- Implement AdjustTokenPrivileges, DuplicateTokenEx and

GetTokenInformation (for the TokenPrivileges case). - Return STATUS_NO_TOKEN for OpenThreadToken when there is no token set for the thread.

- Implement AdjustTokenPrivileges, DuplicateTokenEx and
b0f02b28 · Robert Shearman · Alexandre Julliard · f8833dae · b0f02b28 · b0f02b28
Commit b0f02b28 authored Feb 11, 2005 by Robert Shearman Committed by Alexandre Julliard Feb 11, 2005
11 changed files
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -238,9 +238,18 @@ AdjustTokenPrivileges( HANDLE TokenHandle, BOOL DisableAllPrivileges,
                       LPVOID NewState, DWORD BufferLength,
                       LPVOID PreviousState, LPDWORD ReturnLength )
 {
-	return set_ntstatus( NtAdjustPrivilegesToken(TokenHandle, DisableAllPrivileges,
+    NTSTATUS status;
+
+    TRACE("\n");
+    
+    status = NtAdjustPrivilegesToken(TokenHandle, DisableAllPrivileges,
                                                     NewState, BufferLength, PreviousState,
-                                                     ReturnLength));
+                                                     ReturnLength);
+    SetLastError( RtlNtStatusToDosError( status ));
+    if ((status == STATUS_SUCCESS) || (status == STATUS_NOT_ALL_ASSIGNED))
+        return TRUE;
+    else
+        return FALSE;
 }

 /******************************************************************************
@@ -2996,10 +3005,24 @@ BOOL WINAPI DuplicateTokenEx(
        TOKEN_TYPE TokenType,
        PHANDLE DuplicateTokenHandle )
 {
-    FIXME("%p 0x%08lx 0x%08x 0x%08x %p - stub\n", ExistingTokenHandle, dwDesiredAccess,
+    OBJECT_ATTRIBUTES ObjectAttributes;
+
+    TRACE("%p 0x%08lx 0x%08x 0x%08x %p\n", ExistingTokenHandle, dwDesiredAccess,
          ImpersonationLevel, TokenType, DuplicateTokenHandle);

-    return FALSE;
+    InitializeObjectAttributes(
+        &ObjectAttributes,
+        NULL,
+        (lpTokenAttributes && lpTokenAttributes->bInheritHandle) ? OBJ_INHERIT : 0,
+        NULL,
+        lpTokenAttributes ? lpTokenAttributes->lpSecurityDescriptor : NULL );
+
+    return set_ntstatus( NtDuplicateToken( ExistingTokenHandle,
+                                           dwDesiredAccess,
+                                           &ObjectAttributes,
+                                           ImpersonationLevel,
+                                           TokenType,
+                                           DuplicateTokenHandle ) );
 }

 BOOL WINAPI DuplicateToken(

--- a/dlls/ntdll/nt.c
+++ b/dlls/ntdll/nt.c
@@ -88,11 +88,26 @@ NTSTATUS WINAPI NtDuplicateToken(
        IN TOKEN_TYPE TokenType,
        OUT PHANDLE NewToken)
 {
-	FIXME("(%p,0x%08lx,%p,0x%08x,0x%08x,%p),stub!\n",
-	ExistingToken, DesiredAccess, ObjectAttributes,
-	ImpersonationLevel, TokenType, NewToken);
-	dump_ObjectAttributes(ObjectAttributes);
-	return 0;
+    NTSTATUS status;
+
+    TRACE("(%p,0x%08lx,%p,0x%08x,0x%08x,%p)\n",
+        ExistingToken, DesiredAccess, ObjectAttributes,
+        ImpersonationLevel, TokenType, NewToken);
+        dump_ObjectAttributes(ObjectAttributes);
+
+    SERVER_START_REQ( duplicate_token )
+    {
+        req->handle = ExistingToken;
+        req->access = DesiredAccess;
+        req->inherit = ObjectAttributes && (ObjectAttributes->Attributes & OBJ_INHERIT);
+        req->primary = (TokenType == TokenPrimary);
+        req->impersonation_level = ImpersonationLevel;
+        status = wine_server_call( req );
+        if (!status) *NewToken = reply->new_handle;
+    }
+    SERVER_END_REQ;
+
+    return status;
 }

