHeap(), 0, Privileges);
1887
1888 ret = DuplicateToken(Token, SecurityAnonymous, &ImpersonationToken);
1889 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
1890
1891 Size = sizeof(ImpersonationLevel);
1892 ret = GetTokenInformation(ImpersonationToken, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1893 ok(ret, "GetTokenInformation(TokenImpersonationLevel) failed with error %d\n", GetLastError());
1894 ok(ImpersonationLevel == SecurityAnonymous, "ImpersonationLevel should have been SecurityAnonymous instead of %d\n", ImpersonationLevel);
1895
1896 CloseHandle(ImpersonationToken);
1897
1898 /* default dacl */
1899 ret = GetTokenInformation(Token, TokenDefaultDacl, NULL, 0, &Size);
1900 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1901 "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1902
1903 Dacl = HeapAlloc(GetProcessHeap(), 0, Size);
1904 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size);
1905 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1906
1907 SetLastError(0xdeadbeef);
1908 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, 0);
1909 GLE = GetLastError();
1910 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1911 ok(GLE == ERROR_BAD_LENGTH, "expected ERROR_BAD_LENGTH got %u\n", GLE);
1912
1913 SetLastError(0xdeadbeef);
1914 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, Size);
1915 GLE = GetLastError();
1916 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1917 ok(GLE == ERROR_NOACCESS, "expected ERROR_NOACCESS got %u\n", GLE);
1918
1919 acl = Dacl->DefaultDacl;
1920 Dacl->DefaultDacl = NULL;
1921
1922 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1923 ok(ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1924
1925 Size2 = 0;
1926 Dacl->DefaultDacl = (ACL *)0xdeadbeef;
1927 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1928 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1929 ok(Dacl->DefaultDacl == NULL, "expected NULL, got %p\n", Dacl->DefaultDacl);
1930 ok(Size2 == sizeof(TOKEN_DEFAULT_DACL) || broken(Size2 == 2*sizeof(TOKEN_DEFAULT_DACL)), /* WoW64 */
1931 "got %u expected sizeof(TOKEN_DEFAULT_DACL)\n", Size2);
1932
1933 Dacl->DefaultDacl = acl;
1934 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1935 ok(ret, "SetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1936
1937 if (Size2 == sizeof(TOKEN_DEFAULT_DACL)) {
1938 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1939 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1940 } else
1941 win_skip("TOKEN_DEFAULT_DACL size too small on WoW64\n");
1942
1943 HeapFree(GetProcessHeap(), 0, Dacl);
1944 CloseHandle(Token);
1945 }
1946
1947 static void test_GetTokenInformation(void)
1948 {
1949 DWORD is_app_container, size;
1950 HANDLE token;
1951 BOOL ret;
1952
1953 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
1954 ok(ret, "OpenProcessToken failed: %u\n", GetLastError());
1955
1956 size = 0;
1957 is_app_container = 0xdeadbeef;
1958 ret = GetTokenInformation(token, TokenIsAppContainer, &is_app_container,
1959 sizeof(is_app_container), &size);
1960 ok(ret || broken(GetLastError() == ERROR_INVALID_PARAMETER ||
1961 GetLastError() == ERROR_INVALID_FUNCTION), /* pre-win8 */
1962 "GetTokenInformation failed: %u\n", GetLastError());
1963 if(ret) {
1964 ok(size == sizeof(is_app_container), "size = %u\n", size);
1965 ok(!is_app_container, "is_app_container = %x\n", is_app_container);
1966 }
1967
1968 CloseHandle(token);
1969 }
1970
1971 typedef union _MAX_SID
1972 {
1973 SID sid;
1974 char max[SECURITY_MAX_SID_SIZE];
1975 } MAX_SID;
1976
1977 static void test_sid_str(PSID * sid)
1978 {
1979 char *str_sid;
1980 BOOL ret = ConvertSidToStringSidA(sid, &str_sid);
1981 ok(ret, "ConvertSidToStringSidA() failed: %d\n", GetLastError());
1982 if (ret)
1983 {
1984 char account[MAX_PATH], domain[MAX_PATH];
1985 SID_NAME_USE use;
1986 DWORD acc_size = MAX_PATH;
1987 DWORD dom_size = MAX_PATH;
1988 ret = LookupAccountSidA (NULL, sid, account, &acc_size, domain, &dom_size, &use);
1989 ok(ret || GetLastError() == ERROR_NONE_MAPPED,
1990 "LookupAccountSid(%s) failed: %d\n", str_sid, GetLastError());
1991 if (ret)
1992 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
1993 else if (GetLastError() == ERROR_NONE_MAPPED)
1994 trace(" %s couldn't be mapped\n", str_sid);
1995 LocalFree(str_sid);
1996 }
1997 }
1998
1999 static const struct well_known_sid_value
2000 {
2001 BOOL without_domain;
2002 const char *sid_string;
2003 } well_known_sid_values[] = {
2004 /* 0 */ {TRUE, "S-1-0-0"}, {TRUE, "S-1-1-0"}, {TRUE, "S-1-2-0"}, {TRUE, "S-1-3-0"},
2005 /* 4 */ {TRUE, "S-1-3-1"}, {TRUE, "S-1-3-2"}, {TRUE, "S-1-3-3"}, {TRUE, "S-1-5"},
2006 /* 8 */ {FALSE, "S-1-5-1"}, {TRUE, "S-1-5-2"}, {TRUE, "S-1-5-3"}, {TRUE, "S-1-5-4"},
2007 /* 12 */ {TRUE, "S-1-5-6"}, {TRUE, "S-1-5-7"}, {TRUE, "S-1-5-8"}, {TRUE, "S-1-5-9"},
2008 /* 16 */ {TRUE, "S-1-5-10"}, {TRUE, "S-1-5-11"}, {TRUE, "S-1-5-12"}, {TRUE, "S-1-5-13"},
2009 /* 20 */ {TRUE, "S-1-5-14"}, {FALSE, NULL}, {TRUE, "S-1-5-18"}, {TRUE, "S-1-5-19"},
2010 /* 24 */ {TRUE, "S-1-5-20"}, {TRUE, "S-1-5-32"},
2011 /* 26 */ {FALSE, "S-1-5-32-544"}, {TRUE, "S-1-5-32-545"}, {TRUE, "S-1-5-32-546"},
2012 /* 29 */ {TRUE, "S-1-5-32-547"}, {TRUE, "S-1-5-32-548"}, {TRUE, "S-1-5-32-549"},
2013 /* 32 */ {TRUE, "S-1-5-32-550"}, {TRUE, "S-1-5-32-551"}, {TRUE, "S-1-5-32-552"},
2014 /* 35 */ {TRUE, "S-1-5-32-554"}, {TRUE, "S-1-5-32-555"}, {TRUE, "S-1-5-32-556"},
2015 /* 38 */ {FALSE, "S-1-5-21-12-23-34-45-56-500"}, {FALSE, "S-1-5-21-12-23-34-45-56-501"},
2016 /* 40 */ {FALSE, "S-1-5-21-12-23-34-45-56-502"}, {FALSE, "S-1-5-21-12-23-34-45-56-512"},
2017 /* 42 */ {FALSE, "S-1-5-21-12-23-34-45-56-513"}, {FALSE, "S-1-5-21-12-23-34-45-56-514"},
2018 /* 44 */ {FALSE, "S-1-5-21-12-23-34-45-56-515"}, {FALSE, "S-1-5-21-12-23-34-45-56-516"},
2019 /* 46 */ {FALSE, "S-1-5-21-12-23-34-45-56-517"}, {FALSE, "S-1-5-21-12-23-34-45-56-518"},
2020 /* 48 */ {FALSE, "S-1-5-21-12-23-34-45-56-519"}, {FALSE, "S-1-5-21-12-23-34-45-56-520"},
2021 /* 50 */ {FALSE, "S-1-5-21-12-23-34-45-56-553"},
2022 /* Added in Windows Server 2003 */
2023 /* 51 */ {TRUE, "S-1-5-64-10"}, {TRUE, "S-1-5-64-21"}, {TRUE, "S-1-5-64-14"},
2024 /* 54 */ {TRUE, "S-1-5-15"}, {TRUE, "S-1-5-1000"}, {FALSE, "S-1-5-32-557"},
2025 /* 57 */ {TRUE, "S-1-5-32-558"}, {TRUE, "S-1-5-32-559"}, {TRUE, "S-1-5-32-560"},
2026 /* 60 */ {TRUE, "S-1-5-32-561"}, {TRUE, "S-1-5-32-562"},
2027 /* Added in Windows Vista: */
2028 /* 62 */ {TRUE, "S-1-5-32-568"},
2029 /* 63 */ {TRUE, "S-1-5-17"}, {FALSE, "S-1-5-32-569"}, {TRUE, "S-1-16-0"},
2030 /* 66 */ {TRUE, "S-1-16-4096"}, {TRUE, "S-1-16-8192"}, {TRUE, "S-1-16-12288"},
2031 /* 69 */ {TRUE, "S-1-16-16384"}, {TRUE, "S-1-5-33"}, {TRUE, "S-1-3-4"},
2032 /* 72 */ {FALSE, "S-1-5-21-12-23-34-45-56-571"}, {FALSE, "S-1-5-21-12-23-34-45-56-572"},
2033 /* 74 */ {TRUE, "S-1-5-22"}, {FALSE, "S-1-5-21-12-23-34-45-56-521"}, {TRUE, "S-1-5-32-573"},
2034 /* 77 */ {FALSE, "S-1-5-21-12-23-34-45-56-498"}, {TRUE, "S-1-5-32-574"}, {TRUE, "S-1-16-8448"},
2035 /* 80 */ {FALSE, NULL}, {TRUE, "S-1-2-1"}, {TRUE, "S-1-5-65-1"}, {FALSE, NULL},
2036 /* 84 */ {TRUE, "S-1-15-2-1"},
2037 };
2038
2039 static void test_CreateWellKnownSid(void)
2040 {
2041 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2042 PSID domainsid, sid;
2043 DWORD size, error;
2044 BOOL ret;
2045 unsigned int i;
2046
2047 if (!pCreateWellKnownSid)
2048 {
2049 win_skip("CreateWellKnownSid not available\n");
2050 return;
2051 }
2052
2053 size = 0;
2054 SetLastError(0xdeadbeef);
2055 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2056 error = GetLastError();
2057 ok(!ret, "CreateWellKnownSid succeeded\n");
2058 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2059 ok(size, "expected size > 0\n");
2060
2061 SetLastError(0xdeadbeef);
2062 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2063 error = GetLastError();
2064 ok(!ret, "CreateWellKnownSid succeeded\n");
2065 ok(error == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %u\n", error);
2066
2067 sid = HeapAlloc(GetProcessHeap(), 0, size);
2068 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, sid, &size);
2069 ok(ret, "CreateWellKnownSid failed %u\n", GetLastError());
2070 HeapFree(GetProcessHeap(), 0, sid);
2071
2072 /* a domain sid usually have three subauthorities but we test that CreateWellKnownSid doesn't check it */
2073 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2074
2075 for (i = 0; i < ARRAY_SIZE(well_known_sid_values); i++)
2076 {
2077 const struct well_known_sid_value *value = &well_known_sid_values[i];
2078 char sid_buffer[SECURITY_MAX_SID_SIZE];
2079 LPSTR str;
2080 DWORD cb;
2081
2082 if (value->sid_string == NULL)
2083 continue;
2084
2085 /* some SIDs aren't implemented by all Windows versions - detect it */
2086 cb = sizeof(sid_buffer);
2087 if (!pCreateWellKnownSid(i, NULL, sid_buffer, &cb))
2088 {
2089 skip("Well known SID %u not implemented\n", i);
2090 continue;
2091 }
2092
2093 cb = sizeof(sid_buffer);
2094 ok(pCreateWellKnownSid(i, value->without_domain ? NULL : domainsid, sid_buffer, &cb), "Couldn't create well known sid %u\n", i);
2095 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2096 ok(IsValidSid(sid_buffer), "The sid is not valid\n");
2097 ok(ConvertSidToStringSidA(sid_buffer, &str), "Couldn't convert SID to string\n");
2098 ok(strcmp(str, value->sid_string) == 0, "%d: SID mismatch - expected %s, got %s\n", i,
2099 value->sid_string, str);
2100 LocalFree(str);
2101
2102 if (value->without_domain)
2103 {
2104 char buf2[SECURITY_MAX_SID_SIZE];
2105 cb = sizeof(buf2);
2106 ok(pCreateWellKnownSid(i, domainsid, buf2, &cb), "Couldn't create well known sid %u with optional domain\n", i);
2107 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2108 ok(memcmp(buf2, sid_buffer, cb) == 0, "SID create with domain is different than without (%u)\n", i);
2109 }
2110 }
2111
2112 FreeSid(domainsid);
2113 }
2114
2115 static void test_LookupAccountSid(void)
2116 {
2117 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
2118 CHAR accountA[MAX_PATH], domainA[MAX_PATH], usernameA[MAX_PATH];
2119 DWORD acc_sizeA, dom_sizeA, user_sizeA;
2120 DWORD real_acc_sizeA, real_dom_sizeA;
2121 WCHAR accountW[MAX_PATH], domainW[MAX_PATH];
2122 DWORD acc_sizeW, dom_sizeW;
2123 DWORD real_acc_sizeW, real_dom_sizeW;
2124 PSID pUsersSid = NULL;
2125 SID_NAME_USE use;
2126 BOOL ret;
2127 DWORD error, size, cbti = 0;
2128 MAX_SID max_sid;
2129 CHAR *str_sidA;
2130 int i;
2131 HANDLE hToken;
2132 PTOKEN_USER ptiUser = NULL;
2133
2134 /* native windows crashes if account size, domain size, or name use is NULL */
2135
2136 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
2137 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
2138 ok(ret || (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED),
2139 "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2140
2141 /* not running on NT so give up */
2142 if (!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2143 return;
2144
2145 real_acc_sizeA = MAX_PATH;
2146 real_dom_sizeA = MAX_PATH;
2147 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2148 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2149
2150 /* try NULL account */
2151 acc_sizeA = MAX_PATH;
2152 dom_sizeA = MAX_PATH;
2153 ret = LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2154 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2155
2156 /* try NULL domain */
2157 acc_sizeA = MAX_PATH;
2158 dom_sizeA = MAX_PATH;
2159 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2160 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2161
2162 /* try a small account buffer */
2163 acc_sizeA = 1;
2164 dom_sizeA = MAX_PATH;
2165 accountA[0] = 0;
2166 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2167 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2168 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2169 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2170
2171 /* try a 0 sized account buffer */
2172 acc_sizeA = 0;
2173 dom_sizeA = MAX_PATH;
2174 accountA[0] = 0;
2175 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2176 /* this can fail or succeed depending on OS version but the size will always be returned */
2177 ok(acc_sizeA == real_acc_sizeA + 1,
2178 "LookupAccountSidA() Expected acc_size = %u, got %u\n",
2179 real_acc_sizeA + 1, acc_sizeA);
2180
2181 /* try a 0 sized account buffer */
2182 acc_sizeA = 0;
2183 dom_sizeA = MAX_PATH;
2184 LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2185 /* this can fail or succeed depending on OS version but the size will always be returned */
2186 ok(acc_sizeA == real_acc_sizeA + 1,
2187 "LookupAccountSid() Expected acc_size = %u, got %u\n",
2188 real_acc_sizeA + 1, acc_sizeA);
2189
2190 /* try a small domain buffer */
2191 dom_sizeA = 1;
2192 acc_sizeA = MAX_PATH;
2193 accountA[0] = 0;
2194 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2195 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2196 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2197 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2198
2199 /* try a 0 sized domain buffer */
2200 dom_sizeA = 0;
2201 acc_sizeA = MAX_PATH;
2202 accountA[0] = 0;
2203 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2204 /* this can fail or succeed depending on OS version but the size will always be returned */
2205 ok(dom_sizeA == real_dom_sizeA + 1,
2206 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2207 real_dom_sizeA + 1, dom_sizeA);
2208
2209 /* try a 0 sized domain buffer */
2210 dom_sizeA = 0;
2211 acc_sizeA = MAX_PATH;
2212 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2213 /* this can fail or succeed depending on OS version but the size will always be returned */
2214 ok(dom_sizeA == real_dom_sizeA + 1,
2215 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2216 real_dom_sizeA + 1, dom_sizeA);
2217
2218 real_acc_sizeW = MAX_PATH;
2219 real_dom_sizeW = MAX_PATH;
2220 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &real_acc_sizeW, domainW, &real_dom_sizeW, &use);
2221 ok(ret, "LookupAccountSidW() Expected TRUE, got FALSE\n");
2222
2223 /* try an invalid system name */
2224 real_acc_sizeA = MAX_PATH;
2225 real_dom_sizeA = MAX_PATH;
2226 ret = LookupAccountSidA("deepthought", pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2227 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2228 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2229 "LookupAccountSidA() Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %u\n", GetLastError());
2230
2231 /* native windows crashes if domainW or accountW is NULL */
2232
2233 /* try a small account buffer */
2234 acc_sizeW = 1;
2235 dom_sizeW = MAX_PATH;
2236 accountW[0] = 0;
2237 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2238 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2239 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2240 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2241
2242 /* try a 0 sized account buffer */
2243 acc_sizeW = 0;
2244 dom_sizeW = MAX_PATH;
2245 accountW[0] = 0;
2246 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2247 /* this can fail or succeed depending on OS version but the size will always be returned */
2248 ok(acc_sizeW == real_acc_sizeW + 1,
2249 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2250 real_acc_sizeW + 1, acc_sizeW);
2251
2252 /* try a 0 sized account buffer */
2253 acc_sizeW = 0;
2254 dom_sizeW = MAX_PATH;
2255 LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, domainW, &dom_sizeW, &use);
2256 /* this can fail or succeed depending on OS version but the size will always be returned */
2257 ok(acc_sizeW == real_acc_sizeW + 1,
2258 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2259 real_acc_sizeW + 1, acc_sizeW);
2260
2261 /* try a small domain buffer */
2262 dom_sizeW = 1;
2263 acc_sizeW = MAX_PATH;
2264 accountW[0] = 0;
2265 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2266 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2267 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2268 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2269
2270 /* try a 0 sized domain buffer */
2271 dom_sizeW = 0;
2272 acc_sizeW = MAX_PATH;
2273 accountW[0] = 0;
2274 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2275 /* this can fail or succeed depending on OS version but the size will always be returned */
2276 ok(dom_sizeW == real_dom_sizeW + 1,
2277 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2278 real_dom_sizeW + 1, dom_sizeW);
2279
2280 /* try a 0 sized domain buffer */
2281 dom_sizeW = 0;
2282 acc_sizeW = MAX_PATH;
2283 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, NULL, &dom_sizeW, &use);
2284 /* this can fail or succeed depending on OS version but the size will always be returned */
2285 ok(dom_sizeW == real_dom_sizeW + 1,
2286 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2287 real_dom_sizeW + 1, dom_sizeW);
2288
2289 acc_sizeW = dom_sizeW = use = 0;
2290 SetLastError(0xdeadbeef);
2291 ret = LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, NULL, &dom_sizeW, &use);
2292 error = GetLastError();
2293 ok(!ret, "LookupAccountSidW failed %u\n", GetLastError());
2294 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2295 ok(acc_sizeW, "expected non-zero account size\n");
2296 ok(dom_sizeW, "expected non-zero domain size\n");
2297 ok(!use, "expected zero use %u\n", use);
2298
2299 FreeSid(pUsersSid);
2300
2301 /* Test LookupAccountSid with Sid retrieved from token information.
