Commit 7dfdcf30 authored by Hans Leidekker Committed by Alexandre Julliard

server: The token user SID must be present in the default DACL.

parent fa0a7396
...@@ -4591,6 +4591,64 @@ static void test_TokenIntegrityLevel(void) ...@@ -4591,6 +4591,64 @@ static void test_TokenIntegrityLevel(void)
CloseHandle(token); CloseHandle(token);
} }
static void test_default_dacl_owner_sid(void)
{
HANDLE handle;
BOOL ret, defaulted, present, found;
DWORD size, index;
SECURITY_DESCRIPTOR *sd;
SECURITY_ATTRIBUTES sa;
PSID owner;
ACL *dacl;
ACCESS_ALLOWED_ACE *ace;
sd = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
ret = InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION );
ok( ret, "error %u\n", GetLastError() );
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = sd;
sa.bInheritHandle = FALSE;
handle = CreateEvent( &sa, TRUE, TRUE, "test_event" );
ok( handle != NULL, "error %u\n", GetLastError() );
size = 0;
ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, NULL, 0, &size );
ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "error %u\n", GetLastError() );
sd = HeapAlloc( GetProcessHeap(), 0, size );
ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, sd, size, &size );
ok( ret, "error %u\n", GetLastError() );
owner = (void *)0xdeadbeef;
defaulted = TRUE;
ret = GetSecurityDescriptorOwner( sd, &owner, &defaulted );
ok( ret, "error %u\n", GetLastError() );
ok( owner != (void *)0xdeadbeef, "owner not set\n" );
todo_wine ok( !defaulted, "owner defaulted\n" );
dacl = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
ret = GetSecurityDescriptorDacl( sd, &present, &dacl, &defaulted );
ok( ret, "error %u\n", GetLastError() );
ok( present, "dacl not present\n" );
ok( dacl != (void *)0xdeadbeef, "dacl not set\n" );
todo_wine ok( !defaulted, "dacl defaulted\n" );
index = 0;
found = FALSE;
while (pGetAce( dacl, index++, (void **)&ace ))
{
if (EqualSid( &ace->SidStart, owner )) found = TRUE;
}
ok( found, "owner sid not found in dacl\n" );
HeapFree( GetProcessHeap(), 0, sa.lpSecurityDescriptor );
HeapFree( GetProcessHeap(), 0, sd );
CloseHandle( handle );
}
START_TEST(security) START_TEST(security)
{ {
init(); init();
...@@ -4629,4 +4687,5 @@ START_TEST(security) ...@@ -4629,4 +4687,5 @@ START_TEST(security)
test_GetUserNameW(); test_GetUserNameW();
test_CreateRestrictedToken(); test_CreateRestrictedToken();
test_TokenIntegrityLevel(); test_TokenIntegrityLevel();
test_default_dacl_owner_sid();
} }
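Review bot: The loop's `if (EqualSid( &ace->SidStart, owner )) found = TRUE;` accepts any ACE whose SID matches, so the test would still pass if the owner appeared only in an access-denied ACE. Since the commit is about the token user being granted access through the default DACL, the check should be `if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid( &ace->SidStart, owner )) found = TRUE;`. Separately, `CreateEvent( &sa, TRUE, TRUE, "test_event" )` uses a fixed name: if an event of that name already exists, the call returns the existing object and ignores the supplied security descriptor, so the DACL read back would not be the default one. Passing `NULL` as the name avoids that.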
...@@ -640,8 +640,8 @@ struct token *token_create_admin( void ) ...@@ -640,8 +640,8 @@ struct token *token_create_admin( void )
PSID alias_admins_sid; PSID alias_admins_sid;
PSID alias_users_sid; PSID alias_users_sid;
PSID logon_sid; PSID logon_sid;
/* note: should be the owner specified in the token */ const SID *user_sid = security_unix_uid_to_sid( getuid() );
ACL *default_dacl = create_default_dacl( &interactive_sid ); ACL *default_dacl = create_default_dacl( user_sid );
alias_admins_sid = security_sid_alloc( &nt_authority, sizeof(alias_admins_subauth)/sizeof(alias_admins_subauth[0]), alias_admins_sid = security_sid_alloc( &nt_authority, sizeof(alias_admins_subauth)/sizeof(alias_admins_subauth[0]),
alias_admins_subauth ); alias_admins_subauth );
...@@ -688,10 +688,9 @@ struct token *token_create_admin( void ) ...@@ -688,10 +688,9 @@ struct token *token_create_admin( void )
{ logon_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_LOGON_ID }, { logon_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_LOGON_ID },
}; };
static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}}; static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
token = create_token( TRUE, security_unix_uid_to_sid( getuid() ), token = create_token( TRUE, user_sid, admin_groups, sizeof(admin_groups)/sizeof(admin_groups[0]),
admin_groups, sizeof(admin_groups)/sizeof(admin_groups[0]), admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]), default_dacl,
admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]), admin_source, NULL, -1 );
default_dacl, admin_source, NULL, -1 );
/* we really need a primary group */ /* we really need a primary group */
assert( token->primary_group ); assert( token->primary_group );
} }
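Review bot: The removed comment said the default DACL should name the owner specified in the token, but the new `ACL *default_dacl = create_default_dacl( user_sid );` uses the token user, and nothing left in the hunk records why that is equivalent. If create_token() makes the user SID the token owner (not visible here) the two coincide; a comment above that line such as `/* the token owner defaults to the user, so build the default DACL for the user SID */` would keep the reasoning with the code. It would also help to state there that the default DACL is no longer built for the interactive SID, since that is what narrows the access on newly created objects. token_create_admin() starts and ends outside the visible hunks.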