search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
advapi32/tests: A couple of spelling fixes in ok() messages.
[wine.git] / dlls / advapi32 / tests / security.c
blobf71d45f1a8f344000c158c220c34918f98e5d5a5
1 /*
2 * Unit tests for security functions
3 *
4 * Copyright (c) 2004 Mike McCormack
5 * Copyright (c) 2011 Dmitry Timoshkov
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22 #include <stdarg.h>
23 #include <stdio.h>
24
25 #include "ntstatus.h"
26 #define WIN32_NO_STATUS
27 #include "windef.h"
28 #include "winbase.h"
29 #include "winerror.h"
30 #include "winternl.h"
31 #include "aclapi.h"
32 #include "winnt.h"
33 #include "sddl.h"
34 #include "ntsecapi.h"
35 #include "lmcons.h"
36
37 #include "wine/test.h"
38
39 #ifndef PROCESS_QUERY_LIMITED_INFORMATION
40 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
41 #endif
42
43 /* PROCESS_ALL_ACCESS in Vista+ PSDKs is incompatible with older Windows versions */
44 #define PROCESS_ALL_ACCESS_NT4 (PROCESS_ALL_ACCESS & ~0xf000)
45 #define PROCESS_ALL_ACCESS_VISTA (PROCESS_ALL_ACCESS | 0xf000)
46
47 #ifndef EVENT_QUERY_STATE
48 #define EVENT_QUERY_STATE 0x0001
49 #endif
50
51 #ifndef SEMAPHORE_QUERY_STATE
52 #define SEMAPHORE_QUERY_STATE 0x0001
53 #endif
54
55 #ifndef THREAD_SET_LIMITED_INFORMATION
56 #define THREAD_SET_LIMITED_INFORMATION 0x0400
57 #define THREAD_QUERY_LIMITED_INFORMATION 0x0800
58 #endif
59
60 #define THREAD_ALL_ACCESS_NT4 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff)
61 #define THREAD_ALL_ACCESS_VISTA (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff)
62
63 #define expect_eq(expr, value, type, format) { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); }
64
65 static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
66 static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
67 static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
68 static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
69 static VOID (WINAPI *pBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
70 static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
71 static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
72 POBJECTS_AND_NAME_A pObjName,
73 SE_OBJECT_TYPE ObjectType,
74 LPSTR ObjectTypeName,
75 LPSTR InheritedObjectTypeName,
76 LPSTR Name );
77 static VOID (WINAPI *pBuildTrusteeWithObjectsAndSidA)( PTRUSTEEA pTrustee,
78 POBJECTS_AND_SID pObjSid,
79 GUID* pObjectGuid,
80 GUID* pInheritedObjectGuid,
81 PSID pSid );
82 static LPSTR (WINAPI *pGetTrusteeNameA)( PTRUSTEEA pTrustee );
83 static BOOL (WINAPI *pMakeSelfRelativeSD)( PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, LPDWORD );
84 static BOOL (WINAPI *pConvertSidToStringSidA)( PSID pSid, LPSTR *str );
85 static BOOL (WINAPI *pConvertStringSidToSidA)( LPCSTR str, PSID pSid );
86 static BOOL (WINAPI *pCheckTokenMembership)(HANDLE, PSID, PBOOL);
87 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorA)(LPCSTR, DWORD,
88 PSECURITY_DESCRIPTOR*, PULONG );
89 static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorW)(LPCWSTR, DWORD,
90 PSECURITY_DESCRIPTOR*, PULONG );
91 static BOOL (WINAPI *pConvertSecurityDescriptorToStringSecurityDescriptorA)(PSECURITY_DESCRIPTOR, DWORD,
92 SECURITY_INFORMATION, LPSTR *, PULONG );
93 static BOOL (WINAPI *pGetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
94 PSECURITY_DESCRIPTOR, DWORD, LPDWORD);
95 static BOOL (WINAPI *pSetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
96 PSECURITY_DESCRIPTOR);
97 static DWORD (WINAPI *pGetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
98 PSID*, PSID*, PACL*, PACL*,
99 PSECURITY_DESCRIPTOR*);
100 static DWORD (WINAPI *pSetNamedSecurityInfoA)(LPSTR, SE_OBJECT_TYPE, SECURITY_INFORMATION,
101 PSID, PSID, PACL, PACL);
102 static PDWORD (WINAPI *pGetSidSubAuthority)(PSID, DWORD);
103 static PUCHAR (WINAPI *pGetSidSubAuthorityCount)(PSID);
104 static BOOL (WINAPI *pIsValidSid)(PSID);
105 static DWORD (WINAPI *pRtlAdjustPrivilege)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
106 static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
107 static BOOL (WINAPI *pDuplicateTokenEx)(HANDLE,DWORD,LPSECURITY_ATTRIBUTES,
108 SECURITY_IMPERSONATION_LEVEL,TOKEN_TYPE,PHANDLE);
109
110 static NTSTATUS (WINAPI *pLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMATION_CLASS,PVOID*);
111 static NTSTATUS (WINAPI *pLsaClose)(LSA_HANDLE);
112 static NTSTATUS (WINAPI *pLsaFreeMemory)(PVOID);
113 static NTSTATUS (WINAPI *pLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
114 static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
115 static DWORD (WINAPI *pSetEntriesInAclW)(ULONG, PEXPLICIT_ACCESSW, PACL, PACL*);
116 static DWORD (WINAPI *pSetEntriesInAclA)(ULONG, PEXPLICIT_ACCESSA, PACL, PACL*);
117 static BOOL (WINAPI *pSetSecurityDescriptorControl)(PSECURITY_DESCRIPTOR, SECURITY_DESCRIPTOR_CONTROL,
118 SECURITY_DESCRIPTOR_CONTROL);
119 static DWORD (WINAPI *pGetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
120 PSID*, PSID*, PACL*, PACL*, PSECURITY_DESCRIPTOR*);
121 static DWORD (WINAPI *pSetSecurityInfo)(HANDLE, SE_OBJECT_TYPE, SECURITY_INFORMATION,
122 PSID, PSID, PACL, PACL);
123 static NTSTATUS (WINAPI *pNtAccessCheck)(PSECURITY_DESCRIPTOR, HANDLE, ACCESS_MASK, PGENERIC_MAPPING,
124 PPRIVILEGE_SET, PULONG, PULONG, NTSTATUS*);
125 static BOOL (WINAPI *pCreateRestrictedToken)(HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD,
126 PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, PHANDLE);
127 static BOOL (WINAPI *pGetAclInformation)(PACL,LPVOID,DWORD,ACL_INFORMATION_CLASS);
128 static BOOL (WINAPI *pGetAce)(PACL,DWORD,LPVOID*);
129 static NTSTATUS (WINAPI *pNtSetSecurityObject)(HANDLE,SECURITY_INFORMATION,PSECURITY_DESCRIPTOR);
130 static NTSTATUS (WINAPI *pNtCreateFile)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,PLARGE_INTEGER,ULONG,ULONG,ULONG,ULONG,PVOID,ULONG);
131 static BOOL (WINAPI *pRtlDosPathNameToNtPathName_U)(LPCWSTR,PUNICODE_STRING,PWSTR*,CURDIR*);
132 static NTSTATUS (WINAPI *pRtlAnsiStringToUnicodeString)(PUNICODE_STRING,PCANSI_STRING,BOOLEAN);
133 static BOOL (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
134 static void (WINAPI *pRtlInitAnsiString)(PANSI_STRING,PCSZ);
135 static NTSTATUS (WINAPI *pRtlFreeUnicodeString)(PUNICODE_STRING);
136 static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID);
137
138 static HMODULE hmod;
139 static int myARGC;
140 static char** myARGV;
141
142 struct strsid_entry
143 {
144 const char *str;
145 DWORD flags;
146 };
147 #define STRSID_OK 0
148 #define STRSID_OPT 1
149
150 #define SID_SLOTS 4
151 static char debugsid_str[SID_SLOTS][256];
152 static int debugsid_index = 0;
153 static const char* debugstr_sid(PSID sid)
154 {
155 LPSTR sidstr;
156 DWORD le = GetLastError();
157 char* res = debugsid_str[debugsid_index];
158 debugsid_index = (debugsid_index + 1) % SID_SLOTS;
159 if (!pConvertSidToStringSidA)
160 strcpy(res, "missing ConvertSidToStringSidA");
161 else if (!pConvertSidToStringSidA(sid, &sidstr))
162 sprintf(res, "ConvertSidToStringSidA failed le=%u", GetLastError());
163 else if (strlen(sidstr) > sizeof(*debugsid_str) - 1)
164 {
165 memcpy(res, sidstr, sizeof(*debugsid_str) - 4);
166 strcpy(res + sizeof(*debugsid_str) - 4, "...");
167 LocalFree(sidstr);
168 }
169 else
170 {
171 strcpy(res, sidstr);
172 LocalFree(sidstr);
173 }
174 /* Restore the last error in case ConvertSidToStringSidA() modified it */
175 SetLastError(le);
176 return res;
177 }
178
179 struct sidRef
180 {
181 SID_IDENTIFIER_AUTHORITY auth;
182 const char *refStr;
183 };
184
185 static void init(void)
186 {
187 HMODULE hntdll;
188
189 hntdll = GetModuleHandleA("ntdll.dll");
190 pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
191 pNtAccessCheck = (void *)GetProcAddress( hntdll, "NtAccessCheck" );
192 pNtSetSecurityObject = (void *)GetProcAddress(hntdll, "NtSetSecurityObject");
193 pNtCreateFile = (void *)GetProcAddress(hntdll, "NtCreateFile");
194 pRtlDosPathNameToNtPathName_U = (void *)GetProcAddress(hntdll, "RtlDosPathNameToNtPathName_U");
195 pRtlAnsiStringToUnicodeString = (void *)GetProcAddress(hntdll, "RtlAnsiStringToUnicodeString");
196 pRtlInitAnsiString = (void *)GetProcAddress(hntdll, "RtlInitAnsiString");
197 pRtlFreeUnicodeString = (void *)GetProcAddress(hntdll, "RtlFreeUnicodeString");
198
199 hmod = GetModuleHandleA("advapi32.dll");
200 pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
201 pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
202 pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
203 pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
204 pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
205 pConvertStringSecurityDescriptorToSecurityDescriptorA =
206 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
207 pConvertStringSecurityDescriptorToSecurityDescriptorW =
208 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorW" );
209 pConvertSecurityDescriptorToStringSecurityDescriptorA =
210 (void *)GetProcAddress(hmod, "ConvertSecurityDescriptorToStringSecurityDescriptorA" );
211 pGetFileSecurityA = (void *)GetProcAddress(hmod, "GetFileSecurityA" );
212 pSetFileSecurityA = (void *)GetProcAddress(hmod, "SetFileSecurityA" );
213 pCreateWellKnownSid = (void *)GetProcAddress( hmod, "CreateWellKnownSid" );
214 pGetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "GetNamedSecurityInfoA");
215 pSetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "SetNamedSecurityInfoA");
216 pGetSidSubAuthority = (void *)GetProcAddress(hmod, "GetSidSubAuthority");
217 pGetSidSubAuthorityCount = (void *)GetProcAddress(hmod, "GetSidSubAuthorityCount");
218 pIsValidSid = (void *)GetProcAddress(hmod, "IsValidSid");
219 pMakeSelfRelativeSD = (void *)GetProcAddress(hmod, "MakeSelfRelativeSD");
220 pSetEntriesInAclW = (void *)GetProcAddress(hmod, "SetEntriesInAclW");
221 pSetEntriesInAclA = (void *)GetProcAddress(hmod, "SetEntriesInAclA");
222 pSetSecurityDescriptorControl = (void *)GetProcAddress(hmod, "SetSecurityDescriptorControl");
223 pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
224 pSetSecurityInfo = (void *)GetProcAddress(hmod, "SetSecurityInfo");
225 pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
226 pConvertSidToStringSidA = (void *)GetProcAddress(hmod, "ConvertSidToStringSidA");
227 pConvertStringSidToSidA = (void *)GetProcAddress(hmod, "ConvertStringSidToSidA");
228 pGetAclInformation = (void *)GetProcAddress(hmod, "GetAclInformation");
229 pGetAce = (void *)GetProcAddress(hmod, "GetAce");
230 pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
231 pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
232 pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
233
234 myARGC = winetest_get_mainargs( &myARGV );
235 }
236
237 static SECURITY_DESCRIPTOR* test_get_security_descriptor(HANDLE handle, int line)
238 {
239 /* use HeapFree(GetProcessHeap(), 0, sd); when done */
240 DWORD ret, length, needed;
241 SECURITY_DESCRIPTOR *sd;
242
243 needed = 0xdeadbeef;
244 SetLastError(0xdeadbeef);
245 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
246 NULL, 0, &needed);
247 ok_(__FILE__, line)(!ret, "GetKernelObjectSecurity should fail\n");
248 ok_(__FILE__, line)(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
249 ok_(__FILE__, line)(needed != 0xdeadbeef, "GetKernelObjectSecurity should return required buffer length\n");
250
251 length = needed;
252 sd = HeapAlloc(GetProcessHeap(), 0, length);
253
254 needed = 0xdeadbeef;
255 SetLastError(0xdeadbeef);
256 ret = GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
257 sd, length, &needed);
258 ok_(__FILE__, line)(ret, "GetKernelObjectSecurity error %d\n", GetLastError());
259 ok_(__FILE__, line)(needed == length || needed == 0 /* file, pipe */, "GetKernelObjectSecurity should return %u instead of %u\n", length, needed);
260 return sd;
261 }
262
263 static void test_owner_equal(HANDLE Handle, PSID expected, int line)
264 {
265 BOOL res;
266 SECURITY_DESCRIPTOR *queriedSD = NULL;
267 PSID owner;
268 BOOL owner_defaulted;
269
270 queriedSD = test_get_security_descriptor( Handle, line );
271
272 res = GetSecurityDescriptorOwner(queriedSD, &owner, &owner_defaulted);
273 ok_(__FILE__, line)(res, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
274
275 ok_(__FILE__, line)(EqualSid(owner, expected), "Owner SIDs are not equal %s != %s\n",
276 debugstr_sid(owner), debugstr_sid(expected));
277 ok_(__FILE__, line)(!owner_defaulted, "Defaulted is true\n");
278
279 HeapFree(GetProcessHeap(), 0, queriedSD);
280 }
281
282 static void test_group_equal(HANDLE Handle, PSID expected, int line)
283 {
284 BOOL res;
285 SECURITY_DESCRIPTOR *queriedSD = NULL;
286 PSID group;
287 BOOL group_defaulted;
288
289 queriedSD = test_get_security_descriptor( Handle, line );
290
291 res = GetSecurityDescriptorGroup(queriedSD, &group, &group_defaulted);
292 ok_(__FILE__, line)(res, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
293
294 ok_(__FILE__, line)(EqualSid(group, expected), "Group SIDs are not equal %s != %s\n",
295 debugstr_sid(group), debugstr_sid(expected));
296 ok_(__FILE__, line)(!group_defaulted, "Defaulted is true\n");
297
298 HeapFree(GetProcessHeap(), 0, queriedSD);
299 }
300
301 static void test_sid(void)
302 {
303 struct sidRef refs[] = {
304 { { {0x00,0x00,0x33,0x44,0x55,0x66} }, "S-1-860116326-1" },
305 { { {0x00,0x00,0x01,0x02,0x03,0x04} }, "S-1-16909060-1" },
306 { { {0x00,0x00,0x00,0x01,0x02,0x03} }, "S-1-66051-1" },
307 { { {0x00,0x00,0x00,0x00,0x01,0x02} }, "S-1-258-1" },
308 { { {0x00,0x00,0x00,0x00,0x00,0x02} }, "S-1-2-1" },
309 { { {0x00,0x00,0x00,0x00,0x00,0x0c} }, "S-1-12-1" },
310 };
311 struct strsid_entry strsid_table[] = {
312 {"AO", STRSID_OK}, {"RU", STRSID_OK}, {"AN", STRSID_OK}, {"AU", STRSID_OK},
313 {"BA", STRSID_OK}, {"BG", STRSID_OK}, {"BO", STRSID_OK}, {"BU", STRSID_OK},
314 {"CA", STRSID_OPT}, {"CG", STRSID_OK}, {"CO", STRSID_OK}, {"DA", STRSID_OPT},
315 {"DC", STRSID_OPT}, {"DD", STRSID_OPT}, {"DG", STRSID_OPT}, {"DU", STRSID_OPT},
316 {"EA", STRSID_OPT}, {"ED", STRSID_OK}, {"WD", STRSID_OK}, {"PA", STRSID_OPT},
317 {"IU", STRSID_OK}, {"LA", STRSID_OK}, {"LG", STRSID_OK}, {"LS", STRSID_OK},
318 {"SY", STRSID_OK}, {"NU", STRSID_OK}, {"NO", STRSID_OK}, {"NS", STRSID_OK},
319 {"PO", STRSID_OK}, {"PS", STRSID_OK}, {"PU", STRSID_OK}, {"RS", STRSID_OPT},
320 {"RD", STRSID_OK}, {"RE", STRSID_OK}, {"RC", STRSID_OK}, {"SA", STRSID_OPT},
321 {"SO", STRSID_OK}, {"SU", STRSID_OK}};
322
323 const char noSubAuthStr[] = "S-1-5";
324 unsigned int i;
325 PSID psid = NULL;
326 SID *pisid;
327 BOOL r;
328 LPSTR str = NULL;
329
330 if( !pConvertSidToStringSidA || !pConvertStringSidToSidA )
331 {
332 win_skip("ConvertSidToStringSidA or ConvertStringSidToSidA not available\n");
333 return;
334 }
335
336 r = pConvertStringSidToSidA( NULL, NULL );
337 ok( !r, "expected failure with NULL parameters\n" );
338 if( GetLastError() == ERROR_CALL_NOT_IMPLEMENTED )
339 return;
340 ok( GetLastError() == ERROR_INVALID_PARAMETER,
341 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
342 GetLastError() );
343
344 r = pConvertStringSidToSidA( refs[0].refStr, NULL );
345 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
346 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
347 GetLastError() );
348
349 r = pConvertStringSidToSidA( NULL, &str );
350 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
351 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %d\n",
352 GetLastError() );
353
354 r = pConvertStringSidToSidA( noSubAuthStr, &psid );
355 ok( !r,
356 "expected failure with no sub authorities\n" );
357 ok( GetLastError() == ERROR_INVALID_SID,
358 "expected GetLastError() is ERROR_INVALID_SID, got %d\n",
359 GetLastError() );
360
361 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid), "ConvertStringSidToSidA failed\n");
362 pisid = psid;
363 ok(pisid->SubAuthorityCount == 4, "Invalid sub authority count - expected 4, got %d\n", pisid->SubAuthorityCount);
364 ok(pisid->SubAuthority[0] == 21, "Invalid subauthority 0 - expected 21, got %d\n", pisid->SubAuthority[0]);
365 ok(pisid->SubAuthority[3] == 4576, "Invalid subauthority 0 - expected 4576, got %d\n", pisid->SubAuthority[3]);
366 LocalFree(str);
367 LocalFree(psid);
368
369 for( i = 0; i < sizeof(refs) / sizeof(refs[0]); i++ )
370 {
371 r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
372 &psid );
373 ok( r, "failed to allocate sid\n" );
374 r = pConvertSidToStringSidA( psid, &str );
375 ok( r, "failed to convert sid\n" );
376 if (r)
377 {
378 ok( !strcmp( str, refs[i].refStr ),
379 "incorrect sid, expected %s, got %s\n", refs[i].refStr, str );
380 LocalFree( str );
381 }
382 if( psid )
383 FreeSid( psid );
384
385 r = pConvertStringSidToSidA( refs[i].refStr, &psid );
386 ok( r, "failed to parse sid string\n" );
387 pisid = psid;
388 ok( pisid &&
389 !memcmp( pisid->IdentifierAuthority.Value, refs[i].auth.Value,
390 sizeof(refs[i].auth) ),
391 "string sid %s didn't parse to expected value\n"
392 "(got 0x%04x%08x, expected 0x%04x%08x)\n",
393 refs[i].refStr,
394 MAKEWORD( pisid->IdentifierAuthority.Value[1],
395 pisid->IdentifierAuthority.Value[0] ),
396 MAKELONG( MAKEWORD( pisid->IdentifierAuthority.Value[5],
397 pisid->IdentifierAuthority.Value[4] ),
398 MAKEWORD( pisid->IdentifierAuthority.Value[3],
399 pisid->IdentifierAuthority.Value[2] ) ),
400 MAKEWORD( refs[i].auth.Value[1], refs[i].auth.Value[0] ),
401 MAKELONG( MAKEWORD( refs[i].auth.Value[5], refs[i].auth.Value[4] ),
402 MAKEWORD( refs[i].auth.Value[3], refs[i].auth.Value[2] ) ) );
403 if( psid )
404 LocalFree( psid );
405 }
406
407 /* string constant format not supported before XP */
408 r = pConvertStringSidToSidA(strsid_table[0].str, &psid);
409 if(!r)
410 {
411 win_skip("String constant format not supported\n");
412 return;
413 }
414 LocalFree(psid);
415
416 for(i = 0; i < sizeof(strsid_table) / sizeof(strsid_table[0]); i++)
417 {
418 char *temp;
419
420 SetLastError(0xdeadbeef);
421 r = pConvertStringSidToSidA(strsid_table[i].str, &psid);
422
423 if (!(strsid_table[i].flags & STRSID_OPT))
424 {
425 ok(r, "%s: got %u\n", strsid_table[i].str, GetLastError());
426 }
427
428 if (r)
429 {
430 if ((winetest_debug > 1) && (pConvertSidToStringSidA(psid, &temp)))
431 {
432 trace(" %s: %s\n", strsid_table[i].str, temp);
433 LocalFree(temp);
434 }
435 LocalFree(psid);
436 }
437 else
438 {
439 if (GetLastError() != ERROR_INVALID_SID)
440 trace(" %s: couldn't be converted, returned %d\n", strsid_table[i].str, GetLastError());
441 else
442 trace(" %s: couldn't be converted\n", strsid_table[i].str);
443 }
444 }
445 }
446
447 static void test_trustee(void)
448 {
449 GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}};
450 GUID InheritedObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}};
451 GUID ZeroGuid;
452 OBJECTS_AND_NAME_A oan;
453 OBJECTS_AND_SID oas;
454 TRUSTEEA trustee;
455 PSID psid;
456 char szObjectTypeName[] = "ObjectTypeName";
457 char szInheritedObjectTypeName[] = "InheritedObjectTypeName";
458 char szTrusteeName[] = "szTrusteeName";
459 SID_IDENTIFIER_AUTHORITY auth = { {0x11,0x22,0,0,0, 0} };
460
461 memset( &ZeroGuid, 0x00, sizeof (ZeroGuid) );
462
463 pBuildTrusteeWithSidA = (void *)GetProcAddress( hmod, "BuildTrusteeWithSidA" );
464 pBuildTrusteeWithNameA = (void *)GetProcAddress( hmod, "BuildTrusteeWithNameA" );
465 pBuildTrusteeWithObjectsAndNameA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndNameA" );
466 pBuildTrusteeWithObjectsAndSidA = (void *)GetProcAddress (hmod, "BuildTrusteeWithObjectsAndSidA" );
467 pGetTrusteeNameA = (void *)GetProcAddress (hmod, "GetTrusteeNameA" );
468 if( !pBuildTrusteeWithSidA || !pBuildTrusteeWithNameA ||
469 !pBuildTrusteeWithObjectsAndNameA || !pBuildTrusteeWithObjectsAndSidA ||
470 !pGetTrusteeNameA )
471 return;
472
473 if ( ! AllocateAndInitializeSid( &auth, 1, 42, 0,0,0,0,0,0,0,&psid ) )
474 {
475 trace( "failed to init SID\n" );
476 return;
477 }
478
479 /* test BuildTrusteeWithSidA */
480 memset( &trustee, 0xff, sizeof trustee );
481 pBuildTrusteeWithSidA( &trustee, psid );
482
483 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
484 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
485 "MultipleTrusteeOperation wrong\n");
486 ok( trustee.TrusteeForm == TRUSTEE_IS_SID, "TrusteeForm wrong\n");
487 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
488 ok( trustee.ptstrName == psid, "ptstrName wrong\n" );
489
490 /* test BuildTrusteeWithObjectsAndSidA (test 1) */
491 memset( &trustee, 0xff, sizeof trustee );
492 memset( &oas, 0xff, sizeof(oas) );
493 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, &ObjectType,
494 &InheritedObjectType, psid);
495
496 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
497 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
498 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
499 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
500 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
501
502 ok(oas.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
503 ok(!memcmp(&oas.ObjectTypeGuid, &ObjectType, sizeof(GUID)), "ObjectTypeGuid wrong\n");
504 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
505 ok(oas.pSid == psid, "pSid wrong\n");
506
507 /* test GetTrusteeNameA */
508 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oas, "GetTrusteeName returned wrong value\n");
509
510 /* test BuildTrusteeWithObjectsAndSidA (test 2) */
511 memset( &trustee, 0xff, sizeof trustee );
512 memset( &oas, 0xff, sizeof(oas) );
513 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, NULL,
514 &InheritedObjectType, psid);
515
516 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
517 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
518 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
519 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
520 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
521
522 ok(oas.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
523 ok(!memcmp(&oas.ObjectTypeGuid, &ZeroGuid, sizeof(GUID)), "ObjectTypeGuid wrong\n");
524 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
525 ok(oas.pSid == psid, "pSid wrong\n");
526
527 FreeSid( psid );
528
529 /* test BuildTrusteeWithNameA */
530 memset( &trustee, 0xff, sizeof trustee );
531 pBuildTrusteeWithNameA( &trustee, szTrusteeName );
532
533 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
534 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
535 "MultipleTrusteeOperation wrong\n");
536 ok( trustee.TrusteeForm == TRUSTEE_IS_NAME, "TrusteeForm wrong\n");
537 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
538 ok( trustee.ptstrName == szTrusteeName, "ptstrName wrong\n" );
539
540 /* test BuildTrusteeWithObjectsAndNameA (test 1) */
541 memset( &trustee, 0xff, sizeof trustee );
542 memset( &oan, 0xff, sizeof(oan) );
543 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
544 szInheritedObjectTypeName, szTrusteeName);
545
546 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
547 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
548 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
549 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
550 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
551
552 ok(oan.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
553 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
554 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
555 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
556
557 /* test GetTrusteeNameA */
558 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oan, "GetTrusteeName returned wrong value\n");
559
560 /* test BuildTrusteeWithObjectsAndNameA (test 2) */
561 memset( &trustee, 0xff, sizeof trustee );
562 memset( &oan, 0xff, sizeof(oan) );
563 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, NULL,
564 szInheritedObjectTypeName, szTrusteeName);
565
566 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
567 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
568 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
569 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
570 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
571
572 ok(oan.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
573 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
574 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
575 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
576
577 /* test BuildTrusteeWithObjectsAndNameA (test 3) */
578 memset( &trustee, 0xff, sizeof trustee );
579 memset( &oan, 0xff, sizeof(oan) );
580 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
581 NULL, szTrusteeName);
582
583 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
584 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
585 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
586 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
587 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
588
589 ok(oan.ObjectsPresent == ACE_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
590 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
591 ok(oan.InheritedObjectTypeName == NULL, "InheritedObjectTypeName wrong\n");
592 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
593 }
594
595 /* If the first isn't defined, assume none is */
596 #ifndef SE_MIN_WELL_KNOWN_PRIVILEGE
597 #define SE_MIN_WELL_KNOWN_PRIVILEGE 2L
598 #define SE_CREATE_TOKEN_PRIVILEGE 2L
599 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3L
600 #define SE_LOCK_MEMORY_PRIVILEGE 4L
601 #define SE_INCREASE_QUOTA_PRIVILEGE 5L
602 #define SE_MACHINE_ACCOUNT_PRIVILEGE 6L
603 #define SE_TCB_PRIVILEGE 7L
604 #define SE_SECURITY_PRIVILEGE 8L
605 #define SE_TAKE_OWNERSHIP_PRIVILEGE 9L
606 #define SE_LOAD_DRIVER_PRIVILEGE 10L
607 #define SE_SYSTEM_PROFILE_PRIVILEGE 11L
608 #define SE_SYSTEMTIME_PRIVILEGE 12L
609 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13L
610 #define SE_INC_BASE_PRIORITY_PRIVILEGE 14L
611 #define SE_CREATE_PAGEFILE_PRIVILEGE 15L
612 #define SE_CREATE_PERMANENT_PRIVILEGE 16L
613 #define SE_BACKUP_PRIVILEGE 17L
614 #define SE_RESTORE_PRIVILEGE 18L
615 #define SE_SHUTDOWN_PRIVILEGE 19L
616 #define SE_DEBUG_PRIVILEGE 20L
617 #define SE_AUDIT_PRIVILEGE 21L
618 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22L
619 #define SE_CHANGE_NOTIFY_PRIVILEGE 23L
620 #define SE_REMOTE_SHUTDOWN_PRIVILEGE 24L
621 #define SE_UNDOCK_PRIVILEGE 25L
622 #define SE_SYNC_AGENT_PRIVILEGE 26L
623 #define SE_ENABLE_DELEGATION_PRIVILEGE 27L
624 #define SE_MANAGE_VOLUME_PRIVILEGE 28L
625 #define SE_IMPERSONATE_PRIVILEGE 29L
626 #define SE_CREATE_GLOBAL_PRIVILEGE 30L
627 #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE
628 #endif /* ndef SE_MIN_WELL_KNOWN_PRIVILEGE */
629
630 static void test_allocateLuid(void)
631 {
632 BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
633 LUID luid1, luid2;
634 BOOL ret;
635
636 pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
637 if (!pAllocateLocallyUniqueId) return;
638
639 ret = pAllocateLocallyUniqueId(&luid1);
640 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
641 return;
642
643 ok(ret,
644 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
645 ret = pAllocateLocallyUniqueId(&luid2);
646 ok( ret,
647 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
648 ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
649 "AllocateLocallyUniqueId returned a well-known LUID\n");
650 ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
651 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
652 ret = pAllocateLocallyUniqueId(NULL);
653 ok( !ret && GetLastError() == ERROR_NOACCESS,
654 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %d\n",
655 GetLastError());
656 }
657
658 static void test_lookupPrivilegeName(void)
659 {
660 BOOL (WINAPI *pLookupPrivilegeNameA)(LPCSTR, PLUID, LPSTR, LPDWORD);
661 char buf[MAX_PATH]; /* arbitrary, seems long enough */
662 DWORD cchName = sizeof(buf);
663 LUID luid = { 0, 0 };
664 LONG i;
665 BOOL ret;
666
667 /* check whether it's available first */
668 pLookupPrivilegeNameA = (void*)GetProcAddress(hmod, "LookupPrivilegeNameA");
669 if (!pLookupPrivilegeNameA) return;
670 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
671 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
672 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
673 return;
674
675 /* check with a short buffer */
676 cchName = 0;
677 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
678 ret = pLookupPrivilegeNameA(NULL, &luid, NULL, &cchName);
679 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
680 "LookupPrivilegeNameA didn't fail with ERROR_INSUFFICIENT_BUFFER: %d\n",
681 GetLastError());
682 ok(cchName == strlen("SeCreateTokenPrivilege") + 1,
683 "LookupPrivilegeNameA returned an incorrect required length for\n"
684 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
685 lstrlenA("SeCreateTokenPrivilege") + 1);
686 /* check a known value and its returned length on success */
687 cchName = sizeof(buf);
688 ok(pLookupPrivilegeNameA(NULL, &luid, buf, &cchName) &&
689 cchName == strlen("SeCreateTokenPrivilege"),
690 "LookupPrivilegeNameA returned an incorrect output length for\n"
691 "SeCreateTokenPrivilege (got %d, expected %d)\n", cchName,
692 (int)strlen("SeCreateTokenPrivilege"));
693 /* check known values */
694 for (i = SE_MIN_WELL_KNOWN_PRIVILEGE; i <= SE_MAX_WELL_KNOWN_PRIVILEGE; i++)
695 {
696 luid.LowPart = i;
697 cchName = sizeof(buf);
698 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
699 ok( ret || GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
700 "LookupPrivilegeNameA(0.%d) failed: %d\n", i, GetLastError());
701 }
702 /* check a bogus LUID */
703 luid.LowPart = 0xdeadbeef;
704 cchName = sizeof(buf);
705 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
706 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
707 "LookupPrivilegeNameA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
708 GetLastError());
709 /* check on a bogus system */
710 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
711 cchName = sizeof(buf);
712 ret = pLookupPrivilegeNameA("b0gu5.Nam3", &luid, buf, &cchName);
713 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
714 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
715 "LookupPrivilegeNameA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
716 GetLastError());
717 }
718
719 struct NameToLUID
720 {
721 const char *name;
722 DWORD lowPart;
723 };
724
725 static void test_lookupPrivilegeValue(void)
726 {
727 static const struct NameToLUID privs[] = {
728 { "SeCreateTokenPrivilege", SE_CREATE_TOKEN_PRIVILEGE },
729 { "SeAssignPrimaryTokenPrivilege", SE_ASSIGNPRIMARYTOKEN_PRIVILEGE },
730 { "SeLockMemoryPrivilege", SE_LOCK_MEMORY_PRIVILEGE },
731 { "SeIncreaseQuotaPrivilege", SE_INCREASE_QUOTA_PRIVILEGE },
732 { "SeMachineAccountPrivilege", SE_MACHINE_ACCOUNT_PRIVILEGE },
733 { "SeTcbPrivilege", SE_TCB_PRIVILEGE },
734 { "SeSecurityPrivilege", SE_SECURITY_PRIVILEGE },
735 { "SeTakeOwnershipPrivilege", SE_TAKE_OWNERSHIP_PRIVILEGE },
736 { "SeLoadDriverPrivilege", SE_LOAD_DRIVER_PRIVILEGE },
737 { "SeSystemProfilePrivilege", SE_SYSTEM_PROFILE_PRIVILEGE },
738 { "SeSystemtimePrivilege", SE_SYSTEMTIME_PRIVILEGE },
739 { "SeProfileSingleProcessPrivilege", SE_PROF_SINGLE_PROCESS_PRIVILEGE },
740 { "SeIncreaseBasePriorityPrivilege", SE_INC_BASE_PRIORITY_PRIVILEGE },
741 { "SeCreatePagefilePrivilege", SE_CREATE_PAGEFILE_PRIVILEGE },
742 { "SeCreatePermanentPrivilege", SE_CREATE_PERMANENT_PRIVILEGE },
743 { "SeBackupPrivilege", SE_BACKUP_PRIVILEGE },
744 { "SeRestorePrivilege", SE_RESTORE_PRIVILEGE },
745 { "SeShutdownPrivilege", SE_SHUTDOWN_PRIVILEGE },
746 { "SeDebugPrivilege", SE_DEBUG_PRIVILEGE },
747 { "SeAuditPrivilege", SE_AUDIT_PRIVILEGE },
748 { "SeSystemEnvironmentPrivilege", SE_SYSTEM_ENVIRONMENT_PRIVILEGE },
749 { "SeChangeNotifyPrivilege", SE_CHANGE_NOTIFY_PRIVILEGE },
750 { "SeRemoteShutdownPrivilege", SE_REMOTE_SHUTDOWN_PRIVILEGE },
751 { "SeUndockPrivilege", SE_UNDOCK_PRIVILEGE },
752 { "SeSyncAgentPrivilege", SE_SYNC_AGENT_PRIVILEGE },
753 { "SeEnableDelegationPrivilege", SE_ENABLE_DELEGATION_PRIVILEGE },
754 { "SeManageVolumePrivilege", SE_MANAGE_VOLUME_PRIVILEGE },
755 { "SeImpersonatePrivilege", SE_IMPERSONATE_PRIVILEGE },
756 { "SeCreateGlobalPrivilege", SE_CREATE_GLOBAL_PRIVILEGE },
757 };
758 BOOL (WINAPI *pLookupPrivilegeValueA)(LPCSTR, LPCSTR, PLUID);
759 unsigned int i;
760 LUID luid;
761 BOOL ret;
762
763 /* check whether it's available first */
764 pLookupPrivilegeValueA = (void*)GetProcAddress(hmod, "LookupPrivilegeValueA");
765 if (!pLookupPrivilegeValueA) return;
766 ret = pLookupPrivilegeValueA(NULL, "SeCreateTokenPrivilege", &luid);
767 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
768 return;
769
770 /* check a bogus system name */
771 ret = pLookupPrivilegeValueA("b0gu5.Nam3", "SeCreateTokenPrivilege", &luid);
772 ok( !ret && (GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
773 GetLastError() == RPC_S_INVALID_NET_ADDR) /* w2k8 */,
774 "LookupPrivilegeValueA didn't fail with RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR: %d\n",
775 GetLastError());
776 /* check a NULL string */
777 ret = pLookupPrivilegeValueA(NULL, 0, &luid);
778 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
779 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
780 GetLastError());
781 /* check a bogus privilege name */
782 ret = pLookupPrivilegeValueA(NULL, "SeBogusPrivilege", &luid);
783 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
784 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %d\n",
785 GetLastError());
786 /* check case insensitive */
787 ret = pLookupPrivilegeValueA(NULL, "sEcREATEtOKENpRIVILEGE", &luid);
788 ok( ret,
789 "LookupPrivilegeValueA(NULL, sEcREATEtOKENpRIVILEGE, &luid) failed: %d\n",
790 GetLastError());
791 for (i = 0; i < sizeof(privs) / sizeof(privs[0]); i++)
792 {
793 /* Not all privileges are implemented on all Windows versions, so
794 * don't worry if the call fails
795 */
796 if (pLookupPrivilegeValueA(NULL, privs[i].name, &luid))
797 {
798 ok(luid.LowPart == privs[i].lowPart,
799 "LookupPrivilegeValueA returned an invalid LUID for %s\n",
800 privs[i].name);
801 }
802 }
803 }
804
805 static void test_luid(void)
806 {
807 test_allocateLuid();
808 test_lookupPrivilegeName();
809 test_lookupPrivilegeValue();
810 }
811
812 static void test_FileSecurity(void)
813 {
814 char wintmpdir [MAX_PATH];
815 char path [MAX_PATH];
816 char file [MAX_PATH];
817 HANDLE fh, token;
818 DWORD sdSize, retSize, rc, granted, priv_set_len;
819 PRIVILEGE_SET priv_set;
820 BOOL status;
821 BYTE *sd;
822 GENERIC_MAPPING mapping = { FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, FILE_ALL_ACCESS };
823 const SECURITY_INFORMATION request = OWNER_SECURITY_INFORMATION
824 | GROUP_SECURITY_INFORMATION
825 | DACL_SECURITY_INFORMATION;
826
827 if (!pGetFileSecurityA) {
828 win_skip ("GetFileSecurity is not available\n");
829 return;
830 }
831
832 if (!pSetFileSecurityA) {
833 win_skip ("SetFileSecurity is not available\n");
834 return;
835 }
836
837 if (!GetTempPathA (sizeof (wintmpdir), wintmpdir)) {