2302 This assumes this process is running under the account of the current user.*/
2303 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_DUPLICATE, &hToken);
2304 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
2305 ret = GetTokenInformation(hToken, TokenUser, NULL, 0, &cbti);
2306 ok(!ret, "GetTokenInformation failed with error %d\n", GetLastError());
2307 ptiUser = HeapAlloc(GetProcessHeap(), 0, cbti);
2308 if (GetTokenInformation(hToken, TokenUser, ptiUser, cbti, &cbti))
2309 {
2310 acc_sizeA = dom_sizeA = MAX_PATH;
2311 ret = LookupAccountSidA(NULL, ptiUser->User.Sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2312 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2313 user_sizeA = MAX_PATH;
2314 ret = GetUserNameA(usernameA , &user_sizeA);
2315 ok(ret, "GetUserNameA() Expected TRUE, got FALSE\n");
2316 ok(lstrcmpA(usernameA, accountA) == 0, "LookupAccountSidA() Expected account name: %s got: %s\n", usernameA, accountA );
2317 }
2318 HeapFree(GetProcessHeap(), 0, ptiUser);
2319
2320 if (pCreateWellKnownSid)
2321 {
2322 trace("Well Known SIDs:\n");
2323 for (i = 0; i <= 60; i++)
2324 {
2325 size = SECURITY_MAX_SID_SIZE;
2326 if (pCreateWellKnownSid(i, NULL, &max_sid.sid, &size))
2327 {
2328 if (ConvertSidToStringSidA(&max_sid.sid, &str_sidA))
2329 {
2330 acc_sizeA = MAX_PATH;
2331 dom_sizeA = MAX_PATH;
2332 if (LookupAccountSidA(NULL, &max_sid.sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use))
2333 trace(" %d: %s %s\\%s %d\n", i, str_sidA, domainA, accountA, use);
2334 LocalFree(str_sidA);
2335 }
2336 }
2337 else
2338 {
2339 if (GetLastError() != ERROR_INVALID_PARAMETER)
2340 trace(" CreateWellKnownSid(%d) failed: %d\n", i, GetLastError());
2341 else
2342 trace(" %d: not supported\n", i);
2343 }
2344 }
2345
2346 pLsaQueryInformationPolicy = (void *)GetProcAddress( hmod, "LsaQueryInformationPolicy");
2347 pLsaOpenPolicy = (void *)GetProcAddress( hmod, "LsaOpenPolicy");
2348 pLsaFreeMemory = (void *)GetProcAddress( hmod, "LsaFreeMemory");
2349 pLsaClose = (void *)GetProcAddress( hmod, "LsaClose");
2350
2351 if (pLsaQueryInformationPolicy && pLsaOpenPolicy && pLsaFreeMemory && pLsaClose)
2352 {
2353 NTSTATUS status;
2354 LSA_HANDLE handle;
2355 LSA_OBJECT_ATTRIBUTES object_attributes;
2356
2357 ZeroMemory(&object_attributes, sizeof(object_attributes));
2358 object_attributes.Length = sizeof(object_attributes);
2359
2360 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_ALL_ACCESS, &handle);
2361 ok(status == STATUS_SUCCESS || status == STATUS_ACCESS_DENIED,
2362 "LsaOpenPolicy(POLICY_ALL_ACCESS) returned 0x%08x\n", status);
2363
2364 /* try a more restricted access mask if necessary */
2365 if (status == STATUS_ACCESS_DENIED) {
2366 trace("LsaOpenPolicy(POLICY_ALL_ACCESS) failed, trying POLICY_VIEW_LOCAL_INFORMATION\n");
2367 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_VIEW_LOCAL_INFORMATION, &handle);
2368 ok(status == STATUS_SUCCESS, "LsaOpenPolicy(POLICY_VIEW_LOCAL_INFORMATION) returned 0x%08x\n", status);
2369 }
2370
2371 if (status == STATUS_SUCCESS)
2372 {
2373 PPOLICY_ACCOUNT_DOMAIN_INFO info;
2374 status = pLsaQueryInformationPolicy(handle, PolicyAccountDomainInformation, (PVOID*)&info);
2375 ok(status == STATUS_SUCCESS, "LsaQueryInformationPolicy() failed, returned 0x%08x\n", status);
2376 if (status == STATUS_SUCCESS)
2377 {
2378 ok(info->DomainSid!=0, "LsaQueryInformationPolicy(PolicyAccountDomainInformation) missing SID\n");
2379 if (info->DomainSid)
2380 {
2381 int count = *GetSidSubAuthorityCount(info->DomainSid);
2382 CopySid(GetSidLengthRequired(count), &max_sid, info->DomainSid);
2383 test_sid_str((PSID)&max_sid.sid);
2384 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_ADMIN;
2385 max_sid.sid.SubAuthorityCount = count + 1;
2386 test_sid_str((PSID)&max_sid.sid);
2387 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_GUEST;
2388 test_sid_str((PSID)&max_sid.sid);
2389 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ADMINS;
2390 test_sid_str((PSID)&max_sid.sid);
2391 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_USERS;
2392 test_sid_str((PSID)&max_sid.sid);
2393 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_GUESTS;
2394 test_sid_str((PSID)&max_sid.sid);
2395 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_COMPUTERS;
2396 test_sid_str((PSID)&max_sid.sid);
2397 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CONTROLLERS;
2398 test_sid_str((PSID)&max_sid.sid);
2399 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CERT_ADMINS;
2400 test_sid_str((PSID)&max_sid.sid);
2401 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_SCHEMA_ADMINS;
2402 test_sid_str((PSID)&max_sid.sid);
2403 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS;
2404 test_sid_str((PSID)&max_sid.sid);
2405 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_POLICY_ADMINS;
2406 test_sid_str((PSID)&max_sid.sid);
2407 max_sid.sid.SubAuthority[count] = DOMAIN_ALIAS_RID_RAS_SERVERS;
2408 test_sid_str((PSID)&max_sid.sid);
2409 max_sid.sid.SubAuthority[count] = 1000; /* first user account */
2410 test_sid_str((PSID)&max_sid.sid);
2411 }
2412
2413 pLsaFreeMemory((LPVOID)info);
2414 }
2415
2416 status = pLsaClose(handle);
2417 ok(status == STATUS_SUCCESS, "LsaClose() failed, returned 0x%08x\n", status);
2418 }
2419 }
2420 }
2421 }
2422
2423 static BOOL get_sid_info(PSID psid, LPSTR *user, LPSTR *dom)
2424 {
2425 static CHAR account[UNLEN + 1];
2426 static CHAR domain[UNLEN + 1];
2427 DWORD size, dom_size;
2428 SID_NAME_USE use;
2429
2430 *user = account;
2431 *dom = domain;
2432
2433 size = dom_size = UNLEN + 1;
2434 account[0] = '\0';
2435 domain[0] = '\0';
2436 SetLastError(0xdeadbeef);
2437 return LookupAccountSidA(NULL, psid, account, &size, domain, &dom_size, &use);
2438 }
2439
2440 static void check_wellknown_name(const char* name, WELL_KNOWN_SID_TYPE result)
2441 {
2442 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2443 PSID domainsid = NULL;
2444 char wk_sid[SECURITY_MAX_SID_SIZE];
2445 DWORD cb;
2446
2447 DWORD sid_size, domain_size;
2448 SID_NAME_USE sid_use;
2449 LPSTR domain, account, sid_domain, wk_domain, wk_account;
2450 PSID psid;
2451 BOOL ret ,ret2;
2452
2453 sid_size = 0;
2454 domain_size = 0;
2455 ret = LookupAccountNameA(NULL, name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2456 ok(!ret, " %s Should have failed to lookup account name\n", name);
2457 psid = HeapAlloc(GetProcessHeap(),0,sid_size);
2458 domain = HeapAlloc(GetProcessHeap(),0,domain_size);
2459 ret = LookupAccountNameA(NULL, name, psid, &sid_size, domain, &domain_size, &sid_use);
2460
2461 if (!result)
2462 {
2463 ok(!ret, " %s Should have failed to lookup account name\n",name);
2464 goto cleanup;
2465 }
2466
2467 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2468 cb = sizeof(wk_sid);
2469 if (!pCreateWellKnownSid(result, domainsid, wk_sid, &cb))
2470 {
2471 win_skip("SID %i is not available on the system\n",result);
2472 goto cleanup;
2473 }
2474
2475 ret2 = get_sid_info(wk_sid, &wk_account, &wk_domain);
2476 if (!ret2 && GetLastError() == ERROR_NONE_MAPPED)
2477 {
2478 win_skip("CreateWellKnownSid() succeeded but the account '%s' is not present (W2K)\n", name);
2479 goto cleanup;
2480 }
2481
2482 get_sid_info(psid, &account, &sid_domain);
2483
2484 ok(ret, "Failed to lookup account name %s\n",name);
2485 ok(sid_size != 0, "sid_size was zero\n");
2486
2487 ok(EqualSid(psid,wk_sid),"%s Sid %s fails to match well known sid %s!\n",
2488 name, debugstr_sid(psid), debugstr_sid(wk_sid));
2489
2490 ok(!lstrcmpA(account, wk_account), "Expected %s , got %s\n", account, wk_account);
2491 ok(!lstrcmpA(domain, wk_domain), "Expected %s, got %s\n", wk_domain, domain);
2492 ok(sid_use == SidTypeWellKnownGroup , "Expected Use (5), got %d\n", sid_use);
2493
2494 cleanup:
2495 FreeSid(domainsid);
2496 HeapFree(GetProcessHeap(),0,psid);
2497 HeapFree(GetProcessHeap(),0,domain);
2498 }
2499
2500 static void test_LookupAccountName(void)
2501 {
2502 DWORD sid_size, domain_size, user_size;
2503 DWORD sid_save, domain_save;
2504 CHAR user_name[UNLEN + 1];
2505 CHAR computer_name[UNLEN + 1];
2506 SID_NAME_USE sid_use;
2507 LPSTR domain, account, sid_dom;
2508 PSID psid;
2509 BOOL ret;
2510
2511 /* native crashes if (assuming all other parameters correct):
2512 * - peUse is NULL
2513 * - Sid is NULL and cbSid is > 0
2514 * - cbSid or cchReferencedDomainName are NULL
2515 * - ReferencedDomainName is NULL and cchReferencedDomainName is the correct size
2516 */
2517
2518 user_size = UNLEN + 1;
2519 SetLastError(0xdeadbeef);
2520 ret = GetUserNameA(user_name, &user_size);
2521 ok(ret, "Failed to get user name : %d\n", GetLastError());
2522
2523 /* get sizes */
2524 sid_size = 0;
2525 domain_size = 0;
2526 sid_use = 0xcafebabe;
2527 SetLastError(0xdeadbeef);
2528 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2529 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2530 {
2531 win_skip("LookupAccountNameA is not implemented\n");
2532 return;
2533 }
2534 ok(!ret, "Expected 0, got %d\n", ret);
2535 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2536 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2537 ok(sid_size != 0, "Expected non-zero sid size\n");
2538 ok(domain_size != 0, "Expected non-zero domain size\n");
2539 ok(sid_use == (SID_NAME_USE)0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2540
2541 sid_save = sid_size;
2542 domain_save = domain_size;
2543
2544 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2545 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2546
2547 /* try valid account name */
2548 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, domain, &domain_size, &sid_use);
2549 get_sid_info(psid, &account, &sid_dom);
2550 ok(ret, "Failed to lookup account name\n");
2551 ok(sid_size == GetLengthSid(psid), "Expected %d, got %d\n", GetLengthSid(psid), sid_size);
2552 ok(!lstrcmpA(account, user_name), "Expected %s, got %s\n", user_name, account);
2553 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2554 ok(domain_size == domain_save - 1, "Expected %d, got %d\n", domain_save - 1, domain_size);
2555 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2556 ok(sid_use == SidTypeUser, "Expected SidTypeUser (%d), got %d\n", SidTypeUser, sid_use);
2557 domain_size = domain_save;
2558 sid_size = sid_save;
2559
2560 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2561 {
2562 skip("Non-English locale (test with hardcoded 'Everyone')\n");
2563 }
2564 else
2565 {
2566 ret = LookupAccountNameA(NULL, "Everyone", psid, &sid_size, domain, &domain_size, &sid_use);
2567 get_sid_info(psid, &account, &sid_dom);
2568 ok(ret, "Failed to lookup account name\n");
2569 ok(sid_size != 0, "sid_size was zero\n");
2570 ok(!lstrcmpA(account, "Everyone"), "Expected Everyone, got %s\n", account);
2571 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2572 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2573 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2574 ok(sid_use == SidTypeWellKnownGroup, "Expected SidTypeWellKnownGroup (%d), got %d\n", SidTypeWellKnownGroup, sid_use);
2575 domain_size = domain_save;
2576 }
2577
2578 /* NULL Sid with zero sid size */
2579 SetLastError(0xdeadbeef);
2580 sid_size = 0;
2581 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2582 ok(!ret, "Expected 0, got %d\n", ret);
2583 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2584 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2585 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2586 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2587
2588 /* try cchReferencedDomainName - 1 */
2589 SetLastError(0xdeadbeef);
2590 domain_size--;
2591 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2592 ok(!ret, "Expected 0, got %d\n", ret);
2593 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2594 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2595 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2596 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2597
2598 /* NULL ReferencedDomainName with zero domain name size */
2599 SetLastError(0xdeadbeef);
2600 domain_size = 0;
2601 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, NULL, &domain_size, &sid_use);
2602 ok(!ret, "Expected 0, got %d\n", ret);
2603 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2604 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2605 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2606 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2607
2608 HeapFree(GetProcessHeap(), 0, psid);
2609 HeapFree(GetProcessHeap(), 0, domain);
2610
2611 /* get sizes for NULL account name */
2612 sid_size = 0;
2613 domain_size = 0;
2614 sid_use = 0xcafebabe;
2615 SetLastError(0xdeadbeef);
2616 ret = LookupAccountNameA(NULL, NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2617 if (!ret && GetLastError() == ERROR_NONE_MAPPED)
2618 win_skip("NULL account name doesn't work on NT4\n");
2619 else
2620 {
2621 ok(!ret, "Expected 0, got %d\n", ret);
2622 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2623 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2624 ok(sid_size != 0, "Expected non-zero sid size\n");
2625 ok(domain_size != 0, "Expected non-zero domain size\n");
2626 ok(sid_use == (SID_NAME_USE)0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2627
2628 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2629 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2630
2631 /* try NULL account name */
2632 ret = LookupAccountNameA(NULL, NULL, psid, &sid_size, domain, &domain_size, &sid_use);
2633 get_sid_info(psid, &account, &sid_dom);
2634 ok(ret, "Failed to lookup account name\n");
2635 /* Using a fixed string will not work on different locales */
2636 ok(!lstrcmpiA(account, domain),
2637 "Got %s for account and %s for domain, these should be the same\n", account, domain);
2638 ok(sid_use == SidTypeDomain, "Expected SidTypeDomain (%d), got %d\n", SidTypeDomain, sid_use);
2639
2640 HeapFree(GetProcessHeap(), 0, psid);
2641 HeapFree(GetProcessHeap(), 0, domain);
2642 }
2643
2644 /* try an invalid account name */
2645 SetLastError(0xdeadbeef);
2646 sid_size = 0;
2647 domain_size = 0;
2648 ret = LookupAccountNameA(NULL, "oogabooga", NULL, &sid_size, NULL, &domain_size, &sid_use);
2649 ok(!ret, "Expected 0, got %d\n", ret);
2650 ok(GetLastError() == ERROR_NONE_MAPPED ||
2651 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE),
2652 "Expected ERROR_NONE_MAPPED, got %d\n", GetLastError());
2653 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2654 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2655
2656 /* try an invalid system name */
2657 SetLastError(0xdeadbeef);
2658 sid_size = 0;
2659 domain_size = 0;
2660 ret = LookupAccountNameA("deepthought", NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2661 ok(!ret, "Expected 0, got %d\n", ret);
2662 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2663 "Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %d\n", GetLastError());
2664 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2665 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2666
2667 /* try with the computer name as the account name */
2668 domain_size = sizeof(computer_name);
2669 GetComputerNameA(computer_name, &domain_size);
2670 sid_size = 0;
2671 domain_size = 0;
2672 ret = LookupAccountNameA(NULL, computer_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2673 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER ||
2674 GetLastError() == ERROR_NONE_MAPPED /* in a domain */ ||
2675 broken(GetLastError() == ERROR_TRUSTED_DOMAIN_FAILURE) ||
2676 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE)),
2677 "LookupAccountNameA failed: %d\n", GetLastError());
2678 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
2679 {
2680 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2681 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2682 ret = LookupAccountNameA(NULL, computer_name, psid, &sid_size, domain, &domain_size, &sid_use);
2683 ok(ret, "LookupAccountNameA failed: %d\n", GetLastError());
2684 ok(sid_use == SidTypeDomain ||
2685 (sid_use == SidTypeUser && ! strcmp(computer_name, user_name)), "expected SidTypeDomain for %s, got %d\n", computer_name, sid_use);
2686 HeapFree(GetProcessHeap(), 0, domain);
2687 HeapFree(GetProcessHeap(), 0, psid);
2688 }
2689
2690 /* Well Known names */
2691 if (!pCreateWellKnownSid)
2692 {
2693 win_skip("CreateWellKnownSid not available\n");
2694 return;
2695 }
2696
2697 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2698 {
2699 skip("Non-English locale (skipping well known name creation tests)\n");
2700 return;
2701 }
2702
2703 check_wellknown_name("LocalService", WinLocalServiceSid);
2704 check_wellknown_name("Local Service", WinLocalServiceSid);
2705 /* 2 spaces */
2706 check_wellknown_name("Local Service", 0);
2707 check_wellknown_name("NetworkService", WinNetworkServiceSid);
2708 check_wellknown_name("Network Service", WinNetworkServiceSid);
2709
2710 /* example of some names where the spaces are not optional */
2711 check_wellknown_name("Terminal Server User", WinTerminalServerSid);
2712 check_wellknown_name("TerminalServer User", 0);
2713 check_wellknown_name("TerminalServerUser", 0);
2714 check_wellknown_name("Terminal ServerUser", 0);
2715
2716 check_wellknown_name("enterprise domain controllers",WinEnterpriseControllersSid);
2717 check_wellknown_name("enterprisedomain controllers", 0);
2718 check_wellknown_name("enterprise domaincontrollers", 0);
2719 check_wellknown_name("enterprisedomaincontrollers", 0);
2720
2721 /* case insensitivity */
2722 check_wellknown_name("lOCAlServICE", WinLocalServiceSid);
2723
2724 /* fully qualified account names */
2725 check_wellknown_name("NT AUTHORITY\\LocalService", WinLocalServiceSid);
2726 check_wellknown_name("nt authority\\Network Service", WinNetworkServiceSid);
2727 check_wellknown_name("nt authority test\\Network Service", 0);
2728 check_wellknown_name("Dummy\\Network Service", 0);
2729 check_wellknown_name("ntauthority\\Network Service", 0);
2730 }
2731
2732 static void test_security_descriptor(void)
2733 {
2734 SECURITY_DESCRIPTOR sd, *sd_rel, *sd_rel2, *sd_abs;
2735 char buf[8192];
2736 DWORD size, size_dacl, size_sacl, size_owner, size_group;
2737 BOOL isDefault, isPresent, ret;
2738 PACL pacl, dacl, sacl;
2739 PSID psid, owner, group;
2740
2741 SetLastError(0xdeadbeef);
2742 ret = InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
2743 if (ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2744 {
2745 win_skip("InitializeSecurityDescriptor is not implemented\n");
2746 return;
2747 }
2748
2749 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2750 expect_eq(psid, NULL, PSID, "%p");
2751 expect_eq(isDefault, FALSE, BOOL, "%d");
2752 sd.Control |= SE_DACL_PRESENT | SE_SACL_PRESENT;
2753
2754 SetLastError(0xdeadbeef);
2755 size = 5;
2756 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), FALSE, BOOL, "%d");
2757 expect_eq(GetLastError(), ERROR_INSUFFICIENT_BUFFER, DWORD, "%u");
2758 ok(size > 5, "Size not increased\n");
2759 if (size <= 8192)
2760 {
2761 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), TRUE, BOOL, "%d");
2762 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2763 expect_eq(psid, NULL, PSID, "%p");
2764 expect_eq(isDefault, FALSE, BOOL, "%d");
2765 ok(GetSecurityDescriptorGroup(&sd, &psid, &isDefault), "GetSecurityDescriptorGroup failed\n");
2766 expect_eq(psid, NULL, PSID, "%p");
2767 expect_eq(isDefault, FALSE, BOOL, "%d");
2768 ok(GetSecurityDescriptorDacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorDacl failed\n");
2769 expect_eq(isPresent, TRUE, BOOL, "%d");
2770 expect_eq(psid, NULL, PSID, "%p");
2771 expect_eq(isDefault, FALSE, BOOL, "%d");
2772 ok(GetSecurityDescriptorSacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorSacl failed\n");
2773 expect_eq(isPresent, TRUE, BOOL, "%d");
2774 expect_eq(psid, NULL, PSID, "%p");
2775 expect_eq(isDefault, FALSE, BOOL, "%d");
2776 }
2777
2778 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
2779 "O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)"
2780 "(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)"
2781 "(AU;NPSA;0x12019f;;;SU)", SDDL_REVISION_1, (void **)&sd_rel, NULL);
2782 ok(ret, "got %u\n", GetLastError());
2783
2784 size = 0;
2785 ret = MakeSelfRelativeSD(sd_rel, NULL, &size);
2786 todo_wine ok(!ret && GetLastError() == ERROR_BAD_DESCRIPTOR_FORMAT, "got %u\n", GetLastError());
2787
2788 /* convert to absolute form */
2789 size = size_dacl = size_sacl = size_owner = size_group = 0;
2790 ret = MakeAbsoluteSD(sd_rel, NULL, &size, NULL, &size_dacl, NULL, &size_sacl, NULL, &size_owner, NULL,
2791 &size_group);
2792 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %u\n", GetLastError());
2793
2794 sd_abs = HeapAlloc(GetProcessHeap(), 0, size + size_dacl + size_sacl + size_owner + size_group);
2795 dacl = (PACL)(sd_abs + 1);
2796 sacl = (PACL)((char *)dacl + size_dacl);
2797 owner = (PSID)((char *)sacl + size_sacl);
2798 group = (PSID)((char *)owner + size_owner);
2799 ret = MakeAbsoluteSD(sd_rel, sd_abs, &size, dacl, &size_dacl, sacl, &size_sacl, owner, &size_owner,
2800 group, &size_group);
2801 ok(ret, "got %u\n", GetLastError());
2802
2803 size = 0;
2804 ret = MakeSelfRelativeSD(sd_abs, NULL, &size);
2805 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %u\n", GetLastError());
2806 ok(size == 184, "got %u\n", size);
2807
2808 size += 4;
2809 sd_rel2 = HeapAlloc(GetProcessHeap(), 0, size);
2810 ret = MakeSelfRelativeSD(sd_abs, sd_rel2, &size);
2811 ok(ret, "got %u\n", GetLastError());
2812 ok(size == 188, "got %u\n", size);
2813
2814 HeapFree(GetProcessHeap(), 0, sd_abs);
2815 HeapFree(GetProcessHeap(), 0, sd_rel2);
2816 LocalFree(sd_rel);
2817 }
2818
2819 #define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,0,__LINE__)
2820 #define TEST_GRANTED_ACCESS2(a,b,c) test_granted_access(a,b,c,__LINE__)
2821 static void test_granted_access(HANDLE handle, ACCESS_MASK access,
2822 ACCESS_MASK alt, int line)
2823 {
2824 OBJECT_BASIC_INFORMATION obj_info;
2825 NTSTATUS status;
2826
2827 if (!pNtQueryObject)
2828 {
2829 skip_(__FILE__, line)("Not NT platform - skipping tests\n");
2830 return;
2831 }
2832
2833 status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
2834 sizeof(obj_info), NULL );
2835 ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
2836 if (alt)
2837 ok_(__FILE__, line)(obj_info.GrantedAccess == access ||
2838 obj_info.GrantedAccess == alt, "Granted access should be 0x%08x "
2839 "or 0x%08x, instead of 0x%08x\n", access, alt, obj_info.GrantedAccess);
2840 else
2841 ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Granted access should "
2842 "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
2843 }
2844
2845 #define CHECK_SET_SECURITY(o,i,e) \
2846 do{ \
2847 BOOL res_; \
2848 DWORD err; \
2849 SetLastError( 0xdeadbeef ); \
2850 res_ = SetKernelObjectSecurity( o, i, SecurityDescriptor ); \
2851 err = GetLastError(); \
2852 if (e == ERROR_SUCCESS) \
2853 ok(res_, "SetKernelObjectSecurity failed with %d\n", err); \
2854 else \
2855 ok(!res_ && err == e, "SetKernelObjectSecurity should have failed " \
2856 "with %s, instead of %d\n", #e, err); \
2857 }while(0)
2858
2859 static void test_process_security(void)
2860 {
2861 BOOL res;
2862 PTOKEN_OWNER owner;
2863 PTOKEN_PRIMARY_GROUP group;
2864 PSID AdminSid = NULL, UsersSid = NULL;
2865 PACL Acl = NULL, ThreadAcl = NULL;
2866 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL, *ThreadSecurityDescriptor = NULL;
2867 char buffer[MAX_PATH];
2868 PROCESS_INFORMATION info;
2869 STARTUPINFOA startup;
2870 SECURITY_ATTRIBUTES psa, tsa;
2871 HANDLE token, event;
2872 DWORD size;
2873 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
2874 PSID EveryoneSid = NULL;
2875
2876 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
2877 res = InitializeAcl(Acl, 256, ACL_REVISION);
2878 if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2879 {
2880 win_skip("ACLs not implemented - skipping tests\n");
2881 HeapFree(GetProcessHeap(), 0, Acl);
2882 return;
2883 }
2884 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
2885
2886 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
2887 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2888
2889 /* get owner from the token we might be running as a user not admin */
2890 res = OpenProcessToken( GetCurrentProcess(), MAXIMUM_ALLOWED, &token );
2891 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
2892 if (!res)
2893 {
2894 HeapFree(GetProcessHeap(), 0, Acl);
2895 return;
2896 }
2897
2898 res = GetTokenInformation( token, TokenOwner, NULL, 0, &size );
2899 ok(!res, "Expected failure, got %d\n", res);
2900 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2901 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2902
2903 owner = HeapAlloc(GetProcessHeap(), 0, size);
2904 res = GetTokenInformation( token, TokenOwner, owner, size, &size );
2905 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2906 AdminSid = ((TOKEN_OWNER*)owner)->Owner;
2907
2908 res = GetTokenInformation( token, TokenPrimaryGroup, NULL, 0, &size );
2909 ok(!res, "Expected failure, got %d\n", res);
2910 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2911 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2912
2913 group = HeapAlloc(GetProcessHeap(), 0, size);
2914 res = GetTokenInformation( token, TokenPrimaryGroup, group, size, &size );
2915 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2916 UsersSid = ((TOKEN_PRIMARY_GROUP*)group)->PrimaryGroup;
2917
2918 CloseHandle( token );
2919 if (!res)
2920 {
2921 HeapFree(GetProcessHeap(), 0, group);
2922 HeapFree(GetProcessHeap(), 0, owner);
2923 HeapFree(GetProcessHeap(), 0, Acl);
2924 return;
2925 }
2926
2927 res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
2928 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
2929 res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
2930 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
2931
2932 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
2933 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
2934 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
2935
2936 event = CreateEventA( NULL, TRUE, TRUE, "test_event" );
2937 ok(event != NULL, "CreateEvent %d\n", GetLastError());
2938
2939 SecurityDescriptor->Revision = 0;
2940 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_UNKNOWN_REVISION );
2941 SecurityDescriptor->Revision = SECURITY_DESCRIPTOR_REVISION;
2942
2943 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2944 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2945 CHECK_SET_SECURITY( event, SACL_SECURITY_INFORMATION, ERROR_ACCESS_DENIED );
2946 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2947 /* NULL DACL is valid and means that everyone has access */
2948 SecurityDescriptor->Control |= SE_DACL_PRESENT;
2949 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2950
2951 /* Set owner and group and dacl */
2952 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
2953 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
2954 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_SUCCESS );
2955 test_owner_equal( event, AdminSid, __LINE__ );
2956
2957 res = SetSecurityDescriptorGroup(SecurityDescriptor, EveryoneSid, FALSE);
2958 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2959 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2960 test_group_equal( event, EveryoneSid, __LINE__ );
2961
2962 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2963 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2964 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2965 /* setting a dacl should not change the owner or group */
2966 test_owner_equal( event, AdminSid, __LINE__ );
2967 test_group_equal( event, EveryoneSid, __LINE__ );
2968
2969 /* Test again with a different SID in case the previous SID also happens to
2970 * be the one that is incorrectly replacing the group. */
2971 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, FALSE);
2972 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2973 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2974 test_group_equal( event, UsersSid, __LINE__ );
2975
2976 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2977 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2978 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2979 test_group_equal( event, UsersSid, __LINE__ );
2980
2981 sprintf(buffer, "%s tests/security.c test", myARGV[0]);
2982 memset(&startup, 0, sizeof(startup));
2983 startup.cb = sizeof(startup);
2984 startup.dwFlags = STARTF_USESHOWWINDOW;
2985 startup.wShowWindow = SW_SHOWNORMAL;
2986
2987 psa.nLength = sizeof(psa);
2988 psa.lpSecurityDescriptor = SecurityDescriptor;
2989 psa.bInheritHandle = TRUE;
2990
2991 ThreadSecurityDescriptor = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
2992 res = InitializeSecurityDescriptor( ThreadSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION );
2993 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
2994