 /******************************************************************************
@@ -162,9 +177,34 @@ NTSTATUS WINAPI NtAdjustPrivilegesToken(
 	OUT PTOKEN_PRIVILEGES PreviousState,
 	OUT PDWORD ReturnLength)
 {
-	FIXME("(%p,0x%08x,%p,0x%08lx,%p,%p),stub!\n",
-	TokenHandle, DisableAllPrivileges, NewState, BufferLength, PreviousState, ReturnLength);
-	return 0;
+    NTSTATUS ret;
+
+    TRACE("(%p,0x%08x,%p,0x%08lx,%p,%p)\n",
+        TokenHandle, DisableAllPrivileges, NewState, BufferLength, PreviousState, ReturnLength);
+
+    SERVER_START_REQ( adjust_token_privileges )
+    {
+        req->handle = TokenHandle;
+        req->disable_all = DisableAllPrivileges;
+        req->get_modified_state = (PreviousState != NULL);
+        if (!DisableAllPrivileges)
+        {
+            wine_server_add_data( req, &NewState->Privileges,
+                                  NewState->PrivilegeCount * sizeof(NewState->Privileges[0]) );
+        }
+        if (PreviousState && BufferLength >= FIELD_OFFSET( TOKEN_PRIVILEGES, Privileges ))
+            wine_server_set_reply( req, &PreviousState->Privileges,
+                                   BufferLength - FIELD_OFFSET( TOKEN_PRIVILEGES, Privileges ) );
+        ret = wine_server_call( req );
+        if (PreviousState)
+        {
+            *ReturnLength = reply->len + FIELD_OFFSET( TOKEN_PRIVILEGES, Privileges );
+            PreviousState->PrivilegeCount = reply->len / sizeof(LUID_AND_ATTRIBUTES);
+        }
+    }
+    SERVER_END_REQ;
+
+    return ret;
 }

 /******************************************************************************
@@ -185,6 +225,7 @@ NTSTATUS WINAPI NtQueryInformationToken(
 	LPDWORD retlen )
 {
    unsigned int len = 0;
+    NTSTATUS status = STATUS_SUCCESS;

    TRACE("(%p,%ld,%p,%ld,%p)\n",
          token,tokeninfoclass,tokeninfo,tokeninfolength,retlen);
@@ -197,9 +238,6 @@ NTSTATUS WINAPI NtQueryInformationToken(
    case TokenGroups:
        len = sizeof(TOKEN_GROUPS);
        break;
-    case TokenPrivileges:
-        len = sizeof(TOKEN_PRIVILEGES);
-        break;
    case TokenOwner:
        len = sizeof(TOKEN_OWNER) + sizeof(SID);
        break;
@@ -271,11 +309,17 @@ NTSTATUS WINAPI NtQueryInformationToken(
        }
        break;
    case TokenPrivileges:
-        if (tokeninfo)
+        SERVER_START_REQ( get_token_privileges )
        {
            TOKEN_PRIVILEGES *tpriv = tokeninfo;
-            tpriv->PrivilegeCount = 1;
+            req->handle = token;
+            if (tpriv && tokeninfolength > FIELD_OFFSET( TOKEN_PRIVILEGES, Privileges ))
+                wine_server_set_reply( req, &tpriv->Privileges, tokeninfolength - FIELD_OFFSET( TOKEN_PRIVILEGES, Privileges ) );
+            status = wine_server_call( req );
+            *retlen = FIELD_OFFSET( TOKEN_PRIVILEGES, Privileges ) + reply->len;
+            if (tpriv) tpriv->PrivilegeCount = reply->len / sizeof(LUID_AND_ATTRIBUTES);
        }
+        SERVER_END_REQ;
        break;
    case TokenOwner:
        if (tokeninfo)
@@ -294,7 +338,7 @@ NTSTATUS WINAPI NtQueryInformationToken(
            return STATUS_NOT_IMPLEMENTED;
        }
    }
-    return 0;
+    return status;
 }