838 win_skip ("GetTempPathA failed\n");
839 return;
840 }
841
842 /* Create a temporary directory and in it a temporary file */
843 strcat (strcpy (path, wintmpdir), "rary");
844 SetLastError(0xdeadbeef);
845 rc = CreateDirectoryA (path, NULL);
846 ok (rc || GetLastError() == ERROR_ALREADY_EXISTS, "CreateDirectoryA "
847 "failed for '%s' with %d\n", path, GetLastError());
848
849 strcat (strcpy (file, path), "\\ess");
850 SetLastError(0xdeadbeef);
851 fh = CreateFileA (file, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
852 ok (fh != INVALID_HANDLE_VALUE, "CreateFileA "
853 "failed for '%s' with %d\n", file, GetLastError());
854 CloseHandle (fh);
855
856 /* For the temporary file ... */
857
858 /* Get size needed */
859 retSize = 0;
860 SetLastError(0xdeadbeef);
861 rc = pGetFileSecurityA (file, request, NULL, 0, &retSize);
862 if (!rc && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)) {
863 win_skip("GetFileSecurityA is not implemented\n");
864 goto cleanup;
865 }
866 ok (!rc, "GetFileSecurityA "
867 "was expected to fail for '%s'\n", file);
868 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
869 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
870 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
871
872 sdSize = retSize;
873 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
874
875 /* Get security descriptor for real */
876 retSize = -1;
877 SetLastError(0xdeadbeef);
878 rc = pGetFileSecurityA (file, request, sd, sdSize, &retSize);
879 ok (rc, "GetFileSecurityA "
880 "was not expected to fail '%s': %d\n", file, GetLastError());
881 ok (retSize == sdSize ||
882 broken(retSize == 0), /* NT4 */
883 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
884
885 /* Use it to set security descriptor */
886 SetLastError(0xdeadbeef);
887 rc = pSetFileSecurityA (file, request, sd);
888 ok (rc, "SetFileSecurityA "
889 "was not expected to fail '%s': %d\n", file, GetLastError());
890
891 HeapFree (GetProcessHeap (), 0, sd);
892
893 /* Repeat for the temporary directory ... */
894
895 /* Get size needed */
896 retSize = 0;
897 SetLastError(0xdeadbeef);
898 rc = pGetFileSecurityA (path, request, NULL, 0, &retSize);
899 ok (!rc, "GetFileSecurityA "
900 "was expected to fail for '%s'\n", path);
901 ok (GetLastError() == ERROR_INSUFFICIENT_BUFFER, "GetFileSecurityA "
902 "returned %d; expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
903 ok (retSize > sizeof (SECURITY_DESCRIPTOR), "GetFileSecurityA returned size %d\n", retSize);
904
905 sdSize = retSize;
906 sd = HeapAlloc (GetProcessHeap (), 0, sdSize);
907
908 /* Get security descriptor for real */
909 retSize = -1;
910 SetLastError(0xdeadbeef);
911 rc = pGetFileSecurityA (path, request, sd, sdSize, &retSize);
912 ok (rc, "GetFileSecurityA "
913 "was not expected to fail '%s': %d\n", path, GetLastError());
914 ok (retSize == sdSize ||
915 broken(retSize == 0), /* NT4 */
916 "GetFileSecurityA returned size %d; expected %d\n", retSize, sdSize);
917
918 /* Use it to set security descriptor */
919 SetLastError(0xdeadbeef);
920 rc = pSetFileSecurityA (path, request, sd);
921 ok (rc, "SetFileSecurityA "
922 "was not expected to fail '%s': %d\n", path, GetLastError());
923 HeapFree (GetProcessHeap (), 0, sd);
924
925 /* Old test */
926 strcpy (wintmpdir, "\\Should not exist");
927 SetLastError(0xdeadbeef);
928 rc = pGetFileSecurityA (wintmpdir, OWNER_SECURITY_INFORMATION, NULL, 0, &sdSize);
929 ok (!rc, "GetFileSecurityA should fail for not existing directories/files\n");
930 ok (GetLastError() == ERROR_FILE_NOT_FOUND,
931 "last error ERROR_FILE_NOT_FOUND expected, got %d\n", GetLastError());
932
933 cleanup:
934 /* Remove temporary file and directory */
935 DeleteFileA(file);
936 RemoveDirectoryA(path);
937
938 /* Test file access permissions for a file with FILE_ATTRIBUTE_ARCHIVE */
939 SetLastError(0xdeadbeef);
940 rc = GetTempPathA(sizeof(wintmpdir), wintmpdir);
941 ok(rc, "GetTempPath error %d\n", GetLastError());
942
943 SetLastError(0xdeadbeef);
944 rc = GetTempFileNameA(wintmpdir, "tmp", 0, file);
945 ok(rc, "GetTempFileName error %d\n", GetLastError());
946
947 rc = GetFileAttributesA(file);
948 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
949 ok(rc == FILE_ATTRIBUTE_ARCHIVE, "expected FILE_ATTRIBUTE_ARCHIVE got %#x\n", rc);
950
951 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
952 NULL, 0, &sdSize);
953 ok(!rc, "GetFileSecurity should fail\n");
954 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
955 "expected ERROR_INSUFFICIENT_BUFFER got %d\n", GetLastError());
956 ok(sdSize > sizeof(SECURITY_DESCRIPTOR), "got sd size %d\n", sdSize);
957
958 sd = HeapAlloc(GetProcessHeap (), 0, sdSize);
959 retSize = 0xdeadbeef;
960 SetLastError(0xdeadbeef);
961 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
962 sd, sdSize, &retSize);
963 ok(rc, "GetFileSecurity error %d\n", GetLastError());
964 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
965
966 SetLastError(0xdeadbeef);
967 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
968 ok(!rc, "OpenThreadToken should fail\n");
969 ok(GetLastError() == ERROR_NO_TOKEN, "expected ERROR_NO_TOKEN, got %d\n", GetLastError());
970
971 SetLastError(0xdeadbeef);
972 rc = ImpersonateSelf(SecurityIdentification);
973 ok(rc, "ImpersonateSelf error %d\n", GetLastError());
974
975 SetLastError(0xdeadbeef);
976 rc = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
977 ok(rc, "OpenThreadToken error %d\n", GetLastError());
978
979 SetLastError(0xdeadbeef);
980 rc = RevertToSelf();
981 ok(rc, "RevertToSelf error %d\n", GetLastError());
982
983 priv_set_len = sizeof(priv_set);
984 granted = 0xdeadbeef;
985 status = 0xdeadbeef;
986 SetLastError(0xdeadbeef);
987 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
988 ok(rc, "AccessCheck error %d\n", GetLastError());
989 ok(status == 1, "expected 1, got %d\n", status);
990 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
991
992 granted = 0xdeadbeef;
993 status = 0xdeadbeef;
994 SetLastError(0xdeadbeef);
995 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
996 ok(rc, "AccessCheck error %d\n", GetLastError());
997 ok(status == 1, "expected 1, got %d\n", status);
998 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
999
1000 granted = 0xdeadbeef;
1001 status = 0xdeadbeef;
1002 SetLastError(0xdeadbeef);
1003 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1004 ok(rc, "AccessCheck error %d\n", GetLastError());
1005 ok(status == 1, "expected 1, got %d\n", status);
1006 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1007
1008 granted = 0xdeadbeef;
1009 status = 0xdeadbeef;
1010 SetLastError(0xdeadbeef);
1011 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1012 ok(rc, "AccessCheck error %d\n", GetLastError());
1013 ok(status == 1, "expected 1, got %d\n", status);
1014 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1015
1016 granted = 0xdeadbeef;
1017 status = 0xdeadbeef;
1018 SetLastError(0xdeadbeef);
1019 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1020 ok(rc, "AccessCheck error %d\n", GetLastError());
1021 ok(status == 1, "expected 1, got %d\n", status);
1022 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1023
1024 granted = 0xdeadbeef;
1025 status = 0xdeadbeef;
1026 SetLastError(0xdeadbeef);
1027 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1028 ok(rc, "AccessCheck error %d\n", GetLastError());
1029 ok(status == 1, "expected 1, got %d\n", status);
1030 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1031
1032 granted = 0xdeadbeef;
1033 status = 0xdeadbeef;
1034 SetLastError(0xdeadbeef);
1035 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1036 ok(rc, "AccessCheck error %d\n", GetLastError());
1037 ok(status == 1, "expected 1, got %d\n", status);
1038 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1039
1040 SetLastError(0xdeadbeef);
1041 rc = AccessCheck(sd, token, 0xffffffff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1042 ok(!rc, "AccessCheck should fail\n");
1043 ok(GetLastError() == ERROR_GENERIC_NOT_MAPPED, "expected ERROR_GENERIC_NOT_MAPPED, got %d\n", GetLastError());
1044
1045 /* Test file access permissions for a file with FILE_ATTRIBUTE_READONLY */
1046 SetLastError(0xdeadbeef);
1047 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1048 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1049 retSize = 0xdeadbeef;
1050 SetLastError(0xdeadbeef);
1051 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1052 ok(!rc, "WriteFile should fail\n");
1053 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1054 ok(retSize == 0, "expected 0, got %d\n", retSize);
1055 CloseHandle(fh);
1056
1057 rc = GetFileAttributesA(file);
1058 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1059 todo_wine
1060 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1061 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1062
1063 SetLastError(0xdeadbeef);
1064 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1065 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1066 SetLastError(0xdeadbeef);
1067 rc = DeleteFileA(file);
1068 ok(rc, "DeleteFile error %d\n", GetLastError());
1069
1070 SetLastError(0xdeadbeef);
1071 fh = CreateFileA(file, FILE_READ_DATA, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_READONLY, 0);
1072 ok(fh != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
1073 retSize = 0xdeadbeef;
1074 SetLastError(0xdeadbeef);
1075 rc = WriteFile(fh, "1", 1, &retSize, NULL);
1076 ok(!rc, "WriteFile should fail\n");
1077 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1078 ok(retSize == 0, "expected 0, got %d\n", retSize);
1079 CloseHandle(fh);
1080
1081 rc = GetFileAttributesA(file);
1082 rc &= ~(FILE_ATTRIBUTE_NOT_CONTENT_INDEXED|FILE_ATTRIBUTE_COMPRESSED);
1083 ok(rc == (FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY),
1084 "expected FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_READONLY got %#x\n", rc);
1085
1086 retSize = 0xdeadbeef;
1087 SetLastError(0xdeadbeef);
1088 rc = GetFileSecurityA(file, OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
1089 sd, sdSize, &retSize);
1090 ok(rc, "GetFileSecurity error %d\n", GetLastError());
1091 ok(retSize == sdSize || broken(retSize == 0) /* NT4 */, "expected %d, got %d\n", sdSize, retSize);
1092
1093 priv_set_len = sizeof(priv_set);
1094 granted = 0xdeadbeef;
1095 status = 0xdeadbeef;
1096 SetLastError(0xdeadbeef);
1097 rc = AccessCheck(sd, token, FILE_READ_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1098 ok(rc, "AccessCheck error %d\n", GetLastError());
1099 ok(status == 1, "expected 1, got %d\n", status);
1100 ok(granted == FILE_READ_DATA, "expected FILE_READ_DATA, got %#x\n", granted);
1101
1102 granted = 0xdeadbeef;
1103 status = 0xdeadbeef;
1104 SetLastError(0xdeadbeef);
1105 rc = AccessCheck(sd, token, FILE_WRITE_DATA, &mapping, &priv_set, &priv_set_len, &granted, &status);
1106 ok(rc, "AccessCheck error %d\n", GetLastError());
1107 todo_wine {
1108 ok(status == 1, "expected 1, got %d\n", status);
1109 ok(granted == FILE_WRITE_DATA, "expected FILE_WRITE_DATA, got %#x\n", granted);
1110 }
1111 granted = 0xdeadbeef;
1112 status = 0xdeadbeef;
1113 SetLastError(0xdeadbeef);
1114 rc = AccessCheck(sd, token, FILE_EXECUTE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1115 ok(rc, "AccessCheck error %d\n", GetLastError());
1116 ok(status == 1, "expected 1, got %d\n", status);
1117 ok(granted == FILE_EXECUTE, "expected FILE_EXECUTE, got %#x\n", granted);
1118
1119 granted = 0xdeadbeef;
1120 status = 0xdeadbeef;
1121 SetLastError(0xdeadbeef);
1122 rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
1123 ok(rc, "AccessCheck error %d\n", GetLastError());
1124 todo_wine {
1125 ok(status == 1, "expected 1, got %d\n", status);
1126 ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
1127 }
1128 granted = 0xdeadbeef;
1129 status = 0xdeadbeef;
1130 SetLastError(0xdeadbeef);
1131 rc = AccessCheck(sd, token, FILE_DELETE_CHILD, &mapping, &priv_set, &priv_set_len, &granted, &status);
1132 ok(rc, "AccessCheck error %d\n", GetLastError());
1133 todo_wine {
1134 ok(status == 1, "expected 1, got %d\n", status);
1135 ok(granted == FILE_DELETE_CHILD, "expected FILE_DELETE_CHILD, got %#x\n", granted);
1136 }
1137 granted = 0xdeadbeef;
1138 status = 0xdeadbeef;
1139 SetLastError(0xdeadbeef);
1140 rc = AccessCheck(sd, token, 0x1ff, &mapping, &priv_set, &priv_set_len, &granted, &status);
1141 ok(rc, "AccessCheck error %d\n", GetLastError());
1142 todo_wine {
1143 ok(status == 1, "expected 1, got %d\n", status);
1144 ok(granted == 0x1ff, "expected 0x1ff, got %#x\n", granted);
1145 }
1146 granted = 0xdeadbeef;
1147 status = 0xdeadbeef;
1148 SetLastError(0xdeadbeef);
1149 rc = AccessCheck(sd, token, FILE_ALL_ACCESS, &mapping, &priv_set, &priv_set_len, &granted, &status);
1150 ok(rc, "AccessCheck error %d\n", GetLastError());
1151 todo_wine {
1152 ok(status == 1, "expected 1, got %d\n", status);
1153 ok(granted == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", granted);
1154 }
1155 SetLastError(0xdeadbeef);
1156 rc = DeleteFileA(file);
1157 ok(!rc, "DeleteFile should fail\n");
1158 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
1159 SetLastError(0xdeadbeef);
1160 rc = SetFileAttributesA(file, FILE_ATTRIBUTE_ARCHIVE);
1161 ok(rc, "SetFileAttributes error %d\n", GetLastError());
1162 SetLastError(0xdeadbeef);
1163 rc = DeleteFileA(file);
1164 ok(rc, "DeleteFile error %d\n", GetLastError());
1165
1166 CloseHandle(token);
1167 HeapFree(GetProcessHeap(), 0, sd);
1168 }
1169
1170 static void test_AccessCheck(void)
1171 {
1172 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
1173 PACL Acl = NULL;
1174 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
1175 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
1176 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
1177 GENERIC_MAPPING Mapping = { KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS };
1178 ACCESS_MASK Access;
1179 BOOL AccessStatus;
1180 HANDLE Token;
1181 HANDLE ProcessToken;
1182 BOOL ret;
1183 DWORD PrivSetLen;
1184 PRIVILEGE_SET *PrivSet;
1185 BOOL res;
1186 HMODULE NtDllModule;
1187 BOOLEAN Enabled;
1188 DWORD err;
1189 NTSTATUS ntret, ntAccessStatus;
1190
1191 NtDllModule = GetModuleHandleA("ntdll.dll");
1192 if (!NtDllModule)
1193 {
1194 skip("not running on NT, skipping test\n");
1195 return;
1196 }
1197 pRtlAdjustPrivilege = (void *)GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
1198 if (!pRtlAdjustPrivilege)
1199 {
1200 win_skip("missing RtlAdjustPrivilege, skipping test\n");
1201 return;
1202 }
1203
1204 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
1205 res = InitializeAcl(Acl, 256, ACL_REVISION);
1206 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1207 {
1208 skip("ACLs not implemented - skipping tests\n");
1209 HeapFree(GetProcessHeap(), 0, Acl);
1210 return;
1211 }
1212 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
1213
1214 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
1215 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1216
1217 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1218 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
1219 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1220
1221 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
1222 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
1223 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1224
1225 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
1226
1227 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
1228 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
1229
1230 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1231 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1232
1233 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1234 PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
1235 PrivSet->PrivilegeCount = 16;
1236
1237 res = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &ProcessToken);
1238 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
1239
1240 pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
1241
1242 res = DuplicateToken(ProcessToken, SecurityImpersonation, &Token);
1243 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1244
1245 /* SD without owner/group */
1246 SetLastError(0xdeadbeef);
1247 Access = AccessStatus = 0x1abe11ed;
1248 ret = AccessCheck(SecurityDescriptor, Token, KEY_QUERY_VALUE, &Mapping,
1249 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1250 err = GetLastError();
1251 ok(!ret && err == ERROR_INVALID_SECURITY_DESCR, "AccessCheck should have "
1252 "failed with ERROR_INVALID_SECURITY_DESCR, instead of %d\n", err);
1253 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1254 "Access and/or AccessStatus were changed!\n");
1255
1256 /* Set owner and group */
1257 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
1258 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
1259 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
1260 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
1261
1262 /* Generic access mask */
1263 SetLastError(0xdeadbeef);
1264 Access = AccessStatus = 0x1abe11ed;
1265 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1266 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1267 err = GetLastError();
1268 ok(!ret && err == ERROR_GENERIC_NOT_MAPPED, "AccessCheck should have failed "
1269 "with ERROR_GENERIC_NOT_MAPPED, instead of %d\n", err);
1270 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1271 "Access and/or AccessStatus were changed!\n");
1272
1273 /* Generic access mask - no privilegeset buffer */
1274 SetLastError(0xdeadbeef);
1275 Access = AccessStatus = 0x1abe11ed;
1276 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1277 NULL, &PrivSetLen, &Access, &AccessStatus);
1278 err = GetLastError();
1279 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1280 "with ERROR_NOACCESS, instead of %d\n", err);
1281 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1282 "Access and/or AccessStatus were changed!\n");
1283
1284 /* Generic access mask - no returnlength */
1285 SetLastError(0xdeadbeef);
1286 Access = AccessStatus = 0x1abe11ed;
1287 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1288 PrivSet, NULL, &Access, &AccessStatus);
1289 err = GetLastError();
1290 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1291 "with ERROR_NOACCESS, instead of %d\n", err);
1292 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1293 "Access and/or AccessStatus were changed!\n");
1294
1295 /* Generic access mask - no privilegeset buffer, no returnlength */
1296 SetLastError(0xdeadbeef);
1297 Access = AccessStatus = 0x1abe11ed;
1298 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1299 NULL, NULL, &Access, &AccessStatus);
1300 err = GetLastError();
1301 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1302 "with ERROR_NOACCESS, instead of %d\n", err);
1303 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1304 "Access and/or AccessStatus were changed!\n");
1305
1306 /* sd with no dacl present */
1307 Access = AccessStatus = 0x1abe11ed;
1308 ret = SetSecurityDescriptorDacl(SecurityDescriptor, FALSE, NULL, FALSE);
1309 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1310 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1311 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1312 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1313 ok(AccessStatus && (Access == KEY_READ),
1314 "AccessCheck failed to grant access with error %d\n",
1315 GetLastError());
1316
1317 /* sd with no dacl present - no privilegeset buffer */
1318 SetLastError(0xdeadbeef);
1319 Access = AccessStatus = 0x1abe11ed;
1320 ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1321 NULL, &PrivSetLen, &Access, &AccessStatus);
1322 err = GetLastError();
1323 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1324 "with ERROR_NOACCESS, instead of %d\n", err);
1325 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1326 "Access and/or AccessStatus were changed!\n");
1327
1328 if(pNtAccessCheck)
1329 {
1330 /* Generic access mask - no privilegeset buffer */
1331 SetLastError(0xdeadbeef);
1332 Access = ntAccessStatus = 0x1abe11ed;
1333 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1334 NULL, &PrivSetLen, &Access, &ntAccessStatus);
1335 err = GetLastError();
1336 ok(ntret == STATUS_ACCESS_VIOLATION,
1337 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1338 ok(err == 0xdeadbeef,
1339 "NtAccessCheck shouldn't set last error, got %d\n", err);
1340 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1341 "Access and/or AccessStatus were changed!\n");
1342
1343 /* Generic access mask - no returnlength */
1344 SetLastError(0xdeadbeef);
1345 Access = ntAccessStatus = 0x1abe11ed;
1346 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1347 PrivSet, NULL, &Access, &ntAccessStatus);
1348 err = GetLastError();
1349 ok(ntret == STATUS_ACCESS_VIOLATION,
1350 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1351 ok(err == 0xdeadbeef,
1352 "NtAccessCheck shouldn't set last error, got %d\n", err);
1353 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1354 "Access and/or AccessStatus were changed!\n");
1355
1356 /* Generic access mask - no privilegeset buffer, no returnlength */
1357 SetLastError(0xdeadbeef);
1358 Access = ntAccessStatus = 0x1abe11ed;
1359 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1360 NULL, NULL, &Access, &ntAccessStatus);
1361 err = GetLastError();
1362 ok(ntret == STATUS_ACCESS_VIOLATION,
1363 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1364 ok(err == 0xdeadbeef,
1365 "NtAccessCheck shouldn't set last error, got %d\n", err);
1366 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1367 "Access and/or AccessStatus were changed!\n");
1368 }
1369 else
1370 win_skip("NtAccessCheck unavailable. Skipping.\n");
1371
1372 /* sd with NULL dacl */
1373 Access = AccessStatus = 0x1abe11ed;
1374 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, NULL, FALSE);
1375 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1376 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1377 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1378 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1379 ok(AccessStatus && (Access == KEY_READ),
1380 "AccessCheck failed to grant access with error %d\n",
1381 GetLastError());
1382 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1383 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1384 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1385 ok(AccessStatus && (Access == KEY_ALL_ACCESS),
1386 "AccessCheck failed to grant access with error %d\n",
1387 GetLastError());
1388
1389 /* sd with blank dacl */
1390 ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
1391 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1392 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1393 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1394 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1395 err = GetLastError();
1396 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1397 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1398 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1399
1400 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
1401 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
1402
1403 res = AddAccessDeniedAce(Acl, ACL_REVISION, KEY_SET_VALUE, AdminSid);
1404 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
1405
1406 /* sd with dacl */
1407 Access = AccessStatus = 0x1abe11ed;
1408 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1409 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1410 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1411 ok(AccessStatus && (Access == KEY_READ),
1412 "AccessCheck failed to grant access with error %d\n",
1413 GetLastError());
1414
1415 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1416 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1417 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1418 ok(AccessStatus,
1419 "AccessCheck failed to grant any access with error %d\n",
1420 GetLastError());
1421 trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08x\n", Access);
1422
1423 /* Null PrivSet with null PrivSetLen pointer */
1424 SetLastError(0xdeadbeef);
1425 Access = AccessStatus = 0x1abe11ed;
1426 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1427 NULL, NULL, &Access, &AccessStatus);
1428 err = GetLastError();
1429 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1430 "failed with ERROR_NOACCESS, instead of %d\n", err);
1431 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1432 "Access and/or AccessStatus were changed!\n");
1433
1434 /* Null PrivSet with zero PrivSetLen */
1435 SetLastError(0xdeadbeef);
1436 Access = AccessStatus = 0x1abe11ed;
1437 PrivSetLen = 0;
1438 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1439 0, &PrivSetLen, &Access, &AccessStatus);
1440 err = GetLastError();
1441 todo_wine
1442 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1443 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1444 todo_wine
1445 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1446 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1447 "Access and/or AccessStatus were changed!\n");
1448
1449 /* Null PrivSet with insufficient PrivSetLen */
1450 SetLastError(0xdeadbeef);
1451 Access = AccessStatus = 0x1abe11ed;
1452 PrivSetLen = 1;
1453 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1454 0, &PrivSetLen, &Access, &AccessStatus);
1455 err = GetLastError();
1456 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1457 "failed with ERROR_NOACCESS, instead of %d\n", err);
1458 ok(PrivSetLen == 1, "PrivSetLen returns %d\n", PrivSetLen);
1459 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1460 "Access and/or AccessStatus were changed!\n");
1461
1462 /* Null PrivSet with insufficient PrivSetLen */
1463 SetLastError(0xdeadbeef);
1464 Access = AccessStatus = 0x1abe11ed;
1465 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1466 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1467 0, &PrivSetLen, &Access, &AccessStatus);
1468 err = GetLastError();
1469 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1470 "failed with ERROR_NOACCESS, instead of %d\n", err);
1471 ok(PrivSetLen == sizeof(PRIVILEGE_SET) - 1, "PrivSetLen returns %d\n", PrivSetLen);
1472 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1473 "Access and/or AccessStatus were changed!\n");
1474
1475 /* Null PrivSet with minimal sufficient PrivSetLen */
1476 SetLastError(0xdeadbeef);
1477 Access = AccessStatus = 0x1abe11ed;
1478 PrivSetLen = sizeof(PRIVILEGE_SET);
1479 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1480 0, &PrivSetLen, &Access, &AccessStatus);
1481 err = GetLastError();
1482 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1483 "failed with ERROR_NOACCESS, instead of %d\n", err);
1484 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1485 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1486 "Access and/or AccessStatus were changed!\n");
1487
1488 /* Valid PrivSet with zero PrivSetLen */
1489 SetLastError(0xdeadbeef);
1490 Access = AccessStatus = 0x1abe11ed;
1491 PrivSetLen = 0;
1492 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1493 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1494 err = GetLastError();
1495 todo_wine
1496 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1497 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1498 todo_wine
1499 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1500 todo_wine
1501 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1502 "Access and/or AccessStatus were changed!\n");
1503
1504 /* Valid PrivSet with insufficient PrivSetLen */
1505 SetLastError(0xdeadbeef);
1506 Access = AccessStatus = 0x1abe11ed;
1507 PrivSetLen = 1;
1508 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1509 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1510 err = GetLastError();
1511 todo_wine
1512 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1513 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1514 todo_wine
1515 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1516 todo_wine
1517 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1518 "Access and/or AccessStatus were changed!\n");
1519
1520 /* Valid PrivSet with insufficient PrivSetLen */
1521 SetLastError(0xdeadbeef);
1522 Access = AccessStatus = 0x1abe11ed;
1523 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1524 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1525 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1526 err = GetLastError();
1527 todo_wine
1528 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1529 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1530 todo_wine
1531 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1532 todo_wine
1533 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1534 "Access and/or AccessStatus were changed!\n");
1535
1536 /* Valid PrivSet with minimal sufficient PrivSetLen */
1537 SetLastError(0xdeadbeef);
1538 Access = AccessStatus = 0x1abe11ed;
1539 PrivSetLen = sizeof(PRIVILEGE_SET);
1540 memset(PrivSet, 0xcc, PrivSetLen);
1541 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1542 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1543 err = GetLastError();
1544 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1545 todo_wine
1546 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1547 ok(AccessStatus && (Access == KEY_READ),
1548 "AccessCheck failed to grant access with error %d\n", GetLastError());
1549 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1550 PrivSet->PrivilegeCount);
1551
1552 /* Valid PrivSet with sufficient PrivSetLen */
1553 SetLastError(0xdeadbeef);
1554 Access = AccessStatus = 0x1abe11ed;
1555 PrivSetLen = sizeof(PRIVILEGE_SET) + 1;
1556 memset(PrivSet, 0xcc, PrivSetLen);
1557 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1558 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1559 err = GetLastError();
1560 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1561 todo_wine
1562 ok(PrivSetLen == sizeof(PRIVILEGE_SET) + 1, "PrivSetLen returns %d\n", PrivSetLen);
1563 ok(AccessStatus && (Access == KEY_READ),
1564 "AccessCheck failed to grant access with error %d\n", GetLastError());
1565 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1566 PrivSet->PrivilegeCount);
1567
1568 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1569
1570 /* Null PrivSet with valid PrivSetLen */
1571 SetLastError(0xdeadbeef);
1572 Access = AccessStatus = 0x1abe11ed;
1573 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1574 0, &PrivSetLen, &Access, &AccessStatus);
1575 err = GetLastError();
1576 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1577 "failed with ERROR_NOACCESS, instead of %d\n", err);
1578 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1579 "Access and/or AccessStatus were changed!\n");
1580
1581 /* Access denied by SD */
1582 SetLastError(0xdeadbeef);
1583 Access = AccessStatus = 0x1abe11ed;
1584 ret = AccessCheck(SecurityDescriptor, Token, KEY_WRITE, &Mapping,
1585 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1586 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1587 err = GetLastError();
1588 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1589 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1590 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1591
1592 SetLastError(0xdeadbeef);
1593 PrivSet->PrivilegeCount = 16;
1594 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1595 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1596 ok(ret && !AccessStatus && GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
1597 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %d\n",
1598 GetLastError());
1599
1600 ret = ImpersonateLoggedOnUser(Token);
1601 ok(ret, "ImpersonateLoggedOnUser failed with error %d\n", GetLastError());
1602 ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
1603 if (!ret)
1604 {
1605 /* Valid PrivSet with zero PrivSetLen */
1606 SetLastError(0xdeadbeef);
1607 Access = AccessStatus = 0x1abe11ed;
1608 PrivSetLen = 0;
1609 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1610 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1611 err = GetLastError();
1612 todo_wine
1613 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1614 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1615 todo_wine
1616 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1617 todo_wine
1618 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1619 "Access and/or AccessStatus were changed!\n");
1620
1621 /* Valid PrivSet with insufficient PrivSetLen */
1622 SetLastError(0xdeadbeef);
1623 Access = AccessStatus = 0x1abe11ed;
1624 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1625 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1626 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1627 err = GetLastError();
1628 todo_wine
1629 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1630 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1631 todo_wine
1632 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1633 todo_wine
1634 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1635 "Access and/or AccessStatus were changed!\n");
1636
1637 /* Valid PrivSet with minimal sufficient PrivSetLen */
1638 SetLastError(0xdeadbeef);
1639 Access = AccessStatus = 0x1abe11ed;
1640 PrivSetLen = sizeof(PRIVILEGE_SET);
1641 memset(PrivSet, 0xcc, PrivSetLen);
1642 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1643 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1644 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1645 "AccessCheck should have succeeded, error %d\n",
1646 GetLastError());
1647 ok(Access == ACCESS_SYSTEM_SECURITY,
1648 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1649 Access);
1650 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1651 PrivSet->PrivilegeCount);
1652
1653 /* Valid PrivSet with large PrivSetLen */
1654 SetLastError(0xdeadbeef);
1655 Access = AccessStatus = 0x1abe11ed;
1656 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1657 memset(PrivSet, 0xcc, PrivSetLen);
1658 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
1659 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1660 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1661 "AccessCheck should have succeeded, error %d\n",
1662 GetLastError());
1663 ok(Access == ACCESS_SYSTEM_SECURITY,
1664 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1665 Access);
1666 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1667 PrivSet->PrivilegeCount);
1668 }
1669 else
1670 trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
1671 ret);
1672 ret = RevertToSelf();
1673 ok(ret, "RevertToSelf failed with error %d\n", GetLastError());
1674
1675 /* test INHERIT_ONLY_ACE */
1676 ret = InitializeAcl(Acl, 256, ACL_REVISION);
1677 ok(ret, "InitializeAcl failed with error %d\n", GetLastError());
1678
1679 /* NT doesn't have AddAccessAllowedAceEx. Skipping this call/test doesn't influence
1680 * the next ones.