2995 ThreadAcl = HeapAlloc( GetProcessHeap(), 0, 256 );
2996 res = InitializeAcl( ThreadAcl, 256, ACL_REVISION );
2997 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
2998 res = AddAccessDeniedAce( ThreadAcl, ACL_REVISION, THREAD_SET_THREAD_TOKEN, AdminSid );
2999 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError() );
3000 res = AddAccessAllowedAce( ThreadAcl, ACL_REVISION, THREAD_ALL_ACCESS, AdminSid );
3001 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3002
3003 res = SetSecurityDescriptorOwner( ThreadSecurityDescriptor, AdminSid, FALSE );
3004 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3005 res = SetSecurityDescriptorGroup( ThreadSecurityDescriptor, UsersSid, FALSE );
3006 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
3007 res = SetSecurityDescriptorDacl( ThreadSecurityDescriptor, TRUE, ThreadAcl, FALSE );
3008 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
3009
3010 tsa.nLength = sizeof(tsa);
3011 tsa.lpSecurityDescriptor = ThreadSecurityDescriptor;
3012 tsa.bInheritHandle = TRUE;
3013
3014 /* Doesn't matter what ACL say we should get full access for ourselves */
3015 res = CreateProcessA( NULL, buffer, &psa, &tsa, FALSE, 0, NULL, NULL, &startup, &info );
3016 ok(res, "CreateProcess with err:%d\n", GetLastError());
3017 TEST_GRANTED_ACCESS2( info.hProcess, PROCESS_ALL_ACCESS_NT4,
3018 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
3019 TEST_GRANTED_ACCESS2( info.hThread, THREAD_ALL_ACCESS_NT4,
3020 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
3021 winetest_wait_child_process( info.hProcess );
3022
3023 FreeSid(EveryoneSid);
3024 CloseHandle( info.hProcess );
3025 CloseHandle( info.hThread );
3026 CloseHandle( event );
3027 HeapFree(GetProcessHeap(), 0, group);
3028 HeapFree(GetProcessHeap(), 0, owner);
3029 HeapFree(GetProcessHeap(), 0, Acl);
3030 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
3031 HeapFree(GetProcessHeap(), 0, ThreadAcl);
3032 HeapFree(GetProcessHeap(), 0, ThreadSecurityDescriptor);
3033 }
3034
3035 static void test_process_security_child(void)
3036 {
3037 HANDLE handle, handle1;
3038 BOOL ret;
3039 DWORD err;
3040
3041 handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
3042 ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
3043 TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
3044
3045 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
3046 &handle1, 0, TRUE, DUPLICATE_SAME_ACCESS );
3047 ok(ret, "duplicating handle err:%d\n", GetLastError());
3048 TEST_GRANTED_ACCESS( handle1, PROCESS_TERMINATE );
3049
3050 CloseHandle( handle1 );
3051
3052 SetLastError( 0xdeadbeef );
3053 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
3054 &handle1, PROCESS_ALL_ACCESS, TRUE, 0 );
3055 err = GetLastError();
3056 todo_wine
3057 ok(!ret && err == ERROR_ACCESS_DENIED, "duplicating handle should have failed "
3058 "with STATUS_ACCESS_DENIED, instead of err:%d\n", err);
3059
3060 CloseHandle( handle );
3061
3062 /* These two should fail - they are denied by ACL */
3063 handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
3064 todo_wine
3065 ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
3066 handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
3067 todo_wine
3068 ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
3069
3070 /* Documented privilege elevation */
3071 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
3072 &handle, 0, TRUE, DUPLICATE_SAME_ACCESS );
3073 ok(ret, "duplicating handle err:%d\n", GetLastError());
3074 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
3075 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
3076
3077 CloseHandle( handle );
3078
3079 /* Same only explicitly asking for all access rights */
3080 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
3081 &handle, PROCESS_ALL_ACCESS, TRUE, 0 );
3082 ok(ret, "duplicating handle err:%d\n", GetLastError());
3083 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
3084 PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION );
3085 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
3086 &handle1, PROCESS_VM_READ, TRUE, 0 );
3087 ok(ret, "duplicating handle err:%d\n", GetLastError());
3088 TEST_GRANTED_ACCESS( handle1, PROCESS_VM_READ );
3089 CloseHandle( handle1 );
3090 CloseHandle( handle );
3091
3092 /* Test thread security */
3093 handle = OpenThread( THREAD_TERMINATE, FALSE, GetCurrentThreadId() );
3094 ok(handle != NULL, "OpenThread(THREAD_TERMINATE) with err:%d\n", GetLastError());
3095 TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
3096 CloseHandle( handle );
3097
3098 handle = OpenThread( THREAD_SET_THREAD_TOKEN, FALSE, GetCurrentThreadId() );
3099 ok(handle == NULL, "OpenThread(THREAD_SET_THREAD_TOKEN) should have failed\n");
3100 }
3101
3102 static void test_impersonation_level(void)
3103 {
3104 HANDLE Token, ProcessToken;
3105 HANDLE Token2;
3106 DWORD Size;
3107 TOKEN_PRIVILEGES *Privileges;
3108 TOKEN_USER *User;
3109 PRIVILEGE_SET *PrivilegeSet;
3110 BOOL AccessGranted;
3111 BOOL ret;
3112 HKEY hkey;
3113 DWORD error;
3114
3115 if( !pDuplicateTokenEx ) {
3116 win_skip("DuplicateTokenEx is not available\n");
3117 return;
3118 }
3119 SetLastError(0xdeadbeef);
3120 ret = ImpersonateSelf(SecurityAnonymous);
3121 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3122 {
3123 win_skip("ImpersonateSelf is not implemented\n");
3124 return;
3125 }
3126 ok(ret, "ImpersonateSelf(SecurityAnonymous) failed with error %d\n", GetLastError());
3127 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3128 ok(!ret, "OpenThreadToken should have failed\n");
3129 error = GetLastError();
3130 ok(error == ERROR_CANT_OPEN_ANONYMOUS, "OpenThreadToken on anonymous token should have returned ERROR_CANT_OPEN_ANONYMOUS instead of %d\n", error);
3131 /* can't perform access check when opening object against an anonymous impersonation token */
3132 todo_wine {
3133 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3134 ok(error == ERROR_INVALID_HANDLE || error == ERROR_CANT_OPEN_ANONYMOUS || error == ERROR_BAD_IMPERSONATION_LEVEL,
3135 "RegOpenKeyEx failed with %d\n", error);
3136 }
3137 RevertToSelf();
3138
3139 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &ProcessToken);
3140 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
3141
3142 ret = pDuplicateTokenEx(ProcessToken,
3143 TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL,
3144 SecurityAnonymous, TokenImpersonation, &Token);
3145 ok(ret, "DuplicateTokenEx failed with error %d\n", GetLastError());
3146 /* can't increase the impersonation level */
3147 ret = DuplicateToken(Token, SecurityIdentification, &Token2);
3148 error = GetLastError();
3149 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL,
3150 "Duplicating a token and increasing the impersonation level should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3151 /* we can query anything from an anonymous token, including the user */
3152 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
3153 error = GetLastError();
3154 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenUser) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3155 User = HeapAlloc(GetProcessHeap(), 0, Size);
3156 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
3157 ok(ret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3158 HeapFree(GetProcessHeap(), 0, User);
3159
3160 /* PrivilegeCheck fails with SecurityAnonymous level */
3161 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
3162 error = GetLastError();
3163 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenPrivileges) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3164 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
3165 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
3166 ok(ret, "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
3167
3168 PrivilegeSet = HeapAlloc(GetProcessHeap(), 0, FIELD_OFFSET(PRIVILEGE_SET, Privilege[Privileges->PrivilegeCount]));
3169 PrivilegeSet->PrivilegeCount = Privileges->PrivilegeCount;
3170 memcpy(PrivilegeSet->Privilege, Privileges->Privileges, PrivilegeSet->PrivilegeCount * sizeof(PrivilegeSet->Privilege[0]));
3171 PrivilegeSet->Control = PRIVILEGE_SET_ALL_NECESSARY;
3172 HeapFree(GetProcessHeap(), 0, Privileges);
3173
3174 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3175 error = GetLastError();
3176 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL, "PrivilegeCheck for SecurityAnonymous token should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3177
3178 CloseHandle(Token);
3179
3180 ret = ImpersonateSelf(SecurityIdentification);
3181 ok(ret, "ImpersonateSelf(SecurityIdentification) failed with error %d\n", GetLastError());
3182 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3183 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3184
3185 /* can't perform access check when opening object against an identification impersonation token */
3186 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3187 todo_wine {
3188 ok(error == ERROR_INVALID_HANDLE || error == ERROR_BAD_IMPERSONATION_LEVEL || error == ERROR_ACCESS_DENIED,
3189 "RegOpenKeyEx should have failed with ERROR_INVALID_HANDLE, ERROR_BAD_IMPERSONATION_LEVEL or ERROR_ACCESS_DENIED instead of %d\n", error);
3190 }
3191 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3192 ok(ret, "PrivilegeCheck for SecurityIdentification failed with error %d\n", GetLastError());
3193 CloseHandle(Token);
3194 RevertToSelf();
3195
3196 ret = ImpersonateSelf(SecurityImpersonation);
3197 ok(ret, "ImpersonateSelf(SecurityImpersonation) failed with error %d\n", GetLastError());
3198 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3199 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3200 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3201 ok(error == ERROR_SUCCESS, "RegOpenKeyEx should have succeeded instead of failing with %d\n", error);
3202 RegCloseKey(hkey);
3203 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3204 ok(ret, "PrivilegeCheck for SecurityImpersonation failed with error %d\n", GetLastError());
3205 RevertToSelf();
3206
3207 CloseHandle(Token);
3208 CloseHandle(ProcessToken);
3209
3210 HeapFree(GetProcessHeap(), 0, PrivilegeSet);
3211 }
3212
3213 static void test_SetEntriesInAclW(void)
3214 {
3215 DWORD res;
3216 PSID EveryoneSid = NULL, UsersSid = NULL;
3217 PACL OldAcl = NULL, NewAcl;
3218 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3219 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3220 EXPLICIT_ACCESSW ExplicitAccess;
3221 static const WCHAR wszEveryone[] = {'E','v','e','r','y','o','n','e',0};
3222 static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3223
3224 if (!pSetEntriesInAclW)
3225 {
3226 win_skip("SetEntriesInAclW is not available\n");
3227 return;
3228 }
3229
3230 NewAcl = (PACL)0xdeadbeef;
3231 res = pSetEntriesInAclW(0, NULL, NULL, &NewAcl);
3232 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3233 {
3234 win_skip("SetEntriesInAclW is not implemented\n");
3235 return;
3236 }
3237 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3238 ok(NewAcl == NULL ||
3239 broken(NewAcl != NULL), /* NT4 */
3240 "NewAcl=%p, expected NULL\n", NewAcl);
3241 LocalFree(NewAcl);
3242
3243 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3244 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3245 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3246 {
3247 win_skip("ACLs not implemented - skipping tests\n");
3248 HeapFree(GetProcessHeap(), 0, OldAcl);
3249 return;
3250 }
3251 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3252
3253 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3254 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3255
3256 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3257 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3258 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3259
3260 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3261 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3262
3263 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3264 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3265 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3266 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3267 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3268 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3269 ExplicitAccess.Trustee.MultipleTrusteeOperation = 0xDEADBEEF;
3270 ExplicitAccess.Trustee.pMultipleTrustee = (PVOID)0xDEADBEEF;
3271 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3272 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3273 ok(NewAcl != NULL, "returned acl was NULL\n");
3274 LocalFree(NewAcl);
3275
3276 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3277 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3278 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3279 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3280 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3281 ok(NewAcl != NULL, "returned acl was NULL\n");
3282 LocalFree(NewAcl);
3283
3284 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3285 {
3286 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3287 }
3288 else
3289 {
3290 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3291 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszEveryone;
3292 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3293 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3294 ok(NewAcl != NULL, "returned acl was NULL\n");
3295 LocalFree(NewAcl);
3296
3297 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3298 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3299 ok(res == ERROR_INVALID_PARAMETER ||
3300 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3301 "SetEntriesInAclW failed: %u\n", res);
3302 ok(NewAcl == NULL ||
3303 broken(NewAcl != NULL), /* NT4 */
3304 "returned acl wasn't NULL: %p\n", NewAcl);
3305
3306 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3307 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3308 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3309 ok(res == ERROR_INVALID_PARAMETER ||
3310 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3311 "SetEntriesInAclW failed: %u\n", res);
3312 ok(NewAcl == NULL ||
3313 broken(NewAcl != NULL), /* NT4 */
3314 "returned acl wasn't NULL: %p\n", NewAcl);
3315
3316 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3317 ExplicitAccess.grfAccessMode = SET_ACCESS;
3318 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3319 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3320 ok(NewAcl != NULL, "returned acl was NULL\n");
3321 LocalFree(NewAcl);
3322 }
3323
3324 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3325 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
3326 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3327 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3328 ok(NewAcl != NULL, "returned acl was NULL\n");
3329 LocalFree(NewAcl);
3330
3331 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3332 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3333 ExplicitAccess.Trustee.ptstrName = UsersSid;
3334 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3335 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3336 ok(NewAcl != NULL, "returned acl was NULL\n");
3337 LocalFree(NewAcl);
3338
3339 FreeSid(UsersSid);
3340 FreeSid(EveryoneSid);
3341 HeapFree(GetProcessHeap(), 0, OldAcl);
3342 }
3343
3344 static void test_SetEntriesInAclA(void)
3345 {
3346 DWORD res;
3347 PSID EveryoneSid = NULL, UsersSid = NULL;
3348 PACL OldAcl = NULL, NewAcl;
3349 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3350 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3351 EXPLICIT_ACCESSA ExplicitAccess;
3352 static const CHAR szEveryone[] = {'E','v','e','r','y','o','n','e',0};
3353 static const CHAR szCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3354
3355 if (!pSetEntriesInAclA)
3356 {
3357 win_skip("SetEntriesInAclA is not available\n");
3358 return;
3359 }
3360
3361 NewAcl = (PACL)0xdeadbeef;
3362 res = pSetEntriesInAclA(0, NULL, NULL, &NewAcl);
3363 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3364 {
3365 win_skip("SetEntriesInAclA is not implemented\n");
3366 return;
3367 }
3368 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3369 ok(NewAcl == NULL ||
3370 broken(NewAcl != NULL), /* NT4 */
3371 "NewAcl=%p, expected NULL\n", NewAcl);
3372 LocalFree(NewAcl);
3373
3374 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3375 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3376 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3377 {
3378 win_skip("ACLs not implemented - skipping tests\n");
3379 HeapFree(GetProcessHeap(), 0, OldAcl);
3380 return;
3381 }
3382 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3383
3384 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3385 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3386
3387 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3388 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3389 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3390
3391 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3392 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3393
3394 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3395 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3396 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3397 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3398 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3399 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3400 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3401 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3402 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3403 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3404 ok(NewAcl != NULL, "returned acl was NULL\n");
3405 LocalFree(NewAcl);
3406
3407 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3408 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3409 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3410 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3411 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3412 ok(NewAcl != NULL, "returned acl was NULL\n");
3413 LocalFree(NewAcl);
3414
3415 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3416 {
3417 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3418 }
3419 else
3420 {
3421 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3422 ExplicitAccess.Trustee.ptstrName = (LPSTR)szEveryone;
3423 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3424 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3425 ok(NewAcl != NULL, "returned acl was NULL\n");
3426 LocalFree(NewAcl);
3427
3428 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3429 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3430 ok(res == ERROR_INVALID_PARAMETER ||
3431 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3432 "SetEntriesInAclA failed: %u\n", res);
3433 ok(NewAcl == NULL ||
3434 broken(NewAcl != NULL), /* NT4 */
3435 "returned acl wasn't NULL: %p\n", NewAcl);
3436
3437 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3438 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3439 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3440 ok(res == ERROR_INVALID_PARAMETER ||
3441 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3442 "SetEntriesInAclA failed: %u\n", res);
3443 ok(NewAcl == NULL ||
3444 broken(NewAcl != NULL), /* NT4 */
3445 "returned acl wasn't NULL: %p\n", NewAcl);
3446
3447 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3448 ExplicitAccess.grfAccessMode = SET_ACCESS;
3449 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3450 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3451 ok(NewAcl != NULL, "returned acl was NULL\n");
3452 LocalFree(NewAcl);
3453 }
3454
3455 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3456 ExplicitAccess.Trustee.ptstrName = (LPSTR)szCurrentUser;
3457 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3458 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3459 ok(NewAcl != NULL, "returned acl was NULL\n");
3460 LocalFree(NewAcl);
3461
3462 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3463 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3464 ExplicitAccess.Trustee.ptstrName = UsersSid;
3465 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3466 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3467 ok(NewAcl != NULL, "returned acl was NULL\n");
3468 LocalFree(NewAcl);
3469
3470 FreeSid(UsersSid);
3471 FreeSid(EveryoneSid);
3472 HeapFree(GetProcessHeap(), 0, OldAcl);
3473 }
3474
3475 /* helper function for test_CreateDirectoryA */
3476 static void get_nt_pathW(const char *name, UNICODE_STRING *nameW)
3477 {
3478 UNICODE_STRING strW;
3479 ANSI_STRING str;
3480 NTSTATUS status;
3481 BOOLEAN ret;
3482
3483 pRtlInitAnsiString(&str, name);
3484
3485 status = pRtlAnsiStringToUnicodeString(&strW, &str, TRUE);
3486 ok(!status, "RtlAnsiStringToUnicodeString failed with %08x\n", status);
3487
3488 ret = pRtlDosPathNameToNtPathName_U(strW.Buffer, nameW, NULL, NULL);
3489 ok(ret, "RtlDosPathNameToNtPathName_U failed\n");
3490
3491 pRtlFreeUnicodeString(&strW);
3492 }
3493
3494 static void test_inherited_dacl(PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask,
3495 BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
3496 {
3497 ACL_SIZE_INFORMATION acl_size;
3498 ACCESS_ALLOWED_ACE *ace;
3499 BOOL bret;
3500
3501 bret = pGetAclInformation(dacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3502 ok_(__FILE__, line)(bret, "GetAclInformation failed\n");
3503
3504 todo_wine_if (todo_count)
3505 ok_(__FILE__, line)(acl_size.AceCount == 2,
3506 "GetAclInformation returned unexpected entry count (%d != 2)\n",
3507 acl_size.AceCount);
3508
3509 if (acl_size.AceCount > 0)
3510 {
3511 bret = pGetAce(dacl, 0, (VOID **)&ace);
3512 ok_(__FILE__, line)(bret, "Failed to get Current User ACE\n");
3513
3514 bret = EqualSid(&ace->SidStart, user_sid);
3515 todo_wine_if (todo_sid)
3516 ok_(__FILE__, line)(bret, "Current User ACE (%s) != Current User SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3517
3518 todo_wine_if (todo_flags)
3519 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3520 "Current User ACE has unexpected flags (0x%x != 0x%x)\n",
3521 ((ACE_HEADER *)ace)->AceFlags, flags);
3522
3523 ok_(__FILE__, line)(ace->Mask == mask,
3524 "Current User ACE has unexpected mask (0x%x != 0x%x)\n",
3525 ace->Mask, mask);
3526 }
3527 if (acl_size.AceCount > 1)
3528 {
3529 bret = pGetAce(dacl, 1, (VOID **)&ace);
3530 ok_(__FILE__, line)(bret, "Failed to get Administators Group ACE\n");
3531
3532 bret = EqualSid(&ace->SidStart, admin_sid);
3533 todo_wine_if (todo_sid)
3534 ok_(__FILE__, line)(bret, "Administators Group ACE (%s) != Administators Group SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3535
3536 todo_wine_if (todo_flags)
3537 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3538 "Administators Group ACE has unexpected flags (0x%x != 0x%x)\n",
3539 ((ACE_HEADER *)ace)->AceFlags, flags);
3540
3541 ok_(__FILE__, line)(ace->Mask == mask,
3542 "Administators Group ACE has unexpected mask (0x%x != 0x%x)\n",
3543 ace->Mask, mask);
3544 }
3545 }
3546
3547 static void test_CreateDirectoryA(void)
3548 {
3549 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3550 DWORD sid_size = sizeof(admin_ptr), user_size;
3551 PSID admin_sid = (PSID) admin_ptr, user_sid;
3552 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
3553 PSECURITY_DESCRIPTOR pSD = &sd;
3554 ACL_SIZE_INFORMATION acl_size;
3555 UNICODE_STRING tmpfileW;
3556 SECURITY_ATTRIBUTES sa;
3557 OBJECT_ATTRIBUTES attr;
3558 char tmpfile[MAX_PATH];
3559 char tmpdir[MAX_PATH];
3560 HANDLE token, hTemp;
3561 IO_STATUS_BLOCK io;
3562 struct _SID *owner;
3563 BOOL bret = TRUE;
3564 NTSTATUS status;
3565 DWORD error;
3566 PACL pDacl;
3567
3568 if (!pGetSecurityInfo || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3569 {
3570 win_skip("Required functions are not available\n");
3571 return;
3572 }
3573
3574 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3575 {
3576 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3577 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3578 }
3579 if (!bret)
3580 {
3581 win_skip("Failed to get current user token\n");
3582 return;
3583 }
3584 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3585 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3586 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3587 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3588 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3589 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3590 CloseHandle( token );
3591 user_sid = ((TOKEN_USER *)user)->User.Sid;
3592
3593 sa.nLength = sizeof(sa);
3594 sa.lpSecurityDescriptor = pSD;
3595 sa.bInheritHandle = TRUE;
3596 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3597 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3598 pDacl = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 100);
3599 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3600 ok(bret, "Failed to initialize ACL.\n");
3601 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3602 GENERIC_ALL, user_sid);
3603 ok(bret, "Failed to add Current User to ACL.\n");
3604 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3605 GENERIC_ALL, admin_sid);
3606 ok(bret, "Failed to add Administrator Group to ACL.\n");
3607 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3608 ok(bret, "Failed to add ACL to security descriptor.\n");
3609
3610 GetTempPathA(MAX_PATH, tmpdir);
3611 lstrcatA(tmpdir, "Please Remove Me");
3612 bret = CreateDirectoryA(tmpdir, &sa);
3613 ok(bret == TRUE, "CreateDirectoryA(%s) failed err=%d\n", tmpdir, GetLastError());
3614 HeapFree(GetProcessHeap(), 0, pDacl);
3615
3616 SetLastError(0xdeadbeef);
3617 error = pGetNamedSecurityInfoA(tmpdir, SE_FILE_OBJECT,
3618 OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, (PSID*)&owner,
3619 NULL, &pDacl, NULL, &pSD);
3620 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3621 {
3622 win_skip("GetNamedSecurityInfoA is not implemented\n");
3623 goto done;
3624 }
3625 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3626 test_inherited_dacl(pDacl, admin_sid, user_sid, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3627 0x1f01ff, FALSE, TRUE, FALSE, __LINE__);
3628 LocalFree(pSD);
3629
3630 /* Test inheritance of ACLs in CreateFile without security descriptor */
3631 strcpy(tmpfile, tmpdir);
3632 lstrcatA(tmpfile, "/tmpfile");
3633
3634 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, NULL,
3635 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3636 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3637
3638 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3639 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3640 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3641 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3642 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3643 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3644 LocalFree(pSD);
3645 CloseHandle(hTemp);
3646
3647 /* Test inheritance of ACLs in CreateFile with security descriptor -
3648 * When a security descriptor is set, then inheritance doesn't take effect */
3649 pSD = &sd;
3650 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3651 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3652 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3653 ok(bret, "Failed to initialize ACL\n");
3654 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3655 ok(bret, "Failed to add ACL to security descriptor\n");
3656
3657 strcpy(tmpfile, tmpdir);
3658 lstrcatA(tmpfile, "/tmpfile");
3659
3660 sa.nLength = sizeof(sa);
3661 sa.lpSecurityDescriptor = pSD;
3662 sa.bInheritHandle = TRUE;
3663 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, &sa,
3664 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3665 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3666 HeapFree(GetProcessHeap(), 0, pDacl);
3667
3668 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3669 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3670 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3671 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3672 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3673 ok(bret, "GetAclInformation failed\n");
3674 todo_wine
3675 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3676 acl_size.AceCount);
3677 LocalFree(pSD);
3678
3679 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3680 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3681 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3682 todo_wine
3683 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3684 if (error == ERROR_SUCCESS)
3685 {
3686 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3687 ok(bret, "GetAclInformation failed\n");
3688 todo_wine
3689 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3690 acl_size.AceCount);
3691 LocalFree(pSD);
3692 }