 /******************************************************************************

--- a/include/wine/server_protocol.h
+++ b/include/wine/server_protocol.h
@@ -3171,6 +3171,50 @@ struct set_global_windows_reply
 #define SET_GLOBAL_TASKMAN_WINDOW  0x04


+struct adjust_token_privileges_request
+{
+    struct request_header __header;
+    obj_handle_t  handle;
+    int           disable_all;
+    int           get_modified_state;
+    /* VARARG(privileges,LUID_AND_ATTRIBUTES); */
+};
+struct adjust_token_privileges_reply
+{
+    struct reply_header __header;
+    unsigned int  len;
+    /* VARARG(privileges,LUID_AND_ATTRIBUTES); */
+};
+
+
+struct get_token_privileges_request
+{
+    struct request_header __header;
+    obj_handle_t  handle;
+};
+struct get_token_privileges_reply
+{
+    struct reply_header __header;
+    unsigned int  len;
+    /* VARARG(privileges,LUID_AND_ATTRIBUTES); */
+};
+
+struct duplicate_token_request
+{
+    struct request_header __header;
+    obj_handle_t  handle;
+    unsigned int  access;
+    int           inherit;
+    int           primary;
+    int           impersonation_level;
+};
+struct duplicate_token_reply
+{
+    struct reply_header __header;
+    obj_handle_t  new_handle;
+};
+
+
 enum request
 {
    REQ_new_process,
@@ -3353,6 +3397,9 @@ enum request
    REQ_set_clipboard_info,
    REQ_open_token,
    REQ_set_global_windows,
+    REQ_adjust_token_privileges,
+    REQ_get_token_privileges,
+    REQ_duplicate_token,
    REQ_NB_REQUESTS
 };

@@ -3540,6 +3587,9 @@ union generic_request
    struct set_clipboard_info_request set_clipboard_info_request;
    struct open_token_request open_token_request;
    struct set_global_windows_request set_global_windows_request;
+    struct adjust_token_privileges_request adjust_token_privileges_request;
+    struct get_token_privileges_request get_token_privileges_request;
+    struct duplicate_token_request duplicate_token_request;
 };
 union generic_reply
 {
@@ -3725,8 +3775,11 @@ union generic_reply
    struct set_clipboard_info_reply set_clipboard_info_reply;
    struct open_token_reply open_token_reply;
    struct set_global_windows_reply set_global_windows_reply;
+    struct adjust_token_privileges_reply adjust_token_privileges_reply;
+    struct get_token_privileges_reply get_token_privileges_reply;
+    struct duplicate_token_reply duplicate_token_reply;
 };

-#define SERVER_PROTOCOL_VERSION 156
+#define SERVER_PROTOCOL_VERSION 157

 #endif /* __WINE_WINE_SERVER_PROTOCOL_H */
--- a/include/winnt.h
+++ b/include/winnt.h
@@ -2808,6 +2808,7 @@ typedef struct _ACL_SIZE_INFORMATION

 #define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001
 #define SE_PRIVILEGE_ENABLED 		0x00000002
+#define SE_PRIVILEGE_REMOVE		0x00000004
 #define SE_PRIVILEGE_USED_FOR_ACCESS 	0x80000000

 #define SE_OWNER_DEFAULTED		0x00000001

--- a/include/winternl.h
+++ b/include/winternl.h
@@ -1396,6 +1396,7 @@ NTSTATUS  WINAPI NtDeleteKey(HKEY);
 NTSTATUS  WINAPI NtDeleteValueKey(HKEY,const UNICODE_STRING *);
 NTSTATUS  WINAPI NtDeviceIoControlFile(HANDLE,HANDLE,PIO_APC_ROUTINE,PVOID,PIO_STATUS_BLOCK,ULONG,PVOID,ULONG,PVOID,ULONG);
 NTSTATUS  WINAPI NtDuplicateObject(HANDLE,HANDLE,HANDLE,PHANDLE,ACCESS_MASK,ULONG,ULONG);
+NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,SECURITY_IMPERSONATION_LEVEL,TOKEN_TYPE,PHANDLE);
 NTSTATUS  WINAPI NtEnumerateKey(HKEY,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
 NTSTATUS  WINAPI NtEnumerateValueKey(HKEY,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
 NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);