1681 */
1682 if (pAddAccessAllowedAceEx)
1683 {
1684 ret = pAddAccessAllowedAceEx(Acl, ACL_REVISION, INHERIT_ONLY_ACE, KEY_READ, EveryoneSid);
1685 ok(ret, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
1686 }
1687 else
1688 win_skip("AddAccessAllowedAceEx is not available\n");
1689
1690 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
1691 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1692 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1693 err = GetLastError();
1694 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1695 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1696 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1697
1698 CloseHandle(Token);
1699
1700 res = DuplicateToken(ProcessToken, SecurityAnonymous, &Token);
1701 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1702
1703 SetLastError(0xdeadbeef);
1704 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
1705 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1706 err = GetLastError();
1707 ok(!ret && err == ERROR_BAD_IMPERSONATION_LEVEL, "AccessCheck should have failed "
1708 "with ERROR_BAD_IMPERSONATION_LEVEL, instead of %d\n", err);
1709
1710 CloseHandle(Token);
1711
1712 SetLastError(0xdeadbeef);
1713 ret = AccessCheck(SecurityDescriptor, ProcessToken, KEY_READ, &Mapping,
1714 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1715 err = GetLastError();
1716 ok(!ret && err == ERROR_NO_IMPERSONATION_TOKEN, "AccessCheck should have failed "
1717 "with ERROR_NO_IMPERSONATION_TOKEN, instead of %d\n", err);
1718
1719 CloseHandle(ProcessToken);
1720
1721 if (EveryoneSid)
1722 FreeSid(EveryoneSid);
1723 if (AdminSid)
1724 FreeSid(AdminSid);
1725 if (UsersSid)
1726 FreeSid(UsersSid);
1727 HeapFree(GetProcessHeap(), 0, Acl);
1728 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
1729 HeapFree(GetProcessHeap(), 0, PrivSet);
1730 }
1731
1732 /* test GetTokenInformation for the various attributes */
1733 static void test_token_attr(void)
1734 {
1735 HANDLE Token, ImpersonationToken;
1736 DWORD Size, Size2;
1737 TOKEN_PRIVILEGES *Privileges;
1738 TOKEN_GROUPS *Groups;
1739 TOKEN_USER *User;
1740 TOKEN_DEFAULT_DACL *Dacl;
1741 BOOL ret;
1742 DWORD i, GLE;
1743 LPSTR SidString;
1744 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
1745 ACL *acl;
1746
1747 /* cygwin-like use case */
1748 SetLastError(0xdeadbeef);
1749 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Token);
1750 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
1751 {
1752 win_skip("OpenProcessToken is not implemented\n");
1753 return;
1754 }
1755 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1756 if (ret)
1757 {
1758 DWORD buf[256]; /* GetTokenInformation wants a dword-aligned buffer */
1759 Size = sizeof(buf);
1760 ret = GetTokenInformation(Token, TokenUser,(void*)buf, Size, &Size);
1761 ok(ret, "GetTokenInformation failed with error %d\n", GetLastError());
1762 Size = sizeof(ImpersonationLevel);
1763 ret = GetTokenInformation(Token, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1764 GLE = GetLastError();
1765 ok(!ret && (GLE == ERROR_INVALID_PARAMETER), "GetTokenInformation(TokenImpersonationLevel) on primary token should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GLE);
1766 CloseHandle(Token);
1767 }
1768
1769 if(!pConvertSidToStringSidA)
1770 {
1771 win_skip("ConvertSidToStringSidA is not available\n");
1772 return;
1773 }
1774
1775 SetLastError(0xdeadbeef);
1776 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &Token);
1777 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
1778
1779 /* groups */
1780 /* insufficient buffer length */
1781 SetLastError(0xdeadbeef);
1782 Size2 = 0;
1783 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size2);
1784 ok(Size2 > 1, "got %d\n", Size2);
1785 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1786 "%d with error %d\n", ret, GetLastError());
1787 Size2 -= 1;
1788 Groups = HeapAlloc(GetProcessHeap(), 0, Size2);
1789 memset(Groups, 0xcc, Size2);
1790 Size = 0;
1791 ret = GetTokenInformation(Token, TokenGroups, Groups, Size2, &Size);
1792 ok(Size > 1, "got %d\n", Size);
1793 ok((!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER) || broken(ret) /* wow64 */,
1794 "%d with error %d\n", ret, GetLastError());
1795 if(!ret)
1796 ok(*((BYTE*)Groups) == 0xcc, "buffer altered\n");
1797
1798 HeapFree(GetProcessHeap(), 0, Groups);
1799
1800 SetLastError(0xdeadbeef);
1801 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size);
1802 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
1803 "GetTokenInformation(TokenGroups) %s with error %d\n",
1804 ret ? "succeeded" : "failed", GetLastError());
1805 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
1806 SetLastError(0xdeadbeef);
1807 ret = GetTokenInformation(Token, TokenGroups, Groups, Size, &Size);
1808 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
1809 ok(GetLastError() == 0xdeadbeef,
1810 "GetTokenInformation shouldn't have set last error to %d\n",
1811 GetLastError());
1812 trace("TokenGroups:\n");
1813 for (i = 0; i < Groups->GroupCount; i++)
1814 {
1815 DWORD NameLength = 255;
1816 CHAR Name[255];
1817 DWORD DomainLength = 255;
1818 CHAR Domain[255];
1819 SID_NAME_USE SidNameUse;
1820 Name[0] = '\0';
1821 Domain[0] = '\0';
1822 ret = LookupAccountSidA(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
1823 if (ret)
1824 {
1825 pConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
1826 trace("%s, %s\\%s use: %d attr: 0x%08x\n", SidString, Domain, Name, SidNameUse, Groups->Groups[i].Attributes);
1827 LocalFree(SidString);
1828 }
1829 else trace("attr: 0x%08x LookupAccountSid failed with error %d\n", Groups->Groups[i].Attributes, GetLastError());
1830 }
1831 HeapFree(GetProcessHeap(), 0, Groups);
1832
1833 /* user */
1834 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
1835 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1836 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1837 User = HeapAlloc(GetProcessHeap(), 0, Size);
1838 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
1839 ok(ret,
1840 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
1841
1842 pConvertSidToStringSidA(User->User.Sid, &SidString);
1843 trace("TokenUser: %s attr: 0x%08x\n", SidString, User->User.Attributes);
1844 LocalFree(SidString);
1845 HeapFree(GetProcessHeap(), 0, User);
1846
1847 /* privileges */
1848 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
1849 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1850 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1851 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
1852 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
1853 ok(ret,
1854 "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
1855 trace("TokenPrivileges:\n");
1856 for (i = 0; i < Privileges->PrivilegeCount; i++)
1857 {
1858 CHAR Name[256];
1859 DWORD NameLen = sizeof(Name)/sizeof(Name[0]);
1860 LookupPrivilegeNameA(NULL, &Privileges->Privileges[i].Luid, Name, &NameLen);
1861 trace("\t%s, 0x%x\n", Name, Privileges->Privileges[i].Attributes);
1862 }
1863 HeapFree(GetProcessHeap(), 0, Privileges);
1864
1865 ret = DuplicateToken(Token, SecurityAnonymous, &ImpersonationToken);
1866 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
1867
1868 Size = sizeof(ImpersonationLevel);
1869 ret = GetTokenInformation(ImpersonationToken, TokenImpersonationLevel, &ImpersonationLevel, Size, &Size);
1870 ok(ret, "GetTokenInformation(TokenImpersonationLevel) failed with error %d\n", GetLastError());
1871 ok(ImpersonationLevel == SecurityAnonymous, "ImpersonationLevel should have been SecurityAnonymous instead of %d\n", ImpersonationLevel);
1872
1873 CloseHandle(ImpersonationToken);
1874
1875 /* default dacl */
1876 ret = GetTokenInformation(Token, TokenDefaultDacl, NULL, 0, &Size);
1877 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
1878 "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1879
1880 Dacl = HeapAlloc(GetProcessHeap(), 0, Size);
1881 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size);
1882 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1883
1884 SetLastError(0xdeadbeef);
1885 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, 0);
1886 GLE = GetLastError();
1887 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1888 ok(GLE == ERROR_BAD_LENGTH, "expected ERROR_BAD_LENGTH got %u\n", GLE);
1889
1890 SetLastError(0xdeadbeef);
1891 ret = SetTokenInformation(Token, TokenDefaultDacl, NULL, Size);
1892 GLE = GetLastError();
1893 ok(!ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1894 ok(GLE == ERROR_NOACCESS, "expected ERROR_NOACCESS got %u\n", GLE);
1895
1896 acl = Dacl->DefaultDacl;
1897 Dacl->DefaultDacl = NULL;
1898
1899 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1900 ok(ret, "SetTokenInformation(TokenDefaultDacl) succeeded\n");
1901
1902 Size2 = 0;
1903 Dacl->DefaultDacl = (ACL *)0xdeadbeef;
1904 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1905 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1906 ok(Dacl->DefaultDacl == NULL, "expected NULL, got %p\n", Dacl->DefaultDacl);
1907 ok(Size2 == sizeof(TOKEN_DEFAULT_DACL) || broken(Size2 == 2*sizeof(TOKEN_DEFAULT_DACL)), /* WoW64 */
1908 "got %u expected sizeof(TOKEN_DEFAULT_DACL)\n", Size2);
1909
1910 Dacl->DefaultDacl = acl;
1911 ret = SetTokenInformation(Token, TokenDefaultDacl, Dacl, Size);
1912 ok(ret, "SetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1913
1914 if (Size2 == sizeof(TOKEN_DEFAULT_DACL)) {
1915 ret = GetTokenInformation(Token, TokenDefaultDacl, Dacl, Size, &Size2);
1916 ok(ret, "GetTokenInformation(TokenDefaultDacl) failed with error %u\n", GetLastError());
1917 } else
1918 win_skip("TOKEN_DEFAULT_DACL size too small on WoW64\n");
1919
1920 HeapFree(GetProcessHeap(), 0, Dacl);
1921 CloseHandle(Token);
1922 }
1923
1924 static void test_GetTokenInformation(void)
1925 {
1926 DWORD is_app_container, size;
1927 HANDLE token;
1928 BOOL ret;
1929
1930 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
1931 ok(ret, "OpenProcessToken failed: %u\n", GetLastError());
1932
1933 size = 0;
1934 is_app_container = 0xdeadbeef;
1935 ret = GetTokenInformation(token, TokenIsAppContainer, &is_app_container,
1936 sizeof(is_app_container), &size);
1937 ok(ret || broken(GetLastError() == ERROR_INVALID_PARAMETER ||
1938 GetLastError() == ERROR_INVALID_FUNCTION), /* pre-win8 */
1939 "GetTokenInformation failed: %u\n", GetLastError());
1940 if(ret) {
1941 ok(size == sizeof(is_app_container), "size = %u\n", size);
1942 ok(!is_app_container, "is_app_container = %x\n", is_app_container);
1943 }
1944
1945 CloseHandle(token);
1946 }
1947
1948 typedef union _MAX_SID
1949 {
1950 SID sid;
1951 char max[SECURITY_MAX_SID_SIZE];
1952 } MAX_SID;
1953
1954 static void test_sid_str(PSID * sid)
1955 {
1956 char *str_sid;
1957 BOOL ret = pConvertSidToStringSidA(sid, &str_sid);
1958 ok(ret, "ConvertSidToStringSidA() failed: %d\n", GetLastError());
1959 if (ret)
1960 {
1961 char account[MAX_PATH], domain[MAX_PATH];
1962 SID_NAME_USE use;
1963 DWORD acc_size = MAX_PATH;
1964 DWORD dom_size = MAX_PATH;
1965 ret = LookupAccountSidA (NULL, sid, account, &acc_size, domain, &dom_size, &use);
1966 ok(ret || GetLastError() == ERROR_NONE_MAPPED,
1967 "LookupAccountSid(%s) failed: %d\n", str_sid, GetLastError());
1968 if (ret)
1969 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
1970 else if (GetLastError() == ERROR_NONE_MAPPED)
1971 trace(" %s couldn't be mapped\n", str_sid);
1972 LocalFree(str_sid);
1973 }
1974 }
1975
1976 static const struct well_known_sid_value
1977 {
1978 BOOL without_domain;
1979 const char *sid_string;
1980 } well_known_sid_values[] = {
1981 /* 0 */ {TRUE, "S-1-0-0"}, {TRUE, "S-1-1-0"}, {TRUE, "S-1-2-0"}, {TRUE, "S-1-3-0"},
1982 /* 4 */ {TRUE, "S-1-3-1"}, {TRUE, "S-1-3-2"}, {TRUE, "S-1-3-3"}, {TRUE, "S-1-5"},
1983 /* 8 */ {FALSE, "S-1-5-1"}, {TRUE, "S-1-5-2"}, {TRUE, "S-1-5-3"}, {TRUE, "S-1-5-4"},
1984 /* 12 */ {TRUE, "S-1-5-6"}, {TRUE, "S-1-5-7"}, {TRUE, "S-1-5-8"}, {TRUE, "S-1-5-9"},
1985 /* 16 */ {TRUE, "S-1-5-10"}, {TRUE, "S-1-5-11"}, {TRUE, "S-1-5-12"}, {TRUE, "S-1-5-13"},
1986 /* 20 */ {TRUE, "S-1-5-14"}, {FALSE, NULL}, {TRUE, "S-1-5-18"}, {TRUE, "S-1-5-19"},
1987 /* 24 */ {TRUE, "S-1-5-20"}, {TRUE, "S-1-5-32"},
1988 /* 26 */ {FALSE, "S-1-5-32-544"}, {TRUE, "S-1-5-32-545"}, {TRUE, "S-1-5-32-546"},
1989 /* 29 */ {TRUE, "S-1-5-32-547"}, {TRUE, "S-1-5-32-548"}, {TRUE, "S-1-5-32-549"},
1990 /* 32 */ {TRUE, "S-1-5-32-550"}, {TRUE, "S-1-5-32-551"}, {TRUE, "S-1-5-32-552"},
1991 /* 35 */ {TRUE, "S-1-5-32-554"}, {TRUE, "S-1-5-32-555"}, {TRUE, "S-1-5-32-556"},
1992 /* 38 */ {FALSE, "S-1-5-21-12-23-34-45-56-500"}, {FALSE, "S-1-5-21-12-23-34-45-56-501"},
1993 /* 40 */ {FALSE, "S-1-5-21-12-23-34-45-56-502"}, {FALSE, "S-1-5-21-12-23-34-45-56-512"},
1994 /* 42 */ {FALSE, "S-1-5-21-12-23-34-45-56-513"}, {FALSE, "S-1-5-21-12-23-34-45-56-514"},
1995 /* 44 */ {FALSE, "S-1-5-21-12-23-34-45-56-515"}, {FALSE, "S-1-5-21-12-23-34-45-56-516"},
1996 /* 46 */ {FALSE, "S-1-5-21-12-23-34-45-56-517"}, {FALSE, "S-1-5-21-12-23-34-45-56-518"},
1997 /* 48 */ {FALSE, "S-1-5-21-12-23-34-45-56-519"}, {FALSE, "S-1-5-21-12-23-34-45-56-520"},
1998 /* 50 */ {FALSE, "S-1-5-21-12-23-34-45-56-553"},
1999 /* Added in Windows Server 2003 */
2000 /* 51 */ {TRUE, "S-1-5-64-10"}, {TRUE, "S-1-5-64-21"}, {TRUE, "S-1-5-64-14"},
2001 /* 54 */ {TRUE, "S-1-5-15"}, {TRUE, "S-1-5-1000"}, {FALSE, "S-1-5-32-557"},
2002 /* 57 */ {TRUE, "S-1-5-32-558"}, {TRUE, "S-1-5-32-559"}, {TRUE, "S-1-5-32-560"},
2003 /* 60 */ {TRUE, "S-1-5-32-561"}, {TRUE, "S-1-5-32-562"},
2004 /* Added in Windows Vista: */
2005 /* 62 */ {TRUE, "S-1-5-32-568"},
2006 /* 63 */ {TRUE, "S-1-5-17"}, {FALSE, "S-1-5-32-569"}, {TRUE, "S-1-16-0"},
2007 /* 66 */ {TRUE, "S-1-16-4096"}, {TRUE, "S-1-16-8192"}, {TRUE, "S-1-16-12288"},
2008 /* 69 */ {TRUE, "S-1-16-16384"}, {TRUE, "S-1-5-33"}, {TRUE, "S-1-3-4"},
2009 /* 72 */ {FALSE, "S-1-5-21-12-23-34-45-56-571"}, {FALSE, "S-1-5-21-12-23-34-45-56-572"},
2010 /* 74 */ {TRUE, "S-1-5-22"}, {FALSE, "S-1-5-21-12-23-34-45-56-521"}, {TRUE, "S-1-5-32-573"},
2011 /* 77 */ {FALSE, "S-1-5-21-12-23-34-45-56-498"}, {TRUE, "S-1-5-32-574"}, {TRUE, "S-1-16-8448"},
2012 /* 80 */ {FALSE, NULL}, {TRUE, "S-1-2-1"}, {TRUE, "S-1-5-65-1"}, {FALSE, NULL},
2013 /* 84 */ {TRUE, "S-1-15-2-1"},
2014 };
2015
2016 static void test_CreateWellKnownSid(void)
2017 {
2018 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2019 PSID domainsid, sid;
2020 DWORD size, error;
2021 BOOL ret;
2022 unsigned int i;
2023
2024 if (!pCreateWellKnownSid)
2025 {
2026 win_skip("CreateWellKnownSid not available\n");
2027 return;
2028 }
2029
2030 size = 0;
2031 SetLastError(0xdeadbeef);
2032 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2033 error = GetLastError();
2034 ok(!ret, "CreateWellKnownSid succeeded\n");
2035 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2036 ok(size, "expected size > 0\n");
2037
2038 SetLastError(0xdeadbeef);
2039 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, NULL, &size);
2040 error = GetLastError();
2041 ok(!ret, "CreateWellKnownSid succeeded\n");
2042 ok(error == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %u\n", error);
2043
2044 sid = HeapAlloc(GetProcessHeap(), 0, size);
2045 ret = pCreateWellKnownSid(WinInteractiveSid, NULL, sid, &size);
2046 ok(ret, "CreateWellKnownSid failed %u\n", GetLastError());
2047 HeapFree(GetProcessHeap(), 0, sid);
2048
2049 /* a domain sid usually have three subauthorities but we test that CreateWellKnownSid doesn't check it */
2050 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2051
2052 for (i = 0; i < sizeof(well_known_sid_values)/sizeof(well_known_sid_values[0]); i++)
2053 {
2054 const struct well_known_sid_value *value = &well_known_sid_values[i];
2055 char sid_buffer[SECURITY_MAX_SID_SIZE];
2056 LPSTR str;
2057 DWORD cb;
2058
2059 if (value->sid_string == NULL)
2060 continue;
2061
2062 /* some SIDs aren't implemented by all Windows versions - detect it */
2063 cb = sizeof(sid_buffer);
2064 if (!pCreateWellKnownSid(i, NULL, sid_buffer, &cb))
2065 {
2066 skip("Well known SID %u not implemented\n", i);
2067 continue;
2068 }
2069
2070 cb = sizeof(sid_buffer);
2071 ok(pCreateWellKnownSid(i, value->without_domain ? NULL : domainsid, sid_buffer, &cb), "Couldn't create well known sid %u\n", i);
2072 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2073 ok(IsValidSid(sid_buffer), "The sid is not valid\n");
2074 ok(pConvertSidToStringSidA(sid_buffer, &str), "Couldn't convert SID to string\n");
2075 ok(strcmp(str, value->sid_string) == 0, "%d: SID mismatch - expected %s, got %s\n", i,
2076 value->sid_string, str);
2077 LocalFree(str);
2078
2079 if (value->without_domain)
2080 {
2081 char buf2[SECURITY_MAX_SID_SIZE];
2082 cb = sizeof(buf2);
2083 ok(pCreateWellKnownSid(i, domainsid, buf2, &cb), "Couldn't create well known sid %u with optional domain\n", i);
2084 expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
2085 ok(memcmp(buf2, sid_buffer, cb) == 0, "SID create with domain is different than without (%u)\n", i);
2086 }
2087 }
2088
2089 FreeSid(domainsid);
2090 }
2091
2092 static void test_LookupAccountSid(void)
2093 {
2094 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
2095 CHAR accountA[MAX_PATH], domainA[MAX_PATH], usernameA[MAX_PATH];
2096 DWORD acc_sizeA, dom_sizeA, user_sizeA;
2097 DWORD real_acc_sizeA, real_dom_sizeA;
2098 WCHAR accountW[MAX_PATH], domainW[MAX_PATH];
2099 DWORD acc_sizeW, dom_sizeW;
2100 DWORD real_acc_sizeW, real_dom_sizeW;
2101 PSID pUsersSid = NULL;
2102 SID_NAME_USE use;
2103 BOOL ret;
2104 DWORD error, size, cbti = 0;
2105 MAX_SID max_sid;
2106 CHAR *str_sidA;
2107 int i;
2108 HANDLE hToken;
2109 PTOKEN_USER ptiUser = NULL;
2110
2111 /* native windows crashes if account size, domain size, or name use is NULL */
2112
2113 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
2114 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
2115 ok(ret || (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED),
2116 "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2117
2118 /* not running on NT so give up */
2119 if (!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2120 return;
2121
2122 real_acc_sizeA = MAX_PATH;
2123 real_dom_sizeA = MAX_PATH;
2124 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2125 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2126
2127 /* try NULL account */
2128 acc_sizeA = MAX_PATH;
2129 dom_sizeA = MAX_PATH;
2130 ret = LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2131 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2132
2133 /* try NULL domain */
2134 acc_sizeA = MAX_PATH;
2135 dom_sizeA = MAX_PATH;
2136 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2137 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2138
2139 /* try a small account buffer */
2140 acc_sizeA = 1;
2141 dom_sizeA = MAX_PATH;
2142 accountA[0] = 0;
2143 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2144 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2145 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2146 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2147
2148 /* try a 0 sized account buffer */
2149 acc_sizeA = 0;
2150 dom_sizeA = MAX_PATH;
2151 accountA[0] = 0;
2152 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2153 /* this can fail or succeed depending on OS version but the size will always be returned */
2154 ok(acc_sizeA == real_acc_sizeA + 1,
2155 "LookupAccountSidA() Expected acc_size = %u, got %u\n",
2156 real_acc_sizeA + 1, acc_sizeA);
2157
2158 /* try a 0 sized account buffer */
2159 acc_sizeA = 0;
2160 dom_sizeA = MAX_PATH;
2161 LookupAccountSidA(NULL, pUsersSid, NULL, &acc_sizeA, domainA, &dom_sizeA, &use);
2162 /* this can fail or succeed depending on OS version but the size will always be returned */
2163 ok(acc_sizeA == real_acc_sizeA + 1,
2164 "LookupAccountSid() Expected acc_size = %u, got %u\n",
2165 real_acc_sizeA + 1, acc_sizeA);
2166
2167 /* try a small domain buffer */
2168 dom_sizeA = 1;
2169 acc_sizeA = MAX_PATH;
2170 accountA[0] = 0;
2171 ret = LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2172 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2173 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2174 "LookupAccountSidA() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2175
2176 /* try a 0 sized domain buffer */
2177 dom_sizeA = 0;
2178 acc_sizeA = MAX_PATH;
2179 accountA[0] = 0;
2180 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2181 /* this can fail or succeed depending on OS version but the size will always be returned */
2182 ok(dom_sizeA == real_dom_sizeA + 1,
2183 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2184 real_dom_sizeA + 1, dom_sizeA);
2185
2186 /* try a 0 sized domain buffer */
2187 dom_sizeA = 0;
2188 acc_sizeA = MAX_PATH;
2189 LookupAccountSidA(NULL, pUsersSid, accountA, &acc_sizeA, NULL, &dom_sizeA, &use);
2190 /* this can fail or succeed depending on OS version but the size will always be returned */
2191 ok(dom_sizeA == real_dom_sizeA + 1,
2192 "LookupAccountSidA() Expected dom_size = %u, got %u\n",
2193 real_dom_sizeA + 1, dom_sizeA);
2194
2195 real_acc_sizeW = MAX_PATH;
2196 real_dom_sizeW = MAX_PATH;
2197 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &real_acc_sizeW, domainW, &real_dom_sizeW, &use);
2198 ok(ret, "LookupAccountSidW() Expected TRUE, got FALSE\n");
2199
2200 /* try an invalid system name */
2201 real_acc_sizeA = MAX_PATH;
2202 real_dom_sizeA = MAX_PATH;
2203 ret = LookupAccountSidA("deepthought", pUsersSid, accountA, &real_acc_sizeA, domainA, &real_dom_sizeA, &use);
2204 ok(!ret, "LookupAccountSidA() Expected FALSE got TRUE\n");
2205 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2206 "LookupAccountSidA() Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %u\n", GetLastError());
2207
2208 /* native windows crashes if domainW or accountW is NULL */
2209
2210 /* try a small account buffer */
2211 acc_sizeW = 1;
2212 dom_sizeW = MAX_PATH;
2213 accountW[0] = 0;
2214 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2215 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2216 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2217 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2218
2219 /* try a 0 sized account buffer */
2220 acc_sizeW = 0;
2221 dom_sizeW = MAX_PATH;
2222 accountW[0] = 0;
2223 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2224 /* this can fail or succeed depending on OS version but the size will always be returned */
2225 ok(acc_sizeW == real_acc_sizeW + 1,
2226 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2227 real_acc_sizeW + 1, acc_sizeW);
2228
2229 /* try a 0 sized account buffer */
2230 acc_sizeW = 0;
2231 dom_sizeW = MAX_PATH;
2232 LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, domainW, &dom_sizeW, &use);
2233 /* this can fail or succeed depending on OS version but the size will always be returned */
2234 ok(acc_sizeW == real_acc_sizeW + 1,
2235 "LookupAccountSidW() Expected acc_size = %u, got %u\n",
2236 real_acc_sizeW + 1, acc_sizeW);
2237
2238 /* try a small domain buffer */
2239 dom_sizeW = 1;
2240 acc_sizeW = MAX_PATH;
2241 accountW[0] = 0;
2242 ret = LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2243 ok(!ret, "LookupAccountSidW() Expected FALSE got TRUE\n");
2244 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2245 "LookupAccountSidW() Expected ERROR_NOT_ENOUGH_MEMORY, got %u\n", GetLastError());
2246
2247 /* try a 0 sized domain buffer */
2248 dom_sizeW = 0;
2249 acc_sizeW = MAX_PATH;
2250 accountW[0] = 0;
2251 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, domainW, &dom_sizeW, &use);
2252 /* this can fail or succeed depending on OS version but the size will always be returned */
2253 ok(dom_sizeW == real_dom_sizeW + 1,
2254 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2255 real_dom_sizeW + 1, dom_sizeW);
2256
2257 /* try a 0 sized domain buffer */
2258 dom_sizeW = 0;
2259 acc_sizeW = MAX_PATH;
2260 LookupAccountSidW(NULL, pUsersSid, accountW, &acc_sizeW, NULL, &dom_sizeW, &use);
2261 /* this can fail or succeed depending on OS version but the size will always be returned */
2262 ok(dom_sizeW == real_dom_sizeW + 1,
2263 "LookupAccountSidW() Expected dom_size = %u, got %u\n",
2264 real_dom_sizeW + 1, dom_sizeW);
2265
2266 acc_sizeW = dom_sizeW = use = 0;
2267 SetLastError(0xdeadbeef);
2268 ret = LookupAccountSidW(NULL, pUsersSid, NULL, &acc_sizeW, NULL, &dom_sizeW, &use);
2269 error = GetLastError();
2270 ok(!ret, "LookupAccountSidW failed %u\n", GetLastError());
2271 ok(error == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %u\n", error);
2272 ok(acc_sizeW, "expected non-zero account size\n");
2273 ok(dom_sizeW, "expected non-zero domain size\n");
2274 ok(!use, "expected zero use %u\n", use);
2275
2276 FreeSid(pUsersSid);
2277
2278 /* Test LookupAccountSid with Sid retrieved from token information.