3693 CloseHandle(hTemp);
3694
3695 /* Test inheritance of ACLs in NtCreateFile without security descriptor */
3696 strcpy(tmpfile, tmpdir);
3697 lstrcatA(tmpfile, "/tmpfile");
3698 get_nt_pathW(tmpfile, &tmpfileW);
3699
3700 attr.Length = sizeof(attr);
3701 attr.RootDirectory = 0;
3702 attr.ObjectName = &tmpfileW;
3703 attr.Attributes = OBJ_CASE_INSENSITIVE;
3704 attr.SecurityDescriptor = NULL;
3705 attr.SecurityQualityOfService = NULL;
3706
3707 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3708 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3709 ok(!status, "NtCreateFile failed with %08x\n", status);
3710 pRtlFreeUnicodeString(&tmpfileW);
3711
3712 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3713 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3714 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3715 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3716 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3717 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3718 LocalFree(pSD);
3719 CloseHandle(hTemp);
3720
3721 /* Test inheritance of ACLs in NtCreateFile with security descriptor -
3722 * When a security descriptor is set, then inheritance doesn't take effect */
3723 pSD = &sd;
3724 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3725 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3726 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3727 ok(bret, "Failed to initialize ACL\n");
3728 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3729 ok(bret, "Failed to add ACL to security descriptor\n");
3730
3731 strcpy(tmpfile, tmpdir);
3732 lstrcatA(tmpfile, "/tmpfile");
3733 get_nt_pathW(tmpfile, &tmpfileW);
3734
3735 attr.Length = sizeof(attr);
3736 attr.RootDirectory = 0;
3737 attr.ObjectName = &tmpfileW;
3738 attr.Attributes = OBJ_CASE_INSENSITIVE;
3739 attr.SecurityDescriptor = pSD;
3740 attr.SecurityQualityOfService = NULL;
3741
3742 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3743 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3744 ok(!status, "NtCreateFile failed with %08x\n", status);
3745 pRtlFreeUnicodeString(&tmpfileW);
3746 HeapFree(GetProcessHeap(), 0, pDacl);
3747
3748 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3749 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3750 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3751 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3752 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3753 ok(bret, "GetAclInformation failed\n");
3754 todo_wine
3755 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3756 acl_size.AceCount);
3757 LocalFree(pSD);
3758
3759 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3760 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3761 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3762 todo_wine
3763 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3764 if (error == ERROR_SUCCESS)
3765 {
3766 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3767 ok(bret, "GetAclInformation failed\n");
3768 todo_wine
3769 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3770 acl_size.AceCount);
3771 LocalFree(pSD);
3772 }
3773 CloseHandle(hTemp);
3774
3775 done:
3776 HeapFree(GetProcessHeap(), 0, user);
3777 bret = RemoveDirectoryA(tmpdir);
3778 ok(bret == TRUE, "RemoveDirectoryA should always succeed\n");
3779 }
3780
3781 static void test_GetNamedSecurityInfoA(void)
3782 {
3783 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3784 char system_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3785 char users_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3786 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3787 PSID admin_sid = (PSID) admin_ptr, users_sid = (PSID) users_ptr;
3788 PSID system_sid = (PSID) system_ptr, user_sid, localsys_sid;
3789 DWORD sid_size = sizeof(admin_ptr), user_size;
3790 char invalid_path[] = "/an invalid file path";
3791 int users_ace_id = -1, admins_ace_id = -1, i;
3792 char software_key[] = "MACHINE\\Software";
3793 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH+sizeof(void*)];
3794 SECURITY_DESCRIPTOR_CONTROL control;
3795 ACL_SIZE_INFORMATION acl_size;
3796 CHAR windows_dir[MAX_PATH];
3797 PSECURITY_DESCRIPTOR pSD;
3798 ACCESS_ALLOWED_ACE *ace;
3799 BOOL bret = TRUE, isNT4;
3800 char tmpfile[MAX_PATH];
3801 DWORD error, revision;
3802 BOOL owner_defaulted;
3803 BOOL group_defaulted;
3804 BOOL dacl_defaulted;
3805 HANDLE token, hTemp, h;
3806 PSID owner, group;
3807 BOOL dacl_present;
3808 PACL pDacl;
3809 BYTE flags;
3810 NTSTATUS status;
3811
3812 if (!pSetNamedSecurityInfoA || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3813 {
3814 win_skip("Required functions are not available\n");
3815 return;
3816 }
3817
3818 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3819 {
3820 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3821 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3822 }
3823 if (!bret)
3824 {
3825 win_skip("Failed to get current user token\n");
3826 return;
3827 }
3828 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3829 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3830 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3831 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3832 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3833 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3834 CloseHandle( token );
3835 user_sid = ((TOKEN_USER *)user)->User.Sid;
3836
3837 bret = GetWindowsDirectoryA(windows_dir, MAX_PATH);
3838 ok(bret, "GetWindowsDirectory failed with error %d\n", GetLastError());
3839
3840 SetLastError(0xdeadbeef);
3841 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,
3842 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
3843 NULL, NULL, NULL, NULL, &pSD);
3844 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3845 {
3846 win_skip("GetNamedSecurityInfoA is not implemented\n");
3847 HeapFree(GetProcessHeap(), 0, user);
3848 return;
3849 }
3850 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3851
3852 bret = GetSecurityDescriptorControl(pSD, &control, &revision);
3853 ok(bret, "GetSecurityDescriptorControl failed with error %d\n", GetLastError());
3854 ok((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == (SE_SELF_RELATIVE|SE_DACL_PRESENT) ||
3855 broken((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT), /* NT4 */
3856 "control (0x%x) doesn't have (SE_SELF_RELATIVE|SE_DACL_PRESENT) flags set\n", control);
3857 ok(revision == SECURITY_DESCRIPTOR_REVISION1, "revision was %d instead of 1\n", revision);
3858
3859 isNT4 = (control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT;
3860
3861 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
3862 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3863 ok(owner != NULL, "owner should not be NULL\n");
3864
3865 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
3866 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
3867 ok(group != NULL, "group should not be NULL\n");
3868 LocalFree(pSD);
3869
3870
3871 /* NULL descriptor tests */
3872 if(isNT4)
3873 {
3874 win_skip("NT4 does not support GetNamedSecutityInfo with a NULL descriptor\n");
3875 HeapFree(GetProcessHeap(), 0, user);
3876 return;
3877 }
3878
3879 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3880 NULL, NULL, NULL, NULL, NULL);
3881 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3882
3883 pDacl = NULL;
3884 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3885 NULL, NULL, &pDacl, NULL, &pSD);
3886 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3887 ok(pDacl != NULL, "DACL should not be NULL\n");
3888 LocalFree(pSD);
3889
3890 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,
3891 NULL, NULL, &pDacl, NULL, NULL);
3892 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3893
3894 /* Test behavior of SetNamedSecurityInfo with an invalid path */
3895 SetLastError(0xdeadbeef);
3896 error = pSetNamedSecurityInfoA(invalid_path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3897 NULL, NULL, NULL);
3898 ok(error == ERROR_FILE_NOT_FOUND, "Unexpected error returned: 0x%x\n", error);
3899 ok(GetLastError() == 0xdeadbeef, "Expected last error to remain unchanged.\n");
3900
3901 /* Create security descriptor information and test that it comes back the same */
3902 pSD = &sd;
3903 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3904 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3905 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3906 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3907 ok(bret, "Failed to initialize ACL.\n");
3908 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3909 ok(bret, "Failed to add Current User to ACL.\n");
3910 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
3911 ok(bret, "Failed to add Administrator Group to ACL.\n");
3912 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3913 ok(bret, "Failed to add ACL to security descriptor.\n");
3914 GetTempFileNameA(".", "foo", 0, tmpfile);
3915 hTemp = CreateFileA(tmpfile, WRITE_DAC|GENERIC_WRITE, FILE_SHARE_DELETE|FILE_SHARE_READ,
3916 NULL, OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3917 SetLastError(0xdeadbeef);
3918 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3919 NULL, pDacl, NULL);
3920 HeapFree(GetProcessHeap(), 0, pDacl);
3921 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3922 {
3923 win_skip("SetNamedSecurityInfoA is not implemented\n");
3924 HeapFree(GetProcessHeap(), 0, user);
3925 CloseHandle(hTemp);
3926 return;
3927 }
3928 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3929 SetLastError(0xdeadbeef);
3930 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3931 NULL, NULL, &pDacl, NULL, &pSD);
3932 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3933 {
3934 win_skip("GetNamedSecurityInfoA is not implemented\n");
3935 HeapFree(GetProcessHeap(), 0, user);
3936 CloseHandle(hTemp);
3937 return;
3938 }
3939 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3940
3941 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3942 ok(bret, "GetAclInformation failed\n");
3943 if (acl_size.AceCount > 0)
3944 {
3945 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3946 ok(bret, "Failed to get Current User ACE.\n");
3947 bret = EqualSid(&ace->SidStart, user_sid);
3948 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
3949 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3950 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3951 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3952 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
3953 ace->Mask);
3954 }
3955 if (acl_size.AceCount > 1)
3956 {
3957 bret = pGetAce(pDacl, 1, (VOID **)&ace);
3958 ok(bret, "Failed to get Administators Group ACE.\n");
3959 bret = EqualSid(&ace->SidStart, admin_sid);
3960 todo_wine ok(bret || broken(!bret) /* win2k */,
3961 "Administators Group ACE (%s) != Administators Group SID (%s).\n",
3962 debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3963 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3964 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3965 ok(ace->Mask == 0x1f01ff || broken(ace->Mask == GENERIC_ALL) /* win2k */,
3966 "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n", ace->Mask);
3967 }
3968 LocalFree(pSD);
3969
3970 /* show that setting empty DACL is not removing all file permissions */
3971 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3972 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3973 ok(bret, "Failed to initialize ACL.\n");
3974 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3975 NULL, NULL, pDacl, NULL);
3976 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3977 HeapFree(GetProcessHeap(), 0, pDacl);
3978
3979 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3980 NULL, NULL, &pDacl, NULL, &pSD);
3981 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3982
3983 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3984 ok(bret, "GetAclInformation failed\n");
3985 if (acl_size.AceCount > 0)
3986 {
3987 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3988 ok(bret, "Failed to get ACE.\n");
3989 todo_wine ok(((ACE_HEADER *)ace)->AceFlags & INHERITED_ACE,
3990 "ACE has unexpected flags: 0x%x\n", ((ACE_HEADER *)ace)->AceFlags);
3991 }
3992 LocalFree(pSD);
3993
3994 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3995 NULL, OPEN_EXISTING, 0, NULL);
3996 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3997 CloseHandle(h);
3998
3999 /* test setting NULL DACL */
4000 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
4001 DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL);
4002 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
4003
4004 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4005 NULL, NULL, &pDacl, NULL, &pSD);
4006 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4007 todo_wine ok(!pDacl, "pDacl != NULL\n");
4008 LocalFree(pSD);
4009
4010 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4011 NULL, OPEN_EXISTING, 0, NULL);
4012 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4013 CloseHandle(h);
4014
4015 /* NtSetSecurityObject doesn't inherit DACL entries */
4016 pSD = sd+sizeof(void*)-((ULONG_PTR)sd)%sizeof(void*);
4017 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
4018 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
4019 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
4020 ok(bret, "Failed to initialize ACL.\n");
4021 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4022 ok(bret, "Failed to add ACL to security descriptor.\n");
4023 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4024 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4025
4026 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4027 NULL, OPEN_EXISTING, 0, NULL);
4028 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4029 CloseHandle(h);
4030
4031 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ, SE_DACL_AUTO_INHERIT_REQ);
4032 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4033 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4034
4035 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4036 NULL, OPEN_EXISTING, 0, NULL);
4037 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4038 CloseHandle(h);
4039
4040 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED,
4041 SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED);
4042 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4043 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4044
4045 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4046 NULL, OPEN_EXISTING, 0, NULL);
4047 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4048 CloseHandle(h);
4049
4050 /* test if DACL is properly mapped to permission */
4051 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
4052 ok(bret, "Failed to initialize ACL.\n");
4053 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4054 ok(bret, "Failed to add Current User to ACL.\n");
4055 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4056 ok(bret, "Failed to add Current User to ACL.\n");
4057 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4058 ok(bret, "Failed to add ACL to security descriptor.\n");
4059 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4060 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4061
4062 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4063 NULL, OPEN_EXISTING, 0, NULL);
4064 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4065 CloseHandle(h);
4066
4067 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
4068 ok(bret, "Failed to initialize ACL.\n");
4069 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4070 ok(bret, "Failed to add Current User to ACL.\n");
4071 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4072 ok(bret, "Failed to add Current User to ACL.\n");
4073 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4074 ok(bret, "Failed to add ACL to security descriptor.\n");
4075 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
4076 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
4077
4078 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
4079 NULL, OPEN_EXISTING, 0, NULL);
4080 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
4081 HeapFree(GetProcessHeap(), 0, pDacl);
4082 HeapFree(GetProcessHeap(), 0, user);
4083 CloseHandle(hTemp);
4084
4085 /* Test querying the ownership of a built-in registry key */
4086 sid_size = sizeof(system_ptr);
4087 pCreateWellKnownSid(WinLocalSystemSid, NULL, system_sid, &sid_size);
4088 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY,
4089 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
4090 NULL, NULL, NULL, NULL, &pSD);
4091 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4092
4093 bret = AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &localsys_sid);
4094 ok(bret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4095
4096 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
4097 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
4098 ok(owner != NULL, "owner should not be NULL\n");
4099 ok(EqualSid(owner, admin_sid) || EqualSid(owner, localsys_sid),
4100 "MACHINE\\Software owner SID (%s) != Administrators SID (%s) or Local System Sid (%s).\n",
4101 debugstr_sid(owner), debugstr_sid(admin_sid), debugstr_sid(localsys_sid));
4102
4103 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
4104 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
4105 ok(group != NULL, "group should not be NULL\n");
4106 ok(EqualSid(group, admin_sid) || broken(EqualSid(group, system_sid)) /* before Win7 */
4107 || broken(((SID*)group)->SubAuthority[0] == SECURITY_NT_NON_UNIQUE) /* Vista */,
4108 "MACHINE\\Software group SID (%s) != Local System SID (%s or %s)\n",
4109 debugstr_sid(group), debugstr_sid(admin_sid), debugstr_sid(system_sid));
4110 LocalFree(pSD);
4111
4112 /* Test querying the DACL of a built-in registry key */
4113 sid_size = sizeof(users_ptr);
4114 pCreateWellKnownSid(WinBuiltinUsersSid, NULL, users_sid, &sid_size);
4115 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
4116 NULL, NULL, NULL, NULL, &pSD);
4117 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4118
4119 bret = GetSecurityDescriptorDacl(pSD, &dacl_present, &pDacl, &dacl_defaulted);
4120 ok(bret, "GetSecurityDescriptorDacl failed with error %d\n", GetLastError());
4121 ok(dacl_present, "DACL should be present\n");
4122 ok(pDacl && IsValidAcl(pDacl), "GetSecurityDescriptorDacl returned invalid DACL.\n");
4123 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4124 ok(bret, "GetAclInformation failed\n");
4125 ok(acl_size.AceCount != 0, "GetAclInformation returned no ACLs\n");
4126 for (i=0; i<acl_size.AceCount; i++)
4127 {
4128 bret = pGetAce(pDacl, i, (VOID **)&ace);
4129 ok(bret, "Failed to get ACE %d.\n", i);
4130 bret = EqualSid(&ace->SidStart, users_sid);
4131 if (bret) users_ace_id = i;
4132 bret = EqualSid(&ace->SidStart, admin_sid);
4133 if (bret) admins_ace_id = i;
4134 }
4135 ok(users_ace_id != -1 || broken(users_ace_id == -1) /* win2k */,
4136 "Builtin Users ACE not found.\n");
4137 if (users_ace_id != -1)
4138 {
4139 bret = pGetAce(pDacl, users_ace_id, (VOID **)&ace);
4140 ok(bret, "Failed to get Builtin Users ACE.\n");
4141 flags = ((ACE_HEADER *)ace)->AceFlags;
4142 ok(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)
4143 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4144 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4145 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4146 "Builtin Users ACE has unexpected flags (0x%x != 0x%x)\n", flags,
4147 INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE);
4148 ok(ace->Mask == GENERIC_READ
4149 || broken(ace->Mask == KEY_READ), /* win 10 */
4150 "Builtin Users ACE has unexpected mask (0x%x != 0x%x)\n",
4151 ace->Mask, GENERIC_READ);
4152 }
4153 ok(admins_ace_id != -1, "Builtin Admins ACE not found.\n");
4154 if (admins_ace_id != -1)
4155 {
4156 bret = pGetAce(pDacl, admins_ace_id, (VOID **)&ace);
4157 ok(bret, "Failed to get Builtin Admins ACE.\n");
4158 flags = ((ACE_HEADER *)ace)->AceFlags;
4159 ok(flags == 0x0
4160 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4161 || broken(flags == (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) /* win7 */
4162 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)) /* win8+ */
4163 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4164 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4165 "Builtin Admins ACE has unexpected flags (0x%x != 0x0)\n", flags);
4166 ok(ace->Mask == KEY_ALL_ACCESS || broken(ace->Mask == GENERIC_ALL) /* w2k8 */,
4167 "Builtin Admins ACE has unexpected mask (0x%x != 0x%x)\n", ace->Mask, KEY_ALL_ACCESS);
4168 }
4169
4170 FreeSid(localsys_sid);
4171 LocalFree(pSD);
4172 }
4173
4174 static void test_ConvertStringSecurityDescriptor(void)
4175 {
4176 BOOL ret;
4177 PSECURITY_DESCRIPTOR pSD;
4178 static const WCHAR Blank[] = { 0 };
4179 unsigned int i;
4180 ULONG size;
4181 ACL *acl;
4182 static const struct
4183 {
4184 const char *sidstring;
4185 DWORD revision;
4186 BOOL ret;
4187 DWORD GLE;
4188 DWORD altGLE;
4189 } cssd[] =
4190 {
4191 { "D:(A;;GA;;;WD)", 0xdeadbeef, FALSE, ERROR_UNKNOWN_REVISION },
4192 /* test ACE string type */
4193 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4194 { "D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4195 { "ERROR:(D;;GA;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_PARAMETER },
4196 /* test ACE string with spaces */
4197 { " D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4198 { "D: (D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4199 { "D:( D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4200 { "D:(D ;;GA;;;WD)", SDDL_REVISION_1, FALSE, RPC_S_INVALID_STRING_UUID, ERROR_INVALID_ACL }, /* Vista+ */
4201 { "D:(D; ;GA;;;WD)", SDDL_REVISION_1, TRUE },
4202 { "D:(D;; GA;;;WD)", SDDL_REVISION_1, TRUE },
4203 { "D:(D;;GA ;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4204 { "D:(D;;GA; ;;WD)", SDDL_REVISION_1, TRUE },
4205 { "D:(D;;GA;; ;WD)", SDDL_REVISION_1, TRUE },
4206 { "D:(D;;GA;;; WD)", SDDL_REVISION_1, TRUE },
4207 { "D:(D;;GA;;;WD )", SDDL_REVISION_1, TRUE },
4208 /* test ACE string access rights */
4209 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4210 { "D:(A;;GRGWGX;;;WD)", SDDL_REVISION_1, TRUE },
4211 { "D:(A;;RCSDWDWO;;;WD)", SDDL_REVISION_1, TRUE },
4212 { "D:(A;;RPWPCCDCLCSWLODTCR;;;WD)", SDDL_REVISION_1, TRUE },
4213 { "D:(A;;FAFRFWFX;;;WD)", SDDL_REVISION_1, TRUE },
4214 { "D:(A;;KAKRKWKX;;;WD)", SDDL_REVISION_1, TRUE },
4215 { "D:(A;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4216 { "S:(AU;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4217 /* test ACE string access right error case */
4218 { "D:(A;;ROB;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4219 /* test behaviour with empty strings */
4220 { "", SDDL_REVISION_1, TRUE },
4221 /* test ACE string SID */
4222 { "D:(D;;GA;;;S-1-0-0)", SDDL_REVISION_1, TRUE },
4223 { "D:(D;;GA;;;Nonexistent account)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL, ERROR_INVALID_SID } /* W2K */
4224 };
4225
4226 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4227 {
4228 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4229 return;
4230 }
4231
4232 for (i = 0; i < ARRAY_SIZE(cssd); i++)
4233 {
4234 DWORD GLE;
4235
4236 SetLastError(0xdeadbeef);
4237 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4238 cssd[i].sidstring, cssd[i].revision, &pSD, NULL);
4239 GLE = GetLastError();
4240 ok(ret == cssd[i].ret, "(%02u) Expected %s (%d)\n", i, cssd[i].ret ? "success" : "failure", GLE);
4241 if (!cssd[i].ret)
4242 ok(GLE == cssd[i].GLE ||
4243 (cssd[i].altGLE && GLE == cssd[i].altGLE),
4244 "(%02u) Unexpected last error %d\n", i, GLE);
4245 if (ret)
4246 LocalFree(pSD);
4247 }
4248
4249 /* test behaviour with NULL parameters */
4250 SetLastError(0xdeadbeef);
4251 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4252 NULL, 0xdeadbeef, &pSD, NULL);
4253 todo_wine
4254 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4255 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4256 GetLastError());
4257
4258 SetLastError(0xdeadbeef);
4259 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4260 NULL, 0xdeadbeef, &pSD, NULL);
4261 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4262 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4263 GetLastError());
4264
4265 SetLastError(0xdeadbeef);
4266 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4267 "D:(A;;ROB;;;WD)", 0xdeadbeef, NULL, NULL);
4268 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4269 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4270 GetLastError());
4271
4272 SetLastError(0xdeadbeef);
4273 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4274 "D:(A;;ROB;;;WD)", SDDL_REVISION_1, NULL, NULL);
4275 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4276 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4277 GetLastError());
4278
4279 /* test behaviour with empty strings */
4280 SetLastError(0xdeadbeef);
4281 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4282 Blank, SDDL_REVISION_1, &pSD, NULL);
4283 ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError());
4284 LocalFree(pSD);
4285
4286 SetLastError(0xdeadbeef);
4287 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4288 "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL);
4289 ok(ret || broken(!ret && GetLastError() == ERROR_INVALID_DATATYPE) /* win2k */,
4290 "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %u\n", GetLastError());
4291 if (ret) LocalFree(pSD);
4292
4293 /* empty DACL */
4294 size = 0;
4295 SetLastError(0xdeadbeef);
4296 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("D:", SDDL_REVISION_1, &pSD, &size);
4297 ok(ret, "unexpected error %u\n", GetLastError());
4298 ok(size == sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sizeof(ACL), "got %u\n", size);
4299 acl = (ACL *)((char *)pSD + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
4300 ok(acl->AclRevision == ACL_REVISION, "got %u\n", acl->AclRevision);
4301 ok(!acl->Sbz1, "got %u\n", acl->Sbz1);
4302 ok(acl->AclSize == sizeof(*acl), "got %u\n", acl->AclSize);
4303 ok(!acl->AceCount, "got %u\n", acl->AceCount);
4304 ok(!acl->Sbz2, "got %u\n", acl->Sbz2);
4305 LocalFree(pSD);
4306
4307 /* empty SACL */
4308 size = 0;
4309 SetLastError(0xdeadbeef);
4310 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("S:", SDDL_REVISION_1, &pSD, &size);
4311 ok(ret, "unexpected error %u\n", GetLastError());
4312 ok(size == sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sizeof(ACL), "got %u\n", size);
4313 acl = (ACL *)((char *)pSD + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
4314 ok(!acl->Sbz1, "got %u\n", acl->Sbz1);
4315 ok(acl->AclSize == sizeof(*acl), "got %u\n", acl->AclSize);
4316 ok(!acl->AceCount, "got %u\n", acl->AceCount);
4317 ok(!acl->Sbz2, "got %u\n", acl->Sbz2);
4318 LocalFree(pSD);
4319 }
4320
4321 static void test_ConvertSecurityDescriptorToString(void)
4322 {
4323 SECURITY_DESCRIPTOR desc;
4324 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4325 LPSTR string;
4326 DWORD size;
4327 PSID psid, psid2;
4328 PACL pacl;
4329 char sid_buf[256];
4330 char acl_buf[8192];
4331 ULONG len;
4332
4333 if (!pConvertSecurityDescriptorToStringSecurityDescriptorA)
4334 {
4335 win_skip("ConvertSecurityDescriptorToStringSecurityDescriptor is not available\n");
4336 return;
4337 }
4338 if (!pCreateWellKnownSid)
4339 {
4340 win_skip("CreateWellKnownSid is not available\n");
4341 return;
4342 }
4343
4344 /* It seems Windows XP adds an extra character to the length of the string for each ACE in an ACL. We
4345 * don't replicate this feature so we only test len >= strlen+1. */
4346 #define CHECK_RESULT_AND_FREE(exp_str) \
4347 ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
4348 ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
4349 LocalFree(string);
4350
4351 #define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2) \
4352 ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
4353 ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
4354 LocalFree(string);
4355
4356 InitializeSecurityDescriptor(&desc, SECURITY_DESCRIPTOR_REVISION);
4357 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4358 CHECK_RESULT_AND_FREE("");
4359
4360 size = 4096;
4361 pCreateWellKnownSid(WinLocalSid, NULL, sid_buf, &size);
4362 SetSecurityDescriptorOwner(&desc, sid_buf, FALSE);
4363 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4364 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4365
4366 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4367 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4368 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4369
4370 size = sizeof(sid_buf);
4371 pCreateWellKnownSid(WinLocalSystemSid, NULL, sid_buf, &size);
4372 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4373 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4374 CHECK_RESULT_AND_FREE("O:SY");
4375
4376 pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid);