--- a/server/object.h
+++ b/server/object.h
@@ -153,7 +153,7 @@ extern void close_signals(void);

 /* token functions */

-extern struct token *create_token(void);
+extern struct token *create_admin_token(void);

 /* atom functions */


--- a/server/process.c
+++ b/server/process.c
@@ -278,7 +278,7 @@ struct thread *create_process( int fd )
    process->exe.namelen     = 0;
    process->exe.filename    = NULL;
    process->group_id        = 0;
-    process->token           = create_token();
+    process->token           = create_admin_token();
    list_init( &process->locks );
    list_init( &process->classes );


--- a/server/protocol.def
+++ b/server/protocol.def
@@ -2229,3 +2229,32 @@ enum message_type
 #define SET_GLOBAL_SHELL_WINDOWS   0x01  /* set both main shell and listview windows */
 #define SET_GLOBAL_PROGMAN_WINDOW  0x02
 #define SET_GLOBAL_TASKMAN_WINDOW  0x04
+
+/* Adjust the privileges held by a token */
+@REQ(adjust_token_privileges)
+    obj_handle_t  handle; /* handle to the token */
+    int           disable_all; /* disable all privileges? */
+    int           get_modified_state; /* get modified privileges? */
+    VARARG(privileges,LUID_AND_ATTRIBUTES); /* privileges to enable/disable/remove */
+@REPLY
+    unsigned int  len; /* total length in bytes required to store token privileges */
+    VARARG(privileges,LUID_AND_ATTRIBUTES); /* modified privileges */
+@END
+
+/* Retrieves the set of privileges held by or available to a token */
+@REQ(get_token_privileges)
+    obj_handle_t  handle; /* handle to the token */
+@REPLY
+    unsigned int  len; /* total length in bytes required to store token privileges */
+    VARARG(privileges,LUID_AND_ATTRIBUTES); /* privileges held by or available to a token */
+@END
+
+@REQ(duplicate_token)
+    obj_handle_t  handle; /* handle to the token to duplicate */
+    unsigned int  access; /* access rights to the new token */
+    int           inherit; /* inherit flag */
+    int           primary; /* is the new token to be a primary one? */
+    int           impersonation_level; /* impersonation level of the new token */
+@REPLY
+    obj_handle_t  new_handle; /* duplicated handle */
+@END
--- a/server/request.h
+++ b/server/request.h
@@ -283,6 +283,9 @@ DECL_HANDLER(set_class_info);
 DECL_HANDLER(set_clipboard_info);
 DECL_HANDLER(open_token);
 DECL_HANDLER(set_global_windows);
+DECL_HANDLER(adjust_token_privileges);
+DECL_HANDLER(get_token_privileges);
+DECL_HANDLER(duplicate_token);

 #ifdef WANT_REQUEST_HANDLERS

@@ -469,6 +472,9 @@ static const req_handler req_handlers[REQ_NB_REQUESTS] =
    (req_handler)req_set_clipboard_info,
    (req_handler)req_open_token,
    (req_handler)req_set_global_windows,
+    (req_handler)req_adjust_token_privileges,
+    (req_handler)req_get_token_privileges,
+    (req_handler)req_duplicate_token,
 };
 #endif  /* WANT_REQUEST_HANDLERS */


--- a/server/token.c
+++ b/server/token.c
--- a/server/trace.c
+++ b/server/trace.c
@@ -407,6 +407,23 @@ static void dump_varargs_properties( size_t size )
    remove_data( size );
 }