2279 This assumes this process is running under the account of the current user.*/
2280 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY|TOKEN_DUPLICATE, &hToken);
2281 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
2282 ret = GetTokenInformation(hToken, TokenUser, NULL, 0, &cbti);
2283 ok(!ret, "GetTokenInformation failed with error %d\n", GetLastError());
2284 ptiUser = HeapAlloc(GetProcessHeap(), 0, cbti);
2285 if (GetTokenInformation(hToken, TokenUser, ptiUser, cbti, &cbti))
2286 {
2287 acc_sizeA = dom_sizeA = MAX_PATH;
2288 ret = LookupAccountSidA(NULL, ptiUser->User.Sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use);
2289 ok(ret, "LookupAccountSidA() Expected TRUE, got FALSE\n");
2290 user_sizeA = MAX_PATH;
2291 ret = GetUserNameA(usernameA , &user_sizeA);
2292 ok(ret, "GetUserNameA() Expected TRUE, got FALSE\n");
2293 ok(lstrcmpA(usernameA, accountA) == 0, "LookupAccountSidA() Expected account name: %s got: %s\n", usernameA, accountA );
2294 }
2295 HeapFree(GetProcessHeap(), 0, ptiUser);
2296
2297 if (pCreateWellKnownSid && pConvertSidToStringSidA)
2298 {
2299 trace("Well Known SIDs:\n");
2300 for (i = 0; i <= 60; i++)
2301 {
2302 size = SECURITY_MAX_SID_SIZE;
2303 if (pCreateWellKnownSid(i, NULL, &max_sid.sid, &size))
2304 {
2305 if (pConvertSidToStringSidA(&max_sid.sid, &str_sidA))
2306 {
2307 acc_sizeA = MAX_PATH;
2308 dom_sizeA = MAX_PATH;
2309 if (LookupAccountSidA(NULL, &max_sid.sid, accountA, &acc_sizeA, domainA, &dom_sizeA, &use))
2310 trace(" %d: %s %s\\%s %d\n", i, str_sidA, domainA, accountA, use);
2311 LocalFree(str_sidA);
2312 }
2313 }
2314 else
2315 {
2316 if (GetLastError() != ERROR_INVALID_PARAMETER)
2317 trace(" CreateWellKnownSid(%d) failed: %d\n", i, GetLastError());
2318 else
2319 trace(" %d: not supported\n", i);
2320 }
2321 }
2322
2323 pLsaQueryInformationPolicy = (void *)GetProcAddress( hmod, "LsaQueryInformationPolicy");
2324 pLsaOpenPolicy = (void *)GetProcAddress( hmod, "LsaOpenPolicy");
2325 pLsaFreeMemory = (void *)GetProcAddress( hmod, "LsaFreeMemory");
2326 pLsaClose = (void *)GetProcAddress( hmod, "LsaClose");
2327
2328 if (pLsaQueryInformationPolicy && pLsaOpenPolicy && pLsaFreeMemory && pLsaClose)
2329 {
2330 NTSTATUS status;
2331 LSA_HANDLE handle;
2332 LSA_OBJECT_ATTRIBUTES object_attributes;
2333
2334 ZeroMemory(&object_attributes, sizeof(object_attributes));
2335 object_attributes.Length = sizeof(object_attributes);
2336
2337 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_ALL_ACCESS, &handle);
2338 ok(status == STATUS_SUCCESS || status == STATUS_ACCESS_DENIED,
2339 "LsaOpenPolicy(POLICY_ALL_ACCESS) returned 0x%08x\n", status);
2340
2341 /* try a more restricted access mask if necessary */
2342 if (status == STATUS_ACCESS_DENIED) {
2343 trace("LsaOpenPolicy(POLICY_ALL_ACCESS) failed, trying POLICY_VIEW_LOCAL_INFORMATION\n");
2344 status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_VIEW_LOCAL_INFORMATION, &handle);
2345 ok(status == STATUS_SUCCESS, "LsaOpenPolicy(POLICY_VIEW_LOCAL_INFORMATION) returned 0x%08x\n", status);
2346 }
2347
2348 if (status == STATUS_SUCCESS)
2349 {
2350 PPOLICY_ACCOUNT_DOMAIN_INFO info;
2351 status = pLsaQueryInformationPolicy(handle, PolicyAccountDomainInformation, (PVOID*)&info);
2352 ok(status == STATUS_SUCCESS, "LsaQueryInformationPolicy() failed, returned 0x%08x\n", status);
2353 if (status == STATUS_SUCCESS)
2354 {
2355 ok(info->DomainSid!=0, "LsaQueryInformationPolicy(PolicyAccountDomainInformation) missing SID\n");
2356 if (info->DomainSid)
2357 {
2358 int count = *GetSidSubAuthorityCount(info->DomainSid);
2359 CopySid(GetSidLengthRequired(count), &max_sid, info->DomainSid);
2360 test_sid_str((PSID)&max_sid.sid);
2361 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_ADMIN;
2362 max_sid.sid.SubAuthorityCount = count + 1;
2363 test_sid_str((PSID)&max_sid.sid);
2364 max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_GUEST;
2365 test_sid_str((PSID)&max_sid.sid);
2366 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ADMINS;
2367 test_sid_str((PSID)&max_sid.sid);
2368 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_USERS;
2369 test_sid_str((PSID)&max_sid.sid);
2370 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_GUESTS;
2371 test_sid_str((PSID)&max_sid.sid);
2372 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_COMPUTERS;
2373 test_sid_str((PSID)&max_sid.sid);
2374 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CONTROLLERS;
2375 test_sid_str((PSID)&max_sid.sid);
2376 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_CERT_ADMINS;
2377 test_sid_str((PSID)&max_sid.sid);
2378 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_SCHEMA_ADMINS;
2379 test_sid_str((PSID)&max_sid.sid);
2380 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_ENTERPRISE_ADMINS;
2381 test_sid_str((PSID)&max_sid.sid);
2382 max_sid.sid.SubAuthority[count] = DOMAIN_GROUP_RID_POLICY_ADMINS;
2383 test_sid_str((PSID)&max_sid.sid);
2384 max_sid.sid.SubAuthority[count] = DOMAIN_ALIAS_RID_RAS_SERVERS;
2385 test_sid_str((PSID)&max_sid.sid);
2386 max_sid.sid.SubAuthority[count] = 1000; /* first user account */
2387 test_sid_str((PSID)&max_sid.sid);
2388 }
2389
2390 pLsaFreeMemory((LPVOID)info);
2391 }
2392
2393 status = pLsaClose(handle);
2394 ok(status == STATUS_SUCCESS, "LsaClose() failed, returned 0x%08x\n", status);
2395 }
2396 }
2397 }
2398 }
2399
2400 static BOOL get_sid_info(PSID psid, LPSTR *user, LPSTR *dom)
2401 {
2402 static CHAR account[UNLEN + 1];
2403 static CHAR domain[UNLEN + 1];
2404 DWORD size, dom_size;
2405 SID_NAME_USE use;
2406
2407 *user = account;
2408 *dom = domain;
2409
2410 size = dom_size = UNLEN + 1;
2411 account[0] = '\0';
2412 domain[0] = '\0';
2413 SetLastError(0xdeadbeef);
2414 return LookupAccountSidA(NULL, psid, account, &size, domain, &dom_size, &use);
2415 }
2416
2417 static void check_wellknown_name(const char* name, WELL_KNOWN_SID_TYPE result)
2418 {
2419 SID_IDENTIFIER_AUTHORITY ident = { SECURITY_NT_AUTHORITY };
2420 PSID domainsid = NULL;
2421 char wk_sid[SECURITY_MAX_SID_SIZE];
2422 DWORD cb;
2423
2424 DWORD sid_size, domain_size;
2425 SID_NAME_USE sid_use;
2426 LPSTR domain, account, sid_domain, wk_domain, wk_account;
2427 PSID psid;
2428 BOOL ret ,ret2;
2429
2430 sid_size = 0;
2431 domain_size = 0;
2432 ret = LookupAccountNameA(NULL, name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2433 ok(!ret, " %s Should have failed to lookup account name\n", name);
2434 psid = HeapAlloc(GetProcessHeap(),0,sid_size);
2435 domain = HeapAlloc(GetProcessHeap(),0,domain_size);
2436 ret = LookupAccountNameA(NULL, name, psid, &sid_size, domain, &domain_size, &sid_use);
2437
2438 if (!result)
2439 {
2440 ok(!ret, " %s Should have failed to lookup account name\n",name);
2441 goto cleanup;
2442 }
2443
2444 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2445 cb = sizeof(wk_sid);
2446 if (!pCreateWellKnownSid(result, domainsid, wk_sid, &cb))
2447 {
2448 win_skip("SID %i is not available on the system\n",result);
2449 goto cleanup;
2450 }
2451
2452 ret2 = get_sid_info(wk_sid, &wk_account, &wk_domain);
2453 if (!ret2 && GetLastError() == ERROR_NONE_MAPPED)
2454 {
2455 win_skip("CreateWellKnownSid() succeeded but the account '%s' is not present (W2K)\n", name);
2456 goto cleanup;
2457 }
2458
2459 get_sid_info(psid, &account, &sid_domain);
2460
2461 ok(ret, "Failed to lookup account name %s\n",name);
2462 ok(sid_size != 0, "sid_size was zero\n");
2463
2464 ok(EqualSid(psid,wk_sid),"%s Sid %s fails to match well known sid %s!\n",
2465 name, debugstr_sid(psid), debugstr_sid(wk_sid));
2466
2467 ok(!lstrcmpA(account, wk_account), "Expected %s , got %s\n", account, wk_account);
2468 ok(!lstrcmpA(domain, wk_domain), "Expected %s, got %s\n", wk_domain, domain);
2469 ok(sid_use == SidTypeWellKnownGroup , "Expected Use (5), got %d\n", sid_use);
2470
2471 cleanup:
2472 FreeSid(domainsid);
2473 HeapFree(GetProcessHeap(),0,psid);
2474 HeapFree(GetProcessHeap(),0,domain);
2475 }
2476
2477 static void test_LookupAccountName(void)
2478 {
2479 DWORD sid_size, domain_size, user_size;
2480 DWORD sid_save, domain_save;
2481 CHAR user_name[UNLEN + 1];
2482 CHAR computer_name[UNLEN + 1];
2483 SID_NAME_USE sid_use;
2484 LPSTR domain, account, sid_dom;
2485 PSID psid;
2486 BOOL ret;
2487
2488 /* native crashes if (assuming all other parameters correct):
2489 * - peUse is NULL
2490 * - Sid is NULL and cbSid is > 0
2491 * - cbSid or cchReferencedDomainName are NULL
2492 * - ReferencedDomainName is NULL and cchReferencedDomainName is the correct size
2493 */
2494
2495 user_size = UNLEN + 1;
2496 SetLastError(0xdeadbeef);
2497 ret = GetUserNameA(user_name, &user_size);
2498 ok(ret, "Failed to get user name : %d\n", GetLastError());
2499
2500 /* get sizes */
2501 sid_size = 0;
2502 domain_size = 0;
2503 sid_use = 0xcafebabe;
2504 SetLastError(0xdeadbeef);
2505 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2506 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
2507 {
2508 win_skip("LookupAccountNameA is not implemented\n");
2509 return;
2510 }
2511 ok(!ret, "Expected 0, got %d\n", ret);
2512 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2513 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2514 ok(sid_size != 0, "Expected non-zero sid size\n");
2515 ok(domain_size != 0, "Expected non-zero domain size\n");
2516 ok(sid_use == 0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2517
2518 sid_save = sid_size;
2519 domain_save = domain_size;
2520
2521 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2522 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2523
2524 /* try valid account name */
2525 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, domain, &domain_size, &sid_use);
2526 get_sid_info(psid, &account, &sid_dom);
2527 ok(ret, "Failed to lookup account name\n");
2528 ok(sid_size == GetLengthSid(psid), "Expected %d, got %d\n", GetLengthSid(psid), sid_size);
2529 ok(!lstrcmpA(account, user_name), "Expected %s, got %s\n", user_name, account);
2530 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2531 ok(domain_size == domain_save - 1, "Expected %d, got %d\n", domain_save - 1, domain_size);
2532 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2533 ok(sid_use == SidTypeUser, "Expected SidTypeUser (%d), got %d\n", SidTypeUser, sid_use);
2534 domain_size = domain_save;
2535 sid_size = sid_save;
2536
2537 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2538 {
2539 skip("Non-English locale (test with hardcoded 'Everyone')\n");
2540 }
2541 else
2542 {
2543 ret = LookupAccountNameA(NULL, "Everyone", psid, &sid_size, domain, &domain_size, &sid_use);
2544 get_sid_info(psid, &account, &sid_dom);
2545 ok(ret, "Failed to lookup account name\n");
2546 ok(sid_size != 0, "sid_size was zero\n");
2547 ok(!lstrcmpA(account, "Everyone"), "Expected Everyone, got %s\n", account);
2548 ok(!lstrcmpiA(domain, sid_dom), "Expected %s, got %s\n", sid_dom, domain);
2549 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2550 ok(strlen(domain) == domain_size, "Expected %d, got %d\n", lstrlenA(domain), domain_size);
2551 ok(sid_use == SidTypeWellKnownGroup, "Expected SidTypeWellKnownGroup (%d), got %d\n", SidTypeWellKnownGroup, sid_use);
2552 domain_size = domain_save;
2553 }
2554
2555 /* NULL Sid with zero sid size */
2556 SetLastError(0xdeadbeef);
2557 sid_size = 0;
2558 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2559 ok(!ret, "Expected 0, got %d\n", ret);
2560 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2561 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2562 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2563 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2564
2565 /* try cchReferencedDomainName - 1 */
2566 SetLastError(0xdeadbeef);
2567 domain_size--;
2568 ret = LookupAccountNameA(NULL, user_name, NULL, &sid_size, domain, &domain_size, &sid_use);
2569 ok(!ret, "Expected 0, got %d\n", ret);
2570 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2571 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2572 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2573 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2574
2575 /* NULL ReferencedDomainName with zero domain name size */
2576 SetLastError(0xdeadbeef);
2577 domain_size = 0;
2578 ret = LookupAccountNameA(NULL, user_name, psid, &sid_size, NULL, &domain_size, &sid_use);
2579 ok(!ret, "Expected 0, got %d\n", ret);
2580 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2581 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2582 ok(sid_size == sid_save, "Expected %d, got %d\n", sid_save, sid_size);
2583 ok(domain_size == domain_save, "Expected %d, got %d\n", domain_save, domain_size);
2584
2585 HeapFree(GetProcessHeap(), 0, psid);
2586 HeapFree(GetProcessHeap(), 0, domain);
2587
2588 /* get sizes for NULL account name */
2589 sid_size = 0;
2590 domain_size = 0;
2591 sid_use = 0xcafebabe;
2592 SetLastError(0xdeadbeef);
2593 ret = LookupAccountNameA(NULL, NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2594 if (!ret && GetLastError() == ERROR_NONE_MAPPED)
2595 win_skip("NULL account name doesn't work on NT4\n");
2596 else
2597 {
2598 ok(!ret, "Expected 0, got %d\n", ret);
2599 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2600 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2601 ok(sid_size != 0, "Expected non-zero sid size\n");
2602 ok(domain_size != 0, "Expected non-zero domain size\n");
2603 ok(sid_use == 0xcafebabe, "Expected 0xcafebabe, got %d\n", sid_use);
2604
2605 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2606 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2607
2608 /* try NULL account name */
2609 ret = LookupAccountNameA(NULL, NULL, psid, &sid_size, domain, &domain_size, &sid_use);
2610 get_sid_info(psid, &account, &sid_dom);
2611 ok(ret, "Failed to lookup account name\n");
2612 /* Using a fixed string will not work on different locales */
2613 ok(!lstrcmpiA(account, domain),
2614 "Got %s for account and %s for domain, these should be the same\n", account, domain);
2615 ok(sid_use == SidTypeDomain, "Expected SidTypeDomain (%d), got %d\n", SidTypeDomain, sid_use);
2616
2617 HeapFree(GetProcessHeap(), 0, psid);
2618 HeapFree(GetProcessHeap(), 0, domain);
2619 }
2620
2621 /* try an invalid account name */
2622 SetLastError(0xdeadbeef);
2623 sid_size = 0;
2624 domain_size = 0;
2625 ret = LookupAccountNameA(NULL, "oogabooga", NULL, &sid_size, NULL, &domain_size, &sid_use);
2626 ok(!ret, "Expected 0, got %d\n", ret);
2627 ok(GetLastError() == ERROR_NONE_MAPPED ||
2628 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE),
2629 "Expected ERROR_NONE_MAPPED, got %d\n", GetLastError());
2630 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2631 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2632
2633 /* try an invalid system name */
2634 SetLastError(0xdeadbeef);
2635 sid_size = 0;
2636 domain_size = 0;
2637 ret = LookupAccountNameA("deepthought", NULL, NULL, &sid_size, NULL, &domain_size, &sid_use);
2638 ok(!ret, "Expected 0, got %d\n", ret);
2639 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR /* Vista */,
2640 "Expected RPC_S_SERVER_UNAVAILABLE or RPC_S_INVALID_NET_ADDR, got %d\n", GetLastError());
2641 ok(sid_size == 0, "Expected 0, got %d\n", sid_size);
2642 ok(domain_size == 0, "Expected 0, got %d\n", domain_size);
2643
2644 /* try with the computer name as the account name */
2645 domain_size = sizeof(computer_name);
2646 GetComputerNameA(computer_name, &domain_size);
2647 sid_size = 0;
2648 domain_size = 0;
2649 ret = LookupAccountNameA(NULL, computer_name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2650 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER ||
2651 GetLastError() == ERROR_NONE_MAPPED /* in a domain */ ||
2652 broken(GetLastError() == ERROR_TRUSTED_DOMAIN_FAILURE) ||
2653 broken(GetLastError() == ERROR_TRUSTED_RELATIONSHIP_FAILURE)),
2654 "LookupAccountNameA failed: %d\n", GetLastError());
2655 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
2656 {
2657 psid = HeapAlloc(GetProcessHeap(), 0, sid_size);
2658 domain = HeapAlloc(GetProcessHeap(), 0, domain_size);
2659 ret = LookupAccountNameA(NULL, computer_name, psid, &sid_size, domain, &domain_size, &sid_use);
2660 ok(ret, "LookupAccountNameA failed: %d\n", GetLastError());
2661 ok(sid_use == SidTypeDomain ||
2662 (sid_use == SidTypeUser && ! strcmp(computer_name, user_name)), "expected SidTypeDomain for %s, got %d\n", computer_name, sid_use);
2663 HeapFree(GetProcessHeap(), 0, domain);
2664 HeapFree(GetProcessHeap(), 0, psid);
2665 }
2666
2667 /* Well Known names */
2668 if (!pCreateWellKnownSid)
2669 {
2670 win_skip("CreateWellKnownSid not available\n");
2671 return;
2672 }
2673
2674 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
2675 {
2676 skip("Non-English locale (skipping well known name creation tests)\n");
2677 return;
2678 }
2679
2680 check_wellknown_name("LocalService", WinLocalServiceSid);
2681 check_wellknown_name("Local Service", WinLocalServiceSid);
2682 /* 2 spaces */
2683 check_wellknown_name("Local Service", 0);
2684 check_wellknown_name("NetworkService", WinNetworkServiceSid);
2685 check_wellknown_name("Network Service", WinNetworkServiceSid);
2686
2687 /* example of some names where the spaces are not optional */
2688 check_wellknown_name("Terminal Server User", WinTerminalServerSid);
2689 check_wellknown_name("TerminalServer User", 0);
2690 check_wellknown_name("TerminalServerUser", 0);
2691 check_wellknown_name("Terminal ServerUser", 0);
2692
2693 check_wellknown_name("enterprise domain controllers",WinEnterpriseControllersSid);
2694 check_wellknown_name("enterprisedomain controllers", 0);
2695 check_wellknown_name("enterprise domaincontrollers", 0);
2696 check_wellknown_name("enterprisedomaincontrollers", 0);
2697
2698 /* case insensitivity */
2699 check_wellknown_name("lOCAlServICE", WinLocalServiceSid);
2700
2701 /* fully qualified account names */
2702 check_wellknown_name("NT AUTHORITY\\LocalService", WinLocalServiceSid);
2703 check_wellknown_name("nt authority\\Network Service", WinNetworkServiceSid);
2704 check_wellknown_name("nt authority test\\Network Service", 0);
2705 check_wellknown_name("Dummy\\Network Service", 0);
2706 check_wellknown_name("ntauthority\\Network Service", 0);
2707 }
2708
2709 static void test_security_descriptor(void)
2710 {
2711 SECURITY_DESCRIPTOR sd;
2712 char buf[8192];
2713 DWORD size;
2714 BOOL isDefault, isPresent, ret;
2715 PACL pacl;
2716 PSID psid;
2717
2718 SetLastError(0xdeadbeef);
2719 ret = InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
2720 if (ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2721 {
2722 win_skip("InitializeSecurityDescriptor is not implemented\n");
2723 return;
2724 }
2725
2726 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2727 expect_eq(psid, NULL, PSID, "%p");
2728 expect_eq(isDefault, FALSE, BOOL, "%d");
2729 sd.Control |= SE_DACL_PRESENT | SE_SACL_PRESENT;
2730
2731 SetLastError(0xdeadbeef);
2732 size = 5;
2733 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), FALSE, BOOL, "%d");
2734 expect_eq(GetLastError(), ERROR_INSUFFICIENT_BUFFER, DWORD, "%u");
2735 ok(size > 5, "Size not increased\n");
2736 if (size <= 8192)
2737 {
2738 expect_eq(MakeSelfRelativeSD(&sd, buf, &size), TRUE, BOOL, "%d");
2739 ok(GetSecurityDescriptorOwner(&sd, &psid, &isDefault), "GetSecurityDescriptorOwner failed\n");
2740 expect_eq(psid, NULL, PSID, "%p");
2741 expect_eq(isDefault, FALSE, BOOL, "%d");
2742 ok(GetSecurityDescriptorGroup(&sd, &psid, &isDefault), "GetSecurityDescriptorGroup failed\n");
2743 expect_eq(psid, NULL, PSID, "%p");
2744 expect_eq(isDefault, FALSE, BOOL, "%d");
2745 ok(GetSecurityDescriptorDacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorDacl failed\n");
2746 expect_eq(isPresent, TRUE, BOOL, "%d");
2747 expect_eq(psid, NULL, PSID, "%p");
2748 expect_eq(isDefault, FALSE, BOOL, "%d");
2749 ok(GetSecurityDescriptorSacl(&sd, &isPresent, &pacl, &isDefault), "GetSecurityDescriptorSacl failed\n");
2750 expect_eq(isPresent, TRUE, BOOL, "%d");
2751 expect_eq(psid, NULL, PSID, "%p");
2752 expect_eq(isDefault, FALSE, BOOL, "%d");
2753 }
2754 }
2755
2756 #define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,0,__LINE__)
2757 #define TEST_GRANTED_ACCESS2(a,b,c) test_granted_access(a,b,c,__LINE__)
2758 static void test_granted_access(HANDLE handle, ACCESS_MASK access,
2759 ACCESS_MASK alt, int line)
2760 {
2761 OBJECT_BASIC_INFORMATION obj_info;
2762 NTSTATUS status;
2763
2764 if (!pNtQueryObject)
2765 {
2766 skip_(__FILE__, line)("Not NT platform - skipping tests\n");
2767 return;
2768 }
2769
2770 status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
2771 sizeof(obj_info), NULL );
2772 ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
2773 if (alt)
2774 ok_(__FILE__, line)(obj_info.GrantedAccess == access ||
2775 obj_info.GrantedAccess == alt, "Granted access should be 0x%08x "
2776 "or 0x%08x, instead of 0x%08x\n", access, alt, obj_info.GrantedAccess);
2777 else
2778 ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Granted access should "
2779 "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
2780 }
2781
2782 #define CHECK_SET_SECURITY(o,i,e) \
2783 do{ \
2784 BOOL res_; \
2785 DWORD err; \
2786 SetLastError( 0xdeadbeef ); \
2787 res_ = SetKernelObjectSecurity( o, i, SecurityDescriptor ); \
2788 err = GetLastError(); \
2789 if (e == ERROR_SUCCESS) \
2790 ok(res_, "SetKernelObjectSecurity failed with %d\n", err); \
2791 else \
2792 ok(!res_ && err == e, "SetKernelObjectSecurity should have failed " \
2793 "with %s, instead of %d\n", #e, err); \
2794 }while(0)
2795
2796 static void test_process_security(void)
2797 {
2798 BOOL res;
2799 PTOKEN_OWNER owner;
2800 PTOKEN_PRIMARY_GROUP group;
2801 PSID AdminSid = NULL, UsersSid = NULL;
2802 PACL Acl = NULL;
2803 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
2804 char buffer[MAX_PATH];
2805 PROCESS_INFORMATION info;
2806 STARTUPINFOA startup;
2807 SECURITY_ATTRIBUTES psa;
2808 HANDLE token, event;
2809 DWORD size;
2810 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
2811 PSID EveryoneSid = NULL;
2812
2813 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
2814 res = InitializeAcl(Acl, 256, ACL_REVISION);
2815 if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
2816 {
2817 win_skip("ACLs not implemented - skipping tests\n");
2818 HeapFree(GetProcessHeap(), 0, Acl);
2819 return;
2820 }
2821 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
2822
2823 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
2824 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
2825
2826 /* get owner from the token we might be running as a user not admin */
2827 res = OpenProcessToken( GetCurrentProcess(), MAXIMUM_ALLOWED, &token );
2828 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
2829 if (!res)
2830 {
2831 HeapFree(GetProcessHeap(), 0, Acl);
2832 return;
2833 }
2834
2835 res = GetTokenInformation( token, TokenOwner, NULL, 0, &size );
2836 ok(!res, "Expected failure, got %d\n", res);
2837 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2838 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2839
2840 owner = HeapAlloc(GetProcessHeap(), 0, size);
2841 res = GetTokenInformation( token, TokenOwner, owner, size, &size );
2842 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2843 AdminSid = ((TOKEN_OWNER*)owner)->Owner;
2844
2845 res = GetTokenInformation( token, TokenPrimaryGroup, NULL, 0, &size );
2846 ok(!res, "Expected failure, got %d\n", res);
2847 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
2848 "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
2849
2850 group = HeapAlloc(GetProcessHeap(), 0, size);
2851 res = GetTokenInformation( token, TokenPrimaryGroup, group, size, &size );
2852 ok(res, "GetTokenInformation failed with error %d\n", GetLastError());
2853 UsersSid = ((TOKEN_PRIMARY_GROUP*)group)->PrimaryGroup;
2854
2855 CloseHandle( token );
2856 if (!res)
2857 {
2858 HeapFree(GetProcessHeap(), 0, group);
2859 HeapFree(GetProcessHeap(), 0, owner);
2860 HeapFree(GetProcessHeap(), 0, Acl);
2861 return;
2862 }
2863
2864 res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
2865 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
2866 res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
2867 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
2868
2869 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
2870 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
2871 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
2872
2873 event = CreateEventA( NULL, TRUE, TRUE, "test_event" );
2874 ok(event != NULL, "CreateEvent %d\n", GetLastError());
2875
2876 SecurityDescriptor->Revision = 0;
2877 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_UNKNOWN_REVISION );
2878 SecurityDescriptor->Revision = SECURITY_DESCRIPTOR_REVISION;
2879
2880 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2881 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_INVALID_SECURITY_DESCR );
2882 CHECK_SET_SECURITY( event, SACL_SECURITY_INFORMATION, ERROR_ACCESS_DENIED );
2883 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2884 /* NULL DACL is valid and means that everyone has access */
2885 SecurityDescriptor->Control |= SE_DACL_PRESENT;
2886 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2887
2888 /* Set owner and group and dacl */
2889 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
2890 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
2891 CHECK_SET_SECURITY( event, OWNER_SECURITY_INFORMATION, ERROR_SUCCESS );
2892 test_owner_equal( event, AdminSid, __LINE__ );
2893
2894 res = SetSecurityDescriptorGroup(SecurityDescriptor, EveryoneSid, FALSE);
2895 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2896 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2897 test_group_equal( event, EveryoneSid, __LINE__ );
2898
2899 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2900 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2901 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2902 /* setting a dacl should not change the owner or group */
2903 test_owner_equal( event, AdminSid, __LINE__ );
2904 test_group_equal( event, EveryoneSid, __LINE__ );
2905
2906 /* Test again with a different SID in case the previous SID also happens to
2907 * be the one that is incorrectly replacing the group. */
2908 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, FALSE);
2909 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
2910 CHECK_SET_SECURITY( event, GROUP_SECURITY_INFORMATION, ERROR_SUCCESS );
2911 test_group_equal( event, UsersSid, __LINE__ );
2912
2913 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
2914 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
2915 CHECK_SET_SECURITY( event, DACL_SECURITY_INFORMATION, ERROR_SUCCESS );
2916 test_group_equal( event, UsersSid, __LINE__ );
2917
2918 sprintf(buffer, "%s tests/security.c test", myARGV[0]);
2919 memset(&startup, 0, sizeof(startup));
2920 startup.cb = sizeof(startup);
2921 startup.dwFlags = STARTF_USESHOWWINDOW;
2922 startup.wShowWindow = SW_SHOWNORMAL;
2923
2924 psa.nLength = sizeof(psa);
2925 psa.lpSecurityDescriptor = SecurityDescriptor;
2926 psa.bInheritHandle = TRUE;
2927
2928 /* Doesn't matter what ACL say we should get full access for ourselves */
2929 res = CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info );
2930 ok(res, "CreateProcess with err:%d\n", GetLastError());
2931 TEST_GRANTED_ACCESS2( info.hProcess, PROCESS_ALL_ACCESS_NT4,
2932 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
2933 winetest_wait_child_process( info.hProcess );
2934
2935 FreeSid(EveryoneSid);
2936 CloseHandle( info.hProcess );
2937 CloseHandle( info.hThread );
2938 CloseHandle( event );
2939 HeapFree(GetProcessHeap(), 0, group);
2940 HeapFree(GetProcessHeap(), 0, owner);
2941 HeapFree(GetProcessHeap(), 0, Acl);
2942 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
2943 }
2944
2945 static void test_process_security_child(void)
2946 {
2947 HANDLE handle, handle1;
2948 BOOL ret;
2949 DWORD err;
2950
2951 handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
2952 ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
2953 TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
2954
2955 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
2956 &handle1, 0, TRUE, DUPLICATE_SAME_ACCESS );
2957 ok(ret, "duplicating handle err:%d\n", GetLastError());
2958 TEST_GRANTED_ACCESS( handle1, PROCESS_TERMINATE );
2959
2960 CloseHandle( handle1 );
2961
2962 SetLastError( 0xdeadbeef );
2963 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
2964 &handle1, PROCESS_ALL_ACCESS, TRUE, 0 );
2965 err = GetLastError();
2966 todo_wine
2967 ok(!ret && err == ERROR_ACCESS_DENIED, "duplicating handle should have failed "
2968 "with STATUS_ACCESS_DENIED, instead of err:%d\n", err);
2969
2970 CloseHandle( handle );
2971
2972 /* These two should fail - they are denied by ACL */
2973 handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
2974 todo_wine
2975 ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
2976 handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
2977 todo_wine
2978 ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
2979
2980 /* Documented privilege elevation */
2981 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
2982 &handle, 0, TRUE, DUPLICATE_SAME_ACCESS );
2983 ok(ret, "duplicating handle err:%d\n", GetLastError());
2984 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
2985 STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL );
2986
2987 CloseHandle( handle );
2988
2989 /* Same only explicitly asking for all access rights */
2990 ret = DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
2991 &handle, PROCESS_ALL_ACCESS, TRUE, 0 );
2992 ok(ret, "duplicating handle err:%d\n", GetLastError());
2993 TEST_GRANTED_ACCESS2( handle, PROCESS_ALL_ACCESS_NT4,
2994 PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION );
2995 ret = DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
2996 &handle1, PROCESS_VM_READ, TRUE, 0 );
2997 ok(ret, "duplicating handle err:%d\n", GetLastError());
2998 TEST_GRANTED_ACCESS( handle1, PROCESS_VM_READ );
2999 CloseHandle( handle1 );
3000 CloseHandle( handle );
3001 }
3002
3003 static void test_impersonation_level(void)
3004 {
3005 HANDLE Token, ProcessToken;
3006 HANDLE Token2;
3007 DWORD Size;
3008 TOKEN_PRIVILEGES *Privileges;
3009 TOKEN_USER *User;
3010 PRIVILEGE_SET *PrivilegeSet;
3011 BOOL AccessGranted;
3012 BOOL ret;
3013 HKEY hkey;
3014 DWORD error;
3015
3016 if( !pDuplicateTokenEx ) {
3017 win_skip("DuplicateTokenEx is not available\n");
3018 return;
3019 }
3020 SetLastError(0xdeadbeef);
3021 ret = ImpersonateSelf(SecurityAnonymous);
3022 if(!ret && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3023 {
3024 win_skip("ImpersonateSelf is not implemented\n");
3025 return;
3026 }
3027 ok(ret, "ImpersonateSelf(SecurityAnonymous) failed with error %d\n", GetLastError());
3028 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3029 ok(!ret, "OpenThreadToken should have failed\n");
3030 error = GetLastError();
3031 ok(error == ERROR_CANT_OPEN_ANONYMOUS, "OpenThreadToken on anonymous token should have returned ERROR_CANT_OPEN_ANONYMOUS instead of %d\n", error);
3032 /* can't perform access check when opening object against an anonymous impersonation token */
3033 todo_wine {
3034 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3035 ok(error == ERROR_INVALID_HANDLE || error == ERROR_CANT_OPEN_ANONYMOUS || error == ERROR_BAD_IMPERSONATION_LEVEL,
3036 "RegOpenKeyEx failed with %d\n", error);
3037 }
3038 RevertToSelf();
3039
3040 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &ProcessToken);
3041 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
3042
3043 ret = pDuplicateTokenEx(ProcessToken,
3044 TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, NULL,
3045 SecurityAnonymous, TokenImpersonation, &Token);
3046 ok(ret, "DuplicateTokenEx failed with error %d\n", GetLastError());
3047 /* can't increase the impersonation level */
3048 ret = DuplicateToken(Token, SecurityIdentification, &Token2);
3049 error = GetLastError();
3050 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL,
3051 "Duplicating a token and increasing the impersonation level should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3052 /* we can query anything from an anonymous token, including the user */
3053 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
3054 error = GetLastError();
3055 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenUser) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3056 User = HeapAlloc(GetProcessHeap(), 0, Size);
3057 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
3058 ok(ret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3059 HeapFree(GetProcessHeap(), 0, User);
3060
3061 /* PrivilegeCheck fails with SecurityAnonymous level */
3062 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
3063 error = GetLastError();
3064 ok(!ret && error == ERROR_INSUFFICIENT_BUFFER, "GetTokenInformation(TokenPrivileges) should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", error);
3065 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
3066 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
3067 ok(ret, "GetTokenInformation(TokenPrivileges) failed with error %d\n", GetLastError());
3068
3069 PrivilegeSet = HeapAlloc(GetProcessHeap(), 0, FIELD_OFFSET(PRIVILEGE_SET, Privilege[Privileges->PrivilegeCount]));
3070 PrivilegeSet->PrivilegeCount = Privileges->PrivilegeCount;
3071 memcpy(PrivilegeSet->Privilege, Privileges->Privileges, PrivilegeSet->PrivilegeCount * sizeof(PrivilegeSet->Privilege[0]));
3072 PrivilegeSet->Control = PRIVILEGE_SET_ALL_NECESSARY;
3073 HeapFree(GetProcessHeap(), 0, Privileges);
3074
3075 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3076 error = GetLastError();
3077 ok(!ret && error == ERROR_BAD_IMPERSONATION_LEVEL, "PrivilegeCheck for SecurityAnonymous token should have failed with ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3078
3079 CloseHandle(Token);
3080
3081 ret = ImpersonateSelf(SecurityIdentification);
3082 ok(ret, "ImpersonateSelf(SecurityIdentification) failed with error %d\n", GetLastError());
3083 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3084 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3085
3086 /* can't perform access check when opening object against an identification impersonation token */
3087 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3088 todo_wine {
3089 ok(error == ERROR_INVALID_HANDLE || error == ERROR_BAD_IMPERSONATION_LEVEL,
3090 "RegOpenKeyEx should have failed with ERROR_INVALID_HANDLE or ERROR_BAD_IMPERSONATION_LEVEL instead of %d\n", error);
3091 }
3092 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3093 ok(ret, "PrivilegeCheck for SecurityIdentification failed with error %d\n", GetLastError());
3094 CloseHandle(Token);
3095 RevertToSelf();
3096
3097 ret = ImpersonateSelf(SecurityImpersonation);
3098 ok(ret, "ImpersonateSelf(SecurityImpersonation) failed with error %d\n", GetLastError());
3099 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY_SOURCE | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT, TRUE, &Token);
3100 ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
3101 error = RegOpenKeyExA(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
3102 ok(error == ERROR_SUCCESS, "RegOpenKeyEx should have succeeded instead of failing with %d\n", error);
3103 RegCloseKey(hkey);
3104 ret = PrivilegeCheck(Token, PrivilegeSet, &AccessGranted);
3105 ok(ret, "PrivilegeCheck for SecurityImpersonation failed with error %d\n", GetLastError());
3106 RevertToSelf();
3107
3108 CloseHandle(Token);
3109 CloseHandle(ProcessToken);
3110
3111 HeapFree(GetProcessHeap(), 0, PrivilegeSet);
3112 }
3113
3114 static void test_SetEntriesInAclW(void)
3115 {
3116 DWORD res;
3117 PSID EveryoneSid = NULL, UsersSid = NULL;
3118 PACL OldAcl = NULL, NewAcl;
3119 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3120 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3121 EXPLICIT_ACCESSW ExplicitAccess;
3122 static const WCHAR wszEveryone[] = {'E','v','e','r','y','o','n','e',0};
3123 static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3124
3125 if (!pSetEntriesInAclW)
3126 {
3127 win_skip("SetEntriesInAclW is not available\n");
3128 return;
3129 }
3130
3131 NewAcl = (PACL)0xdeadbeef;
3132 res = pSetEntriesInAclW(0, NULL, NULL, &NewAcl);
3133 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3134 {
3135 win_skip("SetEntriesInAclW is not implemented\n");
3136 return;
3137 }
3138 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3139 ok(NewAcl == NULL ||
3140 broken(NewAcl != NULL), /* NT4 */
3141 "NewAcl=%p, expected NULL\n", NewAcl);
3142 LocalFree(NewAcl);
3143
3144 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3145 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3146 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3147 {
3148 win_skip("ACLs not implemented - skipping tests\n");
3149 HeapFree(GetProcessHeap(), 0, OldAcl);
3150 return;
3151 }
3152 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3153
3154 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3155 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3156
3157 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3158 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3159 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3160
3161 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3162 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3163
3164 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3165 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3166 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3167 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3168 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3169 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3170 ExplicitAccess.Trustee.MultipleTrusteeOperation = 0xDEADBEEF;
3171 ExplicitAccess.Trustee.pMultipleTrustee = (PVOID)0xDEADBEEF;
3172 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3173 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3174 ok(NewAcl != NULL, "returned acl was NULL\n");
3175 LocalFree(NewAcl);
3176
3177 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3178 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3179 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3180 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3181 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3182 ok(NewAcl != NULL, "returned acl was NULL\n");
3183 LocalFree(NewAcl);
3184
3185 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3186 {