4377 SetSecurityDescriptorGroup(&desc, psid, TRUE);
4378 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4379 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576");
4380
4381 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, GROUP_SECURITY_INFORMATION, &string, &len), "Conversion failed\n");
4382 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4383
4384 pacl = (PACL)acl_buf;
4385 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4386 SetSecurityDescriptorDacl(&desc, TRUE, pacl, TRUE);
4387 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4388 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4389
4390 SetSecurityDescriptorDacl(&desc, TRUE, pacl, FALSE);
4391 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4392 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4393
4394 pConvertStringSidToSidA("S-1-5-6", &psid2);
4395 pAddAccessAllowedAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, 0xf0000000, psid2);
4396 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4397 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)");
4398
4399 pAddAccessAllowedAceEx(pacl, ACL_REVISION, INHERIT_ONLY_ACE|INHERITED_ACE, 0x00000003, psid2);
4400 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4401 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)");
4402
4403 pAddAccessDeniedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE, 0xffffffff, psid);
4404 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4405 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)");
4406
4407
4408 pacl = (PACL)acl_buf;
4409 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4410 SetSecurityDescriptorSacl(&desc, TRUE, pacl, FALSE);
4411 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4412 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:");
4413
4414 /* fails in win2k */
4415 SetSecurityDescriptorDacl(&desc, TRUE, NULL, FALSE);
4416 pAddAuditAccessAceEx(pacl, ACL_REVISION, VALID_INHERIT_FLAGS, KEY_READ|KEY_WRITE, psid2, TRUE, TRUE);
4417 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4418 {
4419 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)", /* XP */
4420 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)" /* Vista */);
4421 }
4422
4423 /* fails in win2k */
4424 pAddAuditAccessAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, FILE_GENERIC_READ|FILE_GENERIC_WRITE, psid2, TRUE, FALSE);
4425 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4426 {
4427 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", /* XP */
4428 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)" /* Vista */);
4429 }
4430
4431 LocalFree(psid2);
4432 LocalFree(psid);
4433 }
4434
4435 static void test_SetSecurityDescriptorControl (PSECURITY_DESCRIPTOR sec)
4436 {
4437 SECURITY_DESCRIPTOR_CONTROL ref;
4438 SECURITY_DESCRIPTOR_CONTROL test;
4439
4440 SECURITY_DESCRIPTOR_CONTROL const mutable
4441 = SE_DACL_AUTO_INHERIT_REQ | SE_SACL_AUTO_INHERIT_REQ
4442 | SE_DACL_AUTO_INHERITED | SE_SACL_AUTO_INHERITED
4443 | SE_DACL_PROTECTED | SE_SACL_PROTECTED
4444 | 0x00000040 | 0x00000080 /* not defined in winnt.h */
4445 ;
4446 SECURITY_DESCRIPTOR_CONTROL const immutable
4447 = SE_OWNER_DEFAULTED | SE_GROUP_DEFAULTED
4448 | SE_DACL_PRESENT | SE_DACL_DEFAULTED
4449 | SE_SACL_PRESENT | SE_SACL_DEFAULTED
4450 | SE_RM_CONTROL_VALID | SE_SELF_RELATIVE
4451 ;
4452
4453 int bit;
4454 DWORD dwRevision;
4455 LPCSTR fmt = "Expected error %s, got %u\n";
4456
4457 GetSecurityDescriptorControl (sec, &ref, &dwRevision);
4458
4459 /* The mutable bits are mutable regardless of the truth of
4460 SE_DACL_PRESENT and/or SE_SACL_PRESENT */
4461
4462 /* Check call barfs if any bit-of-interest is immutable */
4463 for (bit = 0; bit < 16; ++bit)
4464 {
4465 SECURITY_DESCRIPTOR_CONTROL const bitOfInterest = 1 << bit;
4466 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitOfInterest;
4467
4468 SECURITY_DESCRIPTOR_CONTROL ctrl;
4469
4470 DWORD dwExpect = (bitOfInterest & immutable)
4471 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4472 LPCSTR strExpect = (bitOfInterest & immutable)
4473 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4474
4475 ctrl = (bitOfInterest & mutable) ? ref + bitOfInterest : ref;
4476 setOrClear ^= bitOfInterest;
4477 SetLastError (0xbebecaca);
4478 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4479 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4480 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4481 expect_eq(test, ctrl, int, "%x");
4482
4483 setOrClear ^= bitOfInterest;
4484 SetLastError (0xbebecaca);
4485 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4486 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4487 GetSecurityDescriptorControl (sec, &test, &dwRevision);
4488 expect_eq(test, ref, int, "%x");
4489 }
4490
4491 /* Check call barfs if any bit-to-set is immutable
4492 even when not a bit-of-interest */
4493 for (bit = 0; bit < 16; ++bit)
4494 {
4495 SECURITY_DESCRIPTOR_CONTROL const bitsOfInterest = mutable;
4496 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitsOfInterest;
4497
4498 SECURITY_DESCRIPTOR_CONTROL ctrl;
4499
4500 DWORD dwExpect = ((1 << bit) & immutable)
4501 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4502 LPCSTR strExpect = ((1 << bit) & immutable)
4503 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4504
4505 ctrl = ((1 << bit) & immutable) ? test : ref | mutable;
4506 setOrClear ^= bitsOfInterest;
4507 SetLastError (0xbebecaca);
4508 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4509 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4510 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4511 expect_eq(test, ctrl, int, "%x");
4512
4513 ctrl = ((1 << bit) & immutable) ? test : ref | (1 << bit);
4514 setOrClear ^= bitsOfInterest;
4515 SetLastError (0xbebecaca);
4516 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4517 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4518 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4519 expect_eq(test, ctrl, int, "%x");
4520 }
4521 }
4522
4523 static void test_PrivateObjectSecurity(void)
4524 {
4525 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4526 SECURITY_DESCRIPTOR_CONTROL ctrl;
4527 PSECURITY_DESCRIPTOR sec;
4528 DWORD dwDescSize;
4529 DWORD dwRevision;
4530 DWORD retSize;
4531 LPSTR string;
4532 ULONG len;
4533 PSECURITY_DESCRIPTOR buf;
4534 BOOL ret;
4535
4536 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4537 {
4538 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4539 return;
4540 }
4541
4542 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4543 "O:SY"
4544 "G:S-1-5-21-93476-23408-4576"
4545 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)"
4546 "(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4547 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4548 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4549
4550 test_SetSecurityDescriptorControl(sec);
4551
4552 LocalFree(sec);
4553
4554 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4555 "O:SY"
4556 "G:S-1-5-21-93476-23408-4576",
4557 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4558
4559 test_SetSecurityDescriptorControl(sec);
4560
4561 LocalFree(sec);
4562
4563 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4564 "O:SY"
4565 "G:S-1-5-21-93476-23408-4576"
4566 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4567 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4568 buf = HeapAlloc(GetProcessHeap(), 0, dwDescSize);
4569 pSetSecurityDescriptorControl(sec, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
4570 GetSecurityDescriptorControl(sec, &ctrl, &dwRevision);
4571 expect_eq(ctrl, 0x9014, int, "%x");
4572
4573 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4574 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4575 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4576 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4577 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4578 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4579 expect_eq(ctrl, 0x8000, int, "%x");
4580
4581 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4582 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4583 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4584 ret = pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len);
4585 ok(ret, "Conversion failed err=%u\n", GetLastError());
4586 CHECK_ONE_OF_AND_FREE("G:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)",
4587 "G:S-1-5-21-93476-23408-4576D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"); /* Win7 */
4588 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4589 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8004, int, "%x");
4590
4591 ret = GetPrivateObjectSecurity(sec, sec_info, buf, dwDescSize, &retSize);
4592 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4593 ok(retSize == dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4594 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4595 CHECK_ONE_OF_AND_FREE("O:SY"
4596 "G:S-1-5-21-93476-23408-4576"
4597 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4598 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4599 "O:SY"
4600 "G:S-1-5-21-93476-23408-4576"
4601 "D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4602 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)"); /* Win7 */
4603 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4604 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8014, int, "%x");
4605
4606 SetLastError(0xdeadbeef);
4607 ok(GetPrivateObjectSecurity(sec, sec_info, buf, 5, &retSize) == FALSE, "GetPrivateObjectSecurity should have failed\n");
4608 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected error ERROR_INSUFFICIENT_BUFFER, got %u\n", GetLastError());
4609
4610 LocalFree(sec);
4611 HeapFree(GetProcessHeap(), 0, buf);
4612 }
4613 #undef CHECK_RESULT_AND_FREE
4614 #undef CHECK_ONE_OF_AND_FREE
4615
4616 static void test_acls(void)
4617 {
4618 char buffer[256];
4619 PACL pAcl = (PACL)buffer;
4620 BOOL ret;
4621
4622 SetLastError(0xdeadbeef);
4623 ret = InitializeAcl(pAcl, sizeof(ACL) - 1, ACL_REVISION);
4624 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4625 {
4626 win_skip("InitializeAcl is not implemented\n");
4627 return;
4628 }
4629
4630 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "InitializeAcl with too small a buffer should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", GetLastError());
4631
4632 SetLastError(0xdeadbeef);
4633 ret = InitializeAcl(pAcl, 0xffffffff, ACL_REVISION);
4634 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl with too large a buffer should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4635
4636 SetLastError(0xdeadbeef);
4637 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION1);
4638 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(ACL_REVISION1) should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4639
4640 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION2);
4641 ok(ret, "InitializeAcl(ACL_REVISION2) failed with error %d\n", GetLastError());
4642
4643 ret = IsValidAcl(pAcl);
4644 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4645
4646 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION3);
4647 ok(ret, "InitializeAcl(ACL_REVISION3) failed with error %d\n", GetLastError());
4648
4649 ret = IsValidAcl(pAcl);
4650 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4651
4652 SetLastError(0xdeadbeef);
4653 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION4);
4654 if (GetLastError() != ERROR_INVALID_PARAMETER)
4655 {
4656 ok(ret, "InitializeAcl(ACL_REVISION4) failed with error %d\n", GetLastError());
4657
4658 ret = IsValidAcl(pAcl);
4659 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4660 }
4661 else
4662 win_skip("ACL_REVISION4 is not implemented on NT4\n");
4663
4664 SetLastError(0xdeadbeef);
4665 ret = InitializeAcl(pAcl, sizeof(buffer), -1);
4666 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(-1) failed with error %d\n", GetLastError());
4667 }
4668
4669 static void test_GetSecurityInfo(void)
4670 {
4671 char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
4672 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
4673 DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
4674 PSID admin_sid = (PSID) admin_ptr, user_sid;
4675 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
4676 ACL_SIZE_INFORMATION acl_size;
4677 PSECURITY_DESCRIPTOR pSD;
4678 ACCESS_ALLOWED_ACE *ace;
4679 HANDLE token, obj;
4680 PSID owner, group;
4681 BOOL bret = TRUE;
4682 PACL pDacl;
4683 DWORD ret;
4684
4685 if (!pGetSecurityInfo || !pSetSecurityInfo)
4686 {
4687 win_skip("[Get|Set]SecurityInfo is not available\n");
4688 return;
4689 }
4690
4691 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
4692 {
4693 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
4694 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
4695 }
4696 if (!bret)
4697 {
4698 win_skip("Failed to get current user token\n");
4699 return;
4700 }
4701 bret = GetTokenInformation(token, TokenUser, b, l, &l);
4702 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
4703 CloseHandle( token );
4704 user_sid = ((TOKEN_USER *)b)->User.Sid;
4705
4706 /* Create something. Files have lots of associated security info. */
4707 obj = CreateFileA(myARGV[0], GENERIC_READ|WRITE_DAC, FILE_SHARE_READ, NULL,
4708 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4709 if (obj == INVALID_HANDLE_VALUE)
4710 {
4711 skip("Couldn't create an object for GetSecurityInfo test\n");
4712 return;
4713 }
4714
4715 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4716 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4717 &owner, &group, &pDacl, NULL, &pSD);
4718 if (ret == ERROR_CALL_NOT_IMPLEMENTED)
4719 {
4720 win_skip("GetSecurityInfo is not implemented\n");
4721 CloseHandle(obj);
4722 return;
4723 }
4724 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4725 ok(pSD != NULL, "GetSecurityInfo\n");
4726 ok(owner != NULL, "GetSecurityInfo\n");
4727 ok(group != NULL, "GetSecurityInfo\n");
4728 if (pDacl != NULL)
4729 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4730 else
4731 win_skip("No ACL information returned\n");
4732
4733 LocalFree(pSD);
4734
4735 if (!pCreateWellKnownSid)
4736 {
4737 win_skip("NULL parameter test would crash on NT4\n");
4738 CloseHandle(obj);
4739 return;
4740 }
4741
4742 /* If we don't ask for the security descriptor, Windows will still give us
4743 the other stuff, leaving us no way to free it. */
4744 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4745 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4746 &owner, &group, &pDacl, NULL, NULL);
4747 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4748 ok(owner != NULL, "GetSecurityInfo\n");
4749 ok(group != NULL, "GetSecurityInfo\n");
4750 if (pDacl != NULL)
4751 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4752 else
4753 win_skip("No ACL information returned\n");
4754
4755 /* Create security descriptor information and test that it comes back the same */
4756 pSD = &sd;
4757 pDacl = (PACL)&dacl;
4758 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
4759 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
4760 bret = InitializeAcl(pDacl, sizeof(dacl), ACL_REVISION);
4761 ok(bret, "Failed to initialize ACL.\n");
4762 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4763 ok(bret, "Failed to add Current User to ACL.\n");
4764 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
4765 ok(bret, "Failed to add Administrator Group to ACL.\n");
4766 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4767 ok(bret, "Failed to add ACL to security descriptor.\n");
4768 ret = pSetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4769 NULL, NULL, pDacl, NULL);
4770 ok(ret == ERROR_SUCCESS, "SetSecurityInfo returned %d\n", ret);
4771 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4772 NULL, NULL, &pDacl, NULL, &pSD);
4773 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4774 ok(pDacl && IsValidAcl(pDacl), "GetSecurityInfo returned invalid DACL.\n");
4775 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4776 ok(bret, "GetAclInformation failed\n");
4777 if (acl_size.AceCount > 0)
4778 {
4779 bret = pGetAce(pDacl, 0, (VOID **)&ace);
4780 ok(bret, "Failed to get Current User ACE.\n");
4781 bret = EqualSid(&ace->SidStart, user_sid);
4782 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
4783 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
4784 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4785 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4786 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4787 ace->Mask);
4788 }
4789 if (acl_size.AceCount > 1)
4790 {
4791 bret = pGetAce(pDacl, 1, (VOID **)&ace);
4792 ok(bret, "Failed to get Administators Group ACE.\n");
4793 bret = EqualSid(&ace->SidStart, admin_sid);
4794 todo_wine ok(bret, "Administators Group ACE (%s) != Administators Group SID (%s).\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
4795 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4796 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4797 ok(ace->Mask == 0x1f01ff, "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4798 ace->Mask);
4799 }
4800 LocalFree(pSD);
4801 CloseHandle(obj);
4802 }
4803
4804 static void test_GetSidSubAuthority(void)
4805 {
4806 PSID psid = NULL;
4807
4808 if (!pGetSidSubAuthority || !pConvertStringSidToSidA || !pIsValidSid || !pGetSidSubAuthorityCount)
4809 {
4810 win_skip("Some functions not available\n");
4811 return;
4812 }
4813 /* Note: on windows passing in an invalid index like -1, lets GetSidSubAuthority return 0x05000000 but
4814 still GetLastError returns ERROR_SUCCESS then. We don't test these unlikely cornercases here for now */
4815 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576",&psid),"ConvertStringSidToSidA failed\n");
4816 ok(pIsValidSid(psid),"Sid is not valid\n");
4817 SetLastError(0xbebecaca);
4818 ok(*pGetSidSubAuthorityCount(psid) == 4,"GetSidSubAuthorityCount gave %d expected 4\n",*pGetSidSubAuthorityCount(psid));
4819 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4820 SetLastError(0xbebecaca);
4821 ok(*pGetSidSubAuthority(psid,0) == 21,"GetSidSubAuthority gave %d expected 21\n",*pGetSidSubAuthority(psid,0));
4822 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4823 SetLastError(0xbebecaca);
4824 ok(*pGetSidSubAuthority(psid,1) == 93476,"GetSidSubAuthority gave %d expected 93476\n",*pGetSidSubAuthority(psid,1));
4825 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4826 SetLastError(0xbebecaca);
4827 ok(pGetSidSubAuthority(psid,4) != NULL,"Expected out of bounds GetSidSubAuthority to return a non-NULL pointer\n");
4828 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4829 LocalFree(psid);
4830 }
4831
4832 static void test_CheckTokenMembership(void)
4833 {
4834 PTOKEN_GROUPS token_groups;
4835 DWORD size;
4836 HANDLE process_token, token;
4837 BOOL is_member;
4838 BOOL ret;
4839 DWORD i;
4840
4841 if (!pCheckTokenMembership)
4842 {
4843 win_skip("CheckTokenMembership is not available\n");
4844 return;
4845 }
4846 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
4847 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
4848
4849 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
4850 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
4851
4852 /* groups */
4853 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
4854 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
4855 "GetTokenInformation(TokenGroups) %s with error %d\n",
4856 ret ? "succeeded" : "failed", GetLastError());
4857 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
4858 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
4859 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
4860
4861 for (i = 0; i < token_groups->GroupCount; i++)
4862 {
4863 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
4864 break;
4865 }
4866
4867 if (i == token_groups->GroupCount)
4868 {
4869 HeapFree(GetProcessHeap(), 0, token_groups);
4870 CloseHandle(token);
4871 skip("user not a member of any group\n");
4872 return;
4873 }
4874
4875 is_member = FALSE;
4876 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
4877 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4878 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4879
4880 is_member = FALSE;
4881 ret = pCheckTokenMembership(NULL, token_groups->Groups[i].Sid, &is_member);
4882 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4883 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4884
4885 is_member = TRUE;
4886 SetLastError(0xdeadbeef);
4887 ret = pCheckTokenMembership(process_token, token_groups->Groups[i].Sid, &is_member);
4888 ok(!ret && GetLastError() == ERROR_NO_IMPERSONATION_TOKEN,
4889 "CheckTokenMembership with process token %s with error %d\n",
4890 ret ? "succeeded" : "failed", GetLastError());
4891 ok(!is_member, "CheckTokenMembership should have cleared is_member\n");
4892
4893 HeapFree(GetProcessHeap(), 0, token_groups);
4894 CloseHandle(token);
4895 CloseHandle(process_token);
4896 }
4897
4898 static void test_EqualSid(void)
4899 {
4900 PSID sid1, sid2;
4901 BOOL ret;
4902 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
4903 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
4904
4905 SetLastError(0xdeadbeef);
4906 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4907 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid1);
4908 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4909 {
4910 win_skip("AllocateAndInitializeSid is not implemented\n");
4911 return;
4912 }
4913 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4914 ok(GetLastError() == 0xdeadbeef,
4915 "AllocateAndInitializeSid shouldn't have set last error to %d\n",
4916 GetLastError());
4917
4918 ret = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
4919 0, 0, 0, 0, 0, 0, 0, &sid2);
4920 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4921
4922 SetLastError(0xdeadbeef);
4923 ret = EqualSid(sid1, sid2);
4924 ok(!ret, "World and domain admins sids shouldn't have been equal\n");
4925 ok(GetLastError() == ERROR_SUCCESS ||
4926 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4927 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4928 GetLastError());
4929
4930 SetLastError(0xdeadbeef);
4931 sid2 = FreeSid(sid2);
4932 ok(!sid2, "FreeSid should have returned NULL instead of %p\n", sid2);
4933 ok(GetLastError() == 0xdeadbeef,
4934 "FreeSid shouldn't have set last error to %d\n",
4935 GetLastError());
4936
4937 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4938 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid2);
4939 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4940
4941 SetLastError(0xdeadbeef);
4942 ret = EqualSid(sid1, sid2);
4943 ok(ret, "Same sids should have been equal %s != %s\n",
4944 debugstr_sid(sid1), debugstr_sid(sid2));
4945 ok(GetLastError() == ERROR_SUCCESS ||
4946 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4947 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4948 GetLastError());
4949
4950 ((SID *)sid2)->Revision = 2;
4951 SetLastError(0xdeadbeef);
4952 ret = EqualSid(sid1, sid2);
4953 ok(!ret, "EqualSid with invalid sid should have returned FALSE\n");
4954 ok(GetLastError() == ERROR_SUCCESS ||
4955 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4956 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4957 GetLastError());
4958 ((SID *)sid2)->Revision = SID_REVISION;
4959
4960 FreeSid(sid1);
4961 FreeSid(sid2);
4962 }
4963
4964 static void test_GetUserNameA(void)
4965 {
4966 char buffer[UNLEN + 1], filler[UNLEN + 1];
4967 DWORD required_len, buffer_len;
4968 BOOL ret;
4969
4970 /* Test crashes on Windows. */
4971 if (0)
4972 {
4973 SetLastError(0xdeadbeef);
4974 GetUserNameA(NULL, NULL);
4975 }
4976
4977 SetLastError(0xdeadbeef);
4978 required_len = 0;
4979 ret = GetUserNameA(NULL, &required_len);
4980 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4981 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4982 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4983
4984 SetLastError(0xdeadbeef);
4985 required_len = 1;
4986 ret = GetUserNameA(NULL, &required_len);
4987 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4988 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
4989 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4990
4991 /* Tests crashes on Windows. */
4992 if (0)
4993 {
4994 SetLastError(0xdeadbeef);
4995 required_len = UNLEN + 1;
4996 GetUserNameA(NULL, &required_len);
4997
4998 SetLastError(0xdeadbeef);
4999 GetUserNameA(buffer, NULL);
5000 }
5001
5002 memset(filler, 'x', sizeof(filler));
5003
5004 /* Note that GetUserNameA on XP and newer outputs the number of bytes
5005 * required for a Unicode string, which affects a test in the next block. */
5006 SetLastError(0xdeadbeef);
5007 memcpy(buffer, filler, sizeof(filler));
5008 required_len = 0;
5009 ret = GetUserNameA(buffer, &required_len);
5010 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
5011 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
5012 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
5013 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5014
5015 SetLastError(0xdeadbeef);
5016 memcpy(buffer, filler, sizeof(filler));
5017 buffer_len = required_len;
5018 ret = GetUserNameA(buffer, &buffer_len);
5019 ok(ret == TRUE, "GetUserNameA returned %d, last error %u\n", ret, GetLastError());
5020 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
5021 ok(buffer_len == required_len ||
5022 broken(buffer_len == required_len / sizeof(WCHAR)), /* XP+ */
5023 "Outputted buffer length was %u\n", buffer_len);
5024
5025 /* Use the reported buffer size from the last GetUserNameA call and pass
5026 * a length that is one less than the required value. */
5027 SetLastError(0xdeadbeef);
5028 memcpy(buffer, filler, sizeof(filler));
5029 buffer_len--;
5030 ret = GetUserNameA(buffer, &buffer_len);
5031 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
5032 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was untouched\n");
5033 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
5034 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5035 }
5036
5037 static void test_GetUserNameW(void)
5038 {
5039 WCHAR buffer[UNLEN + 1], filler[UNLEN + 1];
5040 DWORD required_len, buffer_len;
5041 BOOL ret;
5042
5043 /* Test crashes on Windows. */
5044 if (0)
5045 {
5046 SetLastError(0xdeadbeef);
5047 GetUserNameW(NULL, NULL);
5048 }
5049
5050 SetLastError(0xdeadbeef);
5051 required_len = 0;
5052 ret = GetUserNameW(NULL, &required_len);
5053 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5054 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
5055 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5056
5057 SetLastError(0xdeadbeef);
5058 required_len = 1;
5059 ret = GetUserNameW(NULL, &required_len);
5060 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5061 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
5062 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5063
5064 /* Tests crash on Windows. */
5065 if (0)
5066 {
5067 SetLastError(0xdeadbeef);
5068 required_len = UNLEN + 1;
5069 GetUserNameW(NULL, &required_len);
5070
5071 SetLastError(0xdeadbeef);
5072 GetUserNameW(buffer, NULL);
5073 }
5074
5075 memset(filler, 'x', sizeof(filler));
5076
5077 SetLastError(0xdeadbeef);
5078 memcpy(buffer, filler, sizeof(filler));
5079 required_len = 0;
5080 ret = GetUserNameW(buffer, &required_len);
5081 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5082 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
5083 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
5084 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5085
5086 SetLastError(0xdeadbeef);
5087 memcpy(buffer, filler, sizeof(filler));
5088 buffer_len = required_len;
5089 ret = GetUserNameW(buffer, &buffer_len);
5090 ok(ret == TRUE, "GetUserNameW returned %d, last error %u\n", ret, GetLastError());
5091 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
5092 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
5093
5094 /* GetUserNameW on XP and newer writes a truncated portion of the username string to the buffer. */
5095 SetLastError(0xdeadbeef);
5096 memcpy(buffer, filler, sizeof(filler));
5097 buffer_len--;
5098 ret = GetUserNameW(buffer, &buffer_len);
5099 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
5100 ok(!memcmp(buffer, filler, sizeof(filler)) ||
5101 broken(memcmp(buffer, filler, sizeof(filler)) != 0), /* XP+ */
5102 "Output buffer was altered\n");
5103 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
5104 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
5105 }
5106
5107 static void test_CreateRestrictedToken(void)
5108 {
5109 HANDLE process_token, token, r_token;
5110 PTOKEN_GROUPS token_groups, groups2;
5111 SID_AND_ATTRIBUTES sattr;
5112 SECURITY_IMPERSONATION_LEVEL level;
5113 TOKEN_TYPE type;
5114 BOOL is_member;
5115 DWORD size;
5116 BOOL ret;
5117 DWORD i, j;
5118
5119 if (!pCreateRestrictedToken)
5120 {
5121 win_skip("CreateRestrictedToken is not available\n");
