server: The token user SID must be present in the default DACL.
Hans Leidekker
hans at codeweavers.com
Tue Jul 30 04:06:42 CDT 2013
---
dlls/advapi32/tests/security.c | 59 ++++++++++++++++++++++++++++++++++++++++
server/token.c | 11 ++++----
2 files changed, 64 insertions(+), 6 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 30da864..c622bb2 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -4591,6 +4591,64 @@ static void test_TokenIntegrityLevel(void)
CloseHandle(token);
}
+static void test_default_dacl_owner_sid(void)
+{
+ HANDLE handle;
+ BOOL ret, defaulted, present, found;
+ DWORD size, index;
+ SECURITY_DESCRIPTOR *sd;
+ SECURITY_ATTRIBUTES sa;
+ PSID owner;
+ ACL *dacl;
+ ACCESS_ALLOWED_ACE *ace;
+
+ sd = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH );
+ ret = InitializeSecurityDescriptor( sd, SECURITY_DESCRIPTOR_REVISION );
+ ok( ret, "error %u\n", GetLastError() );
+
+ sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.lpSecurityDescriptor = sd;
+ sa.bInheritHandle = FALSE;
+ handle = CreateEvent( &sa, TRUE, TRUE, "test_event" );
+ ok( handle != NULL, "error %u\n", GetLastError() );
+
+ size = 0;
+ ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, NULL, 0, &size );
+ ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "error %u\n", GetLastError() );
+
+ sd = HeapAlloc( GetProcessHeap(), 0, size );
+ ret = GetKernelObjectSecurity( handle, OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION, sd, size, &size );
+ ok( ret, "error %u\n", GetLastError() );
+
+ owner = (void *)0xdeadbeef;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorOwner( sd, &owner, &defaulted );
+ ok( ret, "error %u\n", GetLastError() );
+ ok( owner != (void *)0xdeadbeef, "owner not set\n" );
+ todo_wine ok( !defaulted, "owner defaulted\n" );
+
+ dacl = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorDacl( sd, &present, &dacl, &defaulted );
+ ok( ret, "error %u\n", GetLastError() );
+ ok( present, "dacl not present\n" );
+ ok( dacl != (void *)0xdeadbeef, "dacl not set\n" );
+ todo_wine ok( !defaulted, "dacl defaulted\n" );
+
+ index = 0;
+ found = FALSE;
+ while (pGetAce( dacl, index++, (void **)&ace ))
+ {
+ if (EqualSid( &ace->SidStart, owner )) found = TRUE;
+ }
+ ok( found, "owner sid not found in dacl\n" );
+
+ HeapFree( GetProcessHeap(), 0, sa.lpSecurityDescriptor );
+ HeapFree( GetProcessHeap(), 0, sd );
+ CloseHandle( handle );
+}
+
START_TEST(security)
{
init();
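Review bot: The ACE loop at the end of test_default_dacl_owner_sid accepts any ACE whose SID equals the owner, without checking the ACE type or mask, so an access-denied ACE for the owner would also set `found`. Since the test is meant to show that the default DACL grants access to the token user, the match should be restricted to allow ACEs: `if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid( &ace->SidStart, owner )) found = TRUE;`. Separately, the event is created with the fixed name "test_event". If an object of that name already exists, the supplied security attributes are not applied and the test would inspect that other object's descriptor, so passing NULL for the name or checking for ERROR_ALREADY_EXISTS would be more robust.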
@@ -4629,4 +4687,5 @@ START_TEST(security)
test_GetUserNameW();
test_CreateRestrictedToken();
test_TokenIntegrityLevel();
+ test_default_dacl_owner_sid();
}
diff --git a/server/token.c b/server/token.c
index 6d8961a..cb81eec 100644
--- a/server/token.c
+++ b/server/token.c
@@ -640,8 +640,8 @@ struct token *token_create_admin( void )
PSID alias_admins_sid;
PSID alias_users_sid;
PSID logon_sid;
- /* note: should be the owner specified in the token */
- ACL *default_dacl = create_default_dacl( &interactive_sid );
+ const SID *user_sid = security_unix_uid_to_sid( getuid() );
+ ACL *default_dacl = create_default_dacl( user_sid );
alias_admins_sid = security_sid_alloc( &nt_authority, sizeof(alias_admins_subauth)/sizeof(alias_admins_subauth[0]),
alias_admins_subauth );
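Review bot: The comment removed at the top of token_create_admin is not replaced, so nothing in the new lines says why the default DACL is built from `user_sid` rather than a well-known SID. A short comment above the declaration would keep the invariant visible to later editors, for example `/* the default DACL must contain the token user SID, so use the same SID for both */`. The same `user_sid` is passed to create_token in the later hunk of this function, and the function body continues outside both hunks. The result of `security_unix_uid_to_sid( getuid() )` is passed on unchecked; whether it can return NULL is not visible from this patch, so that is worth confirming.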
@@ -688,10 +688,9 @@ struct token *token_create_admin( void )
{ logon_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_LOGON_ID },
};
static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
- token = create_token( TRUE, security_unix_uid_to_sid( getuid() ),
- admin_groups, sizeof(admin_groups)/sizeof(admin_groups[0]),
- admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]),
- default_dacl, admin_source, NULL, -1 );
+ token = create_token( TRUE, user_sid, admin_groups, sizeof(admin_groups)/sizeof(admin_groups[0]),
+ admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]), default_dacl,
+ admin_source, NULL, -1 );
/* we really need a primary group */
assert( token->primary_group );
}
--
1.7.10.4