3187 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3188 }
3189 else
3190 {
3191 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3192 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszEveryone;
3193 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3194 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3195 ok(NewAcl != NULL, "returned acl was NULL\n");
3196 LocalFree(NewAcl);
3197
3198 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3199 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3200 ok(res == ERROR_INVALID_PARAMETER ||
3201 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3202 "SetEntriesInAclW failed: %u\n", res);
3203 ok(NewAcl == NULL ||
3204 broken(NewAcl != NULL), /* NT4 */
3205 "returned acl wasn't NULL: %p\n", NewAcl);
3206
3207 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3208 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3209 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3210 ok(res == ERROR_INVALID_PARAMETER ||
3211 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3212 "SetEntriesInAclW failed: %u\n", res);
3213 ok(NewAcl == NULL ||
3214 broken(NewAcl != NULL), /* NT4 */
3215 "returned acl wasn't NULL: %p\n", NewAcl);
3216
3217 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3218 ExplicitAccess.grfAccessMode = SET_ACCESS;
3219 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3220 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3221 ok(NewAcl != NULL, "returned acl was NULL\n");
3222 LocalFree(NewAcl);
3223 }
3224
3225 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3226 ExplicitAccess.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
3227 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3228 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3229 ok(NewAcl != NULL, "returned acl was NULL\n");
3230 LocalFree(NewAcl);
3231
3232 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3233 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3234 ExplicitAccess.Trustee.ptstrName = UsersSid;
3235 res = pSetEntriesInAclW(1, &ExplicitAccess, OldAcl, &NewAcl);
3236 ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
3237 ok(NewAcl != NULL, "returned acl was NULL\n");
3238 LocalFree(NewAcl);
3239
3240 FreeSid(UsersSid);
3241 FreeSid(EveryoneSid);
3242 HeapFree(GetProcessHeap(), 0, OldAcl);
3243 }
3244
3245 static void test_SetEntriesInAclA(void)
3246 {
3247 DWORD res;
3248 PSID EveryoneSid = NULL, UsersSid = NULL;
3249 PACL OldAcl = NULL, NewAcl;
3250 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
3251 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3252 EXPLICIT_ACCESSA ExplicitAccess;
3253 static const CHAR szEveryone[] = {'E','v','e','r','y','o','n','e',0};
3254 static const CHAR szCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
3255
3256 if (!pSetEntriesInAclA)
3257 {
3258 win_skip("SetEntriesInAclA is not available\n");
3259 return;
3260 }
3261
3262 NewAcl = (PACL)0xdeadbeef;
3263 res = pSetEntriesInAclA(0, NULL, NULL, &NewAcl);
3264 if(res == ERROR_CALL_NOT_IMPLEMENTED)
3265 {
3266 win_skip("SetEntriesInAclA is not implemented\n");
3267 return;
3268 }
3269 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3270 ok(NewAcl == NULL ||
3271 broken(NewAcl != NULL), /* NT4 */
3272 "NewAcl=%p, expected NULL\n", NewAcl);
3273 LocalFree(NewAcl);
3274
3275 OldAcl = HeapAlloc(GetProcessHeap(), 0, 256);
3276 res = InitializeAcl(OldAcl, 256, ACL_REVISION);
3277 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
3278 {
3279 win_skip("ACLs not implemented - skipping tests\n");
3280 HeapFree(GetProcessHeap(), 0, OldAcl);
3281 return;
3282 }
3283 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
3284
3285 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
3286 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3287
3288 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
3289 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
3290 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3291
3292 res = AddAccessAllowedAce(OldAcl, ACL_REVISION, KEY_READ, UsersSid);
3293 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
3294
3295 ExplicitAccess.grfAccessPermissions = KEY_WRITE;
3296 ExplicitAccess.grfAccessMode = GRANT_ACCESS;
3297 ExplicitAccess.grfInheritance = NO_INHERITANCE;
3298 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
3299 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3300 ExplicitAccess.Trustee.ptstrName = EveryoneSid;
3301 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3302 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3303 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3304 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3305 ok(NewAcl != NULL, "returned acl was NULL\n");
3306 LocalFree(NewAcl);
3307
3308 ExplicitAccess.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
3309 ExplicitAccess.Trustee.pMultipleTrustee = NULL;
3310 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3311 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3312 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3313 ok(NewAcl != NULL, "returned acl was NULL\n");
3314 LocalFree(NewAcl);
3315
3316 if (PRIMARYLANGID(GetSystemDefaultLangID()) != LANG_ENGLISH)
3317 {
3318 skip("Non-English locale (test with hardcoded 'Everyone')\n");
3319 }
3320 else
3321 {
3322 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3323 ExplicitAccess.Trustee.ptstrName = (LPSTR)szEveryone;
3324 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3325 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3326 ok(NewAcl != NULL, "returned acl was NULL\n");
3327 LocalFree(NewAcl);
3328
3329 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_BAD_FORM;
3330 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3331 ok(res == ERROR_INVALID_PARAMETER ||
3332 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3333 "SetEntriesInAclA failed: %u\n", res);
3334 ok(NewAcl == NULL ||
3335 broken(NewAcl != NULL), /* NT4 */
3336 "returned acl wasn't NULL: %p\n", NewAcl);
3337
3338 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3339 ExplicitAccess.Trustee.MultipleTrusteeOperation = TRUSTEE_IS_IMPERSONATE;
3340 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3341 ok(res == ERROR_INVALID_PARAMETER ||
3342 broken(res == ERROR_NOT_SUPPORTED), /* NT4 */
3343 "SetEntriesInAclA failed: %u\n", res);
3344 ok(NewAcl == NULL ||
3345 broken(NewAcl != NULL), /* NT4 */
3346 "returned acl wasn't NULL: %p\n", NewAcl);
3347
3348 ExplicitAccess.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
3349 ExplicitAccess.grfAccessMode = SET_ACCESS;
3350 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3351 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3352 ok(NewAcl != NULL, "returned acl was NULL\n");
3353 LocalFree(NewAcl);
3354 }
3355
3356 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
3357 ExplicitAccess.Trustee.ptstrName = (LPSTR)szCurrentUser;
3358 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3359 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3360 ok(NewAcl != NULL, "returned acl was NULL\n");
3361 LocalFree(NewAcl);
3362
3363 ExplicitAccess.grfAccessMode = REVOKE_ACCESS;
3364 ExplicitAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
3365 ExplicitAccess.Trustee.ptstrName = UsersSid;
3366 res = pSetEntriesInAclA(1, &ExplicitAccess, OldAcl, &NewAcl);
3367 ok(res == ERROR_SUCCESS, "SetEntriesInAclA failed: %u\n", res);
3368 ok(NewAcl != NULL, "returned acl was NULL\n");
3369 LocalFree(NewAcl);
3370
3371 FreeSid(UsersSid);
3372 FreeSid(EveryoneSid);
3373 HeapFree(GetProcessHeap(), 0, OldAcl);
3374 }
3375
3376 /* helper function for test_CreateDirectoryA */
3377 static void get_nt_pathW(const char *name, UNICODE_STRING *nameW)
3378 {
3379 UNICODE_STRING strW;
3380 ANSI_STRING str;
3381 NTSTATUS status;
3382 BOOLEAN ret;
3383
3384 pRtlInitAnsiString(&str, name);
3385
3386 status = pRtlAnsiStringToUnicodeString(&strW, &str, TRUE);
3387 ok(!status, "RtlAnsiStringToUnicodeString failed with %08x\n", status);
3388
3389 ret = pRtlDosPathNameToNtPathName_U(strW.Buffer, nameW, NULL, NULL);
3390 ok(ret, "RtlDosPathNameToNtPathName_U failed\n");
3391
3392 pRtlFreeUnicodeString(&strW);
3393 }
3394
3395 static void test_inherited_dacl(PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask,
3396 BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
3397 {
3398 ACL_SIZE_INFORMATION acl_size;
3399 ACCESS_ALLOWED_ACE *ace;
3400 BOOL bret;
3401
3402 bret = pGetAclInformation(dacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3403 ok_(__FILE__, line)(bret, "GetAclInformation failed\n");
3404
3405 todo_wine_if (todo_count)
3406 ok_(__FILE__, line)(acl_size.AceCount == 2,
3407 "GetAclInformation returned unexpected entry count (%d != 2)\n",
3408 acl_size.AceCount);
3409
3410 if (acl_size.AceCount > 0)
3411 {
3412 bret = pGetAce(dacl, 0, (VOID **)&ace);
3413 ok_(__FILE__, line)(bret, "Failed to get Current User ACE\n");
3414
3415 bret = EqualSid(&ace->SidStart, user_sid);
3416 todo_wine_if (todo_sid)
3417 ok_(__FILE__, line)(bret, "Current User ACE (%s) != Current User SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3418
3419 todo_wine_if (todo_flags)
3420 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3421 "Current User ACE has unexpected flags (0x%x != 0x%x)\n",
3422 ((ACE_HEADER *)ace)->AceFlags, flags);
3423
3424 ok_(__FILE__, line)(ace->Mask == mask,
3425 "Current User ACE has unexpected mask (0x%x != 0x%x)\n",
3426 ace->Mask, mask);
3427 }
3428 if (acl_size.AceCount > 1)
3429 {
3430 bret = pGetAce(dacl, 1, (VOID **)&ace);
3431 ok_(__FILE__, line)(bret, "Failed to get Administators Group ACE\n");
3432
3433 bret = EqualSid(&ace->SidStart, admin_sid);
3434 todo_wine_if (todo_sid)
3435 ok_(__FILE__, line)(bret, "Administators Group ACE (%s) != Administators Group SID (%s)\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3436
3437 todo_wine_if (todo_flags)
3438 ok_(__FILE__, line)(((ACE_HEADER *)ace)->AceFlags == flags,
3439 "Administators Group ACE has unexpected flags (0x%x != 0x%x)\n",
3440 ((ACE_HEADER *)ace)->AceFlags, flags);
3441
3442 ok_(__FILE__, line)(ace->Mask == mask,
3443 "Administators Group ACE has unexpected mask (0x%x != 0x%x)\n",
3444 ace->Mask, mask);
3445 }
3446 }
3447
3448 static void test_CreateDirectoryA(void)
3449 {
3450 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3451 DWORD sid_size = sizeof(admin_ptr), user_size;
3452 PSID admin_sid = (PSID) admin_ptr, user_sid;
3453 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
3454 PSECURITY_DESCRIPTOR pSD = &sd;
3455 ACL_SIZE_INFORMATION acl_size;
3456 UNICODE_STRING tmpfileW;
3457 SECURITY_ATTRIBUTES sa;
3458 OBJECT_ATTRIBUTES attr;
3459 char tmpfile[MAX_PATH];
3460 char tmpdir[MAX_PATH];
3461 HANDLE token, hTemp;
3462 IO_STATUS_BLOCK io;
3463 struct _SID *owner;
3464 BOOL bret = TRUE;
3465 NTSTATUS status;
3466 DWORD error;
3467 PACL pDacl;
3468
3469 if (!pGetSecurityInfo || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3470 {
3471 win_skip("Required functions are not available\n");
3472 return;
3473 }
3474
3475 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3476 {
3477 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3478 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3479 }
3480 if (!bret)
3481 {
3482 win_skip("Failed to get current user token\n");
3483 return;
3484 }
3485 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3486 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3487 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3488 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3489 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3490 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3491 CloseHandle( token );
3492 user_sid = ((TOKEN_USER *)user)->User.Sid;
3493
3494 sa.nLength = sizeof(sa);
3495 sa.lpSecurityDescriptor = pSD;
3496 sa.bInheritHandle = TRUE;
3497 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3498 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3499 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3500 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3501 ok(bret, "Failed to initialize ACL.\n");
3502 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3503 GENERIC_ALL, user_sid);
3504 ok(bret, "Failed to add Current User to ACL.\n");
3505 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3506 GENERIC_ALL, admin_sid);
3507 ok(bret, "Failed to add Administrator Group to ACL.\n");
3508 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3509 ok(bret, "Failed to add ACL to security descriptor.\n");
3510
3511 GetTempPathA(MAX_PATH, tmpdir);
3512 lstrcatA(tmpdir, "Please Remove Me");
3513 bret = CreateDirectoryA(tmpdir, &sa);
3514 ok(bret == TRUE, "CreateDirectoryA(%s) failed err=%d\n", tmpdir, GetLastError());
3515 HeapFree(GetProcessHeap(), 0, pDacl);
3516
3517 SetLastError(0xdeadbeef);
3518 error = pGetNamedSecurityInfoA(tmpdir, SE_FILE_OBJECT,
3519 OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, (PSID*)&owner,
3520 NULL, &pDacl, NULL, &pSD);
3521 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3522 {
3523 win_skip("GetNamedSecurityInfoA is not implemented\n");
3524 goto done;
3525 }
3526 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3527 test_inherited_dacl(pDacl, admin_sid, user_sid, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3528 0x1f01ff, FALSE, TRUE, FALSE, __LINE__);
3529 LocalFree(pSD);
3530
3531 /* Test inheritance of ACLs in CreateFile without security descriptor */
3532 strcpy(tmpfile, tmpdir);
3533 lstrcatA(tmpfile, "/tmpfile");
3534
3535 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, NULL,
3536 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3537 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3538
3539 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3540 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3541 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3542 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3543 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3544 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3545 LocalFree(pSD);
3546 CloseHandle(hTemp);
3547
3548 /* Test inheritance of ACLs in CreateFile with security descriptor -
3549 * When a security descriptor is set, then inheritance doesn't take effect */
3550 pSD = &sd;
3551 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3552 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3553 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3554 ok(bret, "Failed to initialize ACL\n");
3555 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3556 ok(bret, "Failed to add ACL to security descriptor\n");
3557
3558 strcpy(tmpfile, tmpdir);
3559 lstrcatA(tmpfile, "/tmpfile");
3560
3561 sa.nLength = sizeof(sa);
3562 sa.lpSecurityDescriptor = pSD;
3563 sa.bInheritHandle = TRUE;
3564 hTemp = CreateFileA(tmpfile, GENERIC_WRITE, FILE_SHARE_READ, &sa,
3565 CREATE_NEW, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3566 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3567 HeapFree(GetProcessHeap(), 0, pDacl);
3568
3569 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3570 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3571 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3572 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3573 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3574 ok(bret, "GetAclInformation failed\n");
3575 todo_wine
3576 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3577 acl_size.AceCount);
3578 LocalFree(pSD);
3579
3580 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3581 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3582 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3583 todo_wine
3584 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3585 if (error == ERROR_SUCCESS)
3586 {
3587 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3588 ok(bret, "GetAclInformation failed\n");
3589 todo_wine
3590 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3591 acl_size.AceCount);
3592 LocalFree(pSD);
3593 }
3594 CloseHandle(hTemp);
3595
3596 /* Test inheritance of ACLs in NtCreateFile without security descriptor */
3597 strcpy(tmpfile, tmpdir);
3598 lstrcatA(tmpfile, "/tmpfile");
3599 get_nt_pathW(tmpfile, &tmpfileW);
3600
3601 attr.Length = sizeof(attr);
3602 attr.RootDirectory = 0;
3603 attr.ObjectName = &tmpfileW;
3604 attr.Attributes = OBJ_CASE_INSENSITIVE;
3605 attr.SecurityDescriptor = NULL;
3606 attr.SecurityQualityOfService = NULL;
3607
3608 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3609 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3610 ok(!status, "NtCreateFile failed with %08x\n", status);
3611 pRtlFreeUnicodeString(&tmpfileW);
3612
3613 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3614 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3615 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3616 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3617 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3618 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
3619 LocalFree(pSD);
3620 CloseHandle(hTemp);
3621
3622 /* Test inheritance of ACLs in NtCreateFile with security descriptor -
3623 * When a security descriptor is set, then inheritance doesn't take effect */
3624 pSD = &sd;
3625 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3626 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3627 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3628 ok(bret, "Failed to initialize ACL\n");
3629 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3630 ok(bret, "Failed to add ACL to security descriptor\n");
3631
3632 strcpy(tmpfile, tmpdir);
3633 lstrcatA(tmpfile, "/tmpfile");
3634 get_nt_pathW(tmpfile, &tmpfileW);
3635
3636 attr.Length = sizeof(attr);
3637 attr.RootDirectory = 0;
3638 attr.ObjectName = &tmpfileW;
3639 attr.Attributes = OBJ_CASE_INSENSITIVE;
3640 attr.SecurityDescriptor = pSD;
3641 attr.SecurityQualityOfService = NULL;
3642
3643 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3644 FILE_SHARE_READ, FILE_CREATE, FILE_DELETE_ON_CLOSE, NULL, 0);
3645 ok(!status, "NtCreateFile failed with %08x\n", status);
3646 pRtlFreeUnicodeString(&tmpfileW);
3647 HeapFree(GetProcessHeap(), 0, pDacl);
3648
3649 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3650 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3651 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3652 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3653 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3654 ok(bret, "GetAclInformation failed\n");
3655 todo_wine
3656 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3657 acl_size.AceCount);
3658 LocalFree(pSD);
3659
3660 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3661 OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
3662 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3663 todo_wine
3664 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3665 if (error == ERROR_SUCCESS)
3666 {
3667 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3668 ok(bret, "GetAclInformation failed\n");
3669 todo_wine
3670 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3671 acl_size.AceCount);
3672 LocalFree(pSD);
3673 }
3674 CloseHandle(hTemp);
3675
3676 done:
3677 HeapFree(GetProcessHeap(), 0, user);
3678 bret = RemoveDirectoryA(tmpdir);
3679 ok(bret == TRUE, "RemoveDirectoryA should always succeed\n");
3680 }
3681
3682 static void test_GetNamedSecurityInfoA(void)
3683 {
3684 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3685 char system_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3686 char users_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
3687 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
3688 PSID admin_sid = (PSID) admin_ptr, users_sid = (PSID) users_ptr;
3689 PSID system_sid = (PSID) system_ptr, user_sid, localsys_sid;
3690 DWORD sid_size = sizeof(admin_ptr), user_size;
3691 char invalid_path[] = "/an invalid file path";
3692 int users_ace_id = -1, admins_ace_id = -1, i;
3693 char software_key[] = "MACHINE\\Software";
3694 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH+sizeof(void*)];
3695 SECURITY_DESCRIPTOR_CONTROL control;
3696 ACL_SIZE_INFORMATION acl_size;
3697 CHAR windows_dir[MAX_PATH];
3698 PSECURITY_DESCRIPTOR pSD;
3699 ACCESS_ALLOWED_ACE *ace;
3700 BOOL bret = TRUE, isNT4;
3701 char tmpfile[MAX_PATH];
3702 DWORD error, revision;
3703 BOOL owner_defaulted;
3704 BOOL group_defaulted;
3705 BOOL dacl_defaulted;
3706 HANDLE token, hTemp, h;
3707 PSID owner, group;
3708 BOOL dacl_present;
3709 PACL pDacl;
3710 BYTE flags;
3711 NTSTATUS status;
3712
3713 if (!pSetNamedSecurityInfoA || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3714 {
3715 win_skip("Required functions are not available\n");
3716 return;
3717 }
3718
3719 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
3720 {
3721 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3722 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
3723 }
3724 if (!bret)
3725 {
3726 win_skip("Failed to get current user token\n");
3727 return;
3728 }
3729 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3730 ok(!bret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
3731 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3732 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3733 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3734 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3735 CloseHandle( token );
3736 user_sid = ((TOKEN_USER *)user)->User.Sid;
3737
3738 bret = GetWindowsDirectoryA(windows_dir, MAX_PATH);
3739 ok(bret, "GetWindowsDirectory failed with error %d\n", GetLastError());
3740
3741 SetLastError(0xdeadbeef);
3742 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,
3743 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION,
3744 NULL, NULL, NULL, NULL, &pSD);
3745 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3746 {
3747 win_skip("GetNamedSecurityInfoA is not implemented\n");
3748 HeapFree(GetProcessHeap(), 0, user);
3749 return;
3750 }
3751 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3752
3753 bret = GetSecurityDescriptorControl(pSD, &control, &revision);
3754 ok(bret, "GetSecurityDescriptorControl failed with error %d\n", GetLastError());
3755 ok((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == (SE_SELF_RELATIVE|SE_DACL_PRESENT) ||
3756 broken((control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT), /* NT4 */
3757 "control (0x%x) doesn't have (SE_SELF_RELATIVE|SE_DACL_PRESENT) flags set\n", control);
3758 ok(revision == SECURITY_DESCRIPTOR_REVISION1, "revision was %d instead of 1\n", revision);
3759
3760 isNT4 = (control & (SE_SELF_RELATIVE|SE_DACL_PRESENT)) == SE_DACL_PRESENT;
3761
3762 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
3763 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3764 ok(owner != NULL, "owner should not be NULL\n");
3765
3766 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
3767 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
3768 ok(group != NULL, "group should not be NULL\n");
3769 LocalFree(pSD);
3770
3771
3772 /* NULL descriptor tests */
3773 if(isNT4)
3774 {
3775 win_skip("NT4 does not support GetNamedSecutityInfo with a NULL descriptor\n");
3776 HeapFree(GetProcessHeap(), 0, user);
3777 return;
3778 }
3779
3780 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3781 NULL, NULL, NULL, NULL, NULL);
3782 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3783
3784 pDacl = NULL;
3785 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
3786 NULL, NULL, &pDacl, NULL, &pSD);
3787 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3788 ok(pDacl != NULL, "DACL should not be NULL\n");
3789 LocalFree(pSD);
3790
3791 error = pGetNamedSecurityInfoA(windows_dir, SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,
3792 NULL, NULL, &pDacl, NULL, NULL);
3793 ok(error==ERROR_INVALID_PARAMETER, "GetNamedSecurityInfo failed with error %d\n", error);
3794
3795 /* Test behavior of SetNamedSecurityInfo with an invalid path */
3796 SetLastError(0xdeadbeef);
3797 error = pSetNamedSecurityInfoA(invalid_path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3798 NULL, NULL, NULL);
3799 ok(error == ERROR_FILE_NOT_FOUND, "Unexpected error returned: 0x%x\n", error);
3800 ok(GetLastError() == 0xdeadbeef, "Expected last error to remain unchanged.\n");
3801
3802 /* Create security descriptor information and test that it comes back the same */
3803 pSD = &sd;
3804 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3805 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3806 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3807 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3808 ok(bret, "Failed to initialize ACL.\n");
3809 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3810 ok(bret, "Failed to add Current User to ACL.\n");
3811 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
3812 ok(bret, "Failed to add Administrator Group to ACL.\n");
3813 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3814 ok(bret, "Failed to add ACL to security descriptor.\n");
3815 GetTempFileNameA(".", "foo", 0, tmpfile);
3816 hTemp = CreateFileA(tmpfile, WRITE_DAC|GENERIC_WRITE, FILE_SHARE_DELETE|FILE_SHARE_READ,
3817 NULL, OPEN_EXISTING, FILE_FLAG_DELETE_ON_CLOSE, NULL);
3818 SetLastError(0xdeadbeef);
3819 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3820 NULL, pDacl, NULL);
3821 HeapFree(GetProcessHeap(), 0, pDacl);
3822 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3823 {
3824 win_skip("SetNamedSecurityInfoA is not implemented\n");
3825 HeapFree(GetProcessHeap(), 0, user);
3826 CloseHandle(hTemp);
3827 return;
3828 }
3829 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3830 SetLastError(0xdeadbeef);
3831 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3832 NULL, NULL, &pDacl, NULL, &pSD);
3833 if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
3834 {
3835 win_skip("GetNamedSecurityInfoA is not implemented\n");
3836 HeapFree(GetProcessHeap(), 0, user);
3837 CloseHandle(hTemp);
3838 return;
3839 }
3840 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3841
3842 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3843 ok(bret, "GetAclInformation failed\n");
3844 if (acl_size.AceCount > 0)
3845 {
3846 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3847 ok(bret, "Failed to get Current User ACE.\n");
3848 bret = EqualSid(&ace->SidStart, user_sid);
3849 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
3850 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
3851 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3852 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3853 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
3854 ace->Mask);
3855 }
3856 if (acl_size.AceCount > 1)
3857 {
3858 bret = pGetAce(pDacl, 1, (VOID **)&ace);
3859 ok(bret, "Failed to get Administators Group ACE.\n");
3860 bret = EqualSid(&ace->SidStart, admin_sid);
3861 todo_wine ok(bret || broken(!bret) /* win2k */,
3862 "Administators Group ACE (%s) != Administators Group SID (%s).\n",
3863 debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
3864 ok(((ACE_HEADER *)ace)->AceFlags == 0,
3865 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
3866 ok(ace->Mask == 0x1f01ff || broken(ace->Mask == GENERIC_ALL) /* win2k */,
3867 "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n", ace->Mask);
3868 }
3869 LocalFree(pSD);
3870
3871 /* show that setting empty DACL is not removing all file permissions */
3872 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3873 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3874 ok(bret, "Failed to initialize ACL.\n");
3875 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3876 NULL, NULL, pDacl, NULL);
3877 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3878 HeapFree(GetProcessHeap(), 0, pDacl);
3879
3880 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3881 NULL, NULL, &pDacl, NULL, &pSD);
3882 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3883
3884 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3885 ok(bret, "GetAclInformation failed\n");
3886 if (acl_size.AceCount > 0)
3887 {
3888 bret = pGetAce(pDacl, 0, (VOID **)&ace);
3889 ok(bret, "Failed to get ACE.\n");
3890 todo_wine ok(((ACE_HEADER *)ace)->AceFlags & INHERITED_ACE,
3891 "ACE has unexpected flags: 0x%x\n", ((ACE_HEADER *)ace)->AceFlags);
3892 }
3893 LocalFree(pSD);
3894
3895 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3896 NULL, OPEN_EXISTING, 0, NULL);
3897 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3898 CloseHandle(h);
3899
3900 /* test setting NULL DACL */
3901 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3902 DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL);
3903 ok(!error, "SetNamedSecurityInfoA failed with error %d\n", error);
3904
3905 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
3906 NULL, NULL, &pDacl, NULL, &pSD);
3907 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3908 todo_wine ok(!pDacl, "pDacl != NULL\n");
3909 LocalFree(pSD);
3910
3911 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3912 NULL, OPEN_EXISTING, 0, NULL);
3913 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3914 CloseHandle(h);
3915
3916 /* NtSetSecurityObject doesn't inherit DACL entries */
3917 pSD = sd+sizeof(void*)-((ULONG_PTR)sd)%sizeof(void*);
3918 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
3919 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3920 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3921 ok(bret, "Failed to initialize ACL.\n");
3922 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3923 ok(bret, "Failed to add ACL to security descriptor.\n");
3924 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3925 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3926
3927 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3928 NULL, OPEN_EXISTING, 0, NULL);
3929 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3930 CloseHandle(h);
3931
3932 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ, SE_DACL_AUTO_INHERIT_REQ);
3933 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3934 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3935
3936 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3937 NULL, OPEN_EXISTING, 0, NULL);
3938 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3939 CloseHandle(h);
3940
3941 pSetSecurityDescriptorControl(pSD, SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED,
3942 SE_DACL_AUTO_INHERIT_REQ|SE_DACL_AUTO_INHERITED);
3943 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3944 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3945
3946 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3947 NULL, OPEN_EXISTING, 0, NULL);
3948 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3949 CloseHandle(h);
3950
3951 /* test if DACL is properly mapped to permission */
3952 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3953 ok(bret, "Failed to initialize ACL.\n");
3954 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3955 ok(bret, "Failed to add Current User to ACL.\n");
3956 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3957 ok(bret, "Failed to add Current User to ACL.\n");
3958 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3959 ok(bret, "Failed to add ACL to security descriptor.\n");
3960 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3961 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3962
3963 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3964 NULL, OPEN_EXISTING, 0, NULL);
3965 ok(h != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3966 CloseHandle(h);
3967
3968 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3969 ok(bret, "Failed to initialize ACL.\n");
3970 bret = pAddAccessDeniedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3971 ok(bret, "Failed to add Current User to ACL.\n");
3972 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3973 ok(bret, "Failed to add Current User to ACL.\n");
3974 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3975 ok(bret, "Failed to add ACL to security descriptor.\n");
3976 status = pNtSetSecurityObject(hTemp, DACL_SECURITY_INFORMATION, pSD);
3977 ok(status == ERROR_SUCCESS, "NtSetSecurityObject returned %x\n", status);
3978
3979 h = CreateFileA(tmpfile, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,
3980 NULL, OPEN_EXISTING, 0, NULL);
3981 ok(h == INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
3982 HeapFree(GetProcessHeap(), 0, pDacl);
3983 HeapFree(GetProcessHeap(), 0, user);
3984 CloseHandle(hTemp);
3985
3986 /* Test querying the ownership of a built-in registry key */
3987 sid_size = sizeof(system_ptr);
3988 pCreateWellKnownSid(WinLocalSystemSid, NULL, system_sid, &sid_size);
3989 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY,
3990 OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
3991 NULL, NULL, NULL, NULL, &pSD);
3992 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3993
3994 bret = AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &localsys_sid);
3995 ok(bret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
3996
3997 bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
3998 ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
3999 ok(owner != NULL, "owner should not be NULL\n");
4000 ok(EqualSid(owner, admin_sid) || EqualSid(owner, localsys_sid),
4001 "MACHINE\\Software owner SID (%s) != Administrators SID (%s) or Local System Sid (%s).\n",
4002 debugstr_sid(owner), debugstr_sid(admin_sid), debugstr_sid(localsys_sid));
4003
4004 bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
4005 ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
4006 ok(group != NULL, "group should not be NULL\n");
4007 ok(EqualSid(group, admin_sid) || broken(EqualSid(group, system_sid)) /* before Win7 */
4008 || broken(((SID*)group)->SubAuthority[0] == SECURITY_NT_NON_UNIQUE) /* Vista */,
4009 "MACHINE\\Software group SID (%s) != Local System SID (%s or %s)\n",
4010 debugstr_sid(group), debugstr_sid(admin_sid), debugstr_sid(system_sid));
4011 LocalFree(pSD);
4012
4013 /* Test querying the DACL of a built-in registry key */
4014 sid_size = sizeof(users_ptr);
4015 pCreateWellKnownSid(WinBuiltinUsersSid, NULL, users_sid, &sid_size);
4016 error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
4017 NULL, NULL, NULL, NULL, &pSD);
4018 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
4019
4020 bret = GetSecurityDescriptorDacl(pSD, &dacl_present, &pDacl, &dacl_defaulted);
4021 ok(bret, "GetSecurityDescriptorDacl failed with error %d\n", GetLastError());
4022 ok(dacl_present, "DACL should be present\n");
4023 ok(pDacl && IsValidAcl(pDacl), "GetSecurityDescriptorDacl returned invalid DACL.\n");
4024 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4025 ok(bret, "GetAclInformation failed\n");
4026 ok(acl_size.AceCount != 0, "GetAclInformation returned no ACLs\n");
4027 for (i=0; i<acl_size.AceCount; i++)
4028 {
4029 bret = pGetAce(pDacl, i, (VOID **)&ace);
4030 ok(bret, "Failed to get ACE %d.\n", i);
4031 bret = EqualSid(&ace->SidStart, users_sid);
4032 if (bret) users_ace_id = i;
4033 bret = EqualSid(&ace->SidStart, admin_sid);
4034 if (bret) admins_ace_id = i;
4035 }
4036 ok(users_ace_id != -1 || broken(users_ace_id == -1) /* win2k */,
4037 "Builtin Users ACE not found.\n");
4038 if (users_ace_id != -1)
4039 {
4040 bret = pGetAce(pDacl, users_ace_id, (VOID **)&ace);
4041 ok(bret, "Failed to get Builtin Users ACE.\n");
4042 flags = ((ACE_HEADER *)ace)->AceFlags;
4043 ok(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)
4044 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4045 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4046 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4047 "Builtin Users ACE has unexpected flags (0x%x != 0x%x)\n", flags,
4048 INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE);
4049 ok(ace->Mask == GENERIC_READ
4050 || broken(ace->Mask == KEY_READ), /* win 10 */
4051 "Builtin Users ACE has unexpected mask (0x%x != 0x%x)\n",
4052 ace->Mask, GENERIC_READ);
4053 }
4054 ok(admins_ace_id != -1, "Builtin Admins ACE not found.\n");
4055 if (admins_ace_id != -1)
4056 {
4057 bret = pGetAce(pDacl, admins_ace_id, (VOID **)&ace);
4058 ok(bret, "Failed to get Builtin Admins ACE.\n");
4059 flags = ((ACE_HEADER *)ace)->AceFlags;
4060 ok(flags == 0x0
4061 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* w2k8 */
4062 || broken(flags == (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) /* win7 */
4063 || broken(flags == (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE)) /* win8+ */
4064 || broken(flags == (CONTAINER_INHERIT_ACE|INHERITED_ACE)) /* win 10 wow64 */
4065 || broken(flags == CONTAINER_INHERIT_ACE), /* win 10 */
4066 "Builtin Admins ACE has unexpected flags (0x%x != 0x0)\n", flags);
4067 ok(ace->Mask == KEY_ALL_ACCESS || broken(ace->Mask == GENERIC_ALL) /* w2k8 */,
4068 "Builtin Admins ACE has unexpected mask (0x%x != 0x%x)\n", ace->Mask, KEY_ALL_ACCESS);
4069 }
4070
4071 FreeSid(localsys_sid);
4072 LocalFree(pSD);
4073 }
4074
4075 static void test_ConvertStringSecurityDescriptor(void)
4076 {
4077 BOOL ret;
4078 PSECURITY_DESCRIPTOR pSD;
4079 static const WCHAR Blank[] = { 0 };
4080 unsigned int i;
4081 static const struct
4082 {
4083 const char *sidstring;
4084 DWORD revision;
4085 BOOL ret;
4086 DWORD GLE;
4087 DWORD altGLE;
4088 } cssd[] =
4089 {
4090 { "D:(A;;GA;;;WD)", 0xdeadbeef, FALSE, ERROR_UNKNOWN_REVISION },
4091 /* test ACE string type */
4092 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4093 { "D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4094 { "ERROR:(D;;GA;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_PARAMETER },
4095 /* test ACE string with spaces */
4096 { " D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4097 { "D: (D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4098 { "D:( D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4099 { "D:(D ;;GA;;;WD)", SDDL_REVISION_1, FALSE, RPC_S_INVALID_STRING_UUID, ERROR_INVALID_ACL }, /* Vista+ */
4100 { "D:(D; ;GA;;;WD)", SDDL_REVISION_1, TRUE },
4101 { "D:(D;; GA;;;WD)", SDDL_REVISION_1, TRUE },
4102 { "D:(D;;GA ;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4103 { "D:(D;;GA; ;;WD)", SDDL_REVISION_1, TRUE },
4104 { "D:(D;;GA;; ;WD)", SDDL_REVISION_1, TRUE },
4105 { "D:(D;;GA;;; WD)", SDDL_REVISION_1, TRUE },
4106 { "D:(D;;GA;;;WD )", SDDL_REVISION_1, TRUE },
4107 /* test ACE string access rights */
4108 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4109 { "D:(A;;GRGWGX;;;WD)", SDDL_REVISION_1, TRUE },
4110 { "D:(A;;RCSDWDWO;;;WD)", SDDL_REVISION_1, TRUE },