5122 return;
5123 }
5124
5125 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
5126 ok(ret, "got error %d\n", GetLastError());
5127
5128 ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_QUERY,
5129 NULL, SecurityImpersonation, TokenImpersonation, &token);
5130 ok(ret, "got error %d\n", GetLastError());
5131
5132 /* groups */
5133 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
5134 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
5135 "got %d with error %d\n", ret, GetLastError());
5136 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
5137 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
5138 ok(ret, "got error %d\n", GetLastError());
5139
5140 for (i = 0; i < token_groups->GroupCount; i++)
5141 {
5142 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
5143 break;
5144 }
5145
5146 if (i == token_groups->GroupCount)
5147 {
5148 HeapFree(GetProcessHeap(), 0, token_groups);
5149 CloseHandle(token);
5150 skip("User not a member of any group\n");
5151 return;
5152 }
5153
5154 is_member = FALSE;
5155 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
5156 ok(ret, "got error %d\n", GetLastError());
5157 ok(is_member, "not a member\n");
5158
5159 /* disable a SID in new token */
5160 sattr.Sid = token_groups->Groups[i].Sid;
5161 sattr.Attributes = 0;
5162 r_token = NULL;
5163 ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
5164 ok(ret, "got error %d\n", GetLastError());
5165
5166 if (ret)
5167 {
5168 /* check if a SID is enabled */
5169 is_member = TRUE;
5170 ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
5171 ok(ret, "got error %d\n", GetLastError());
5172 todo_wine ok(!is_member, "not a member\n");
5173
5174 ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
5175 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
5176 ret, GetLastError());
5177 groups2 = HeapAlloc(GetProcessHeap(), 0, size);
5178 ret = GetTokenInformation(r_token, TokenGroups, groups2, size, &size);
5179 ok(ret, "got error %d\n", GetLastError());
5180
5181 for (j = 0; j < groups2->GroupCount; j++)
5182 {
5183 if (EqualSid(groups2->Groups[j].Sid, token_groups->Groups[i].Sid))
5184 break;
5185 }
5186
5187 todo_wine ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
5188 "got wrong attributes\n");
5189 todo_wine ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
5190 "got wrong attributes\n");
5191
5192 HeapFree(GetProcessHeap(), 0, groups2);
5193
5194 size = sizeof(type);
5195 ret = GetTokenInformation(r_token, TokenType, &type, size, &size);
5196 ok(ret, "got error %d\n", GetLastError());
5197 ok(type == TokenImpersonation, "got type %u\n", type);
5198
5199 size = sizeof(level);
5200 ret = GetTokenInformation(r_token, TokenImpersonationLevel, &level, size, &size);
5201 ok(ret, "got error %d\n", GetLastError());
5202 ok(level == SecurityImpersonation, "got level %u\n", type);
5203 }
5204
5205 HeapFree(GetProcessHeap(), 0, token_groups);
5206 CloseHandle(r_token);
5207 CloseHandle(token);
5208 CloseHandle(process_token);
5209 }
5210
5211 static void validate_default_security_descriptor(SECURITY_DESCRIPTOR *sd)
5212 {
5213 BOOL ret, present, defaulted;
5214 ACL *acl;
5215 void *sid;
5216
5217 ret = IsValidSecurityDescriptor(sd);
5218 ok(ret, "security descriptor is not valid\n");
5219
5220 present = -1;
5221 defaulted = -1;
5222 acl = (void *)0xdeadbeef;
5223 SetLastError(0xdeadbeef);
5224 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
5225 ok(ret, "GetSecurityDescriptorDacl error %d\n", GetLastError());
5226 todo_wine
5227 ok(present == 1, "acl is not present\n");
5228 todo_wine
5229 ok(acl != (void *)0xdeadbeef && acl != NULL, "acl pointer is not set\n");
5230 ok(defaulted == 0, "defaulted is set to TRUE\n");
5231
5232 defaulted = -1;
5233 sid = (void *)0xdeadbeef;
5234 SetLastError(0xdeadbeef);
5235 ret = GetSecurityDescriptorOwner(sd, &sid, &defaulted);
5236 ok(ret, "GetSecurityDescriptorOwner error %d\n", GetLastError());
5237 todo_wine
5238 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5239 ok(defaulted == 0, "defaulted is set to TRUE\n");
5240
5241 defaulted = -1;
5242 sid = (void *)0xdeadbeef;
5243 SetLastError(0xdeadbeef);
5244 ret = GetSecurityDescriptorGroup(sd, &sid, &defaulted);
5245 ok(ret, "GetSecurityDescriptorGroup error %d\n", GetLastError());
5246 todo_wine
5247 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5248 ok(defaulted == 0, "defaulted is set to TRUE\n");
5249 }
5250
5251 static void test_default_handle_security(HANDLE token, HANDLE handle, GENERIC_MAPPING *mapping)
5252 {
5253 DWORD ret, granted, priv_set_len;
5254 BOOL status;
5255 PRIVILEGE_SET priv_set;
5256 SECURITY_DESCRIPTOR *sd;
5257
5258 sd = test_get_security_descriptor(handle, __LINE__);
5259 validate_default_security_descriptor(sd);
5260
5261 priv_set_len = sizeof(priv_set);
5262 granted = 0xdeadbeef;
5263 status = 0xdeadbeef;
5264 SetLastError(0xdeadbeef);
5265 ret = AccessCheck(sd, token, MAXIMUM_ALLOWED, mapping, &priv_set, &priv_set_len, &granted, &status);
5266 todo_wine {
5267 ok(ret, "AccessCheck error %d\n", GetLastError());
5268 ok(status == 1, "expected 1, got %d\n", status);
5269 ok(granted == mapping->GenericAll, "expected all access %#x, got %#x\n", mapping->GenericAll, granted);
5270 }
5271 priv_set_len = sizeof(priv_set);
5272 granted = 0xdeadbeef;
5273 status = 0xdeadbeef;
5274 SetLastError(0xdeadbeef);
5275 ret = AccessCheck(sd, token, 0, mapping, &priv_set, &priv_set_len, &granted, &status);
5276 todo_wine {
5277 ok(ret, "AccessCheck error %d\n", GetLastError());
5278 ok(status == 0 || broken(status == 1) /* NT4 */, "expected 0, got %d\n", status);
5279 ok(granted == 0 || broken(granted == mapping->GenericRead) /* NT4 */, "expected 0, got %#x\n", granted);
5280 }
5281 priv_set_len = sizeof(priv_set);
5282 granted = 0xdeadbeef;
5283 status = 0xdeadbeef;
5284 SetLastError(0xdeadbeef);
5285 ret = AccessCheck(sd, token, ACCESS_SYSTEM_SECURITY, mapping, &priv_set, &priv_set_len, &granted, &status);
5286 todo_wine {
5287 ok(ret, "AccessCheck error %d\n", GetLastError());
5288 ok(status == 0, "expected 0, got %d\n", status);
5289 ok(granted == 0, "expected 0, got %#x\n", granted);
5290 }
5291 priv_set_len = sizeof(priv_set);
5292 granted = 0xdeadbeef;
5293 status = 0xdeadbeef;
5294 SetLastError(0xdeadbeef);
5295 ret = AccessCheck(sd, token, mapping->GenericRead, mapping, &priv_set, &priv_set_len, &granted, &status);
5296 todo_wine {
5297 ok(ret, "AccessCheck error %d\n", GetLastError());
5298 ok(status == 1, "expected 1, got %d\n", status);
5299 ok(granted == mapping->GenericRead, "expected read access %#x, got %#x\n", mapping->GenericRead, granted);
5300 }
5301 priv_set_len = sizeof(priv_set);
5302 granted = 0xdeadbeef;
5303 status = 0xdeadbeef;
5304 SetLastError(0xdeadbeef);
5305 ret = AccessCheck(sd, token, mapping->GenericWrite, mapping, &priv_set, &priv_set_len, &granted, &status);
5306 todo_wine {
5307 ok(ret, "AccessCheck error %d\n", GetLastError());
5308 ok(status == 1, "expected 1, got %d\n", status);
5309 ok(granted == mapping->GenericWrite, "expected write access %#x, got %#x\n", mapping->GenericWrite, granted);
5310 }
5311 priv_set_len = sizeof(priv_set);
5312 granted = 0xdeadbeef;
5313 status = 0xdeadbeef;
5314 SetLastError(0xdeadbeef);
5315 ret = AccessCheck(sd, token, mapping->GenericExecute, mapping, &priv_set, &priv_set_len, &granted, &status);
5316 todo_wine {
5317 ok(ret, "AccessCheck error %d\n", GetLastError());
5318 ok(status == 1, "expected 1, got %d\n", status);
5319 ok(granted == mapping->GenericExecute, "expected execute access %#x, got %#x\n", mapping->GenericExecute, granted);
5320 }
5321 HeapFree(GetProcessHeap(), 0, sd);
5322 }
5323
5324 static ACCESS_MASK get_obj_access(HANDLE obj)
5325 {
5326 OBJECT_BASIC_INFORMATION info;
5327 NTSTATUS status;
5328
5329 if (!pNtQueryObject) return 0;
5330
5331 status = pNtQueryObject(obj, ObjectBasicInformation, &info, sizeof(info), NULL);
5332 ok(!status, "NtQueryObject error %#x\n", status);
5333
5334 return info.GrantedAccess;
5335 }
5336
5337 static void test_mutex_security(HANDLE token)
5338 {
5339 DWORD ret, i, access;
5340 HANDLE mutex, dup;
5341 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE | SYNCHRONIZE,
5342 STANDARD_RIGHTS_WRITE | MUTEX_MODIFY_STATE | SYNCHRONIZE,
5343 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5344 STANDARD_RIGHTS_ALL | MUTEX_ALL_ACCESS };
5345 static const struct
5346 {
5347 int generic, mapped;
5348 } map[] =
5349 {
5350 { 0, 0 },
5351 { GENERIC_READ, STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE },
5352 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE },
5353 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5354 { GENERIC_ALL, STANDARD_RIGHTS_ALL | MUTANT_QUERY_STATE }
5355 };
5356
5357 SetLastError(0xdeadbeef);
5358 mutex = OpenMutexA(0, FALSE, "WineTestMutex");
5359 ok(!mutex, "mutex should not exist\n");
5360 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5361
5362 SetLastError(0xdeadbeef);
5363 mutex = CreateMutexA(NULL, FALSE, "WineTestMutex");
5364 ok(mutex != 0, "CreateMutex error %d\n", GetLastError());
5365
5366 access = get_obj_access(mutex);
5367 ok(access == MUTANT_ALL_ACCESS, "expected MUTANT_ALL_ACCESS, got %#x\n", access);
5368
5369 for (i = 0; i < ARRAY_SIZE(map); i++)
5370 {
5371 SetLastError( 0xdeadbeef );
5372 ret = DuplicateHandle(GetCurrentProcess(), mutex, GetCurrentProcess(), &dup,
5373 map[i].generic, FALSE, 0);
5374 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5375
5376 access = get_obj_access(dup);
5377 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5378
5379 CloseHandle(dup);
5380
5381 SetLastError(0xdeadbeef);
5382 dup = OpenMutexA(0, FALSE, "WineTestMutex");
5383 todo_wine
5384 ok(!dup, "OpenMutex should fail\n");
5385 todo_wine
5386 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5387 }
5388
5389 test_default_handle_security(token, mutex, &mapping);
5390
5391 CloseHandle (mutex);
5392 }
5393
5394 static void test_event_security(HANDLE token)
5395 {
5396 DWORD ret, i, access;
5397 HANDLE event, dup;
5398 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | EVENT_QUERY_STATE | SYNCHRONIZE,
5399 STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE | SYNCHRONIZE,
5400 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5401 STANDARD_RIGHTS_ALL | EVENT_ALL_ACCESS };
5402 static const struct
5403 {
5404 int generic, mapped;
5405 } map[] =
5406 {
5407 { 0, 0 },
5408 { GENERIC_READ, STANDARD_RIGHTS_READ | EVENT_QUERY_STATE },
5409 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE },
5410 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5411 { GENERIC_ALL, STANDARD_RIGHTS_ALL | EVENT_QUERY_STATE | EVENT_MODIFY_STATE }
5412 };
5413
5414 SetLastError(0xdeadbeef);
5415 event = OpenEventA(0, FALSE, "WineTestEvent");
5416 ok(!event, "event should not exist\n");
5417 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5418
5419 SetLastError(0xdeadbeef);
5420 event = CreateEventA(NULL, FALSE, FALSE, "WineTestEvent");
5421 ok(event != 0, "CreateEvent error %d\n", GetLastError());
5422
5423 access = get_obj_access(event);
5424 ok(access == EVENT_ALL_ACCESS, "expected EVENT_ALL_ACCESS, got %#x\n", access);
5425
5426 for (i = 0; i < ARRAY_SIZE(map); i++)
5427 {
5428 SetLastError( 0xdeadbeef );
5429 ret = DuplicateHandle(GetCurrentProcess(), event, GetCurrentProcess(), &dup,
5430 map[i].generic, FALSE, 0);
5431 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5432
5433 access = get_obj_access(dup);
5434 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5435
5436 CloseHandle(dup);
5437
5438 SetLastError(0xdeadbeef);
5439 dup = OpenEventA(0, FALSE, "WineTestEvent");
5440 todo_wine
5441 ok(!dup, "OpenEvent should fail\n");
5442 todo_wine
5443 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5444 }
5445
5446 test_default_handle_security(token, event, &mapping);
5447
5448 CloseHandle(event);
5449 }
5450
5451 static void test_semaphore_security(HANDLE token)
5452 {
5453 DWORD ret, i, access;
5454 HANDLE sem, dup;
5455 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE,
5456 STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE,
5457 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5458 STANDARD_RIGHTS_ALL | SEMAPHORE_ALL_ACCESS };
5459 static const struct
5460 {
5461 int generic, mapped;
5462 } map[] =
5463 {
5464 { 0, 0 },
5465 { GENERIC_READ, STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE },
5466 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE },
5467 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5468 { GENERIC_ALL, STANDARD_RIGHTS_ALL | SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE }
5469 };
5470
5471 SetLastError(0xdeadbeef);
5472 sem = OpenSemaphoreA(0, FALSE, "WineTestSemaphore");
5473 ok(!sem, "semaphore should not exist\n");
5474 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5475
5476 SetLastError(0xdeadbeef);
5477 sem = CreateSemaphoreA(NULL, 0, 10, "WineTestSemaphore");
5478 ok(sem != 0, "CreateSemaphore error %d\n", GetLastError());
5479
5480 access = get_obj_access(sem);
5481 ok(access == SEMAPHORE_ALL_ACCESS, "expected SEMAPHORE_ALL_ACCESS, got %#x\n", access);
5482
5483 for (i = 0; i < ARRAY_SIZE(map); i++)
5484 {
5485 SetLastError( 0xdeadbeef );
5486 ret = DuplicateHandle(GetCurrentProcess(), sem, GetCurrentProcess(), &dup,
5487 map[i].generic, FALSE, 0);
5488 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5489
5490 access = get_obj_access(dup);
5491 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5492
5493 CloseHandle(dup);
5494 }
5495
5496 test_default_handle_security(token, sem, &mapping);
5497
5498 CloseHandle(sem);
5499 }
5500
5501 #define WINE_TEST_PIPE "\\\\.\\pipe\\WineTestPipe"
5502 static void test_named_pipe_security(HANDLE token)
5503 {
5504 DWORD ret, i, access;
5505 HANDLE pipe, file, dup;
5506 GENERIC_MAPPING mapping = { FILE_GENERIC_READ,
5507 FILE_GENERIC_WRITE,
5508 FILE_GENERIC_EXECUTE,
5509 STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS };
5510 static const struct
5511 {
5512 int todo, generic, mapped;
5513 } map[] =
5514 {
5515 { 0, 0, 0 },
5516 { 1, GENERIC_READ, FILE_GENERIC_READ },
5517 { 1, GENERIC_WRITE, FILE_GENERIC_WRITE },
5518 { 1, GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5519 { 1, GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5520 };
5521 static const struct
5522 {
5523 DWORD open_mode;
5524 DWORD access;
5525 } creation_access[] =
5526 {
5527 { PIPE_ACCESS_INBOUND, FILE_GENERIC_READ },
5528 { PIPE_ACCESS_OUTBOUND, FILE_GENERIC_WRITE },
5529 { PIPE_ACCESS_DUPLEX, FILE_GENERIC_READ|FILE_GENERIC_WRITE },
5530 { PIPE_ACCESS_INBOUND|WRITE_DAC, FILE_GENERIC_READ|WRITE_DAC },
5531 { PIPE_ACCESS_INBOUND|WRITE_OWNER, FILE_GENERIC_READ|WRITE_OWNER }
5532 /* ACCESS_SYSTEM_SECURITY is also valid, but will fail with ERROR_PRIVILEGE_NOT_HELD */
5533 };
5534
5535 /* Test the different security access options for pipes */
5536 for (i = 0; i < ARRAY_SIZE(creation_access); i++)
5537 {
5538 SetLastError(0xdeadbeef);
5539 pipe = CreateNamedPipeA(WINE_TEST_PIPE, creation_access[i].open_mode,
5540 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES, 0, 0,
5541 NMPWAIT_USE_DEFAULT_WAIT, NULL);
5542 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe(0x%x) error %d\n",
5543 creation_access[i].open_mode, GetLastError());
5544 access = get_obj_access(pipe);
5545 ok(access == creation_access[i].access,
5546 "CreateNamedPipeA(0x%x) pipe expected access 0x%x (got 0x%x)\n",
5547 creation_access[i].open_mode, creation_access[i].access, access);
5548 CloseHandle(pipe);
5549 }
5550
5551 SetLastError(0xdeadbeef);
5552 pipe = CreateNamedPipeA(WINE_TEST_PIPE, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
5553 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES,
5554 0, 0, NMPWAIT_USE_DEFAULT_WAIT, NULL);
5555 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe error %d\n", GetLastError());
5556
5557 test_default_handle_security(token, pipe, &mapping);
5558
5559 SetLastError(0xdeadbeef);
5560 file = CreateFileA(WINE_TEST_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
5561 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5562
5563 access = get_obj_access(file);
5564 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5565
5566 for (i = 0; i < ARRAY_SIZE(map); i++)
5567 {
5568 SetLastError( 0xdeadbeef );
5569 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5570 map[i].generic, FALSE, 0);
5571 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5572
5573 access = get_obj_access(dup);
5574 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5575
5576 CloseHandle(dup);
5577 }
5578
5579 CloseHandle(file);
5580 CloseHandle(pipe);
5581
5582 SetLastError(0xdeadbeef);
5583 file = CreateFileA("\\\\.\\pipe\\", FILE_ALL_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0);
5584 ok(file != INVALID_HANDLE_VALUE || broken(file == INVALID_HANDLE_VALUE) /* before Vista */, "CreateFile error %d\n", GetLastError());
5585
5586 if (file != INVALID_HANDLE_VALUE)
5587 {
5588 access = get_obj_access(file);
5589 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5590
5591 for (i = 0; i < ARRAY_SIZE(map); i++)
5592 {
5593 SetLastError( 0xdeadbeef );
5594 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5595 map[i].generic, FALSE, 0);
5596 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5597
5598 access = get_obj_access(dup);
5599 todo_wine_if (map[i].todo)
5600 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5601
5602 CloseHandle(dup);
5603 }
5604 }
5605
5606 CloseHandle(file);
5607 }
5608
5609 static void test_file_security(HANDLE token)
5610 {
5611 DWORD ret, i, access, bytes;
5612 HANDLE file, dup;
5613 static const struct
5614 {
5615 int generic, mapped;
5616 } map[] =
5617 {
5618 { 0, 0 },
5619 { GENERIC_READ, FILE_GENERIC_READ },
5620 { GENERIC_WRITE, FILE_GENERIC_WRITE },
5621 { GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5622 { GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5623 };
5624 char temp_path[MAX_PATH];
5625 char file_name[MAX_PATH];
5626 char buf[16];
5627
5628 GetTempPathA(MAX_PATH, temp_path);
5629 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5630
5631 /* file */
5632 SetLastError(0xdeadbeef);
5633 file = CreateFileA(file_name, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
5634 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5635
5636 access = get_obj_access(file);
5637 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5638
5639 for (i = 0; i < ARRAY_SIZE(map); i++)
5640 {
5641 SetLastError( 0xdeadbeef );
5642 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5643 map[i].generic, FALSE, 0);
5644 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5645
5646 access = get_obj_access(dup);
5647 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5648
5649 CloseHandle(dup);
5650 }
5651
5652 CloseHandle(file);
5653
5654 SetLastError(0xdeadbeef);
5655 file = CreateFileA(file_name, 0, 0, NULL, OPEN_EXISTING, 0, NULL);
5656 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5657
5658 access = get_obj_access(file);
5659 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5660
5661 bytes = 0xdeadbeef;
5662 SetLastError(0xdeadbeef);
5663 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5664 ok(!ret, "ReadFile should fail\n");
5665 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5666 ok(bytes == 0, "expected 0, got %u\n", bytes);
5667
5668 CloseHandle(file);
5669
5670 SetLastError(0xdeadbeef);
5671 file = CreateFileA(file_name, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, 0);
5672 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5673
5674 access = get_obj_access(file);
5675 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5676
5677 bytes = 0xdeadbeef;
5678 SetLastError(0xdeadbeef);
5679 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5680 ok(!ret, "ReadFile should fail\n");
5681 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5682 ok(bytes == 0, "expected 0, got %u\n", bytes);
5683
5684 CloseHandle(file);
5685 DeleteFileA(file_name);
5686
5687 /* directory */
5688 SetLastError(0xdeadbeef);
5689 file = CreateFileA(temp_path, GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5690 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5691
5692 access = get_obj_access(file);
5693 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5694
5695 for (i = 0; i < ARRAY_SIZE(map); i++)
5696 {
5697 SetLastError( 0xdeadbeef );
5698 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5699 map[i].generic, FALSE, 0);
5700 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5701
5702 access = get_obj_access(dup);
5703 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5704
5705 CloseHandle(dup);
5706 }
5707
5708 CloseHandle(file);
5709
5710 SetLastError(0xdeadbeef);
5711 file = CreateFileA(temp_path, 0, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5712 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5713
5714 access = get_obj_access(file);
5715 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5716
5717 CloseHandle(file);
5718
5719 SetLastError(0xdeadbeef);
5720 file = CreateFileA(temp_path, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5721 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5722
5723 access = get_obj_access(file);
5724 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5725
5726 CloseHandle(file);
5727 }
5728
5729 static void test_filemap_security(void)
5730 {
5731 char temp_path[MAX_PATH];
5732 char file_name[MAX_PATH];
5733 DWORD ret, i, access;
5734 HANDLE file, mapping, dup, created_mapping;
5735 static const struct
5736 {
5737 int generic, mapped;
5738 BOOL open_only;
5739 } map[] =
5740 {
5741 { 0, 0 },
5742 { GENERIC_READ, STANDARD_RIGHTS_READ | SECTION_QUERY | SECTION_MAP_READ },
5743 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SECTION_MAP_WRITE },
5744 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SECTION_MAP_EXECUTE },
5745 { GENERIC_ALL, STANDARD_RIGHTS_REQUIRED | SECTION_ALL_ACCESS },
5746 { SECTION_MAP_READ | SECTION_MAP_WRITE, SECTION_MAP_READ | SECTION_MAP_WRITE },
5747 { SECTION_MAP_WRITE, SECTION_MAP_WRITE },
5748 { SECTION_MAP_READ | SECTION_QUERY, SECTION_MAP_READ | SECTION_QUERY },
5749 { SECTION_QUERY, SECTION_MAP_READ, TRUE },
5750 { SECTION_QUERY | SECTION_MAP_READ, SECTION_QUERY | SECTION_MAP_READ }
5751 };
5752 static const struct
5753 {
5754 int prot, mapped;
5755 } prot_map[] =
5756 {
5757 { 0, 0 },
5758 { PAGE_NOACCESS, 0 },
5759 { PAGE_READONLY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5760 { PAGE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE },
5761 { PAGE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5762 { PAGE_EXECUTE, 0 },
5763 { PAGE_EXECUTE_READ, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE },
5764 { PAGE_EXECUTE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE },
5765 { PAGE_EXECUTE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE }
5766 };
5767
5768 GetTempPathA(MAX_PATH, temp_path);
5769 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5770
5771 SetLastError(0xdeadbeef);
5772 file = CreateFileA(file_name, GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE, 0, NULL, CREATE_ALWAYS, 0, 0);
5773 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5774 SetFilePointer(file, 4096, NULL, FILE_BEGIN);
5775 SetEndOfFile(file);
5776
5777 for (i = 0; i < ARRAY_SIZE(prot_map); i++)
5778 {
5779 if (map[i].open_only) continue;
5780
5781 SetLastError(0xdeadbeef);
5782 mapping = CreateFileMappingW(file, NULL, prot_map[i].prot, 0, 4096, NULL);
5783 if (prot_map[i].mapped)
5784 {
5785 if (!mapping)
5786 {
5787 /* NT4 and win2k don't support EXEC on file mappings */
5788 if (prot_map[i].prot == PAGE_EXECUTE_READ || prot_map[i].prot == PAGE_EXECUTE_READWRITE || prot_map[i].prot == PAGE_EXECUTE_WRITECOPY)
5789 {
5790 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5791 continue;
5792 }
5793 }
5794 ok(mapping != 0, "CreateFileMapping(%04x) error %d\n", prot_map[i].prot, GetLastError());
5795 }
5796 else
5797 {
5798 ok(!mapping, "CreateFileMapping(%04x) should fail\n", prot_map[i].prot);
5799 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
5800 continue;
5801 }
5802
5803 access = get_obj_access(mapping);
5804 ok(access == prot_map[i].mapped, "%d: expected %#x, got %#x\n", i, prot_map[i].mapped, access);
5805
5806 CloseHandle(mapping);
5807 }
5808
5809 SetLastError(0xdeadbeef);
5810 mapping = CreateFileMappingW(file, NULL, PAGE_EXECUTE_READWRITE, 0, 4096, NULL);
5811 if (!mapping)
5812 {
5813 /* NT4 and win2k don't support EXEC on file mappings */
5814 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5815 CloseHandle(file);
5816 DeleteFileA(file_name);
5817 return;
5818 }
5819 ok(mapping != 0, "CreateFileMapping error %d\n", GetLastError());
5820
5821 access = get_obj_access(mapping);
5822 ok(access == (STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE),
5823 "expected STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, got %#x\n", access);
5824
5825 for (i = 0; i < ARRAY_SIZE(map); i++)
5826 {
5827 if (map[i].open_only) continue;
5828
5829 SetLastError( 0xdeadbeef );
5830 ret = DuplicateHandle(GetCurrentProcess(), mapping, GetCurrentProcess(), &dup,
5831 map[i].generic, FALSE, 0);
5832 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5833
5834 access = get_obj_access(dup);
5835 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5836
5837 CloseHandle(dup);
5838 }
5839
5840 CloseHandle(mapping);
5841 CloseHandle(file);
5842 DeleteFileA(file_name);
5843
5844 created_mapping = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000,
5845 "Wine Test Open Mapping");
5846 ok(created_mapping != NULL, "CreateFileMapping failed with error %u\n", GetLastError());
5847
5848 for (i = 0; i < ARRAY_SIZE(map); i++)
5849 {
5850 if (!map[i].generic) continue;
5851
5852 mapping = OpenFileMappingA(map[i].generic, FALSE, "Wine Test Open Mapping");
5853 ok(mapping != NULL, "OpenFileMapping failed with error %d\n", GetLastError());
5854 access = get_obj_access(mapping);
5855 ok(access == map[i].mapped, "%d: unexpected access flags %#x, expected %#x\n",
5856 i, access, map[i].mapped);
5857 CloseHandle(mapping);
5858 }
5859
5860 CloseHandle(created_mapping);
5861 }
5862
5863 static void test_thread_security(void)
5864 {
5865 DWORD ret, i, access;
5866 HANDLE thread, dup;
5867 static const struct
5868 {
5869 int generic, mapped;
5870 } map[] =
5871 {
5872 { 0, 0 },
5873 { GENERIC_READ, STANDARD_RIGHTS_READ | THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT },
5874 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | THREAD_SET_INFORMATION | THREAD_SET_CONTEXT | THREAD_TERMINATE | THREAD_SUSPEND_RESUME | 0x4 },
5875 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5876 { GENERIC_ALL, THREAD_ALL_ACCESS_NT4 }
5877 };
5878
5879 SetLastError(0xdeadbeef);
5880 thread = CreateThread(NULL, 0, (void *)0xdeadbeef, NULL, CREATE_SUSPENDED, &ret);
5881 ok(thread != 0, "CreateThread error %d\n", GetLastError());
5882
5883 access = get_obj_access(thread);
5884 ok(access == THREAD_ALL_ACCESS_NT4 || access == THREAD_ALL_ACCESS_VISTA, "expected THREAD_ALL_ACCESS, got %#x\n", access);
5885
5886 for (i = 0; i < ARRAY_SIZE(map); i++)
5887 {
5888 SetLastError( 0xdeadbeef );
5889 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5890 map[i].generic, FALSE, 0);
5891 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5892
5893 access = get_obj_access(dup);
5894 switch (map[i].generic)
5895 {
5896 case GENERIC_READ:
5897 case GENERIC_EXECUTE:
5898 ok(access == map[i].mapped ||
5899 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5900 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5901 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5902 break;
5903 case GENERIC_WRITE:
5904 todo_wine
5905 ok(access == map[i].mapped ||
5906 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION) /* Vista+ */ ||
5907 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5908 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5909 break;
5910 case GENERIC_ALL:
5911 ok(access == map[i].mapped || access == THREAD_ALL_ACCESS_VISTA,
5912 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5913 break;
5914 default:
5915 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5916 break;
5917 }
5918
5919 CloseHandle(dup);
5920 }
5921
5922 SetLastError( 0xdeadbeef );
5923 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5924 THREAD_QUERY_INFORMATION, FALSE, 0);
5925 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5926 access = get_obj_access(dup);
5927 ok(access == (THREAD_QUERY_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5928 access == THREAD_QUERY_INFORMATION /* before Vista */,
5929 "expected THREAD_QUERY_INFORMATION|THREAD_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5930 CloseHandle(dup);
5931
5932 TerminateThread(thread, 0);
5933 CloseHandle(thread);
5934 }
5935
5936 static void test_process_access(void)
5937 {
5938 DWORD ret, i, access;
5939 HANDLE process, dup;
5940 STARTUPINFOA sti;
5941 PROCESS_INFORMATION pi;