+static void dump_varargs_LUID_AND_ATTRIBUTES( size_t size )
+{
+    const LUID_AND_ATTRIBUTES *lat = cur_data;
+    size_t len = size / sizeof(*lat);
+
+    fputc( '{', stderr );
+    while (len > 0)
+    {
+        fprintf( stderr, "{luid=%08lx%08lx,attr=%lx}",
+                 lat->Luid.HighPart, lat->Luid.LowPart, lat->Attributes );
+        lat++;
+        if (--len) fputc( ',', stderr );
+    }
+    fputc( '}', stderr );
+    remove_data( size );
+}
+
 typedef void (*dump_func)( const void *req );

 /* Everything below this line is generated automatically by tools/make_requests */
@@ -2623,6 +2640,48 @@ static void dump_set_global_windows_reply( const struct set_global_windows_reply
    fprintf( stderr, " old_taskman_window=%p", req->old_taskman_window );
 }

+static void dump_adjust_token_privileges_request( const struct adjust_token_privileges_request *req )
+{
+    fprintf( stderr, " handle=%p,", req->handle );
+    fprintf( stderr, " disable_all=%d,", req->disable_all );
+    fprintf( stderr, " get_modified_state=%d,", req->get_modified_state );
+    fprintf( stderr, " privileges=" );
+    dump_varargs_LUID_AND_ATTRIBUTES( cur_size );
+}
+
+static void dump_adjust_token_privileges_reply( const struct adjust_token_privileges_reply *req )
+{
+    fprintf( stderr, " len=%08x,", req->len );
+    fprintf( stderr, " privileges=" );
+    dump_varargs_LUID_AND_ATTRIBUTES( cur_size );
+}
+
+static void dump_get_token_privileges_request( const struct get_token_privileges_request *req )
+{
+    fprintf( stderr, " handle=%p", req->handle );
+}
+
+static void dump_get_token_privileges_reply( const struct get_token_privileges_reply *req )
+{
+    fprintf( stderr, " len=%08x,", req->len );
+    fprintf( stderr, " privileges=" );
+    dump_varargs_LUID_AND_ATTRIBUTES( cur_size );
+}
+
+static void dump_duplicate_token_request( const struct duplicate_token_request *req )
+{
+    fprintf( stderr, " handle=%p,", req->handle );
+    fprintf( stderr, " access=%08x,", req->access );
+    fprintf( stderr, " inherit=%d,", req->inherit );
+    fprintf( stderr, " primary=%d,", req->primary );
+    fprintf( stderr, " impersonation_level=%d", req->impersonation_level );
+}
+
+static void dump_duplicate_token_reply( const struct duplicate_token_reply *req )
+{
+    fprintf( stderr, " new_handle=%p", req->new_handle );
+}
+
 static const dump_func req_dumpers[REQ_NB_REQUESTS] = {
    (dump_func)dump_new_process_request,
    (dump_func)dump_get_new_process_info_request,
@@ -2804,6 +2863,9 @@ static const dump_func req_dumpers[REQ_NB_REQUESTS] = {
    (dump_func)dump_set_clipboard_info_request,
    (dump_func)dump_open_token_request,
    (dump_func)dump_set_global_windows_request,
+    (dump_func)dump_adjust_token_privileges_request,
+    (dump_func)dump_get_token_privileges_request,
+    (dump_func)dump_duplicate_token_request,
 };

 static const dump_func reply_dumpers[REQ_NB_REQUESTS] = {
@@ -2987,6 +3049,9 @@ static const dump_func reply_dumpers[REQ_NB_REQUESTS] = {
    (dump_func)dump_set_clipboard_info_reply,
    (dump_func)dump_open_token_reply,
    (dump_func)dump_set_global_windows_reply,
+    (dump_func)dump_adjust_token_privileges_reply,
+    (dump_func)dump_get_token_privileges_reply,
+    (dump_func)dump_duplicate_token_reply,
 };

 static const char * const req_names[REQ_NB_REQUESTS] = {
@@ -3170,6 +3235,9 @@ static const char * const req_names[REQ_NB_REQUESTS] = {
    "set_clipboard_info",
    "open_token",
    "set_global_windows",
+    "adjust_token_privileges",
+    "get_token_privileges",
+    "duplicate_token",
 };

 /* ### make_requests end ### */