4111 { "D:(A;;RPWPCCDCLCSWLODTCR;;;WD)", SDDL_REVISION_1, TRUE },
4112 { "D:(A;;FAFRFWFX;;;WD)", SDDL_REVISION_1, TRUE },
4113 { "D:(A;;KAKRKWKX;;;WD)", SDDL_REVISION_1, TRUE },
4114 { "D:(A;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4115 { "S:(AU;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4116 /* test ACE string access right error case */
4117 { "D:(A;;ROB;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4118 /* test behaviour with empty strings */
4119 { "", SDDL_REVISION_1, TRUE },
4120 /* test ACE string SID */
4121 { "D:(D;;GA;;;S-1-0-0)", SDDL_REVISION_1, TRUE },
4122 { "D:(D;;GA;;;Nonexistent account)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL, ERROR_INVALID_SID } /* W2K */
4123 };
4124
4125 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4126 {
4127 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4128 return;
4129 }
4130
4131 for (i = 0; i < sizeof(cssd)/sizeof(cssd[0]); i++)
4132 {
4133 DWORD GLE;
4134
4135 SetLastError(0xdeadbeef);
4136 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4137 cssd[i].sidstring, cssd[i].revision, &pSD, NULL);
4138 GLE = GetLastError();
4139 ok(ret == cssd[i].ret, "(%02u) Expected %s (%d)\n", i, cssd[i].ret ? "success" : "failure", GLE);
4140 if (!cssd[i].ret)
4141 ok(GLE == cssd[i].GLE ||
4142 (cssd[i].altGLE && GLE == cssd[i].altGLE),
4143 "(%02u) Unexpected last error %d\n", i, GLE);
4144 if (ret)
4145 LocalFree(pSD);
4146 }
4147
4148 /* test behaviour with NULL parameters */
4149 SetLastError(0xdeadbeef);
4150 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4151 NULL, 0xdeadbeef, &pSD, NULL);
4152 todo_wine
4153 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4154 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4155 GetLastError());
4156
4157 SetLastError(0xdeadbeef);
4158 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4159 NULL, 0xdeadbeef, &pSD, NULL);
4160 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4161 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4162 GetLastError());
4163
4164 SetLastError(0xdeadbeef);
4165 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4166 "D:(A;;ROB;;;WD)", 0xdeadbeef, NULL, NULL);
4167 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4168 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4169 GetLastError());
4170
4171 SetLastError(0xdeadbeef);
4172 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4173 "D:(A;;ROB;;;WD)", SDDL_REVISION_1, NULL, NULL);
4174 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
4175 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4176 GetLastError());
4177
4178 /* test behaviour with empty strings */
4179 SetLastError(0xdeadbeef);
4180 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4181 Blank, SDDL_REVISION_1, &pSD, NULL);
4182 ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError());
4183 LocalFree(pSD);
4184
4185 SetLastError(0xdeadbeef);
4186 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4187 "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL);
4188 ok(ret || broken(!ret && GetLastError() == ERROR_INVALID_DATATYPE) /* win2k */,
4189 "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %u\n", GetLastError());
4190 if (ret) LocalFree(pSD);
4191 }
4192
4193 static void test_ConvertSecurityDescriptorToString(void)
4194 {
4195 SECURITY_DESCRIPTOR desc;
4196 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4197 LPSTR string;
4198 DWORD size;
4199 PSID psid, psid2;
4200 PACL pacl;
4201 char sid_buf[256];
4202 char acl_buf[8192];
4203 ULONG len;
4204
4205 if (!pConvertSecurityDescriptorToStringSecurityDescriptorA)
4206 {
4207 win_skip("ConvertSecurityDescriptorToStringSecurityDescriptor is not available\n");
4208 return;
4209 }
4210 if (!pCreateWellKnownSid)
4211 {
4212 win_skip("CreateWellKnownSid is not available\n");
4213 return;
4214 }
4215
4216 /* It seems Windows XP adds an extra character to the length of the string for each ACE in an ACL. We
4217 * don't replicate this feature so we only test len >= strlen+1. */
4218 #define CHECK_RESULT_AND_FREE(exp_str) \
4219 ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
4220 ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
4221 LocalFree(string);
4222
4223 #define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2) \
4224 ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
4225 ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
4226 LocalFree(string);
4227
4228 InitializeSecurityDescriptor(&desc, SECURITY_DESCRIPTOR_REVISION);
4229 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4230 CHECK_RESULT_AND_FREE("");
4231
4232 size = 4096;
4233 pCreateWellKnownSid(WinLocalSid, NULL, sid_buf, &size);
4234 SetSecurityDescriptorOwner(&desc, sid_buf, FALSE);
4235 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4236 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4237
4238 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4239 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4240 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4241
4242 size = sizeof(sid_buf);
4243 pCreateWellKnownSid(WinLocalSystemSid, NULL, sid_buf, &size);
4244 SetSecurityDescriptorOwner(&desc, sid_buf, TRUE);
4245 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4246 CHECK_RESULT_AND_FREE("O:SY");
4247
4248 pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid);
4249 SetSecurityDescriptorGroup(&desc, psid, TRUE);
4250 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4251 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576");
4252
4253 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, GROUP_SECURITY_INFORMATION, &string, &len), "Conversion failed\n");
4254 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4255
4256 pacl = (PACL)acl_buf;
4257 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4258 SetSecurityDescriptorDacl(&desc, TRUE, pacl, TRUE);
4259 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4260 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4261
4262 SetSecurityDescriptorDacl(&desc, TRUE, pacl, FALSE);
4263 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4264 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4265
4266 pConvertStringSidToSidA("S-1-5-6", &psid2);
4267 pAddAccessAllowedAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, 0xf0000000, psid2);
4268 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4269 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)");
4270
4271 pAddAccessAllowedAceEx(pacl, ACL_REVISION, INHERIT_ONLY_ACE|INHERITED_ACE, 0x00000003, psid2);
4272 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4273 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)");
4274
4275 pAddAccessDeniedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE, 0xffffffff, psid);
4276 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4277 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)");
4278
4279
4280 pacl = (PACL)acl_buf;
4281 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4282 SetSecurityDescriptorSacl(&desc, TRUE, pacl, FALSE);
4283 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4284 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:");
4285
4286 /* fails in win2k */
4287 SetSecurityDescriptorDacl(&desc, TRUE, NULL, FALSE);
4288 pAddAuditAccessAceEx(pacl, ACL_REVISION, VALID_INHERIT_FLAGS, KEY_READ|KEY_WRITE, psid2, TRUE, TRUE);
4289 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4290 {
4291 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)", /* XP */
4292 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)" /* Vista */);
4293 }
4294
4295 /* fails in win2k */
4296 pAddAuditAccessAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, FILE_GENERIC_READ|FILE_GENERIC_WRITE, psid2, TRUE, FALSE);
4297 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4298 {
4299 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", /* XP */
4300 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)" /* Vista */);
4301 }
4302
4303 LocalFree(psid2);
4304 LocalFree(psid);
4305 }
4306
4307 static void test_SetSecurityDescriptorControl (PSECURITY_DESCRIPTOR sec)
4308 {
4309 SECURITY_DESCRIPTOR_CONTROL ref;
4310 SECURITY_DESCRIPTOR_CONTROL test;
4311
4312 SECURITY_DESCRIPTOR_CONTROL const mutable
4313 = SE_DACL_AUTO_INHERIT_REQ | SE_SACL_AUTO_INHERIT_REQ
4314 | SE_DACL_AUTO_INHERITED | SE_SACL_AUTO_INHERITED
4315 | SE_DACL_PROTECTED | SE_SACL_PROTECTED
4316 | 0x00000040 | 0x00000080 /* not defined in winnt.h */
4317 ;
4318 SECURITY_DESCRIPTOR_CONTROL const immutable
4319 = SE_OWNER_DEFAULTED | SE_GROUP_DEFAULTED
4320 | SE_DACL_PRESENT | SE_DACL_DEFAULTED
4321 | SE_SACL_PRESENT | SE_SACL_DEFAULTED
4322 | SE_RM_CONTROL_VALID | SE_SELF_RELATIVE
4323 ;
4324
4325 int bit;
4326 DWORD dwRevision;
4327 LPCSTR fmt = "Expected error %s, got %u\n";
4328
4329 GetSecurityDescriptorControl (sec, &ref, &dwRevision);
4330
4331 /* The mutable bits are mutable regardless of the truth of
4332 SE_DACL_PRESENT and/or SE_SACL_PRESENT */
4333
4334 /* Check call barfs if any bit-of-interest is immutable */
4335 for (bit = 0; bit < 16; ++bit)
4336 {
4337 SECURITY_DESCRIPTOR_CONTROL const bitOfInterest = 1 << bit;
4338 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitOfInterest;
4339
4340 SECURITY_DESCRIPTOR_CONTROL ctrl;
4341
4342 DWORD dwExpect = (bitOfInterest & immutable)
4343 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4344 LPCSTR strExpect = (bitOfInterest & immutable)
4345 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4346
4347 ctrl = (bitOfInterest & mutable) ? ref + bitOfInterest : ref;
4348 setOrClear ^= bitOfInterest;
4349 SetLastError (0xbebecaca);
4350 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4351 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4352 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4353 expect_eq(test, ctrl, int, "%x");
4354
4355 setOrClear ^= bitOfInterest;
4356 SetLastError (0xbebecaca);
4357 pSetSecurityDescriptorControl (sec, bitOfInterest, setOrClear);
4358 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4359 GetSecurityDescriptorControl (sec, &test, &dwRevision);
4360 expect_eq(test, ref, int, "%x");
4361 }
4362
4363 /* Check call barfs if any bit-to-set is immutable
4364 even when not a bit-of-interest */
4365 for (bit = 0; bit < 16; ++bit)
4366 {
4367 SECURITY_DESCRIPTOR_CONTROL const bitsOfInterest = mutable;
4368 SECURITY_DESCRIPTOR_CONTROL setOrClear = ref & bitsOfInterest;
4369
4370 SECURITY_DESCRIPTOR_CONTROL ctrl;
4371
4372 DWORD dwExpect = ((1 << bit) & immutable)
4373 ? ERROR_INVALID_PARAMETER : 0xbebecaca;
4374 LPCSTR strExpect = ((1 << bit) & immutable)
4375 ? "ERROR_INVALID_PARAMETER" : "0xbebecaca";
4376
4377 ctrl = ((1 << bit) & immutable) ? test : ref | mutable;
4378 setOrClear ^= bitsOfInterest;
4379 SetLastError (0xbebecaca);
4380 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4381 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4382 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4383 expect_eq(test, ctrl, int, "%x");
4384
4385 ctrl = ((1 << bit) & immutable) ? test : ref | (1 << bit);
4386 setOrClear ^= bitsOfInterest;
4387 SetLastError (0xbebecaca);
4388 pSetSecurityDescriptorControl (sec, bitsOfInterest, setOrClear | (1 << bit));
4389 ok (GetLastError () == dwExpect, fmt, strExpect, GetLastError ());
4390 GetSecurityDescriptorControl(sec, &test, &dwRevision);
4391 expect_eq(test, ctrl, int, "%x");
4392 }
4393 }
4394
4395 static void test_PrivateObjectSecurity(void)
4396 {
4397 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4398 SECURITY_DESCRIPTOR_CONTROL ctrl;
4399 PSECURITY_DESCRIPTOR sec;
4400 DWORD dwDescSize;
4401 DWORD dwRevision;
4402 DWORD retSize;
4403 LPSTR string;
4404 ULONG len;
4405 PSECURITY_DESCRIPTOR buf;
4406 BOOL ret;
4407
4408 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4409 {
4410 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4411 return;
4412 }
4413
4414 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4415 "O:SY"
4416 "G:S-1-5-21-93476-23408-4576"
4417 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)"
4418 "(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4419 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4420 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4421
4422 test_SetSecurityDescriptorControl(sec);
4423
4424 LocalFree(sec);
4425
4426 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4427 "O:SY"
4428 "G:S-1-5-21-93476-23408-4576",
4429 SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4430
4431 test_SetSecurityDescriptorControl(sec);
4432
4433 LocalFree(sec);
4434
4435 ok(pConvertStringSecurityDescriptorToSecurityDescriptorA(
4436 "O:SY"
4437 "G:S-1-5-21-93476-23408-4576"
4438 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4439 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", SDDL_REVISION_1, &sec, &dwDescSize), "Creating descriptor failed\n");
4440 buf = HeapAlloc(GetProcessHeap(), 0, dwDescSize);
4441 pSetSecurityDescriptorControl(sec, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
4442 GetSecurityDescriptorControl(sec, &ctrl, &dwRevision);
4443 expect_eq(ctrl, 0x9014, int, "%x");
4444
4445 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4446 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4447 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4448 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4449 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4450 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4451 expect_eq(ctrl, 0x8000, int, "%x");
4452
4453 ret = GetPrivateObjectSecurity(sec, GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, buf, dwDescSize, &retSize);
4454 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4455 ok(retSize <= dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4456 ret = pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len);
4457 ok(ret, "Conversion failed err=%u\n", GetLastError());
4458 CHECK_ONE_OF_AND_FREE("G:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)",
4459 "G:S-1-5-21-93476-23408-4576D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"); /* Win7 */
4460 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4461 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8004, int, "%x");
4462
4463 ret = GetPrivateObjectSecurity(sec, sec_info, buf, dwDescSize, &retSize);
4464 ok(ret, "GetPrivateObjectSecurity failed (err=%u)\n", GetLastError());
4465 ok(retSize == dwDescSize, "Buffer too small (%d vs %d)\n", retSize, dwDescSize);
4466 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(buf, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4467 CHECK_ONE_OF_AND_FREE("O:SY"
4468 "G:S-1-5-21-93476-23408-4576"
4469 "D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4470 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)",
4471 "O:SY"
4472 "G:S-1-5-21-93476-23408-4576"
4473 "D:P(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)"
4474 "S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)"); /* Win7 */
4475 GetSecurityDescriptorControl(buf, &ctrl, &dwRevision);
4476 expect_eq(ctrl & (~ SE_DACL_PROTECTED), 0x8014, int, "%x");
4477
4478 SetLastError(0xdeadbeef);
4479 ok(GetPrivateObjectSecurity(sec, sec_info, buf, 5, &retSize) == FALSE, "GetPrivateObjectSecurity should have failed\n");
4480 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected error ERROR_INSUFFICIENT_BUFFER, got %u\n", GetLastError());
4481
4482 LocalFree(sec);
4483 HeapFree(GetProcessHeap(), 0, buf);
4484 }
4485 #undef CHECK_RESULT_AND_FREE
4486 #undef CHECK_ONE_OF_AND_FREE
4487
4488 static void test_acls(void)
4489 {
4490 char buffer[256];
4491 PACL pAcl = (PACL)buffer;
4492 BOOL ret;
4493
4494 SetLastError(0xdeadbeef);
4495 ret = InitializeAcl(pAcl, sizeof(ACL) - 1, ACL_REVISION);
4496 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4497 {
4498 win_skip("InitializeAcl is not implemented\n");
4499 return;
4500 }
4501
4502 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "InitializeAcl with too small a buffer should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", GetLastError());
4503
4504 SetLastError(0xdeadbeef);
4505 ret = InitializeAcl(pAcl, 0xffffffff, ACL_REVISION);
4506 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl with too large a buffer should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4507
4508 SetLastError(0xdeadbeef);
4509 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION1);
4510 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(ACL_REVISION1) should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4511
4512 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION2);
4513 ok(ret, "InitializeAcl(ACL_REVISION2) failed with error %d\n", GetLastError());
4514
4515 ret = IsValidAcl(pAcl);
4516 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4517
4518 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION3);
4519 ok(ret, "InitializeAcl(ACL_REVISION3) failed with error %d\n", GetLastError());
4520
4521 ret = IsValidAcl(pAcl);
4522 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4523
4524 SetLastError(0xdeadbeef);
4525 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION4);
4526 if (GetLastError() != ERROR_INVALID_PARAMETER)
4527 {
4528 ok(ret, "InitializeAcl(ACL_REVISION4) failed with error %d\n", GetLastError());
4529
4530 ret = IsValidAcl(pAcl);
4531 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4532 }
4533 else
4534 win_skip("ACL_REVISION4 is not implemented on NT4\n");
4535
4536 SetLastError(0xdeadbeef);
4537 ret = InitializeAcl(pAcl, sizeof(buffer), -1);
4538 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(-1) failed with error %d\n", GetLastError());
4539 }
4540
4541 static void test_GetSecurityInfo(void)
4542 {
4543 char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
4544 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
4545 DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
4546 PSID admin_sid = (PSID) admin_ptr, user_sid;
4547 char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
4548 ACL_SIZE_INFORMATION acl_size;
4549 PSECURITY_DESCRIPTOR pSD;
4550 ACCESS_ALLOWED_ACE *ace;
4551 HANDLE token, obj;
4552 PSID owner, group;
4553 BOOL bret = TRUE;
4554 PACL pDacl;
4555 DWORD ret;
4556
4557 if (!pGetSecurityInfo || !pSetSecurityInfo)
4558 {
4559 win_skip("[Get|Set]SecurityInfo is not available\n");
4560 return;
4561 }
4562
4563 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
4564 {
4565 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
4566 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
4567 }
4568 if (!bret)
4569 {
4570 win_skip("Failed to get current user token\n");
4571 return;
4572 }
4573 bret = GetTokenInformation(token, TokenUser, b, l, &l);
4574 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
4575 CloseHandle( token );
4576 user_sid = ((TOKEN_USER *)b)->User.Sid;
4577
4578 /* Create something. Files have lots of associated security info. */
4579 obj = CreateFileA(myARGV[0], GENERIC_READ|WRITE_DAC, FILE_SHARE_READ, NULL,
4580 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4581 if (obj == INVALID_HANDLE_VALUE)
4582 {
4583 skip("Couldn't create an object for GetSecurityInfo test\n");
4584 return;
4585 }
4586
4587 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4588 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4589 &owner, &group, &pDacl, NULL, &pSD);
4590 if (ret == ERROR_CALL_NOT_IMPLEMENTED)
4591 {
4592 win_skip("GetSecurityInfo is not implemented\n");
4593 CloseHandle(obj);
4594 return;
4595 }
4596 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4597 ok(pSD != NULL, "GetSecurityInfo\n");
4598 ok(owner != NULL, "GetSecurityInfo\n");
4599 ok(group != NULL, "GetSecurityInfo\n");
4600 if (pDacl != NULL)
4601 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4602 else
4603 win_skip("No ACL information returned\n");
4604
4605 LocalFree(pSD);
4606
4607 if (!pCreateWellKnownSid)
4608 {
4609 win_skip("NULL parameter test would crash on NT4\n");
4610 CloseHandle(obj);
4611 return;
4612 }
4613
4614 /* If we don't ask for the security descriptor, Windows will still give us
4615 the other stuff, leaving us no way to free it. */
4616 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT,
4617 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
4618 &owner, &group, &pDacl, NULL, NULL);
4619 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4620 ok(owner != NULL, "GetSecurityInfo\n");
4621 ok(group != NULL, "GetSecurityInfo\n");
4622 if (pDacl != NULL)
4623 ok(IsValidAcl(pDacl), "GetSecurityInfo\n");
4624 else
4625 win_skip("No ACL information returned\n");
4626
4627 /* Create security descriptor information and test that it comes back the same */
4628 pSD = &sd;
4629 pDacl = (PACL)&dacl;
4630 InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
4631 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
4632 bret = InitializeAcl(pDacl, sizeof(dacl), ACL_REVISION);
4633 ok(bret, "Failed to initialize ACL.\n");
4634 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
4635 ok(bret, "Failed to add Current User to ACL.\n");
4636 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, admin_sid);
4637 ok(bret, "Failed to add Administrator Group to ACL.\n");
4638 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
4639 ok(bret, "Failed to add ACL to security descriptor.\n");
4640 ret = pSetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4641 NULL, NULL, pDacl, NULL);
4642 ok(ret == ERROR_SUCCESS, "SetSecurityInfo returned %d\n", ret);
4643 ret = pGetSecurityInfo(obj, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
4644 NULL, NULL, &pDacl, NULL, &pSD);
4645 ok(ret == ERROR_SUCCESS, "GetSecurityInfo returned %d\n", ret);
4646 ok(pDacl && IsValidAcl(pDacl), "GetSecurityInfo returned invalid DACL.\n");
4647 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
4648 ok(bret, "GetAclInformation failed\n");
4649 if (acl_size.AceCount > 0)
4650 {
4651 bret = pGetAce(pDacl, 0, (VOID **)&ace);
4652 ok(bret, "Failed to get Current User ACE.\n");
4653 bret = EqualSid(&ace->SidStart, user_sid);
4654 todo_wine ok(bret, "Current User ACE (%s) != Current User SID (%s).\n",
4655 debugstr_sid(&ace->SidStart), debugstr_sid(user_sid));
4656 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4657 "Current User ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4658 ok(ace->Mask == 0x1f01ff, "Current User ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4659 ace->Mask);
4660 }
4661 if (acl_size.AceCount > 1)
4662 {
4663 bret = pGetAce(pDacl, 1, (VOID **)&ace);
4664 ok(bret, "Failed to get Administators Group ACE.\n");
4665 bret = EqualSid(&ace->SidStart, admin_sid);
4666 todo_wine ok(bret, "Administators Group ACE (%s) != Administators Group SID (%s).\n", debugstr_sid(&ace->SidStart), debugstr_sid(admin_sid));
4667 ok(((ACE_HEADER *)ace)->AceFlags == 0,
4668 "Administators Group ACE has unexpected flags (0x%x != 0x0)\n", ((ACE_HEADER *)ace)->AceFlags);
4669 ok(ace->Mask == 0x1f01ff, "Administators Group ACE has unexpected mask (0x%x != 0x1f01ff)\n",
4670 ace->Mask);
4671 }
4672 LocalFree(pSD);
4673 CloseHandle(obj);
4674 }
4675
4676 static void test_GetSidSubAuthority(void)
4677 {
4678 PSID psid = NULL;
4679
4680 if (!pGetSidSubAuthority || !pConvertStringSidToSidA || !pIsValidSid || !pGetSidSubAuthorityCount)
4681 {
4682 win_skip("Some functions not available\n");
4683 return;
4684 }
4685 /* Note: on windows passing in an invalid index like -1, lets GetSidSubAuthority return 0x05000000 but
4686 still GetLastError returns ERROR_SUCCESS then. We don't test these unlikely cornercases here for now */
4687 ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576",&psid),"ConvertStringSidToSidA failed\n");
4688 ok(pIsValidSid(psid),"Sid is not valid\n");
4689 SetLastError(0xbebecaca);
4690 ok(*pGetSidSubAuthorityCount(psid) == 4,"GetSidSubAuthorityCount gave %d expected 4\n",*pGetSidSubAuthorityCount(psid));
4691 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4692 SetLastError(0xbebecaca);
4693 ok(*pGetSidSubAuthority(psid,0) == 21,"GetSidSubAuthority gave %d expected 21\n",*pGetSidSubAuthority(psid,0));
4694 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4695 SetLastError(0xbebecaca);
4696 ok(*pGetSidSubAuthority(psid,1) == 93476,"GetSidSubAuthority gave %d expected 93476\n",*pGetSidSubAuthority(psid,1));
4697 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4698 SetLastError(0xbebecaca);
4699 ok(pGetSidSubAuthority(psid,4) != NULL,"Expected out of bounds GetSidSubAuthority to return a non-NULL pointer\n");
4700 ok(GetLastError() == 0,"GetLastError returned %d instead of 0\n",GetLastError());
4701 LocalFree(psid);
4702 }
4703
4704 static void test_CheckTokenMembership(void)
4705 {
4706 PTOKEN_GROUPS token_groups;
4707 DWORD size;
4708 HANDLE process_token, token;
4709 BOOL is_member;
4710 BOOL ret;
4711 DWORD i;
4712
4713 if (!pCheckTokenMembership)
4714 {
4715 win_skip("CheckTokenMembership is not available\n");
4716 return;
4717 }
4718 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
4719 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
4720
4721 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
4722 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
4723
4724 /* groups */
4725 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
4726 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
4727 "GetTokenInformation(TokenGroups) %s with error %d\n",
4728 ret ? "succeeded" : "failed", GetLastError());
4729 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
4730 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
4731 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
4732
4733 for (i = 0; i < token_groups->GroupCount; i++)
4734 {
4735 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
4736 break;
4737 }
4738
4739 if (i == token_groups->GroupCount)
4740 {
4741 HeapFree(GetProcessHeap(), 0, token_groups);
4742 CloseHandle(token);
4743 skip("user not a member of any group\n");
4744 return;
4745 }
4746
4747 is_member = FALSE;
4748 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
4749 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4750 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4751
4752 is_member = FALSE;
4753 ret = pCheckTokenMembership(NULL, token_groups->Groups[i].Sid, &is_member);
4754 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
4755 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
4756
4757 is_member = TRUE;
4758 SetLastError(0xdeadbeef);
4759 ret = pCheckTokenMembership(process_token, token_groups->Groups[i].Sid, &is_member);
4760 ok(!ret && GetLastError() == ERROR_NO_IMPERSONATION_TOKEN,
4761 "CheckTokenMembership with process token %s with error %d\n",
4762 ret ? "succeeded" : "failed", GetLastError());
4763 ok(!is_member, "CheckTokenMembership should have cleared is_member\n");
4764
4765 HeapFree(GetProcessHeap(), 0, token_groups);
4766 CloseHandle(token);
4767 CloseHandle(process_token);
4768 }
4769
4770 static void test_EqualSid(void)
4771 {
4772 PSID sid1, sid2;
4773 BOOL ret;
4774 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
4775 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
4776
4777 SetLastError(0xdeadbeef);
4778 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4779 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid1);
4780 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
4781 {
4782 win_skip("AllocateAndInitializeSid is not implemented\n");
4783 return;
4784 }
4785 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4786 ok(GetLastError() == 0xdeadbeef,
4787 "AllocateAndInitializeSid shouldn't have set last error to %d\n",
4788 GetLastError());
4789
4790 ret = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
4791 0, 0, 0, 0, 0, 0, 0, &sid2);
4792 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4793
4794 SetLastError(0xdeadbeef);
4795 ret = EqualSid(sid1, sid2);
4796 ok(!ret, "World and domain admins sids shouldn't have been equal\n");
4797 ok(GetLastError() == ERROR_SUCCESS ||
4798 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4799 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4800 GetLastError());
4801
4802 SetLastError(0xdeadbeef);
4803 sid2 = FreeSid(sid2);
4804 ok(!sid2, "FreeSid should have returned NULL instead of %p\n", sid2);
4805 ok(GetLastError() == 0xdeadbeef,
4806 "FreeSid shouldn't have set last error to %d\n",
4807 GetLastError());
4808
4809 ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
4810 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &sid2);
4811 ok(ret, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
4812
4813 SetLastError(0xdeadbeef);
4814 ret = EqualSid(sid1, sid2);
4815 ok(ret, "Same sids should have been equal %s != %s\n",
4816 debugstr_sid(sid1), debugstr_sid(sid2));
4817 ok(GetLastError() == ERROR_SUCCESS ||
4818 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4819 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4820 GetLastError());
4821
4822 ((SID *)sid2)->Revision = 2;
4823 SetLastError(0xdeadbeef);
4824 ret = EqualSid(sid1, sid2);
4825 ok(!ret, "EqualSid with invalid sid should have returned FALSE\n");
4826 ok(GetLastError() == ERROR_SUCCESS ||
4827 broken(GetLastError() == 0xdeadbeef), /* NT4 */
4828 "EqualSid should have set last error to ERROR_SUCCESS instead of %d\n",
4829 GetLastError());
4830 ((SID *)sid2)->Revision = SID_REVISION;
4831
4832 FreeSid(sid1);
4833 FreeSid(sid2);
4834 }
4835
4836 static void test_GetUserNameA(void)
4837 {
4838 char buffer[UNLEN + 1], filler[UNLEN + 1];
4839 DWORD required_len, buffer_len;
4840 BOOL ret;
4841
4842 /* Test crashes on Windows. */
4843 if (0)
4844 {
4845 SetLastError(0xdeadbeef);
4846 GetUserNameA(NULL, NULL);
4847 }
4848
4849 SetLastError(0xdeadbeef);
4850 required_len = 0;
4851 ret = GetUserNameA(NULL, &required_len);
4852 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4853 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4854 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4855
4856 SetLastError(0xdeadbeef);
4857 required_len = 1;
4858 ret = GetUserNameA(NULL, &required_len);
4859 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4860 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
4861 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4862
4863 /* Tests crashes on Windows. */
4864 if (0)
4865 {
4866 SetLastError(0xdeadbeef);
4867 required_len = UNLEN + 1;
4868 GetUserNameA(NULL, &required_len);
4869
4870 SetLastError(0xdeadbeef);
4871 GetUserNameA(buffer, NULL);
4872 }
4873
4874 memset(filler, 'x', sizeof(filler));
4875
4876 /* Note that GetUserNameA on XP and newer outputs the number of bytes
4877 * required for a Unicode string, which affects a test in the next block. */
4878 SetLastError(0xdeadbeef);
4879 memcpy(buffer, filler, sizeof(filler));
4880 required_len = 0;
4881 ret = GetUserNameA(buffer, &required_len);
4882 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4883 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
4884 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4885 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4886
4887 SetLastError(0xdeadbeef);
4888 memcpy(buffer, filler, sizeof(filler));
4889 buffer_len = required_len;
4890 ret = GetUserNameA(buffer, &buffer_len);
4891 ok(ret == TRUE, "GetUserNameA returned %d, last error %u\n", ret, GetLastError());
4892 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
4893 ok(buffer_len == required_len ||
4894 broken(buffer_len == required_len / sizeof(WCHAR)), /* XP+ */
4895 "Outputted buffer length was %u\n", buffer_len);
4896
4897 /* Use the reported buffer size from the last GetUserNameA call and pass
4898 * a length that is one less than the required value. */
4899 SetLastError(0xdeadbeef);
4900 memcpy(buffer, filler, sizeof(filler));
4901 buffer_len--;
4902 ret = GetUserNameA(buffer, &buffer_len);
4903 ok(ret == FALSE, "GetUserNameA returned %d\n", ret);
4904 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was untouched\n");
4905 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4906 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4907 }
4908
4909 static void test_GetUserNameW(void)
4910 {
4911 WCHAR buffer[UNLEN + 1], filler[UNLEN + 1];
4912 DWORD required_len, buffer_len;
4913 BOOL ret;
4914
4915 /* Test crashes on Windows. */
4916 if (0)
4917 {
4918 SetLastError(0xdeadbeef);
4919 GetUserNameW(NULL, NULL);
4920 }
4921
4922 SetLastError(0xdeadbeef);
4923 required_len = 0;
4924 ret = GetUserNameW(NULL, &required_len);
4925 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4926 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4927 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4928
4929 SetLastError(0xdeadbeef);
4930 required_len = 1;
4931 ret = GetUserNameW(NULL, &required_len);
4932 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4933 ok(required_len != 0 && required_len != 1, "Outputted buffer length was %u\n", required_len);
4934 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4935
4936 /* Tests crash on Windows. */
4937 if (0)
4938 {
4939 SetLastError(0xdeadbeef);
4940 required_len = UNLEN + 1;
4941 GetUserNameW(NULL, &required_len);
4942
4943 SetLastError(0xdeadbeef);
4944 GetUserNameW(buffer, NULL);
4945 }
4946
4947 memset(filler, 'x', sizeof(filler));
4948
4949 SetLastError(0xdeadbeef);
4950 memcpy(buffer, filler, sizeof(filler));
4951 required_len = 0;
4952 ret = GetUserNameW(buffer, &required_len);
4953 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4954 ok(!memcmp(buffer, filler, sizeof(filler)), "Output buffer was altered\n");
4955 ok(required_len != 0, "Outputted buffer length was %u\n", required_len);
4956 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4957
4958 SetLastError(0xdeadbeef);
4959 memcpy(buffer, filler, sizeof(filler));
4960 buffer_len = required_len;
4961 ret = GetUserNameW(buffer, &buffer_len);
4962 ok(ret == TRUE, "GetUserNameW returned %d, last error %u\n", ret, GetLastError());
4963 ok(memcmp(buffer, filler, sizeof(filler)) != 0, "Output buffer was untouched\n");
4964 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4965
4966 /* GetUserNameW on XP and newer writes a truncated portion of the username string to the buffer. */
4967 SetLastError(0xdeadbeef);
4968 memcpy(buffer, filler, sizeof(filler));
4969 buffer_len--;
4970 ret = GetUserNameW(buffer, &buffer_len);
4971 ok(ret == FALSE, "GetUserNameW returned %d\n", ret);
4972 ok(!memcmp(buffer, filler, sizeof(filler)) ||
4973 broken(memcmp(buffer, filler, sizeof(filler)) != 0), /* XP+ */
4974 "Output buffer was altered\n");
4975 ok(buffer_len == required_len, "Outputted buffer length was %u\n", buffer_len);
4976 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Last error was %u\n", GetLastError());
4977 }
4978
4979 static void test_CreateRestrictedToken(void)
4980 {
4981 HANDLE process_token, token, r_token;
4982 PTOKEN_GROUPS token_groups, groups2;
4983 SID_AND_ATTRIBUTES sattr;
4984 SECURITY_IMPERSONATION_LEVEL level;
4985 TOKEN_TYPE type;
4986 BOOL is_member;
4987 DWORD size;
4988 BOOL ret;
4989 DWORD i, j;
4990
4991 if (!pCreateRestrictedToken)
4992 {
4993 win_skip("CreateRestrictedToken is not available\n");
4994 return;
4995 }
4996
4997 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
4998 ok(ret, "got error %d\n", GetLastError());
4999
5000 ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_QUERY,
5001 NULL, SecurityImpersonation, TokenImpersonation, &token);
5002 ok(ret, "got error %d\n", GetLastError());
5003
5004 /* groups */
5005 ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
5006 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
5007 "got %d with error %d\n", ret, GetLastError());
5008 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
5009 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
5010 ok(ret, "got error %d\n", GetLastError());
5011
5012 for (i = 0; i < token_groups->GroupCount; i++)
5013 {
5014 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
5015 break;
5016 }
5017
5018 if (i == token_groups->GroupCount)
5019 {
5020 HeapFree(GetProcessHeap(), 0, token_groups);
5021 CloseHandle(token);
5022 skip("User not a member of any group\n");
5023 return;
5024 }
5025
5026 is_member = FALSE;
5027 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
5028 ok(ret, "got error %d\n", GetLastError());
5029 ok(is_member, "not a member\n");
5030
5031 /* disable a SID in new token */
5032 sattr.Sid = token_groups->Groups[i].Sid;
5033 sattr.Attributes = 0;
5034 r_token = NULL;
5035 ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
5036 ok(ret, "got error %d\n", GetLastError());
5037
5038 if (ret)
5039 {
5040 /* check if a SID is enabled */
5041 is_member = TRUE;
5042 ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
5043 ok(ret, "got error %d\n", GetLastError());
5044 todo_wine ok(!is_member, "not a member\n");
5045
5046 ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
5047 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
5048 ret, GetLastError());
5049 groups2 = HeapAlloc(GetProcessHeap(), 0, size);
5050 ret = GetTokenInformation(r_token, TokenGroups, groups2, size, &size);
5051 ok(ret, "got error %d\n", GetLastError());
5052
5053 for (j = 0; j < groups2->GroupCount; j++)
5054 {
5055 if (EqualSid(groups2->Groups[j].Sid, token_groups->Groups[i].Sid))
5056 break;
5057 }
5058
5059 todo_wine ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
5060 "got wrong attributes\n");
5061 todo_wine ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
5062 "got wrong attributes\n");
5063
5064 HeapFree(GetProcessHeap(), 0, groups2);
5065
5066 size = sizeof(type);
5067 ret = GetTokenInformation(r_token, TokenType, &type, size, &size);
5068 ok(ret, "got error %d\n", GetLastError());
5069 ok(type == TokenImpersonation, "got type %u\n", type);
5070
5071 size = sizeof(level);
5072 ret = GetTokenInformation(r_token, TokenImpersonationLevel, &level, size, &size);
5073 ok(ret, "got error %d\n", GetLastError());
5074 ok(level == SecurityImpersonation, "got level %u\n", type);
5075 }
5076
5077 HeapFree(GetProcessHeap(), 0, token_groups);
5078 CloseHandle(r_token);
5079 CloseHandle(token);
5080 CloseHandle(process_token);
5081 }
5082
5083 static void validate_default_security_descriptor(SECURITY_DESCRIPTOR *sd)
5084 {
5085 BOOL ret, present, defaulted;
5086 ACL *acl;
5087 void *sid;
5088
5089 ret = IsValidSecurityDescriptor(sd);
5090 ok(ret, "security descriptor is not valid\n");
5091
5092 present = -1;
5093 defaulted = -1;
5094 acl = (void *)0xdeadbeef;
5095 SetLastError(0xdeadbeef);
5096 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
5097 ok(ret, "GetSecurityDescriptorDacl error %d\n", GetLastError());
5098 todo_wine
5099 ok(present == 1, "acl is not present\n");
5100 todo_wine