5942 char cmdline[] = "winver.exe";
5943 static const struct
5944 {
5945 int generic, mapped;
5946 } map[] =
5947 {
5948 { 0, 0 },
5949 { GENERIC_READ, STANDARD_RIGHTS_READ | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
5950 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME |
5951 PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION },
5952 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5953 { GENERIC_ALL, PROCESS_ALL_ACCESS_NT4 }
5954 };
5955
5956 memset(&sti, 0, sizeof(sti));
5957 sti.cb = sizeof(sti);
5958 SetLastError(0xdeadbeef);
5959 ret = CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sti, &pi);
5960 ok(ret, "CreateProcess() error %d\n", GetLastError());
5961
5962 CloseHandle(pi.hThread);
5963 process = pi.hProcess;
5964
5965 access = get_obj_access(process);
5966 ok(access == PROCESS_ALL_ACCESS_NT4 || access == PROCESS_ALL_ACCESS_VISTA, "expected PROCESS_ALL_ACCESS, got %#x\n", access);
5967
5968 for (i = 0; i < ARRAY_SIZE(map); i++)
5969 {
5970 SetLastError( 0xdeadbeef );
5971 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5972 map[i].generic, FALSE, 0);
5973 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5974
5975 access = get_obj_access(dup);
5976 switch (map[i].generic)
5977 {
5978 case GENERIC_READ:
5979 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */,
5980 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5981 break;
5982 case GENERIC_WRITE:
5983 ok(access == map[i].mapped ||
5984 access == (map[i].mapped | PROCESS_TERMINATE) /* before Vista */ ||
5985 access == (map[i].mapped | PROCESS_SET_LIMITED_INFORMATION) /* win8 */ ||
5986 access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION) /* Win10 Anniversary Update */,
5987 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5988 break;
5989 case GENERIC_EXECUTE:
5990 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE) /* Vista+ */,
5991 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5992 break;
5993 case GENERIC_ALL:
5994 ok(access == map[i].mapped || access == PROCESS_ALL_ACCESS_VISTA,
5995 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5996 break;
5997 default:
5998 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5999 break;
6000 }
6001
6002 CloseHandle(dup);
6003 }
6004
6005 SetLastError( 0xdeadbeef );
6006 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
6007 PROCESS_QUERY_INFORMATION, FALSE, 0);
6008 ok(ret, "DuplicateHandle error %d\n", GetLastError());
6009 access = get_obj_access(dup);
6010 ok(access == (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
6011 access == PROCESS_QUERY_INFORMATION /* before Vista */,
6012 "expected PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION, got %#x\n", access);
6013 CloseHandle(dup);
6014
6015 TerminateProcess(process, 0);
6016 CloseHandle(process);
6017 }
6018
6019 static BOOL validate_impersonation_token(HANDLE token, DWORD *token_type)
6020 {
6021 DWORD ret, needed;
6022 TOKEN_TYPE type;
6023 SECURITY_IMPERSONATION_LEVEL sil;
6024
6025 type = 0xdeadbeef;
6026 needed = 0;
6027 SetLastError(0xdeadbeef);
6028 ret = GetTokenInformation(token, TokenType, &type, sizeof(type), &needed);
6029 ok(ret, "GetTokenInformation error %d\n", GetLastError());
6030 ok(needed == sizeof(type), "GetTokenInformation should return required buffer length\n");
6031 ok(type == TokenPrimary || type == TokenImpersonation, "expected TokenPrimary or TokenImpersonation, got %d\n", type);
6032
6033 *token_type = type;
6034 if (type != TokenImpersonation) return FALSE;
6035
6036 needed = 0;
6037 SetLastError(0xdeadbeef);
6038 ret = GetTokenInformation(token, TokenImpersonationLevel, &sil, sizeof(sil), &needed);
6039 ok(ret, "GetTokenInformation error %d\n", GetLastError());
6040 ok(needed == sizeof(sil), "GetTokenInformation should return required buffer length\n");
6041 ok(sil == SecurityImpersonation, "expected SecurityImpersonation, got %d\n", sil);
6042
6043 needed = 0xdeadbeef;
6044 SetLastError(0xdeadbeef);
6045 ret = GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &needed);
6046 ok(!ret, "GetTokenInformation should fail\n");
6047 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6048 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
6049 ok(needed > sizeof(TOKEN_DEFAULT_DACL), "GetTokenInformation returned empty default DACL\n");
6050
6051 needed = 0xdeadbeef;
6052 SetLastError(0xdeadbeef);
6053 ret = GetTokenInformation(token, TokenOwner, NULL, 0, &needed);
6054 ok(!ret, "GetTokenInformation should fail\n");
6055 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6056 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
6057 ok(needed > sizeof(TOKEN_OWNER), "GetTokenInformation returned empty token owner\n");
6058
6059 needed = 0xdeadbeef;
6060 SetLastError(0xdeadbeef);
6061 ret = GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &needed);
6062 ok(!ret, "GetTokenInformation should fail\n");
6063 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6064 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
6065 ok(needed > sizeof(TOKEN_PRIMARY_GROUP), "GetTokenInformation returned empty token primary group\n");
6066
6067 return TRUE;
6068 }
6069
6070 static void test_kernel_objects_security(void)
6071 {
6072 HANDLE token, process_token;
6073 DWORD ret, token_type;
6074
6075 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &process_token);
6076 ok(ret, "OpenProcessToken error %d\n", GetLastError());
6077
6078 ret = validate_impersonation_token(process_token, &token_type);
6079 ok(token_type == TokenPrimary, "expected TokenPrimary, got %d\n", token_type);
6080 ok(!ret, "access token should not be an impersonation token\n");
6081
6082 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
6083 ok(ret, "DuplicateToken error %d\n", GetLastError());
6084
6085 ret = validate_impersonation_token(token, &token_type);
6086 ok(ret, "access token should be a valid impersonation token\n");
6087 ok(token_type == TokenImpersonation, "expected TokenImpersonation, got %d\n", token_type);
6088
6089 test_mutex_security(token);
6090 test_event_security(token);
6091 test_named_pipe_security(token);
6092 test_semaphore_security(token);
6093 test_file_security(token);
6094 test_filemap_security();
6095 test_thread_security();
6096 test_process_access();
6097 /* FIXME: test other kernel object types */
6098
6099 CloseHandle(process_token);
6100 CloseHandle(token);
6101 }
6102
6103 static void test_TokenIntegrityLevel(void)
6104 {
6105 TOKEN_MANDATORY_LABEL *tml;
6106 BYTE buffer[64]; /* using max. 28 byte in win7 x64 */
6107 HANDLE token;
6108 DWORD size;
6109 DWORD res;
6110 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6111 {SECURITY_MANDATORY_HIGH_RID}};
6112 static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6113 {SECURITY_MANDATORY_MEDIUM_RID}};
6114
6115 SetLastError(0xdeadbeef);
6116 res = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
6117 ok(res, "got %d with %d (expected TRUE)\n", res, GetLastError());
6118
6119 SetLastError(0xdeadbeef);
6120 res = GetTokenInformation(token, TokenIntegrityLevel, buffer, sizeof(buffer), &size);
6121
6122 /* not supported before Vista */
6123 if (!res && ((GetLastError() == ERROR_INVALID_PARAMETER) || GetLastError() == ERROR_INVALID_FUNCTION))
6124 {
6125 win_skip("TokenIntegrityLevel not supported\n");
6126 CloseHandle(token);
6127 return;
6128 }
6129
6130 ok(res, "got %u with %u (expected TRUE)\n", res, GetLastError());
6131 if (!res)
6132 {
6133 CloseHandle(token);
6134 return;
6135 }
6136
6137 tml = (TOKEN_MANDATORY_LABEL*) buffer;
6138 ok(tml->Label.Attributes == (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED),
6139 "got 0x%x (expected 0x%x)\n", tml->Label.Attributes, (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED));
6140
6141 ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
6142 "got %s (expected %s or %s)\n", debugstr_sid(tml->Label.Sid),
6143 debugstr_sid(&medium_level), debugstr_sid(&high_level));
6144
6145 CloseHandle(token);
6146 }
6147
6148 static void test_default_dacl_owner_sid(void)
6149 {
6150 HANDLE handle;
6151 BOOL ret, defaulted, present, found;
6152 DWORD size, index;
6153 SECURITY_DESCRIPTOR *sd;
6154 SECURITY_ATTRIBUTES sa;
6155 PSID owner;
6156 ACL *dacl;
6157 ACCESS_ALLOWED_ACE *ace;
6158
6159 sd = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
6160 ret = InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION );
6161 ok( ret, "error %u\n", GetLastError() );
6162
6163 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6164 sa.lpSecurityDescriptor = sd;
6165 sa.bInheritHandle = FALSE;
6166 handle = CreateEventA( &sa, TRUE, TRUE, "test_event" );
6167 ok( handle != NULL, "error %u\n", GetLastError() );
6168
6169 size = 0;
6170 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, NULL, 0, &size );
6171 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "error %u\n", GetLastError() );
6172
6173 sd = HeapAlloc( GetProcessHeap(), 0, size );
6174 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, sd, size, &size );
6175 ok( ret, "error %u\n", GetLastError() );
6176
6177 owner = (void *)0xdeadbeef;
6178 defaulted = TRUE;
6179 ret = GetSecurityDescriptorOwner( sd, &owner, &defaulted );
6180 ok( ret, "error %u\n", GetLastError() );
6181 ok( owner != (void *)0xdeadbeef, "owner not set\n" );
6182 ok( !defaulted, "owner defaulted\n" );
6183
6184 dacl = (void *)0xdeadbeef;
6185 present = FALSE;
6186 defaulted = TRUE;
6187 ret = GetSecurityDescriptorDacl( sd, &present, &dacl, &defaulted );
6188 ok( ret, "error %u\n", GetLastError() );
6189 ok( present, "dacl not present\n" );
6190 ok( dacl != (void *)0xdeadbeef, "dacl not set\n" );
6191 ok( !defaulted, "dacl defaulted\n" );
6192
6193 index = 0;
6194 found = FALSE;
6195 while (pGetAce( dacl, index++, (void **)&ace ))
6196 {
6197 if (EqualSid( &ace->SidStart, owner )) found = TRUE;
6198 }
6199 ok( found, "owner sid not found in dacl\n" );
6200
6201 HeapFree( GetProcessHeap(), 0, sa.lpSecurityDescriptor );
6202 HeapFree( GetProcessHeap(), 0, sd );
6203 CloseHandle( handle );
6204 }
6205
6206 static void test_AdjustTokenPrivileges(void)
6207 {
6208 TOKEN_PRIVILEGES tp;
6209 HANDLE token;
6210 DWORD len;
6211 LUID luid;
6212 BOOL ret;
6213
6214 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
6215 return;
6216
6217 if (!LookupPrivilegeValueA(NULL, SE_BACKUP_NAME, &luid))
6218 {
6219 CloseHandle(token);
6220 return;
6221 }
6222
6223 tp.PrivilegeCount = 1;
6224 tp.Privileges[0].Luid = luid;
6225 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6226
6227 len = 0xdeadbeef;
6228 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, &len);
6229 ok(ret, "got %d\n", ret);
6230 ok(len == 0xdeadbeef, "got length %d\n", len);
6231
6232 /* revert */
6233 tp.PrivilegeCount = 1;
6234 tp.Privileges[0].Luid = luid;
6235 tp.Privileges[0].Attributes = 0;
6236 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
6237 ok(ret, "got %d\n", ret);
6238
6239 CloseHandle(token);
6240 }
6241
6242 static void test_AddAce(void)
6243 {
6244 static SID const sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
6245
6246 char acl_buf[1024], ace_buf[256];
6247 ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE*)ace_buf;
6248 PACL acl = (PACL)acl_buf;
6249 BOOL ret;
6250
6251 memset(ace, 0, sizeof(ace_buf));
6252 ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
6253 ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD)+sizeof(SID);
6254 memcpy(&ace->SidStart, &sidWorld, sizeof(sidWorld));
6255
6256 ret = InitializeAcl(acl, sizeof(acl_buf), ACL_REVISION2);
6257 ok(ret, "InitializeAcl failed: %d\n", GetLastError());
6258
6259 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6260 ok(ret, "AddAce failed: %d\n", GetLastError());
6261 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6262 ok(ret, "AddAce failed: %d\n", GetLastError());
6263 ret = AddAce(acl, ACL_REVISION3, MAXDWORD, ace, ace->Header.AceSize);
6264 ok(ret, "AddAce failed: %d\n", GetLastError());
6265 ok(acl->AclRevision == ACL_REVISION3, "acl->AclRevision = %d\n", acl->AclRevision);
6266 ret = AddAce(acl, ACL_REVISION4, MAXDWORD, ace, ace->Header.AceSize);
6267 ok(ret, "AddAce failed: %d\n", GetLastError());
6268 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6269 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6270 ok(ret, "AddAce failed: %d\n", GetLastError());
6271 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6272 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6273 ok(ret, "AddAce failed: %d\n", GetLastError());
6274
6275 ret = AddAce(acl, MIN_ACL_REVISION-1, MAXDWORD, ace, ace->Header.AceSize);
6276 ok(ret, "AddAce failed: %d\n", GetLastError());
6277 /* next test succeededs but corrupts ACL */
6278 ret = AddAce(acl, MAX_ACL_REVISION+1, MAXDWORD, ace, ace->Header.AceSize);
6279 ok(ret, "AddAce failed: %d\n", GetLastError());
6280 ok(acl->AclRevision == MAX_ACL_REVISION+1, "acl->AclRevision = %d\n", acl->AclRevision);
6281 SetLastError(0xdeadbeef);
6282 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6283 ok(!ret, "AddAce succeeded\n");
6284 ok(GetLastError() == ERROR_INVALID_PARAMETER, "GetLastError() = %d\n", GetLastError());
6285 }
6286
6287 static void test_AddMandatoryAce(void)
6288 {
6289 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6290 {SECURITY_MANDATORY_LOW_RID}};
6291 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6292 {SECURITY_MANDATORY_MEDIUM_RID}};
6293 static SID_IDENTIFIER_AUTHORITY sia_world = {SECURITY_WORLD_SID_AUTHORITY};
6294 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6295 SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6296 BOOL defaulted, present, ret, found, found2;
6297 ACL_SIZE_INFORMATION acl_size_info;
6298 SYSTEM_MANDATORY_LABEL_ACE *ace;
6299 char buffer_acl[256];
6300 ACL *acl = (ACL *)&buffer_acl;
6301 SECURITY_ATTRIBUTES sa;
6302 DWORD index, size;
6303 HANDLE handle;
6304 SID *everyone;
6305 ACL *sacl;
6306
6307 if (!pAddMandatoryAce)
6308 {
6309 win_skip("AddMandatoryAce not supported, skipping test\n");
6310 return;
6311 }
6312
6313 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6314 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6315
6316 sa.nLength = sizeof(sa);
6317 sa.lpSecurityDescriptor = sd;
6318 sa.bInheritHandle = FALSE;
6319
6320 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6321 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6322
6323 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6324 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6325 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6326
6327 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6328 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6329 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6330
6331 sacl = (void *)0xdeadbeef;
6332 present = TRUE;
6333 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6334 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6335 ok(!present, "SACL is present\n");
6336 ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
6337
6338 HeapFree(GetProcessHeap(), 0, sd2);
6339 CloseHandle(handle);
6340
6341 memset(buffer_acl, 0, sizeof(buffer_acl));
6342 ret = InitializeAcl(acl, 256, ACL_REVISION);
6343 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6344
6345 SetLastError(0xdeadbeef);
6346 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, 0x1234, &low_level);
6347 ok(!ret, "AddMandatoryAce succeeded\n");
6348 ok(GetLastError() == ERROR_INVALID_PARAMETER,
6349 "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
6350
6351 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
6352 ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
6353
6354 index = 0;
6355 found = FALSE;
6356 while (pGetAce(acl, index++, (void **)&ace))
6357 {
6358 if (ace->Header.AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
6359 ok(ace->Header.AceFlags == 0, "Expected flags 0, got %x\n", ace->Header.AceFlags);
6360 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6361 "Expected mask SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, got %x\n", ace->Mask);
6362 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6363 found = TRUE;
6364 }
6365 ok(found, "Could not find mandatory label ace\n");
6366
6367 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6368 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6369
6370 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6371 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6372
6373 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6374 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6375 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6376
6377 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6378 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6379 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6380
6381 sacl = (void *)0xdeadbeef;
6382 present = FALSE;
6383 defaulted = TRUE;
6384 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6385 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6386 ok(present, "SACL not present\n");
6387 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6388 ok(!defaulted, "SACL defaulted\n");
6389 ret = pGetAclInformation(sacl, &acl_size_info, sizeof(acl_size_info), AclSizeInformation);
6390 ok(ret, "GetAclInformation failed with error %u\n", GetLastError());
6391 ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
6392
6393 ret = pGetAce(sacl, 0, (void **)&ace);
6394 ok(ret, "GetAce failed with error %u\n", GetLastError());
6395 ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6396 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6397 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6398 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6399
6400 HeapFree(GetProcessHeap(), 0, sd2);
6401
6402 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6403 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6404
6405 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6406 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6407
6408 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6409 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6410 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6411
6412 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6413 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6414 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6415
6416 sacl = (void *)0xdeadbeef;
6417 present = FALSE;
6418 defaulted = TRUE;
6419 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6420 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6421 ok(present, "SACL not present\n");
6422 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6423 ok(sacl->AceCount == 2, "Expected 2 ACEs, got %d\n", sacl->AceCount);
6424 ok(!defaulted, "SACL defaulted\n");
6425
6426 index = 0;
6427 found = found2 = FALSE;
6428 while (pGetAce(sacl, index++, (void **)&ace))
6429 {
6430 if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
6431 {
6432 if (EqualSid(&ace->SidStart, &low_level))
6433 {
6434 found = TRUE;
6435 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6436 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6437 "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as mask, got %#x\n", ace->Mask);
6438 }
6439 if (EqualSid(&ace->SidStart, &medium_level))
6440 {
6441 found2 = TRUE;
6442 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6443 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP,
6444 "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as mask, got %#x\n", ace->Mask);
6445 }
6446 }
6447 }
6448 ok(found, "Could not find low mandatory label\n");
6449 ok(found2, "Could not find medium mandatory label\n");
6450
6451 HeapFree(GetProcessHeap(), 0, sd2);
6452
6453 ret = SetSecurityDescriptorSacl(sd, FALSE, NULL, FALSE);
6454 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6455
6456 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6457 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6458
6459 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6460 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6461 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6462
6463 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6464 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6465 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6466
6467 sacl = (void *)0xdeadbeef;
6468 present = FALSE;
6469 defaulted = TRUE;
6470 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6471 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6472 ok(present, "SACL not present\n");
6473 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6474 ok(!defaulted, "SACL defaulted\n");
6475 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6476
6477 HeapFree(GetProcessHeap(), 0, sd2);
6478
6479 ret = InitializeAcl(acl, 256, ACL_REVISION);
6480 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6481
6482 ret = pAddMandatoryAce(acl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6483 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6484
6485 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6486 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6487
6488 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6489 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6490
6491 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6492 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6493 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6494
6495 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6496 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6497 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6498
6499 sacl = (void *)0xdeadbeef;
6500 present = FALSE;
6501 defaulted = TRUE;
6502 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6503 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6504 ok(present, "SACL not present\n");
6505 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6506 ok(sacl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sacl->AclRevision);
6507 ok(!defaulted, "SACL defaulted\n");
6508
6509 HeapFree(GetProcessHeap(), 0, sd2);
6510
6511 ret = InitializeAcl(acl, 256, ACL_REVISION);
6512 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6513
6514 ret = AllocateAndInitializeSid(&sia_world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (void **)&everyone);
6515 ok(ret, "AllocateAndInitializeSid failed with error %u\n", GetLastError());
6516
6517 ret = AddAccessAllowedAce(acl, ACL_REVISION, KEY_READ, everyone);
6518 ok(ret, "AddAccessAllowedAce failed with error %u\n", GetLastError());
6519
6520 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6521 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6522
6523 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6524 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6525
6526 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6527 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6528 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6529
6530 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6531 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6532 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6533
6534 sacl = (void *)0xdeadbeef;
6535 present = FALSE;
6536 defaulted = TRUE;
6537 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6538 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6539 ok(present, "SACL not present\n");
6540 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6541 ok(!defaulted, "SACL defaulted\n");
6542 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6543
6544 FreeSid(everyone);
6545 HeapFree(GetProcessHeap(), 0, sd2);
6546 CloseHandle(handle);
6547 }
6548
6549 static void test_system_security_access(void)
6550 {
6551 static const WCHAR testkeyW[] =
6552 {'S','O','F','T','W','A','R','E','\\','W','i','n','e','\\','S','A','C','L','t','e','s','t',0};
6553 LONG res;
6554 HKEY hkey;
6555 PSECURITY_DESCRIPTOR sd;
6556 ACL *sacl;
6557 DWORD err, len = 128;
6558 TOKEN_PRIVILEGES priv, *priv_prev;
6559 HANDLE token;
6560 LUID luid;
6561 BOOL ret;
6562
6563 if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token )) return;
6564 if (!LookupPrivilegeValueA( NULL, SE_SECURITY_NAME, &luid ))
6565 {
6566 CloseHandle( token );
6567 return;
6568 }
6569
6570 /* ACCESS_SYSTEM_SECURITY requires special privilege */
6571 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6572 if (res == ERROR_ACCESS_DENIED)
6573 {
6574 skip( "unprivileged user\n" );
6575 CloseHandle( token );
6576 return;
6577 }
6578 todo_wine ok( res == ERROR_PRIVILEGE_NOT_HELD, "got %d\n", res );
6579
6580 priv.PrivilegeCount = 1;
6581 priv.Privileges[0].Luid = luid;
6582 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6583
6584 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6585 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6586 ok( ret, "got %u\n", GetLastError());
6587
6588 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6589 if (res == ERROR_PRIVILEGE_NOT_HELD)
6590 {
6591 win_skip( "privilege not held\n" );
6592 HeapFree( GetProcessHeap(), 0, priv_prev );
6593 CloseHandle( token );
6594 return;
6595 }
6596 ok( !res, "got %d\n", res );
6597
6598 /* restore privileges */
6599 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6600 ok( ret, "got %u\n", GetLastError() );
6601 HeapFree( GetProcessHeap(), 0, priv_prev );
6602
6603 /* privilege is checked on access */
6604 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6605 todo_wine ok( err == ERROR_PRIVILEGE_NOT_HELD || err == ERROR_ACCESS_DENIED, "got %u\n", err );
6606 if (err == ERROR_SUCCESS)
6607 LocalFree( sd );
6608
6609 priv.PrivilegeCount = 1;
6610 priv.Privileges[0].Luid = luid;
6611 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6612
6613 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6614 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6615 ok( ret, "got %u\n", GetLastError());
6616
6617 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6618 ok( err == ERROR_SUCCESS, "got %u\n", err );
6619 RegCloseKey( hkey );
6620 LocalFree( sd );
6621
6622 /* handle created without ACCESS_SYSTEM_SECURITY, privilege held */
6623 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6624 ok( res == ERROR_SUCCESS, "got %d\n", res );
6625
6626 sd = NULL;
6627 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6628 todo_wine ok( err == ERROR_SUCCESS, "got %u\n", err );
6629 RegCloseKey( hkey );
6630 LocalFree( sd );
6631
6632 /* restore privileges */
6633 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6634 ok( ret, "got %u\n", GetLastError() );
6635 HeapFree( GetProcessHeap(), 0, priv_prev );
6636
6637 /* handle created without ACCESS_SYSTEM_SECURITY, privilege not held */
6638 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6639 ok( res == ERROR_SUCCESS, "got %d\n", res );
6640
6641 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6642 ok( err == ERROR_PRIVILEGE_NOT_HELD || err == ERROR_ACCESS_DENIED, "got %u\n", err );
6643 RegCloseKey( hkey );
6644
6645 res = RegDeleteKeyW( HKEY_LOCAL_MACHINE, testkeyW );
6646 ok( !res, "got %d\n", res );
6647 CloseHandle( token );
6648 }
6649
6650 static void test_GetWindowsAccountDomainSid(void)
6651 {
6652 char *user, buffer1[SECURITY_MAX_SID_SIZE], buffer2[SECURITY_MAX_SID_SIZE];
6653 SID_IDENTIFIER_AUTHORITY domain_ident = { SECURITY_NT_AUTHORITY };
6654 PSID domain_sid = (PSID *)&buffer1;
6655 PSID domain_sid2 = (PSID *)&buffer2;
6656 DWORD sid_size;
6657 PSID user_sid;
6658 HANDLE token;
6659 BOOL bret = TRUE;
6660 int i;
6661
6662 if (!pGetWindowsAccountDomainSid)
6663 {
6664 win_skip("GetWindowsAccountDomainSid not available\n");
6665 return;
6666 }
6667
6668 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
6669 {
6670 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
6671 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
6672 }
6673 if (!bret)
6674 {
6675 win_skip("Failed to get current user token\n");
6676 return;
6677 }
6678
6679 bret = GetTokenInformation(token, TokenUser, NULL, 0, &sid_size);
6680 ok(!bret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6681 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6682 user = HeapAlloc(GetProcessHeap(), 0, sid_size);
6683 bret = GetTokenInformation(token, TokenUser, user, sid_size, &sid_size);
6684 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6685 CloseHandle(token);
6686 user_sid = ((TOKEN_USER *)user)->User.Sid;
6687
6688 SetLastError(0xdeadbeef);
6689 bret = pGetWindowsAccountDomainSid(0, 0, 0);
6690 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6691 ok(GetLastError() == ERROR_INVALID_SID, "expected ERROR_INVALID_SID, got %d\n", GetLastError());
6692
6693 SetLastError(0xdeadbeef);
6694 bret = pGetWindowsAccountDomainSid(user_sid, 0, 0);
6695 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6696 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6697
6698 sid_size = SECURITY_MAX_SID_SIZE;
6699 SetLastError(0xdeadbeef);
6700 bret = pGetWindowsAccountDomainSid(user_sid, 0, &sid_size);
6701 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6702 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6703 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6704
6705 SetLastError(0xdeadbeef);
6706 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, 0);
6707 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6708 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6709
6710 sid_size = 1;
6711 SetLastError(0xdeadbeef);
6712 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6713 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6714 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6715 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6716
6717 sid_size = SECURITY_MAX_SID_SIZE;
6718 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6719 ok(bret, "GetWindowsAccountDomainSid failed with error %d\n", GetLastError());
6720 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6721 InitializeSid(domain_sid2, &domain_ident, 4);
6722 for (i = 0; i < 4; i++)
6723 *GetSidSubAuthority(domain_sid2, i) = *GetSidSubAuthority(user_sid, i);
6724 ok(EqualSid(domain_sid, domain_sid2), "unexpected domain sid %s != %s\n",
6725 debugstr_sid(domain_sid), debugstr_sid(domain_sid2));
6726
6727 HeapFree(GetProcessHeap(), 0, user);
6728 }
6729
6730 static void test_GetSidIdentifierAuthority(void)
6731 {
6732 char buffer[SECURITY_MAX_SID_SIZE];
6733 PSID authority_sid = (PSID *)buffer;
6734 PSID_IDENTIFIER_AUTHORITY id;
6735 BOOL ret;
6736
6737 if (!pGetSidIdentifierAuthority)
6738 {
6739 win_skip("GetSidIdentifierAuthority not available\n");
6740 return;
6741 }
6742
6743 memset(buffer, 0xcc, sizeof(buffer));
6744 ret = IsValidSid(authority_sid);
6745 ok(!ret, "expected FALSE, got %u\n", ret);
6746
6747 SetLastError(0xdeadbeef);
6748 id = GetSidIdentifierAuthority(authority_sid);
6749 ok(id != NULL, "got NULL pointer as identifier authority\n");
6750 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6751
6752 SetLastError(0xdeadbeef);
6753 id = GetSidIdentifierAuthority(NULL);
6754 ok(id != NULL, "got NULL pointer as identifier authority\n");
6755 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6756 }
6757
6758 static void test_pseudo_tokens(void)
6759 {
6760 TOKEN_STATISTICS statistics1, statistics2;
6761 HANDLE token;
6762 DWORD retlen;
6763 BOOL ret;
6764
6765 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
6766 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6767 memset(&statistics1, 0x11, sizeof(statistics1));
6768 ret = GetTokenInformation(token, TokenStatistics, &statistics1, sizeof(statistics1), &retlen);
6769 ok(ret, "GetTokenInformation failed with %u\n", GetLastError());
6770 CloseHandle(token);
6771
6772 /* test GetCurrentProcessToken() */
6773 SetLastError(0xdeadbeef);
6774 memset(&statistics2, 0x22, sizeof(statistics2));
6775 ret = GetTokenInformation(GetCurrentProcessToken(), TokenStatistics,
6776 &statistics2, sizeof(statistics2), &retlen);
6777 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6778 "GetTokenInformation failed with %u\n", GetLastError());
6779 if (ret)
6780 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6781 else
6782 win_skip("CurrentProcessToken not supported, skipping test\n");
6783
6784 /* test GetCurrentThreadEffectiveToken() */
6785 SetLastError(0xdeadbeef);
6786 memset(&statistics2, 0x22, sizeof(statistics2));
6787 ret = GetTokenInformation(GetCurrentThreadEffectiveToken(), TokenStatistics,
6788 &statistics2, sizeof(statistics2), &retlen);
6789 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6790 "GetTokenInformation failed with %u\n", GetLastError());
6791 if (ret)
6792 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6793 else
6794 win_skip("CurrentThreadEffectiveToken not supported, skipping test\n");
6795
6796 SetLastError(0xdeadbeef);
6797 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
6798 ok(!ret, "OpenThreadToken should have failed\n");
6799 ok(GetLastError() == ERROR_NO_TOKEN, "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6800
6801 /* test GetCurrentThreadToken() */
6802 SetLastError(0xdeadbeef);
6803 ret = GetTokenInformation(GetCurrentThreadToken(), TokenStatistics,
6804 &statistics2, sizeof(statistics2), &retlen);
6805 todo_wine ok(GetLastError() == ERROR_NO_TOKEN || broken(GetLastError() == ERROR_INVALID_HANDLE),
6806 "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6807 }
6808
6809 static void test_maximum_allowed(void)
6810 {
6811 HANDLE (WINAPI *pCreateEventExA)(SECURITY_ATTRIBUTES *, LPCSTR, DWORD, DWORD);
6812 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH], buffer_acl[256];
6813 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6814 SECURITY_ATTRIBUTES sa;
6815 ACL *acl = (ACL *)&buffer_acl;
6816 HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");
6817 ACCESS_MASK mask;
6818 HANDLE handle;
6819 BOOL ret;
6820
6821 pCreateEventExA = (void *)GetProcAddress(hkernel32, "CreateEventExA");
6822 if (!pCreateEventExA)
6823 {
6824 win_skip("CreateEventExA is not available\n");
6825 return;
6826 }
6827
6828 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6829 ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
6830 memset(buffer_acl, 0, sizeof(buffer_acl));
6831 ret = InitializeAcl(acl, 256, ACL_REVISION);
6832 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6833 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6834 ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
6835
6836 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6837 sa.lpSecurityDescriptor = sd;
6838 sa.bInheritHandle = FALSE;
6839
6840 handle = pCreateEventExA(&sa, NULL, 0, MAXIMUM_ALLOWED | 0x4);
6841 ok(handle != NULL, "CreateEventExA failed with error %u\n", GetLastError());
6842 mask = get_obj_access(handle);
6843 ok(mask == EVENT_ALL_ACCESS, "Expected %x, got %x\n", EVENT_ALL_ACCESS, mask);
6844 CloseHandle(handle);
6845 }
6846
6847 static void test_token_label(void)
6848 {
6849 static SID medium_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6850 {SECURITY_MANDATORY_MEDIUM_RID}};
6851 static SID high_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6852 {SECURITY_MANDATORY_HIGH_RID}};
6853 SECURITY_DESCRIPTOR_CONTROL control;
6854 SYSTEM_MANDATORY_LABEL_ACE *ace;
6855 BOOL ret, present, defaulted;
6856 SECURITY_DESCRIPTOR *sd;
6857 ACL *sacl = NULL, *dacl;
6858 DWORD size, revision;
6859 HANDLE token;
6860 char *str;
6861 SID *sid;
6862
6863 ret = OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, &token);
6864 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6865
6866 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6867 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6868 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6869
6870 sd = HeapAlloc(GetProcessHeap(), 0, size);
6871 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
6872 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6873
6874 ret = GetSecurityDescriptorControl(sd, &control, &revision);
6875 ok(ret, "GetSecurityDescriptorControl failed with error %u\n", GetLastError());
6876 todo_wine ok(control == (SE_SELF_RELATIVE | SE_SACL_AUTO_INHERITED | SE_SACL_PRESENT) ||
6877 broken(control == SE_SELF_RELATIVE) /* WinXP, Win2003 */,
6878 "Unexpected security descriptor control %#x\n", control);
6879 ok(revision == 1, "Unexpected security descriptor revision %u\n", revision);
6880
6881 sid = (void *)0xdeadbeef;
6882 defaulted = TRUE;
6883 ret = GetSecurityDescriptorOwner(sd, (void **)&sid, &defaulted);
6884 ok(ret, "GetSecurityDescriptorOwner failed with error %u\n", GetLastError());
6885 ok(!sid, "Owner present\n");
6886 ok(!defaulted, "Owner defaulted\n");
6887
6888 sid = (void *)0xdeadbeef;
6889 defaulted = TRUE;
6890 ret = GetSecurityDescriptorGroup(sd, (void **)&sid, &defaulted);
6891 ok(ret, "GetSecurityDescriptorGroup failed with error %u\n", GetLastError());
6892 ok(!sid, "Group present\n");
6893 ok(!defaulted, "Group defaulted\n");
6894
6895 ret = GetSecurityDescriptorSacl(sd, &present, &sacl, &defaulted);
6896 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6897 ok(present || broken(!present) /* WinXP, Win2003 */, "No SACL in the security descriptor\n");
6898 ok(sacl || broken(!sacl) /* WinXP, Win2003 */, "NULL SACL in the security descriptor\n");
6899
6900 if (present)
6901 {
6902 ok(!defaulted, "SACL defaulted\n");
6903 ok(sacl->AceCount == 1, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6904
6905 ret = pGetAce(sacl, 0, (void **)&ace);
6906 ok(ret, "GetAce failed with error %u\n", GetLastError());
6907
6908 ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
6909 "Unexpected ACE type %#x\n", ace->Header.AceType);
6910 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6911 ok(ace->Header.AceSize, "Unexpected ACE size %u\n", ace->Header.AceSize);
6912 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6913
6914 sid = (SID *)&ace->SidStart;
6915 ConvertSidToStringSidA(sid, &str);
6916 ok(EqualSid(sid, &medium_sid) || EqualSid(sid, &high_sid), "Got unexpected SID %s\n", str);
6917 LocalFree(str);
6918 }
6919
6920 ret = GetSecurityDescriptorDacl(sd, &present, &dacl, &defaulted);
6921 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6922 todo_wine ok(!present, "DACL present\n");
6923
6924 HeapFree(GetProcessHeap(), 0, sd);
6925 CloseHandle(token);
6926 }
6927
6928 static void test_token_security_descriptor(void)
6929 {
6930 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6931 {SECURITY_MANDATORY_LOW_RID}};
6932 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6933 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
6934 char buffer_acl[256], buffer[MAX_PATH];
6935 ACL *acl = (ACL *)&buffer_acl, *acl2, *acl_child;
6936 BOOL defaulted, present, ret, found;
6937 HANDLE token, token2, token3;
6938 EXPLICIT_ACCESSW exp_access;
6939 PROCESS_INFORMATION info;
6940 DWORD size, index, retd;
6941 ACCESS_ALLOWED_ACE *ace;
6942 SECURITY_ATTRIBUTES sa;
6943 STARTUPINFOA startup;
6944 PSID psid;
6945
6946 if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
6947 || !pSetEntriesInAclW)
6948 {
6949 win_skip("Some functions not available\n");
6950 return;
6951 }
6952
6953 /* Test whether we can create tokens with security descriptors */
6954 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
6955 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6956
6957 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6958 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6959
6960 memset(buffer_acl, 0, sizeof(buffer_acl));
6961 ret = InitializeAcl(acl, 256, ACL_REVISION);
6962 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6963
6964 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
6965 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
6966
6967 ret = pAddAccessAllowedAceEx(acl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
6968 ok(ret, "AddAccessAllowedAceEx failed with error %u\n", GetLastError());
6969
6970 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6971 ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6972
6973 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6974 sa.lpSecurityDescriptor = sd;
6975 sa.bInheritHandle = FALSE;
6976
6977 ret = pDuplicateTokenEx(token, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenImpersonation, &token2);
6978 ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
6979
6980 ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, NULL, 0, &size);
6981 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6982 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6983
6984 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6985 ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, sd2, size, &size);
6986 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6987
6988 acl2 = (void *)0xdeadbeef;
6989 present = FALSE;
6990 defaulted = TRUE;
6991 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
6992 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6993 ok(present, "acl2 not present\n");
6994 ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
6995 ok(acl2->AceCount == 1, "Expected 1 ACE, got %d\n", acl2->AceCount);
6996 ok(!defaulted, "acl2 defaulted\n");
6997
6998 ret = pGetAce(acl2, 0, (void **)&ace);
6999 ok(ret, "GetAce failed with error %u\n", GetLastError());
7000 ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
7001 ok(EqualSid(&ace->SidStart, psid), "Expected access allowed ACE\n");
7002 ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
7003 "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
7004
7005 HeapFree(GetProcessHeap(), 0, sd2);
7006
7007 /* Duplicate token without security attributes.
7008 * Tokens do not inherit the security descriptor in DuplicateToken. */
7009 ret = pDuplicateTokenEx(token2, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &token3);
7010 ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
7011
7012 ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, NULL, 0, &size);
7013 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7014 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7015
7016 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
7017 ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, sd2, size, &size);
7018 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7019
7020 acl2 = (void *)0xdeadbeef;
7021 present = FALSE;
7022 defaulted = TRUE;
7023 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
7024 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7025 todo_wine
7026 ok(present, "DACL not present\n");
7027
7028 if (present)
7029 {
7030 ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
7031 ok(!defaulted, "DACL defaulted\n");
7032
7033 index = 0;
7034 found = FALSE;
7035 while (pGetAce(acl2, index++, (void **)&ace))
7036 {
7037 if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
7038 found = TRUE;
7039 }
7040 ok(!found, "Access allowed ACE was inherited\n");
7041 }
7042
7043 HeapFree(GetProcessHeap(), 0, sd2);
7044
7045 /* When creating a child process, the process does inherit the token of
7046 * the parent but not the DACL of the token */
7047 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
7048 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7049 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7050
7051 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
7052 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd2, size, &size);
7053 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7054
7055 acl2 = (void *)0xdeadbeef;
7056 present = FALSE;
7057 defaulted = TRUE;
7058 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
7059 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7060 ok(present, "DACL not present\n");
7061 ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
7062 ok(!defaulted, "DACL defaulted\n");
7063
7064 exp_access.grfAccessPermissions = GENERIC_ALL;
7065 exp_access.grfAccessMode = GRANT_ACCESS;
7066 exp_access.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
7067 exp_access.Trustee.pMultipleTrustee = NULL;
7068 exp_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
7069 exp_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
7070 exp_access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
7071 exp_access.Trustee.ptstrName = (void*)psid;
7072
7073 retd = pSetEntriesInAclW(1, &exp_access, acl2, &acl_child);
7074 ok(retd == ERROR_SUCCESS, "Expected ERROR_SUCCESS, got %u\n", retd);
7075
7076 memset(sd, 0, sizeof(buffer_sd));
7077 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
7078 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
7079
7080 ret = SetSecurityDescriptorDacl(sd, TRUE, acl_child, FALSE);
7081 ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7082
7083 ret = SetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd);
7084 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
7085
7086 /* The security label is also not inherited */
7087 if (pAddMandatoryAce)
7088 {
7089 ret = InitializeAcl(acl, 256, ACL_REVISION);
7090 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
7091
7092 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
7093 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
7094
7095 memset(sd, 0, sizeof(buffer_sd));
7096 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
7097 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
7098
7099 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
7100 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7101
7102 ret = SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd);
7103 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
7104 }
7105 else
7106 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7107
7108 /* Start child process with our modified token */
7109 memset(&startup, 0, sizeof(startup));
7110 startup.cb = sizeof(startup);
7111 startup.dwFlags = STARTF_USESHOWWINDOW;
7112 startup.wShowWindow = SW_SHOWNORMAL;
7113
7114 sprintf(buffer, "%s tests/security.c test_token_sd", myARGV[0]);
7115 ret = CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &startup, &info);
7116 ok(ret, "CreateProcess failed with error %u\n", GetLastError());
7117 winetest_wait_child_process(info.hProcess);
7118 CloseHandle(info.hProcess);
7119 CloseHandle(info.hThread);
7120
7121 LocalFree(acl_child);
7122 HeapFree(GetProcessHeap(), 0, sd2);
7123 LocalFree(psid);
7124
7125 CloseHandle(token3);
7126 CloseHandle(token2);
7127 CloseHandle(token);
7128 }
7129
7130 static void test_child_token_sd(void)
7131 {
7132 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
7133 {SECURITY_MANDATORY_LOW_RID}};
7134 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7135 BOOL ret, present, defaulted;
7136 ACCESS_ALLOWED_ACE *acc_ace;
7137 SECURITY_DESCRIPTOR *sd;
7138 DWORD size, i;
7139 HANDLE token;
7140 PSID psid;
7141 ACL *acl;
7142
7143 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
7144 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
7145
7146 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
7147 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
7148
7149 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
7150 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7151 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7152
7153 sd = HeapAlloc(GetProcessHeap(), 0, size);
7154 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd, size, &size);
7155 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7156
7157 acl = NULL;
7158 present = FALSE;
7159 defaulted = TRUE;
7160 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
7161 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7162 ok(present, "DACL not present\n");
7163 ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
7164 ok(!defaulted, "DACL defaulted\n");
7165
7166 ok(acl->AceCount, "Expected at least one ACE\n");
7167 for (i = 0; i < acl->AceCount; i++)
7168 {
7169 ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
7170 ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
7171 "ACE inherited from the parent\n");
7172 }
7173
7174 LocalFree(psid);
7175 HeapFree(GetProcessHeap(), 0, sd);
7176
7177 if (!pAddMandatoryAce)
7178 {
7179 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7180 return;
7181 }
7182
7183 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
7184 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7185 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7186
7187 sd = HeapAlloc(GetProcessHeap(), 0, size);
7188 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
7189 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7190
7191 acl = NULL;
7192 present = FALSE;
7193 defaulted = TRUE;
7194 ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
7195 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7196 ok(present, "SACL not present\n");
7197 ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
7198 ok(!defaulted, "SACL defaulted\n");
7199 ok(acl->AceCount == 1, "Expected exactly one ACE\n");
7200 ret = pGetAce(acl, 0, (void **)&ace_label);
7201 ok(ret, "GetAce failed with error %u\n", GetLastError());
7202 ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
7203 "Unexpected ACE type %#x\n", ace_label->Header.AceType);
7204 ok(!EqualSid(&ace_label->SidStart, &low_level),
7205 "Low integrity level should not have been inherited\n");
7206
7207 HeapFree(GetProcessHeap(), 0, sd);
7208 }
7209
7210 static void test_GetExplicitEntriesFromAclW(void)
7211 {
7212 static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
7213 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
7214 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
7215 PSID everyone_sid = NULL, users_sid = NULL;
7216 EXPLICIT_ACCESSW access;
7217 EXPLICIT_ACCESSW *access2;
7218 PACL new_acl, old_acl = NULL;
7219 ULONG count;
7220 DWORD res;
7221
7222 if (!pGetExplicitEntriesFromAclW)
7223 {
7224 win_skip("GetExplicitEntriesFromAclW is not available\n");
7225 return;
7226 }
7227
7228 if (!pSetEntriesInAclW)
7229 {
7230 win_skip("SetEntriesInAclW is not available\n");
7231 return;
7232 }
7233
7234 old_acl = HeapAlloc(GetProcessHeap(), 0, 256);
7235 res = InitializeAcl(old_acl, 256, ACL_REVISION);
7236 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
7237 {
7238 win_skip("ACLs not implemented - skipping tests\n");
7239 HeapFree(GetProcessHeap(), 0, old_acl);
7240 return;
7241 }
7242 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
7243
7244 res = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid);
7245 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
7246
7247 res = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
7248 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &users_sid);
7249 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
7250
7251 res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, users_sid);
7252 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
7253
7254 access2 = NULL;
7255 res = pGetExplicitEntriesFromAclW(old_acl, &count, &access2);
7256 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7257 ok(count == 1, "Expected count == 1, got %d\n", count);
7258 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7259 ok(access2[0].grfAccessPermissions == KEY_READ, "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
7260 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7261 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7262 ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
7263 LocalFree(access2);
7264
7265 access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
7266 access.Trustee.pMultipleTrustee = NULL;
7267
7268 access.grfAccessPermissions = KEY_WRITE;
7269 access.grfAccessMode = GRANT_ACCESS;
7270 access.grfInheritance = NO_INHERITANCE;
7271 access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
7272 access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
7273 access.Trustee.ptstrName = everyone_sid;
7274 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7275 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7276 ok(new_acl != NULL, "returned acl was NULL\n");
7277
7278 access2 = NULL;
7279 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7280 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7281 ok(count == 2, "Expected count == 2, got %d\n", count);
7282 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7283 ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
7284 ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
7285 "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
7286 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7287 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7288 ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
7289 LocalFree(access2);
7290 LocalFree(new_acl);
7291
7292 access.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
7293 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7294 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7295 ok(new_acl != NULL, "returned acl was NULL\n");
7296
7297 access2 = NULL;
7298 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7299 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7300 ok(count == 2, "Expected count == 2, got %d\n", count);
7301 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7302 ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
7303 ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
7304 "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
7305 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7306 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7307 ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
7308 LocalFree(access2);
7309 LocalFree(new_acl);
7310
7311 access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
7312 access.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
7313 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7314 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7315 ok(new_acl != NULL, "returned acl was NULL\n");
7316
7317 access2 = NULL;
7318 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7319 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7320 ok(count == 2, "Expected count == 2, got %d\n", count);
7321 ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
7322 ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
7323 ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
7324 "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
7325 ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
7326 ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
7327 LocalFree(access2);
7328 LocalFree(new_acl);
7329
7330 access.grfAccessMode = REVOKE_ACCESS;
7331 access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
7332 access.Trustee.ptstrName = users_sid;
7333 res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
7334 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
7335 ok(new_acl != NULL, "returned acl was NULL\n");
7336
7337 access2 = (void *)0xdeadbeef;
7338 res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
7339 ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
7340 ok(count == 0, "Expected count == 0, got %d\n", count);
7341 ok(access2 == NULL, "access2 was not NULL\n");
7342 LocalFree(new_acl);
7343
7344 FreeSid(users_sid);
7345 FreeSid(everyone_sid);
7346 HeapFree(GetProcessHeap(), 0, old_acl);
7347 }
7348
7349 static void test_BuildSecurityDescriptorW(void)
7350 {
7351 SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
7352 ULONG new_sd_size;
7353 DWORD buf_size;
7354 char buf[1024];
7355 BOOL success;
7356 DWORD ret;
7357
7358 InitializeSecurityDescriptor(&old_sd, SECURITY_DESCRIPTOR_REVISION);
7359
7360 buf_size = sizeof(buf);
7361 rel_sd = (SECURITY_DESCRIPTOR *)buf;
7362 success = MakeSelfRelativeSD(&old_sd, rel_sd, &buf_size);
7363 ok(success, "MakeSelfRelativeSD failed with %u\n", GetLastError());
7364
7365 new_sd = NULL;
7366 new_sd_size = 0;
7367 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd);
7368 ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
7369 ok(new_sd != NULL, "expected new_sd != NULL\n");
7370 LocalFree(new_sd);
7371
7372 new_sd = (void *)0xdeadbeef;
7373 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd);
7374 ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret);
7375 ok(new_sd == (void *)0xdeadbeef, "expected new_sd == 0xdeadbeef, got %p\n", new_sd);
7376
7377 new_sd = NULL;
7378 new_sd_size = 0;
7379 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd);
7380 ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
7381 ok(new_sd != NULL, "expected new_sd != NULL\n");
7382 LocalFree(new_sd);
7383 }
7384
7385 START_TEST(security)
7386 {
7387 init();
7388 if (!hmod) return;
7389
7390 if (myARGC >= 3)
7391 {
7392 if (!strcmp(myARGV[2], "test_token_sd"))
7393 test_child_token_sd();
7394 else
7395 test_process_security_child();
7396 return;
7397 }
7398 test_kernel_objects_security();
7399 test_sid();
7400 test_trustee();
7401 test_luid();
7402 test_CreateWellKnownSid();
7403 test_FileSecurity();
7404 test_AccessCheck();
7405 test_token_attr();
7406 test_GetTokenInformation();
7407 test_LookupAccountSid();
7408 test_LookupAccountName();
7409 test_security_descriptor();
7410 test_process_security();
7411 test_impersonation_level();
7412 test_SetEntriesInAclW();
7413 test_SetEntriesInAclA();
7414 test_CreateDirectoryA();
7415 test_GetNamedSecurityInfoA();
7416 test_ConvertStringSecurityDescriptor();
7417 test_ConvertSecurityDescriptorToString();
7418 test_PrivateObjectSecurity();
7419 test_acls();
7420 test_GetWindowsAccountDomainSid();
7421 test_GetSecurityInfo();
7422 test_GetSidSubAuthority();
7423 test_CheckTokenMembership();
7424 test_EqualSid();
7425 test_GetUserNameA();
7426 test_GetUserNameW();
7427 test_CreateRestrictedToken();
7428 test_TokenIntegrityLevel();
7429 test_default_dacl_owner_sid();
7430 test_AdjustTokenPrivileges();
7431 test_AddAce();
7432 test_AddMandatoryAce();
7433 test_system_security_access();
7434 test_GetSidIdentifierAuthority();
7435 test_pseudo_tokens();
7436 test_maximum_allowed();
7437 test_token_label();
7438 test_GetExplicitEntriesFromAclW();
7439 test_BuildSecurityDescriptorW();
7440
7441 /* Must be the last test, modifies process token */
7442 test_token_security_descriptor();
7443 }
Windows API implementation