5101 ok(acl != (void *)0xdeadbeef && acl != NULL, "acl pointer is not set\n");
5102 ok(defaulted == 0, "defaulted is set to TRUE\n");
5103
5104 defaulted = -1;
5105 sid = (void *)0xdeadbeef;
5106 SetLastError(0xdeadbeef);
5107 ret = GetSecurityDescriptorOwner(sd, &sid, &defaulted);
5108 ok(ret, "GetSecurityDescriptorOwner error %d\n", GetLastError());
5109 todo_wine
5110 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5111 ok(defaulted == 0, "defaulted is set to TRUE\n");
5112
5113 defaulted = -1;
5114 sid = (void *)0xdeadbeef;
5115 SetLastError(0xdeadbeef);
5116 ret = GetSecurityDescriptorGroup(sd, &sid, &defaulted);
5117 ok(ret, "GetSecurityDescriptorGroup error %d\n", GetLastError());
5118 todo_wine
5119 ok(sid != (void *)0xdeadbeef && sid != NULL, "sid pointer is not set\n");
5120 ok(defaulted == 0, "defaulted is set to TRUE\n");
5121 }
5122
5123 static void test_default_handle_security(HANDLE token, HANDLE handle, GENERIC_MAPPING *mapping)
5124 {
5125 DWORD ret, granted, priv_set_len;
5126 BOOL status;
5127 PRIVILEGE_SET priv_set;
5128 SECURITY_DESCRIPTOR *sd;
5129
5130 sd = test_get_security_descriptor(handle, __LINE__);
5131 validate_default_security_descriptor(sd);
5132
5133 priv_set_len = sizeof(priv_set);
5134 granted = 0xdeadbeef;
5135 status = 0xdeadbeef;
5136 SetLastError(0xdeadbeef);
5137 ret = AccessCheck(sd, token, MAXIMUM_ALLOWED, mapping, &priv_set, &priv_set_len, &granted, &status);
5138 todo_wine {
5139 ok(ret, "AccessCheck error %d\n", GetLastError());
5140 ok(status == 1, "expected 1, got %d\n", status);
5141 ok(granted == mapping->GenericAll, "expected all access %#x, got %#x\n", mapping->GenericAll, granted);
5142 }
5143 priv_set_len = sizeof(priv_set);
5144 granted = 0xdeadbeef;
5145 status = 0xdeadbeef;
5146 SetLastError(0xdeadbeef);
5147 ret = AccessCheck(sd, token, 0, mapping, &priv_set, &priv_set_len, &granted, &status);
5148 todo_wine {
5149 ok(ret, "AccessCheck error %d\n", GetLastError());
5150 ok(status == 0 || broken(status == 1) /* NT4 */, "expected 0, got %d\n", status);
5151 ok(granted == 0 || broken(granted == mapping->GenericRead) /* NT4 */, "expected 0, got %#x\n", granted);
5152 }
5153 priv_set_len = sizeof(priv_set);
5154 granted = 0xdeadbeef;
5155 status = 0xdeadbeef;
5156 SetLastError(0xdeadbeef);
5157 ret = AccessCheck(sd, token, ACCESS_SYSTEM_SECURITY, mapping, &priv_set, &priv_set_len, &granted, &status);
5158 todo_wine {
5159 ok(ret, "AccessCheck error %d\n", GetLastError());
5160 ok(status == 0, "expected 0, got %d\n", status);
5161 ok(granted == 0, "expected 0, got %#x\n", granted);
5162 }
5163 priv_set_len = sizeof(priv_set);
5164 granted = 0xdeadbeef;
5165 status = 0xdeadbeef;
5166 SetLastError(0xdeadbeef);
5167 ret = AccessCheck(sd, token, mapping->GenericRead, mapping, &priv_set, &priv_set_len, &granted, &status);
5168 todo_wine {
5169 ok(ret, "AccessCheck error %d\n", GetLastError());
5170 ok(status == 1, "expected 1, got %d\n", status);
5171 ok(granted == mapping->GenericRead, "expected read access %#x, got %#x\n", mapping->GenericRead, granted);
5172 }
5173 priv_set_len = sizeof(priv_set);
5174 granted = 0xdeadbeef;
5175 status = 0xdeadbeef;
5176 SetLastError(0xdeadbeef);
5177 ret = AccessCheck(sd, token, mapping->GenericWrite, mapping, &priv_set, &priv_set_len, &granted, &status);
5178 todo_wine {
5179 ok(ret, "AccessCheck error %d\n", GetLastError());
5180 ok(status == 1, "expected 1, got %d\n", status);
5181 ok(granted == mapping->GenericWrite, "expected write access %#x, got %#x\n", mapping->GenericWrite, granted);
5182 }
5183 priv_set_len = sizeof(priv_set);
5184 granted = 0xdeadbeef;
5185 status = 0xdeadbeef;
5186 SetLastError(0xdeadbeef);
5187 ret = AccessCheck(sd, token, mapping->GenericExecute, mapping, &priv_set, &priv_set_len, &granted, &status);
5188 todo_wine {
5189 ok(ret, "AccessCheck error %d\n", GetLastError());
5190 ok(status == 1, "expected 1, got %d\n", status);
5191 ok(granted == mapping->GenericExecute, "expected execute access %#x, got %#x\n", mapping->GenericExecute, granted);
5192 }
5193 HeapFree(GetProcessHeap(), 0, sd);
5194 }
5195
5196 static ACCESS_MASK get_obj_access(HANDLE obj)
5197 {
5198 OBJECT_BASIC_INFORMATION info;
5199 NTSTATUS status;
5200
5201 if (!pNtQueryObject) return 0;
5202
5203 status = pNtQueryObject(obj, ObjectBasicInformation, &info, sizeof(info), NULL);
5204 ok(!status, "NtQueryObject error %#x\n", status);
5205
5206 return info.GrantedAccess;
5207 }
5208
5209 static void test_mutex_security(HANDLE token)
5210 {
5211 DWORD ret, i, access;
5212 HANDLE mutex, dup;
5213 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE | SYNCHRONIZE,
5214 STANDARD_RIGHTS_WRITE | MUTEX_MODIFY_STATE | SYNCHRONIZE,
5215 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5216 STANDARD_RIGHTS_ALL | MUTEX_ALL_ACCESS };
5217 static const struct
5218 {
5219 int generic, mapped;
5220 } map[] =
5221 {
5222 { 0, 0 },
5223 { GENERIC_READ, STANDARD_RIGHTS_READ | MUTANT_QUERY_STATE },
5224 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE },
5225 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5226 { GENERIC_ALL, STANDARD_RIGHTS_ALL | MUTANT_QUERY_STATE }
5227 };
5228
5229 SetLastError(0xdeadbeef);
5230 mutex = OpenMutexA(0, FALSE, "WineTestMutex");
5231 ok(!mutex, "mutex should not exist\n");
5232 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5233
5234 SetLastError(0xdeadbeef);
5235 mutex = CreateMutexA(NULL, FALSE, "WineTestMutex");
5236 ok(mutex != 0, "CreateMutex error %d\n", GetLastError());
5237
5238 access = get_obj_access(mutex);
5239 ok(access == MUTANT_ALL_ACCESS, "expected MUTANT_ALL_ACCESS, got %#x\n", access);
5240
5241 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5242 {
5243 SetLastError( 0xdeadbeef );
5244 ret = DuplicateHandle(GetCurrentProcess(), mutex, GetCurrentProcess(), &dup,
5245 map[i].generic, FALSE, 0);
5246 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5247
5248 access = get_obj_access(dup);
5249 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5250
5251 CloseHandle(dup);
5252
5253 SetLastError(0xdeadbeef);
5254 dup = OpenMutexA(0, FALSE, "WineTestMutex");
5255 todo_wine
5256 ok(!dup, "OpenMutex should fail\n");
5257 todo_wine
5258 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5259 }
5260
5261 test_default_handle_security(token, mutex, &mapping);
5262
5263 CloseHandle (mutex);
5264 }
5265
5266 static void test_event_security(HANDLE token)
5267 {
5268 DWORD ret, i, access;
5269 HANDLE event, dup;
5270 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | EVENT_QUERY_STATE | SYNCHRONIZE,
5271 STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE | SYNCHRONIZE,
5272 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5273 STANDARD_RIGHTS_ALL | EVENT_ALL_ACCESS };
5274 static const struct
5275 {
5276 int generic, mapped;
5277 } map[] =
5278 {
5279 { 0, 0 },
5280 { GENERIC_READ, STANDARD_RIGHTS_READ | EVENT_QUERY_STATE },
5281 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | EVENT_MODIFY_STATE },
5282 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5283 { GENERIC_ALL, STANDARD_RIGHTS_ALL | EVENT_QUERY_STATE | EVENT_MODIFY_STATE }
5284 };
5285
5286 SetLastError(0xdeadbeef);
5287 event = OpenEventA(0, FALSE, "WineTestEvent");
5288 ok(!event, "event should not exist\n");
5289 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5290
5291 SetLastError(0xdeadbeef);
5292 event = CreateEventA(NULL, FALSE, FALSE, "WineTestEvent");
5293 ok(event != 0, "CreateEvent error %d\n", GetLastError());
5294
5295 access = get_obj_access(event);
5296 ok(access == EVENT_ALL_ACCESS, "expected EVENT_ALL_ACCESS, got %#x\n", access);
5297
5298 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5299 {
5300 SetLastError( 0xdeadbeef );
5301 ret = DuplicateHandle(GetCurrentProcess(), event, GetCurrentProcess(), &dup,
5302 map[i].generic, FALSE, 0);
5303 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5304
5305 access = get_obj_access(dup);
5306 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5307
5308 CloseHandle(dup);
5309
5310 SetLastError(0xdeadbeef);
5311 dup = OpenEventA(0, FALSE, "WineTestEvent");
5312 todo_wine
5313 ok(!dup, "OpenEvent should fail\n");
5314 todo_wine
5315 ok(GetLastError() == ERROR_ACCESS_DENIED, "wrong error %u\n", GetLastError());
5316 }
5317
5318 test_default_handle_security(token, event, &mapping);
5319
5320 CloseHandle(event);
5321 }
5322
5323 static void test_semaphore_security(HANDLE token)
5324 {
5325 DWORD ret, i, access;
5326 HANDLE sem, dup;
5327 GENERIC_MAPPING mapping = { STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE,
5328 STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE,
5329 STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE,
5330 STANDARD_RIGHTS_ALL | SEMAPHORE_ALL_ACCESS };
5331 static const struct
5332 {
5333 int generic, mapped;
5334 } map[] =
5335 {
5336 { 0, 0 },
5337 { GENERIC_READ, STANDARD_RIGHTS_READ | SEMAPHORE_QUERY_STATE },
5338 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SEMAPHORE_MODIFY_STATE },
5339 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5340 { GENERIC_ALL, STANDARD_RIGHTS_ALL | SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE }
5341 };
5342
5343 SetLastError(0xdeadbeef);
5344 sem = OpenSemaphoreA(0, FALSE, "WineTestSemaphore");
5345 ok(!sem, "semaphore should not exist\n");
5346 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "wrong error %u\n", GetLastError());
5347
5348 SetLastError(0xdeadbeef);
5349 sem = CreateSemaphoreA(NULL, 0, 10, "WineTestSemaphore");
5350 ok(sem != 0, "CreateSemaphore error %d\n", GetLastError());
5351
5352 access = get_obj_access(sem);
5353 ok(access == SEMAPHORE_ALL_ACCESS, "expected SEMAPHORE_ALL_ACCESS, got %#x\n", access);
5354
5355 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5356 {
5357 SetLastError( 0xdeadbeef );
5358 ret = DuplicateHandle(GetCurrentProcess(), sem, GetCurrentProcess(), &dup,
5359 map[i].generic, FALSE, 0);
5360 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5361
5362 access = get_obj_access(dup);
5363 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5364
5365 CloseHandle(dup);
5366 }
5367
5368 test_default_handle_security(token, sem, &mapping);
5369
5370 CloseHandle(sem);
5371 }
5372
5373 #define WINE_TEST_PIPE "\\\\.\\pipe\\WineTestPipe"
5374 static void test_named_pipe_security(HANDLE token)
5375 {
5376 DWORD ret, i, access;
5377 HANDLE pipe, file, dup;
5378 GENERIC_MAPPING mapping = { FILE_GENERIC_READ,
5379 FILE_GENERIC_WRITE,
5380 FILE_GENERIC_EXECUTE,
5381 STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS };
5382 static const struct
5383 {
5384 int todo, generic, mapped;
5385 } map[] =
5386 {
5387 { 0, 0, 0 },
5388 { 1, GENERIC_READ, FILE_GENERIC_READ },
5389 { 1, GENERIC_WRITE, FILE_GENERIC_WRITE },
5390 { 1, GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5391 { 1, GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5392 };
5393 static const struct
5394 {
5395 DWORD open_mode;
5396 DWORD access;
5397 } creation_access[] =
5398 {
5399 { PIPE_ACCESS_INBOUND, FILE_GENERIC_READ },
5400 { PIPE_ACCESS_OUTBOUND, FILE_GENERIC_WRITE },
5401 { PIPE_ACCESS_DUPLEX, FILE_GENERIC_READ|FILE_GENERIC_WRITE },
5402 { PIPE_ACCESS_INBOUND|WRITE_DAC, FILE_GENERIC_READ|WRITE_DAC },
5403 { PIPE_ACCESS_INBOUND|WRITE_OWNER, FILE_GENERIC_READ|WRITE_OWNER }
5404 /* ACCESS_SYSTEM_SECURITY is also valid, but will fail with ERROR_PRIVILEGE_NOT_HELD */
5405 };
5406
5407 /* Test the different security access options for pipes */
5408 for (i = 0; i < sizeof(creation_access)/sizeof(creation_access[0]); i++)
5409 {
5410 SetLastError(0xdeadbeef);
5411 pipe = CreateNamedPipeA(WINE_TEST_PIPE, creation_access[i].open_mode,
5412 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES, 0, 0,
5413 NMPWAIT_USE_DEFAULT_WAIT, NULL);
5414 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe(0x%x) error %d\n",
5415 creation_access[i].open_mode, GetLastError());
5416 access = get_obj_access(pipe);
5417 ok(access == creation_access[i].access,
5418 "CreateNamedPipeA(0x%x) pipe expected access 0x%x (got 0x%x)\n",
5419 creation_access[i].open_mode, creation_access[i].access, access);
5420 CloseHandle(pipe);
5421 }
5422
5423 SetLastError(0xdeadbeef);
5424 pipe = CreateNamedPipeA(WINE_TEST_PIPE, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
5425 PIPE_TYPE_BYTE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES,
5426 0, 0, NMPWAIT_USE_DEFAULT_WAIT, NULL);
5427 ok(pipe != INVALID_HANDLE_VALUE, "CreateNamedPipe error %d\n", GetLastError());
5428
5429 test_default_handle_security(token, pipe, &mapping);
5430
5431 SetLastError(0xdeadbeef);
5432 file = CreateFileA(WINE_TEST_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
5433 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5434
5435 access = get_obj_access(file);
5436 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5437
5438 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5439 {
5440 SetLastError( 0xdeadbeef );
5441 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5442 map[i].generic, FALSE, 0);
5443 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5444
5445 access = get_obj_access(dup);
5446 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5447
5448 CloseHandle(dup);
5449 }
5450
5451 CloseHandle(file);
5452 CloseHandle(pipe);
5453
5454 SetLastError(0xdeadbeef);
5455 file = CreateFileA("\\\\.\\pipe\\", FILE_ALL_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0);
5456 ok(file != INVALID_HANDLE_VALUE || broken(file == INVALID_HANDLE_VALUE) /* before Vista */, "CreateFile error %d\n", GetLastError());
5457
5458 if (file != INVALID_HANDLE_VALUE)
5459 {
5460 access = get_obj_access(file);
5461 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5462
5463 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5464 {
5465 SetLastError( 0xdeadbeef );
5466 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5467 map[i].generic, FALSE, 0);
5468 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5469
5470 access = get_obj_access(dup);
5471 todo_wine_if (map[i].todo)
5472 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5473
5474 CloseHandle(dup);
5475 }
5476 }
5477
5478 CloseHandle(file);
5479 }
5480
5481 static void test_file_security(HANDLE token)
5482 {
5483 DWORD ret, i, access, bytes;
5484 HANDLE file, dup;
5485 static const struct
5486 {
5487 int generic, mapped;
5488 } map[] =
5489 {
5490 { 0, 0 },
5491 { GENERIC_READ, FILE_GENERIC_READ },
5492 { GENERIC_WRITE, FILE_GENERIC_WRITE },
5493 { GENERIC_EXECUTE, FILE_GENERIC_EXECUTE },
5494 { GENERIC_ALL, STANDARD_RIGHTS_ALL | FILE_ALL_ACCESS }
5495 };
5496 char temp_path[MAX_PATH];
5497 char file_name[MAX_PATH];
5498 char buf[16];
5499
5500 GetTempPathA(MAX_PATH, temp_path);
5501 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5502
5503 /* file */
5504 SetLastError(0xdeadbeef);
5505 file = CreateFileA(file_name, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
5506 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5507
5508 access = get_obj_access(file);
5509 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5510
5511 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5512 {
5513 SetLastError( 0xdeadbeef );
5514 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5515 map[i].generic, FALSE, 0);
5516 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5517
5518 access = get_obj_access(dup);
5519 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5520
5521 CloseHandle(dup);
5522 }
5523
5524 CloseHandle(file);
5525
5526 SetLastError(0xdeadbeef);
5527 file = CreateFileA(file_name, 0, 0, NULL, OPEN_EXISTING, 0, NULL);
5528 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5529
5530 access = get_obj_access(file);
5531 todo_wine
5532 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5533
5534 bytes = 0xdeadbeef;
5535 SetLastError(0xdeadbeef);
5536 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5537 ok(!ret, "ReadFile should fail\n");
5538 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5539 ok(bytes == 0, "expected 0, got %u\n", bytes);
5540
5541 CloseHandle(file);
5542
5543 SetLastError(0xdeadbeef);
5544 file = CreateFileA(file_name, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, 0);
5545 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5546
5547 access = get_obj_access(file);
5548 todo_wine
5549 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5550
5551 bytes = 0xdeadbeef;
5552 SetLastError(0xdeadbeef);
5553 ret = ReadFile(file, buf, sizeof(buf), &bytes, NULL);
5554 ok(!ret, "ReadFile should fail\n");
5555 ok(GetLastError() == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %d\n", GetLastError());
5556 ok(bytes == 0, "expected 0, got %u\n", bytes);
5557
5558 CloseHandle(file);
5559 DeleteFileA(file_name);
5560
5561 /* directory */
5562 SetLastError(0xdeadbeef);
5563 file = CreateFileA(temp_path, GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5564 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5565
5566 access = get_obj_access(file);
5567 ok(access == FILE_ALL_ACCESS, "expected FILE_ALL_ACCESS, got %#x\n", access);
5568
5569 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5570 {
5571 SetLastError( 0xdeadbeef );
5572 ret = DuplicateHandle(GetCurrentProcess(), file, GetCurrentProcess(), &dup,
5573 map[i].generic, FALSE, 0);
5574 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5575
5576 access = get_obj_access(dup);
5577 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5578
5579 CloseHandle(dup);
5580 }
5581
5582 CloseHandle(file);
5583
5584 SetLastError(0xdeadbeef);
5585 file = CreateFileA(temp_path, 0, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5586 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5587
5588 access = get_obj_access(file);
5589 todo_wine
5590 ok(access == (FILE_READ_ATTRIBUTES | SYNCHRONIZE), "expected FILE_READ_ATTRIBUTES | SYNCHRONIZE, got %#x\n", access);
5591
5592 CloseHandle(file);
5593
5594 SetLastError(0xdeadbeef);
5595 file = CreateFileA(temp_path, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
5596 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5597
5598 access = get_obj_access(file);
5599 todo_wine
5600 ok(access == (FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES), "expected FILE_GENERIC_WRITE | FILE_READ_ATTRIBUTES, got %#x\n", access);
5601
5602 CloseHandle(file);
5603 }
5604
5605 static void test_filemap_security(void)
5606 {
5607 char temp_path[MAX_PATH];
5608 char file_name[MAX_PATH];
5609 DWORD ret, i, access;
5610 HANDLE file, mapping, dup, created_mapping;
5611 static const struct
5612 {
5613 int generic, mapped;
5614 BOOL open_only;
5615 } map[] =
5616 {
5617 { 0, 0 },
5618 { GENERIC_READ, STANDARD_RIGHTS_READ | SECTION_QUERY | SECTION_MAP_READ },
5619 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | SECTION_MAP_WRITE },
5620 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SECTION_MAP_EXECUTE },
5621 { GENERIC_ALL, STANDARD_RIGHTS_REQUIRED | SECTION_ALL_ACCESS },
5622 { SECTION_MAP_READ | SECTION_MAP_WRITE, SECTION_MAP_READ | SECTION_MAP_WRITE },
5623 { SECTION_MAP_WRITE, SECTION_MAP_WRITE },
5624 { SECTION_MAP_READ | SECTION_QUERY, SECTION_MAP_READ | SECTION_QUERY },
5625 { SECTION_QUERY, SECTION_MAP_READ, TRUE },
5626 { SECTION_QUERY | SECTION_MAP_READ, SECTION_QUERY | SECTION_MAP_READ }
5627 };
5628 static const struct
5629 {
5630 int prot, mapped;
5631 } prot_map[] =
5632 {
5633 { 0, 0 },
5634 { PAGE_NOACCESS, 0 },
5635 { PAGE_READONLY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5636 { PAGE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE },
5637 { PAGE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ },
5638 { PAGE_EXECUTE, 0 },
5639 { PAGE_EXECUTE_READ, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE },
5640 { PAGE_EXECUTE_READWRITE, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE },
5641 { PAGE_EXECUTE_WRITECOPY, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_EXECUTE }
5642 };
5643
5644 GetTempPathA(MAX_PATH, temp_path);
5645 GetTempFileNameA(temp_path, "tmp", 0, file_name);
5646
5647 SetLastError(0xdeadbeef);
5648 file = CreateFileA(file_name, GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE, 0, NULL, CREATE_ALWAYS, 0, 0);
5649 ok(file != INVALID_HANDLE_VALUE, "CreateFile error %d\n", GetLastError());
5650 SetFilePointer(file, 4096, NULL, FILE_BEGIN);
5651 SetEndOfFile(file);
5652
5653 for (i = 0; i < sizeof(prot_map)/sizeof(prot_map[0]); i++)
5654 {
5655 if (map[i].open_only) continue;
5656
5657 SetLastError(0xdeadbeef);
5658 mapping = CreateFileMappingW(file, NULL, prot_map[i].prot, 0, 4096, NULL);
5659 if (prot_map[i].mapped)
5660 {
5661 if (!mapping)
5662 {
5663 /* NT4 and win2k don't support EXEC on file mappings */
5664 if (prot_map[i].prot == PAGE_EXECUTE_READ || prot_map[i].prot == PAGE_EXECUTE_READWRITE || prot_map[i].prot == PAGE_EXECUTE_WRITECOPY)
5665 {
5666 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5667 continue;
5668 }
5669 }
5670 ok(mapping != 0, "CreateFileMapping(%04x) error %d\n", prot_map[i].prot, GetLastError());
5671 }
5672 else
5673 {
5674 ok(!mapping, "CreateFileMapping(%04x) should fail\n", prot_map[i].prot);
5675 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
5676 continue;
5677 }
5678
5679 access = get_obj_access(mapping);
5680 ok(access == prot_map[i].mapped, "%d: expected %#x, got %#x\n", i, prot_map[i].mapped, access);
5681
5682 CloseHandle(mapping);
5683 }
5684
5685 SetLastError(0xdeadbeef);
5686 mapping = CreateFileMappingW(file, NULL, PAGE_EXECUTE_READWRITE, 0, 4096, NULL);
5687 if (!mapping)
5688 {
5689 /* NT4 and win2k don't support EXEC on file mappings */
5690 win_skip("CreateFileMapping doesn't support PAGE_EXECUTE protection\n");
5691 CloseHandle(file);
5692 DeleteFileA(file_name);
5693 return;
5694 }
5695 ok(mapping != 0, "CreateFileMapping error %d\n", GetLastError());
5696
5697 access = get_obj_access(mapping);
5698 ok(access == (STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE),
5699 "expected STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, got %#x\n", access);
5700
5701 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5702 {
5703 if (map[i].open_only) continue;
5704
5705 SetLastError( 0xdeadbeef );
5706 ret = DuplicateHandle(GetCurrentProcess(), mapping, GetCurrentProcess(), &dup,
5707 map[i].generic, FALSE, 0);
5708 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5709
5710 access = get_obj_access(dup);
5711 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5712
5713 CloseHandle(dup);
5714 }
5715
5716 CloseHandle(mapping);
5717 CloseHandle(file);
5718 DeleteFileA(file_name);
5719
5720 created_mapping = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000,
5721 "Wine Test Open Mapping");
5722 ok(created_mapping != NULL, "CreateFileMapping failed with error %u\n", GetLastError());
5723
5724 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5725 {
5726 if (!map[i].generic) continue;
5727
5728 mapping = OpenFileMappingA(map[i].generic, FALSE, "Wine Test Open Mapping");
5729 ok(mapping != NULL, "OpenFileMapping failed with error %d\n", GetLastError());
5730 access = get_obj_access(mapping);
5731 ok(access == map[i].mapped, "%d: unexpected access flags %#x, expected %#x\n",
5732 i, access, map[i].mapped);
5733 CloseHandle(mapping);
5734 }
5735
5736 CloseHandle(created_mapping);
5737 }
5738
5739 static void test_thread_security(void)
5740 {
5741 DWORD ret, i, access;
5742 HANDLE thread, dup;
5743 static const struct
5744 {
5745 int generic, mapped;
5746 } map[] =
5747 {
5748 { 0, 0 },
5749 { GENERIC_READ, STANDARD_RIGHTS_READ | THREAD_QUERY_INFORMATION | THREAD_GET_CONTEXT },
5750 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | THREAD_SET_INFORMATION | THREAD_SET_CONTEXT | THREAD_TERMINATE | THREAD_SUSPEND_RESUME | 0x4 },
5751 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5752 { GENERIC_ALL, THREAD_ALL_ACCESS_NT4 }
5753 };
5754
5755 SetLastError(0xdeadbeef);
5756 thread = CreateThread(NULL, 0, (void *)0xdeadbeef, NULL, CREATE_SUSPENDED, &ret);
5757 ok(thread != 0, "CreateThread error %d\n", GetLastError());
5758
5759 access = get_obj_access(thread);
5760 ok(access == THREAD_ALL_ACCESS_NT4 || access == THREAD_ALL_ACCESS_VISTA, "expected THREAD_ALL_ACCESS, got %#x\n", access);
5761
5762 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5763 {
5764 SetLastError( 0xdeadbeef );
5765 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5766 map[i].generic, FALSE, 0);
5767 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5768
5769 access = get_obj_access(dup);
5770 switch (map[i].generic)
5771 {
5772 case GENERIC_READ:
5773 case GENERIC_EXECUTE:
5774 ok(access == map[i].mapped ||
5775 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5776 access == (map[i].mapped | THREAD_QUERY_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5777 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5778 break;
5779 case GENERIC_WRITE:
5780 todo_wine
5781 ok(access == map[i].mapped ||
5782 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION) /* Vista+ */ ||
5783 access == (map[i].mapped | THREAD_SET_LIMITED_INFORMATION | THREAD_RESUME) /* win8 */,
5784 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5785 break;
5786 case GENERIC_ALL:
5787 ok(access == map[i].mapped || access == THREAD_ALL_ACCESS_VISTA,
5788 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5789 break;
5790 default:
5791 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5792 break;
5793 }
5794
5795 CloseHandle(dup);
5796 }
5797
5798 SetLastError( 0xdeadbeef );
5799 ret = DuplicateHandle(GetCurrentProcess(), thread, GetCurrentProcess(), &dup,
5800 THREAD_QUERY_INFORMATION, FALSE, 0);
5801 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5802 access = get_obj_access(dup);
5803 ok(access == (THREAD_QUERY_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5804 access == THREAD_QUERY_INFORMATION /* before Vista */,
5805 "expected THREAD_QUERY_INFORMATION|THREAD_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5806 CloseHandle(dup);
5807
5808 TerminateThread(thread, 0);
5809 CloseHandle(thread);
5810 }
5811
5812 static void test_process_access(void)
5813 {
5814 DWORD ret, i, access;
5815 HANDLE process, dup;
5816 STARTUPINFOA sti;
5817 PROCESS_INFORMATION pi;
5818 char cmdline[] = "winver.exe";
5819 static const struct
5820 {
5821 int generic, mapped;
5822 } map[] =
5823 {
5824 { 0, 0 },
5825 { GENERIC_READ, STANDARD_RIGHTS_READ | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
5826 { GENERIC_WRITE, STANDARD_RIGHTS_WRITE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME |
5827 PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION },
5828 { GENERIC_EXECUTE, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE },
5829 { GENERIC_ALL, PROCESS_ALL_ACCESS_NT4 }
5830 };
5831
5832 memset(&sti, 0, sizeof(sti));
5833 sti.cb = sizeof(sti);
5834 SetLastError(0xdeadbeef);
5835 ret = CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sti, &pi);
5836 ok(ret, "CreateProcess() error %d\n", GetLastError());
5837
5838 CloseHandle(pi.hThread);
5839 process = pi.hProcess;
5840
5841 access = get_obj_access(process);
5842 ok(access == PROCESS_ALL_ACCESS_NT4 || access == PROCESS_ALL_ACCESS_VISTA, "expected PROCESS_ALL_ACCESS, got %#x\n", access);
5843
5844 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
5845 {
5846 SetLastError( 0xdeadbeef );
5847 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5848 map[i].generic, FALSE, 0);
5849 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5850
5851 access = get_obj_access(dup);
5852 switch (map[i].generic)
5853 {
5854 case GENERIC_READ:
5855 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */,
5856 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5857 break;
5858 case GENERIC_WRITE:
5859 ok(access == map[i].mapped ||
5860 access == (map[i].mapped | PROCESS_TERMINATE) /* before Vista */ ||
5861 access == (map[i].mapped | PROCESS_SET_LIMITED_INFORMATION) /* win8 */ ||
5862 access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION) /* Win10 Anniversary Update */,
5863 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5864 break;
5865 case GENERIC_EXECUTE:
5866 ok(access == map[i].mapped || access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE) /* Vista+ */,
5867 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5868 break;
5869 case GENERIC_ALL:
5870 ok(access == map[i].mapped || access == PROCESS_ALL_ACCESS_VISTA,
5871 "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5872 break;
5873 default:
5874 ok(access == map[i].mapped, "%d: expected %#x, got %#x\n", i, map[i].mapped, access);
5875 break;
5876 }
5877
5878 CloseHandle(dup);
5879 }
5880
5881 SetLastError( 0xdeadbeef );
5882 ret = DuplicateHandle(GetCurrentProcess(), process, GetCurrentProcess(), &dup,
5883 PROCESS_QUERY_INFORMATION, FALSE, 0);
5884 ok(ret, "DuplicateHandle error %d\n", GetLastError());
5885 access = get_obj_access(dup);
5886 ok(access == (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* Vista+ */ ||
5887 access == PROCESS_QUERY_INFORMATION /* before Vista */,
5888 "expected PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION, got %#x\n", access);
5889 CloseHandle(dup);
5890
5891 TerminateProcess(process, 0);
5892 CloseHandle(process);
5893 }
5894
5895 static BOOL validate_impersonation_token(HANDLE token, DWORD *token_type)
5896 {
5897 DWORD ret, needed;
5898 TOKEN_TYPE type;
5899 SECURITY_IMPERSONATION_LEVEL sil;
5900
5901 type = 0xdeadbeef;
5902 needed = 0;
5903 SetLastError(0xdeadbeef);
5904 ret = GetTokenInformation(token, TokenType, &type, sizeof(type), &needed);
5905 ok(ret, "GetTokenInformation error %d\n", GetLastError());
5906 ok(needed == sizeof(type), "GetTokenInformation should return required buffer length\n");
5907 ok(type == TokenPrimary || type == TokenImpersonation, "expected TokenPrimary or TokenImpersonation, got %d\n", type);
5908
5909 *token_type = type;
5910 if (type != TokenImpersonation) return FALSE;
5911
5912 needed = 0;
5913 SetLastError(0xdeadbeef);
5914 ret = GetTokenInformation(token, TokenImpersonationLevel, &sil, sizeof(sil), &needed);
5915 ok(ret, "GetTokenInformation error %d\n", GetLastError());
5916 ok(needed == sizeof(sil), "GetTokenInformation should return required buffer length\n");
5917 ok(sil == SecurityImpersonation, "expected SecurityImpersonation, got %d\n", sil);
5918
5919 needed = 0xdeadbeef;
5920 SetLastError(0xdeadbeef);
5921 ret = GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &needed);
5922 ok(!ret, "GetTokenInformation should fail\n");
5923 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
5924 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
5925 ok(needed > sizeof(TOKEN_DEFAULT_DACL), "GetTokenInformation returned empty default DACL\n");
5926
5927 needed = 0xdeadbeef;
5928 SetLastError(0xdeadbeef);
5929 ret = GetTokenInformation(token, TokenOwner, NULL, 0, &needed);
5930 ok(!ret, "GetTokenInformation should fail\n");
5931 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
5932 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
5933 ok(needed > sizeof(TOKEN_OWNER), "GetTokenInformation returned empty token owner\n");
5934
5935 needed = 0xdeadbeef;
5936 SetLastError(0xdeadbeef);
5937 ret = GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &needed);
5938 ok(!ret, "GetTokenInformation should fail\n");
5939 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
5940 ok(needed != 0xdeadbeef, "GetTokenInformation should return required buffer length\n");
5941 ok(needed > sizeof(TOKEN_PRIMARY_GROUP), "GetTokenInformation returned empty token primary group\n");
5942
5943 return TRUE;
5944 }
5945
5946 static void test_kernel_objects_security(void)
5947 {
5948 HANDLE token, process_token;
5949 DWORD ret, token_type;
5950
5951 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &process_token);
5952 ok(ret, "OpenProcessToken error %d\n", GetLastError());
5953
5954 ret = validate_impersonation_token(process_token, &token_type);
5955 ok(token_type == TokenPrimary, "expected TokenPrimary, got %d\n", token_type);
5956 ok(!ret, "access token should not be an impersonation token\n");
5957
5958 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
5959 ok(ret, "DuplicateToken error %d\n", GetLastError());
5960
5961 ret = validate_impersonation_token(token, &token_type);
5962 ok(ret, "access token should be a valid impersonation token\n");
5963 ok(token_type == TokenImpersonation, "expected TokenImpersonation, got %d\n", token_type);
5964
5965 test_mutex_security(token);
5966 test_event_security(token);
5967 test_named_pipe_security(token);
5968 test_semaphore_security(token);
5969 test_file_security(token);
5970 test_filemap_security();
5971 test_thread_security();
5972 test_process_access();
5973 /* FIXME: test other kernel object types */
5974
5975 CloseHandle(process_token);
5976 CloseHandle(token);
5977 }
5978
5979 static void test_TokenIntegrityLevel(void)
5980 {
5981 TOKEN_MANDATORY_LABEL *tml;
5982 BYTE buffer[64]; /* using max. 28 byte in win7 x64 */
5983 HANDLE token;
5984 DWORD size;
5985 DWORD res;
5986 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
5987 {SECURITY_MANDATORY_HIGH_RID}};
5988 static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
5989 {SECURITY_MANDATORY_MEDIUM_RID}};
5990
5991 SetLastError(0xdeadbeef);
5992 res = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
5993 ok(res, "got %d with %d (expected TRUE)\n", res, GetLastError());
5994
5995 SetLastError(0xdeadbeef);
5996 res = GetTokenInformation(token, TokenIntegrityLevel, buffer, sizeof(buffer), &size);
5997
5998 /* not supported before Vista */
5999 if (!res && ((GetLastError() == ERROR_INVALID_PARAMETER) || GetLastError() == ERROR_INVALID_FUNCTION))
6000 {
6001 win_skip("TokenIntegrityLevel not supported\n");
6002 CloseHandle(token);
6003 return;
6004 }
6005
6006 ok(res, "got %u with %u (expected TRUE)\n", res, GetLastError());
6007 if (!res)
6008 {
6009 CloseHandle(token);
6010 return;
6011 }
6012
6013 tml = (TOKEN_MANDATORY_LABEL*) buffer;
6014 ok(tml->Label.Attributes == (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED),
6015 "got 0x%x (expected 0x%x)\n", tml->Label.Attributes, (SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED));
6016
6017 ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
6018 "got %s (expected %s or %s)\n", debugstr_sid(tml->Label.Sid),
6019 debugstr_sid(&medium_level), debugstr_sid(&high_level));
6020
6021 CloseHandle(token);
6022 }
6023
6024 static void test_default_dacl_owner_sid(void)
6025 {
6026 HANDLE handle;
6027 BOOL ret, defaulted, present, found;
6028 DWORD size, index;
6029 SECURITY_DESCRIPTOR *sd;
6030 SECURITY_ATTRIBUTES sa;
6031 PSID owner;
6032 ACL *dacl;
6033 ACCESS_ALLOWED_ACE *ace;
6034
6035 sd = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
6036 ret = InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION );
6037 ok( ret, "error %u\n", GetLastError() );
6038
6039 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6040 sa.lpSecurityDescriptor = sd;
6041 sa.bInheritHandle = FALSE;
6042 handle = CreateEventA( &sa, TRUE, TRUE, "test_event" );
6043 ok( handle != NULL, "error %u\n", GetLastError() );
6044
6045 size = 0;
6046 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, NULL, 0, &size );
6047 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "error %u\n", GetLastError() );
6048
6049 sd = HeapAlloc( GetProcessHeap(), 0, size );
6050 ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, sd, size, &size );
6051 ok( ret, "error %u\n", GetLastError() );
6052
6053 owner = (void *)0xdeadbeef;
6054 defaulted = TRUE;
6055 ret = GetSecurityDescriptorOwner( sd, &owner, &defaulted );
6056 ok( ret, "error %u\n", GetLastError() );
6057 ok( owner != (void *)0xdeadbeef, "owner not set\n" );
6058 ok( !defaulted, "owner defaulted\n" );
6059
6060 dacl = (void *)0xdeadbeef;
6061 present = FALSE;
6062 defaulted = TRUE;
6063 ret = GetSecurityDescriptorDacl( sd, &present, &dacl, &defaulted );
6064 ok( ret, "error %u\n", GetLastError() );
6065 ok( present, "dacl not present\n" );
6066 ok( dacl != (void *)0xdeadbeef, "dacl not set\n" );
6067 ok( !defaulted, "dacl defaulted\n" );
6068
6069 index = 0;
6070 found = FALSE;
6071 while (pGetAce( dacl, index++, (void **)&ace ))
6072 {
6073 if (EqualSid( &ace->SidStart, owner )) found = TRUE;
6074 }
6075 ok( found, "owner sid not found in dacl\n" );
6076
6077 HeapFree( GetProcessHeap(), 0, sa.lpSecurityDescriptor );
6078 HeapFree( GetProcessHeap(), 0, sd );
6079 CloseHandle( handle );
6080 }
6081
6082 static void test_AdjustTokenPrivileges(void)
6083 {
6084 TOKEN_PRIVILEGES tp;
6085 HANDLE token;
6086 DWORD len;
6087 LUID luid;
6088 BOOL ret;
6089
6090 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token))
6091 return;
6092
6093 if (!LookupPrivilegeValueA(NULL, SE_BACKUP_NAME, &luid))
6094 {
6095 CloseHandle(token);
6096 return;
6097 }
6098
6099 tp.PrivilegeCount = 1;
6100 tp.Privileges[0].Luid = luid;
6101 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6102
6103 len = 0xdeadbeef;
6104 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, &len);
6105 ok(ret, "got %d\n", ret);
6106 ok(len == 0xdeadbeef, "got length %d\n", len);
6107
6108 /* revert */
6109 tp.PrivilegeCount = 1;
6110 tp.Privileges[0].Luid = luid;
6111 tp.Privileges[0].Attributes = 0;
6112 ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
6113 ok(ret, "got %d\n", ret);
6114
6115 CloseHandle(token);
6116 }
6117
6118 static void test_AddAce(void)
6119 {
6120 static SID const sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
6121
6122 char acl_buf[1024], ace_buf[256];
6123 ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE*)ace_buf;
6124 PACL acl = (PACL)acl_buf;
6125 BOOL ret;
6126
6127 memset(ace, 0, sizeof(ace_buf));
6128 ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
6129 ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD)+sizeof(SID);
6130 memcpy(&ace->SidStart, &sidWorld, sizeof(sidWorld));
6131
6132 ret = InitializeAcl(acl, sizeof(acl_buf), ACL_REVISION2);
6133 ok(ret, "InitializeAcl failed: %d\n", GetLastError());
6134
6135 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6136 ok(ret, "AddAce failed: %d\n", GetLastError());
6137 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6138 ok(ret, "AddAce failed: %d\n", GetLastError());
6139 ret = AddAce(acl, ACL_REVISION3, MAXDWORD, ace, ace->Header.AceSize);
6140 ok(ret, "AddAce failed: %d\n", GetLastError());
6141 ok(acl->AclRevision == ACL_REVISION3, "acl->AclRevision = %d\n", acl->AclRevision);
6142 ret = AddAce(acl, ACL_REVISION4, MAXDWORD, ace, ace->Header.AceSize);
6143 ok(ret, "AddAce failed: %d\n", GetLastError());
6144 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6145 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6146 ok(ret, "AddAce failed: %d\n", GetLastError());
6147 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6148 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6149 ok(ret, "AddAce failed: %d\n", GetLastError());
6150
6151 ret = AddAce(acl, MIN_ACL_REVISION-1, MAXDWORD, ace, ace->Header.AceSize);
6152 ok(ret, "AddAce failed: %d\n", GetLastError());
6153 /* next test succeededs but corrupts ACL */
6154 ret = AddAce(acl, MAX_ACL_REVISION+1, MAXDWORD, ace, ace->Header.AceSize);
6155 ok(ret, "AddAce failed: %d\n", GetLastError());
6156 ok(acl->AclRevision == MAX_ACL_REVISION+1, "acl->AclRevision = %d\n", acl->AclRevision);
6157 SetLastError(0xdeadbeef);
6158 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6159 ok(!ret, "AddAce succeeded\n");
6160 ok(GetLastError() == ERROR_INVALID_PARAMETER, "GetLastError() = %d\n", GetLastError());
6161 }
6162
6163 static void test_AddMandatoryAce(void)
6164 {
6165 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6166 {SECURITY_MANDATORY_LOW_RID}};
6167 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6168 {SECURITY_MANDATORY_MEDIUM_RID}};
6169 static SID_IDENTIFIER_AUTHORITY sia_world = {SECURITY_WORLD_SID_AUTHORITY};
6170 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6171 SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6172 BOOL defaulted, present, ret, found, found2;
6173 ACL_SIZE_INFORMATION acl_size_info;
6174 SYSTEM_MANDATORY_LABEL_ACE *ace;
6175 char buffer_acl[256];
6176 ACL *acl = (ACL *)&buffer_acl;
6177 SECURITY_ATTRIBUTES sa;
6178 DWORD index, size;
6179 HANDLE handle;
6180 SID *everyone;
6181 ACL *sacl;
6182
6183 if (!pAddMandatoryAce)
6184 {
6185 win_skip("AddMandatoryAce not supported, skipping test\n");
6186 return;
6187 }
6188
6189 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6190 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6191
6192 sa.nLength = sizeof(sa);
6193 sa.lpSecurityDescriptor = sd;
6194 sa.bInheritHandle = FALSE;
6195
6196 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6197 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6198
6199 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6200 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6201 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6202
6203 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6204 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6205 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6206
6207 sacl = (void *)0xdeadbeef;
6208 present = TRUE;
6209 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6210 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6211 ok(!present, "SACL is present\n");
6212 ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
6213
6214 HeapFree(GetProcessHeap(), 0, sd2);
6215 CloseHandle(handle);
6216
6217 ret = InitializeAcl(acl, 256, ACL_REVISION);
6218 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6219
6220 SetLastError(0xdeadbeef);
6221 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, 0x1234, &low_level);
6222 ok(!ret, "AddMandatoryAce succeeded\n");
6223 ok(GetLastError() == ERROR_INVALID_PARAMETER,
6224 "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
6225
6226 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
6227 ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
6228
6229 index = 0;
6230 found = FALSE;
6231 while (pGetAce(acl, index++, (void **)&ace))
6232 {
6233 if (ace->Header.AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
6234 ok(ace->Header.AceFlags == 0, "Expected flags 0, got %x\n", ace->Header.AceFlags);
6235 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6236 "Expected mask SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, got %x\n", ace->Mask);
6237 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6238 found = TRUE;
6239 }
6240 ok(found, "Could not find mandatory label ace\n");
6241
6242 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6243 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6244
6245 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6246 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6247
6248 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6249 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6250 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6251
6252 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6253 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6254 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6255
6256 sacl = (void *)0xdeadbeef;
6257 present = FALSE;
6258 defaulted = TRUE;
6259 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6260 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6261 ok(present, "SACL not present\n");
6262 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6263 ok(!defaulted, "SACL defaulted\n");
6264 ret = pGetAclInformation(sacl, &acl_size_info, sizeof(acl_size_info), AclSizeInformation);
6265 ok(ret, "GetAclInformation failed with error %u\n", GetLastError());
6266 ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
6267
6268 ret = pGetAce(sacl, 0, (void **)&ace);
6269 ok(ret, "GetAce failed with error %u\n", GetLastError());
6270 ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6271 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6272 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6273 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6274
6275 HeapFree(GetProcessHeap(), 0, sd2);
6276
6277 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6278 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6279
6280 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6281 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6282
6283 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6284 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6285 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6286
6287 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6288 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6289 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6290
6291 sacl = (void *)0xdeadbeef;
6292 present = FALSE;
6293 defaulted = TRUE;
6294 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6295 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6296 ok(present, "SACL not present\n");
6297 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6298 ok(sacl->AceCount == 2, "Expected 2 ACEs, got %d\n", sacl->AceCount);
6299 ok(!defaulted, "SACL defaulted\n");
6300
6301 index = 0;
6302 found = found2 = FALSE;
6303 while (pGetAce(sacl, index++, (void **)&ace))
6304 {
6305 if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
6306 {
6307 if (EqualSid(&ace->SidStart, &low_level))
6308 {
6309 found = TRUE;
6310 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6311 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
6312 "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as mask, got %#x\n", ace->Mask);
6313 }
6314 if (EqualSid(&ace->SidStart, &medium_level))
6315 {
6316 found2 = TRUE;
6317 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6318 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP,
6319 "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as mask, got %#x\n", ace->Mask);
6320 }
6321 }
6322 }
6323 ok(found, "Could not find low mandatory label\n");
6324 ok(found2, "Could not find medium mandatory label\n");
6325
6326 HeapFree(GetProcessHeap(), 0, sd2);
6327
6328 ret = SetSecurityDescriptorSacl(sd, FALSE, NULL, FALSE);
6329 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6330
6331 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6332 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6333
6334 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6335 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6336 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6337
6338 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6339 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6340 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6341
6342 sacl = (void *)0xdeadbeef;
6343 present = FALSE;
6344 defaulted = TRUE;
6345 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6346 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6347 ok(present, "SACL not present\n");
6348 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6349 ok(!defaulted, "SACL defaulted\n");
6350 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6351
6352 HeapFree(GetProcessHeap(), 0, sd2);
6353
6354 ret = InitializeAcl(acl, 256, ACL_REVISION);
6355 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6356
6357 ret = pAddMandatoryAce(acl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6358 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6359
6360 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6361 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6362
6363 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6364 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6365
6366 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6367 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6368 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6369
6370 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6371 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6372 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6373
6374 sacl = (void *)0xdeadbeef;
6375 present = FALSE;
6376 defaulted = TRUE;
6377 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6378 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6379 ok(present, "SACL not present\n");
6380 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6381 ok(sacl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sacl->AclRevision);
6382 ok(!defaulted, "SACL defaulted\n");
6383
6384 HeapFree(GetProcessHeap(), 0, sd2);
6385
6386 ret = InitializeAcl(acl, 256, ACL_REVISION);
6387 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6388
6389 ret = AllocateAndInitializeSid(&sia_world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (void **)&everyone);
6390 ok(ret, "AllocateAndInitializeSid failed with error %u\n", GetLastError());
6391
6392 ret = AddAccessAllowedAce(acl, ACL_REVISION, KEY_READ, everyone);
6393 ok(ret, "AddAccessAllowedAce failed with error %u\n", GetLastError());
6394
6395 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6396 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6397
6398 ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
6399 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6400
6401 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6402 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6403 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6404
6405 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6406 ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
6407 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6408
6409 sacl = (void *)0xdeadbeef;
6410 present = FALSE;
6411 defaulted = TRUE;
6412 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6413 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6414 ok(present, "SACL not present\n");
6415 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6416 ok(!defaulted, "SACL defaulted\n");
6417 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6418
6419 FreeSid(everyone);
6420 HeapFree(GetProcessHeap(), 0, sd2);
6421 CloseHandle(handle);
6422 }
6423
6424 static void test_system_security_access(void)
6425 {
6426 static const WCHAR testkeyW[] =
6427 {'S','O','F','T','W','A','R','E','\\','W','i','n','e','\\','S','A','C','L','t','e','s','t',0};
6428 LONG res;
6429 HKEY hkey;
6430 PSECURITY_DESCRIPTOR sd;
6431 ACL *sacl;
6432 DWORD err, len = 128;
6433 TOKEN_PRIVILEGES priv, *priv_prev;
6434 HANDLE token;
6435 LUID luid;
6436 BOOL ret;
6437
6438 if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token )) return;
6439 if (!LookupPrivilegeValueA( NULL, SE_SECURITY_NAME, &luid ))
6440 {
6441 CloseHandle( token );
6442 return;
6443 }
6444
6445 /* ACCESS_SYSTEM_SECURITY requires special privilege */
6446 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6447 if (res == ERROR_ACCESS_DENIED)
6448 {
6449 skip( "unprivileged user\n" );
6450 CloseHandle( token );
6451 return;
6452 }
6453 todo_wine ok( res == ERROR_PRIVILEGE_NOT_HELD, "got %d\n", res );
6454
6455 priv.PrivilegeCount = 1;
6456 priv.Privileges[0].Luid = luid;
6457 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6458
6459 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6460 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6461 ok( ret, "got %u\n", GetLastError());
6462
6463 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ|ACCESS_SYSTEM_SECURITY, NULL, &hkey, NULL );
6464 if (res == ERROR_PRIVILEGE_NOT_HELD)
6465 {
6466 win_skip( "privilege not held\n" );
6467 HeapFree( GetProcessHeap(), 0, priv_prev );
6468 CloseHandle( token );
6469 return;
6470 }
6471 ok( !res, "got %d\n", res );
6472
6473 /* restore privileges */
6474 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6475 ok( ret, "got %u\n", GetLastError() );
6476 HeapFree( GetProcessHeap(), 0, priv_prev );
6477
6478 /* privilege is checked on access */
6479 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6480 todo_wine ok( err == ERROR_PRIVILEGE_NOT_HELD, "got %u\n", err );
6481
6482 priv.PrivilegeCount = 1;
6483 priv.Privileges[0].Luid = luid;
6484 priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6485
6486 priv_prev = HeapAlloc( GetProcessHeap(), 0, len );
6487 ret = AdjustTokenPrivileges( token, FALSE, &priv, len, priv_prev, &len );
6488 ok( ret, "got %u\n", GetLastError());
6489
6490 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6491 ok( err == ERROR_SUCCESS, "got %u\n", err );
6492 RegCloseKey( hkey );
6493 LocalFree( sd );
6494
6495 /* handle created without ACCESS_SYSTEM_SECURITY, privilege held */
6496 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6497 ok( res == ERROR_SUCCESS, "got %d\n", res );
6498
6499 sd = NULL;
6500 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6501 todo_wine ok( err == ERROR_SUCCESS, "got %u\n", err );
6502 RegCloseKey( hkey );
6503 LocalFree( sd );
6504
6505 /* restore privileges */
6506 ret = AdjustTokenPrivileges( token, FALSE, priv_prev, 0, NULL, NULL );
6507 ok( ret, "got %u\n", GetLastError() );
6508 HeapFree( GetProcessHeap(), 0, priv_prev );
6509
6510 /* handle created without ACCESS_SYSTEM_SECURITY, privilege not held */
6511 res = RegCreateKeyExW( HKEY_LOCAL_MACHINE, testkeyW, 0, NULL, 0, KEY_READ, NULL, &hkey, NULL );
6512 ok( res == ERROR_SUCCESS, "got %d\n", res );
6513
6514 err = GetSecurityInfo( hkey, SE_REGISTRY_KEY, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &sd );
6515 todo_wine ok( err == ERROR_PRIVILEGE_NOT_HELD, "got %u\n", err );
6516 RegCloseKey( hkey );
6517
6518 res = RegDeleteKeyW( HKEY_LOCAL_MACHINE, testkeyW );
6519 ok( !res, "got %d\n", res );
6520 CloseHandle( token );
6521 }
6522
6523 static void test_GetWindowsAccountDomainSid(void)
6524 {
6525 char *user, buffer1[SECURITY_MAX_SID_SIZE], buffer2[SECURITY_MAX_SID_SIZE];
6526 SID_IDENTIFIER_AUTHORITY domain_ident = { SECURITY_NT_AUTHORITY };
6527 PSID domain_sid = (PSID *)&buffer1;
6528 PSID domain_sid2 = (PSID *)&buffer2;
6529 DWORD sid_size;
6530 PSID user_sid;
6531 HANDLE token;
6532 BOOL bret = TRUE;
6533 int i;
6534
6535 if (!pGetWindowsAccountDomainSid)
6536 {
6537 win_skip("GetWindowsAccountDomainSid not available\n");
6538 return;
6539 }
6540
6541 if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
6542 {
6543 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
6544 else if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) bret = FALSE;
6545 }
6546 if (!bret)
6547 {
6548 win_skip("Failed to get current user token\n");
6549 return;
6550 }
6551
6552 bret = GetTokenInformation(token, TokenUser, NULL, 0, &sid_size);
6553 ok(!bret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6554 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6555 user = HeapAlloc(GetProcessHeap(), 0, sid_size);
6556 bret = GetTokenInformation(token, TokenUser, user, sid_size, &sid_size);
6557 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
6558 CloseHandle(token);
6559 user_sid = ((TOKEN_USER *)user)->User.Sid;
6560
6561 SetLastError(0xdeadbeef);
6562 bret = pGetWindowsAccountDomainSid(0, 0, 0);
6563 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6564 ok(GetLastError() == ERROR_INVALID_SID, "expected ERROR_INVALID_SID, got %d\n", GetLastError());
6565
6566 SetLastError(0xdeadbeef);
6567 bret = pGetWindowsAccountDomainSid(user_sid, 0, 0);
6568 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6569 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6570
6571 sid_size = SECURITY_MAX_SID_SIZE;
6572 SetLastError(0xdeadbeef);
6573 bret = pGetWindowsAccountDomainSid(user_sid, 0, &sid_size);
6574 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6575 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6576 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6577
6578 SetLastError(0xdeadbeef);
6579 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, 0);
6580 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6581 ok(GetLastError() == ERROR_INVALID_PARAMETER, "expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
6582
6583 sid_size = 1;
6584 SetLastError(0xdeadbeef);
6585 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6586 ok(!bret, "GetWindowsAccountDomainSid succeeded\n");
6587 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
6588 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6589
6590 sid_size = SECURITY_MAX_SID_SIZE;
6591 bret = pGetWindowsAccountDomainSid(user_sid, domain_sid, &sid_size);
6592 ok(bret, "GetWindowsAccountDomainSid failed with error %d\n", GetLastError());
6593 ok(sid_size == GetSidLengthRequired(4), "expected size %d, got %d\n", GetSidLengthRequired(4), sid_size);
6594 InitializeSid(domain_sid2, &domain_ident, 4);
6595 for (i = 0; i < 4; i++)
6596 *GetSidSubAuthority(domain_sid2, i) = *GetSidSubAuthority(user_sid, i);
6597 ok(EqualSid(domain_sid, domain_sid2), "unexpected domain sid %s != %s\n",
6598 debugstr_sid(domain_sid), debugstr_sid(domain_sid2));
6599
6600 HeapFree(GetProcessHeap(), 0, user);
6601 }
6602
6603 static void test_GetSidIdentifierAuthority(void)
6604 {
6605 char buffer[SECURITY_MAX_SID_SIZE];
6606 PSID authority_sid = (PSID *)buffer;
6607 PSID_IDENTIFIER_AUTHORITY id;
6608 BOOL ret;
6609
6610 if (!pGetSidIdentifierAuthority)
6611 {
6612 win_skip("GetSidIdentifierAuthority not available\n");
6613 return;
6614 }
6615
6616 memset(buffer, 0xcc, sizeof(buffer));
6617 ret = IsValidSid(authority_sid);
6618 ok(!ret, "expected FALSE, got %u\n", ret);
6619
6620 SetLastError(0xdeadbeef);
6621 id = GetSidIdentifierAuthority(authority_sid);
6622 ok(id != NULL, "got NULL pointer as identifier authority\n");
6623 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6624
6625 SetLastError(0xdeadbeef);
6626 id = GetSidIdentifierAuthority(NULL);
6627 ok(id != NULL, "got NULL pointer as identifier authority\n");
6628 ok(GetLastError() == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %u\n", GetLastError());
6629 }
6630
6631 static void test_pseudo_tokens(void)
6632 {
6633 TOKEN_STATISTICS statistics1, statistics2;
6634 HANDLE token;
6635 DWORD retlen;
6636 BOOL ret;
6637
6638 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
6639 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6640 memset(&statistics1, 0x11, sizeof(statistics1));
6641 ret = GetTokenInformation(token, TokenStatistics, &statistics1, sizeof(statistics1), &retlen);
6642 ok(ret, "GetTokenInformation failed with %u\n", GetLastError());
6643 CloseHandle(token);
6644
6645 /* test GetCurrentProcessToken() */
6646 SetLastError(0xdeadbeef);
6647 memset(&statistics2, 0x22, sizeof(statistics2));
6648 ret = GetTokenInformation(GetCurrentProcessToken(), TokenStatistics,
6649 &statistics2, sizeof(statistics2), &retlen);
6650 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6651 "GetTokenInformation failed with %u\n", GetLastError());
6652 if (ret)
6653 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6654 else
6655 win_skip("CurrentProcessToken not supported, skipping test\n");
6656
6657 /* test GetCurrentThreadEffectiveToken() */
6658 SetLastError(0xdeadbeef);
6659 memset(&statistics2, 0x22, sizeof(statistics2));
6660 ret = GetTokenInformation(GetCurrentThreadEffectiveToken(), TokenStatistics,
6661 &statistics2, sizeof(statistics2), &retlen);
6662 ok(ret || broken(GetLastError() == ERROR_INVALID_HANDLE),
6663 "GetTokenInformation failed with %u\n", GetLastError());
6664 if (ret)
6665 ok(!memcmp(&statistics1, &statistics2, sizeof(statistics1)), "Token statistics do not match\n");
6666 else
6667 win_skip("CurrentThreadEffectiveToken not supported, skipping test\n");
6668
6669 SetLastError(0xdeadbeef);
6670 ret = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token);
6671 ok(!ret, "OpenThreadToken should have failed\n");
6672 ok(GetLastError() == ERROR_NO_TOKEN, "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6673
6674 /* test GetCurrentThreadToken() */
6675 SetLastError(0xdeadbeef);
6676 ret = GetTokenInformation(GetCurrentThreadToken(), TokenStatistics,
6677 &statistics2, sizeof(statistics2), &retlen);
6678 todo_wine ok(GetLastError() == ERROR_NO_TOKEN || broken(GetLastError() == ERROR_INVALID_HANDLE),
6679 "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
6680 }
6681
6682 static void test_maximum_allowed(void)
6683 {
6684 HANDLE (WINAPI *pCreateEventExA)(SECURITY_ATTRIBUTES *, LPCSTR, DWORD, DWORD);
6685 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH], buffer_acl[256];
6686 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6687 SECURITY_ATTRIBUTES sa;
6688 ACL *acl = (ACL *)&buffer_acl;
6689 HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");
6690 ACCESS_MASK mask;
6691 HANDLE handle;
6692 BOOL ret;
6693
6694 pCreateEventExA = (void *)GetProcAddress(hkernel32, "CreateEventExA");
6695 if (!pCreateEventExA)
6696 {
6697 win_skip("CreateEventExA is not available\n");
6698 return;
6699 }
6700
6701 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6702 ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
6703 ret = InitializeAcl(acl, 256, ACL_REVISION);
6704 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6705 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6706 ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
6707
6708 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6709 sa.lpSecurityDescriptor = sd;
6710 sa.bInheritHandle = FALSE;
6711
6712 handle = pCreateEventExA(&sa, NULL, 0, MAXIMUM_ALLOWED | 0x4);
6713 ok(handle != NULL, "CreateEventExA failed with error %u\n", GetLastError());
6714 mask = get_obj_access(handle);
6715 ok(mask == EVENT_ALL_ACCESS, "Expected %x, got %x\n", EVENT_ALL_ACCESS, mask);
6716 CloseHandle(handle);
6717 }
6718
6719 static void test_token_label(void)
6720 {
6721 static SID medium_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6722 {SECURITY_MANDATORY_MEDIUM_RID}};
6723 static SID high_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6724 {SECURITY_MANDATORY_HIGH_RID}};
6725 SECURITY_DESCRIPTOR_CONTROL control;
6726 SYSTEM_MANDATORY_LABEL_ACE *ace;
6727 BOOL ret, present, defaulted;
6728 SECURITY_DESCRIPTOR *sd;
6729 ACL *sacl = NULL, *dacl;
6730 DWORD size, revision;
6731 HANDLE token;
6732 char *str;
6733 SID *sid;
6734
6735 ret = OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, &token);
6736 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6737
6738 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
6739 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6740 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6741
6742 sd = HeapAlloc(GetProcessHeap(), 0, size);
6743 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
6744 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6745
6746 ret = GetSecurityDescriptorControl(sd, &control, &revision);
6747 ok(ret, "GetSecurityDescriptorControl failed with error %u\n", GetLastError());
6748 todo_wine ok(control == (SE_SELF_RELATIVE | SE_SACL_AUTO_INHERITED | SE_SACL_PRESENT) ||
6749 broken(control == SE_SELF_RELATIVE) /* WinXP, Win2003 */,
6750 "Unexpected security descriptor control %#x\n", control);
6751 ok(revision == 1, "Unexpected security descriptor revision %u\n", revision);
6752
6753 sid = (void *)0xdeadbeef;
6754 defaulted = TRUE;
6755 ret = GetSecurityDescriptorOwner(sd, (void **)&sid, &defaulted);
6756 ok(ret, "GetSecurityDescriptorOwner failed with error %u\n", GetLastError());
6757 ok(!sid, "Owner present\n");
6758 ok(!defaulted, "Owner defaulted\n");
6759
6760 sid = (void *)0xdeadbeef;
6761 defaulted = TRUE;
6762 ret = GetSecurityDescriptorGroup(sd, (void **)&sid, &defaulted);
6763 ok(ret, "GetSecurityDescriptorGroup failed with error %u\n", GetLastError());
6764 ok(!sid, "Group present\n");
6765 ok(!defaulted, "Group defaulted\n");
6766
6767 ret = GetSecurityDescriptorSacl(sd, &present, &sacl, &defaulted);
6768 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6769 ok(present || broken(!present) /* WinXP, Win2003 */, "No SACL in the security descriptor\n");
6770 ok(sacl || broken(!sacl) /* WinXP, Win2003 */, "NULL SACL in the security descriptor\n");
6771
6772 if (present)
6773 {
6774 ok(!defaulted, "SACL defaulted\n");
6775 ok(sacl->AceCount == 1, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6776
6777 ret = pGetAce(sacl, 0, (void **)&ace);
6778 ok(ret, "GetAce failed with error %u\n", GetLastError());
6779
6780 ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
6781 "Unexpected ACE type %#x\n", ace->Header.AceType);
6782 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6783 ok(ace->Header.AceSize, "Unexpected ACE size %u\n", ace->Header.AceSize);
6784 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6785
6786 sid = (SID *)&ace->SidStart;
6787 pConvertSidToStringSidA(sid, &str);
6788 ok(EqualSid(sid, &medium_sid) || EqualSid(sid, &high_sid), "Got unexpected SID %s\n", str);
6789 }
6790
6791 ret = GetSecurityDescriptorDacl(sd, &present, &dacl, &defaulted);
6792 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6793 todo_wine ok(!present, "DACL present\n");
6794
6795 HeapFree(GetProcessHeap(), 0, sd);
6796 CloseHandle(token);
6797 }
6798
6799 static void test_token_security_descriptor(void)
6800 {
6801 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6802 {SECURITY_MANDATORY_LOW_RID}};
6803 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6804 SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
6805 char buffer_acl[256], buffer[MAX_PATH];
6806 ACL *acl = (ACL *)&buffer_acl, *acl2, *acl_child;
6807 BOOL defaulted, present, ret, found;
6808 HANDLE token, token2, token3;
6809 EXPLICIT_ACCESSW exp_access;
6810 PROCESS_INFORMATION info;
6811 DWORD size, index, retd;
6812 ACCESS_ALLOWED_ACE *ace;
6813 SECURITY_ATTRIBUTES sa;
6814 STARTUPINFOA startup;
6815 PSID psid;
6816
6817 if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
6818 || !pSetEntriesInAclW)
6819 {
6820 win_skip("Some functions not available\n");
6821 return;
6822 }
6823
6824 /* Test whether we can create tokens with security descriptors */
6825 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
6826 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
6827
6828 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6829 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6830
6831 ret = InitializeAcl(acl, 256, ACL_REVISION);
6832 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6833
6834 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
6835 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
6836
6837 ret = pAddAccessAllowedAceEx(acl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
6838 ok(ret, "AddAccessAllowedAceEx failed with error %u\n", GetLastError());
6839
6840 ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
6841 ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6842
6843 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
6844 sa.lpSecurityDescriptor = sd;
6845 sa.bInheritHandle = FALSE;
6846
6847 ret = pDuplicateTokenEx(token, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenImpersonation, &token2);
6848 ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
6849
6850 ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, NULL, 0, &size);
6851 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6852 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6853
6854 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6855 ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, sd2, size, &size);
6856 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6857
6858 acl2 = (void *)0xdeadbeef;
6859 present = FALSE;
6860 defaulted = TRUE;
6861 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
6862 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6863 ok(present, "acl2 not present\n");
6864 ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
6865 ok(acl2->AceCount == 1, "Expected 1 ACE, got %d\n", acl2->AceCount);
6866 ok(!defaulted, "acl2 defaulted\n");
6867
6868 ret = pGetAce(acl2, 0, (void **)&ace);
6869 ok(ret, "GetAce failed with error %u\n", GetLastError());
6870 ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6871 ok(EqualSid(&ace->SidStart, psid), "Expected access allowed ACE\n");
6872 ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
6873 "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
6874
6875 HeapFree(GetProcessHeap(), 0, sd2);
6876
6877 /* Duplicate token without security attributes.
6878 * Tokens do not inherit the security descriptor in DuplicateToken. */
6879 ret = pDuplicateTokenEx(token2, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &token3);
6880 ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
6881
6882 ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, NULL, 0, &size);
6883 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6884 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6885
6886 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6887 ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, sd2, size, &size);
6888 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6889
6890 acl2 = (void *)0xdeadbeef;
6891 present = FALSE;
6892 defaulted = TRUE;
6893 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
6894 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6895 todo_wine
6896 ok(present, "DACL not present\n");
6897
6898 if (present)
6899 {
6900 ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
6901 ok(!defaulted, "DACL defaulted\n");
6902
6903 index = 0;
6904 found = FALSE;
6905 while (pGetAce(acl2, index++, (void **)&ace))
6906 {
6907 if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
6908 found = TRUE;
6909 }
6910 ok(!found, "Access allowed ACE was inherited\n");
6911 }
6912
6913 HeapFree(GetProcessHeap(), 0, sd2);
6914
6915 /* When creating a child process, the process does inherit the token of
6916 * the parent but not the DACL of the token */
6917 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
6918 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
6919 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6920
6921 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6922 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd2, size, &size);
6923 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6924
6925 acl2 = (void *)0xdeadbeef;
6926 present = FALSE;
6927 defaulted = TRUE;
6928 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
6929 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6930 ok(present, "DACL not present\n");
6931 ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
6932 ok(!defaulted, "DACL defaulted\n");
6933
6934 exp_access.grfAccessPermissions = GENERIC_ALL;
6935 exp_access.grfAccessMode = GRANT_ACCESS;
6936 exp_access.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
6937 exp_access.Trustee.pMultipleTrustee = NULL;
6938 exp_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
6939 exp_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
6940 exp_access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
6941 exp_access.Trustee.ptstrName = (void*)psid;
6942
6943 retd = pSetEntriesInAclW(1, &exp_access, acl2, &acl_child);
6944 ok(retd == ERROR_SUCCESS, "Expected ERROR_SUCCESS, got %u\n", retd);
6945
6946 memset(sd, 0, sizeof(buffer_sd));
6947 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6948 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6949
6950 ret = SetSecurityDescriptorDacl(sd, TRUE, acl_child, FALSE);
6951 ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
6952
6953 ret = SetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd);
6954 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6955
6956 /* The security label is also not inherited */
6957 if (pAddMandatoryAce)
6958 {
6959 ret = InitializeAcl(acl, 256, ACL_REVISION);
6960 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6961
6962 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
6963 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6964
6965 memset(sd, 0, sizeof(buffer_sd));
6966 ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
6967 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6968
6969 ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
6970 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6971
6972 ret = SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd);
6973 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6974 }
6975 else
6976 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
6977
6978 /* Start child process with our modified token */
6979 memset(&startup, 0, sizeof(startup));
6980 startup.cb = sizeof(startup);
6981 startup.dwFlags = STARTF_USESHOWWINDOW;
6982 startup.wShowWindow = SW_SHOWNORMAL;
6983
6984 sprintf(buffer, "%s tests/security.c test_token_sd", myARGV[0]);
6985 ret = CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &startup, &info);
6986 ok(ret, "CreateProcess failed with error %u\n", GetLastError());
6987 winetest_wait_child_process(info.hProcess);
6988 CloseHandle(info.hProcess);
6989 CloseHandle(info.hThread);
6990
6991 LocalFree(acl_child);
6992 LocalFree(psid);
6993
6994 CloseHandle(token3);
6995 CloseHandle(token2);
6996 CloseHandle(token);
6997 }
6998
6999 static void test_child_token_sd(void)
7000 {
7001 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
7002 {SECURITY_MANDATORY_LOW_RID}};
7003 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7004 BOOL ret, present, defaulted;
7005 ACCESS_ALLOWED_ACE *acc_ace;
7006 SECURITY_DESCRIPTOR *sd;
7007 DWORD size, i;
7008 HANDLE token;
7009 PSID psid;
7010 ACL *acl;
7011
7012 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
7013 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
7014
7015 ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
7016 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
7017
7018 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
7019 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7020 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7021
7022 sd = HeapAlloc(GetProcessHeap(), 0, size);
7023 ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd, size, &size);
7024 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7025
7026 acl = NULL;
7027 present = FALSE;
7028 defaulted = TRUE;
7029 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
7030 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7031 ok(present, "DACL not present\n");
7032 ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
7033 ok(!defaulted, "DACL defaulted\n");
7034
7035 ok(acl->AceCount, "Expected at least one ACE\n");
7036 for (i = 0; i < acl->AceCount; i++)
7037 {
7038 ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
7039 ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
7040 "ACE inherited from the parent\n");
7041 }
7042
7043 LocalFree(psid);
7044 HeapFree(GetProcessHeap(), 0, sd);
7045
7046 if (!pAddMandatoryAce)
7047 {
7048 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7049 return;
7050 }
7051
7052 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
7053 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
7054 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7055
7056 sd = HeapAlloc(GetProcessHeap(), 0, size);
7057 ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
7058 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7059
7060 acl = NULL;
7061 present = FALSE;
7062 defaulted = TRUE;
7063 ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
7064 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7065 ok(present, "SACL not present\n");
7066 ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
7067 ok(!defaulted, "SACL defaulted\n");
7068 ok(acl->AceCount == 1, "Expected exactly one ACE\n");
7069 ret = pGetAce(acl, 0, (void **)&ace_label);
7070 ok(ret, "GetAce failed with error %u\n", GetLastError());
7071 ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
7072 "Unexpected ACE type %#x\n", ace_label->Header.AceType);
7073 ok(!EqualSid(&ace_label->SidStart, &low_level),
7074 "Low integrity level should not have been inherited\n");
7075
7076 HeapFree(GetProcessHeap(), 0, sd);
7077 }
7078
7079 START_TEST(security)
7080 {
7081 init();
7082 if (!hmod) return;
7083
7084 if (myARGC >= 3)
7085 {
7086 if (!strcmp(myARGV[2], "test_token_sd"))
7087 test_child_token_sd();
7088 else
7089 test_process_security_child();
7090 return;
7091 }
7092 test_kernel_objects_security();
7093 test_sid();
7094 test_trustee();
7095 test_luid();
7096 test_CreateWellKnownSid();
7097 test_FileSecurity();
7098 test_AccessCheck();
7099 test_token_attr();
7100 test_GetTokenInformation();
7101 test_LookupAccountSid();
7102 test_LookupAccountName();
7103 test_security_descriptor();
7104 test_process_security();
7105 test_impersonation_level();
7106 test_SetEntriesInAclW();
7107 test_SetEntriesInAclA();
7108 test_CreateDirectoryA();
7109 test_GetNamedSecurityInfoA();
7110 test_ConvertStringSecurityDescriptor();
7111 test_ConvertSecurityDescriptorToString();
7112 test_PrivateObjectSecurity();
7113 test_acls();
7114 test_GetWindowsAccountDomainSid();
7115 test_GetSecurityInfo();
7116 test_GetSidSubAuthority();
7117 test_CheckTokenMembership();
7118 test_EqualSid();
7119 test_GetUserNameA();
7120 test_GetUserNameW();
7121 test_CreateRestrictedToken();
7122 test_TokenIntegrityLevel();
7123 test_default_dacl_owner_sid();
7124 test_AdjustTokenPrivileges();
7125 test_AddAce();
7126 test_AddMandatoryAce();
7127 test_system_security_access();
7128 test_GetSidIdentifierAuthority();
7129 test_pseudo_tokens();
7130 test_maximum_allowed();
7131 test_token_label();
7132
7133 /* Must be the last test, modifies process token */
7134 test_token_security_descriptor();
7135 }
Windows API implementation