[PATCH 1/2] server: Add default security descriptor ownership for processes.
Vijay Kiran Kamuju
infyquest at gmail.com
Wed Apr 17 03:53:31 CDT 2019
From: "Erich E. Hoover" <erich.e.hoover at gmail.com>
From: Erich E. Hoover <erich.e.hoover at gmail.com>
Signed-off-by: Vijay Kiran Kamuju <infyquest at gmail.com>
---
dlls/advapi32/tests/security.c | 35 ++++++++++++++++++++++++++++++++++
server/process.c | 26 ++++++++++++++++++++++++-
server/security.h | 1 +
server/token.c | 2 ++
4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index d9cae64da8b..3097a64fb24 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -4682,11 +4682,15 @@ static void test_acls(void)
static void test_GetSecurityInfo(void)
{
+ char domain_users_ptr[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
+ PSID domain_users_sid = (PSID) domain_users_ptr, domain_sid;
+ SID_IDENTIFIER_AUTHORITY sia = { SECURITY_NT_AUTHORITY };
DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
PSID admin_sid = (PSID) admin_ptr, user_sid;
char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
+ BOOL owner_defaulted, group_defaulted;
ACL_SIZE_INFORMATION acl_size;
PSECURITY_DESCRIPTOR pSD;
ACCESS_ALLOWED_ACE *ace;
@@ -4813,6 +4817,37 @@ static void test_GetSecurityInfo(void)
}
LocalFree(pSD);
CloseHandle(obj);
+
+ /* Obtain the "domain users" SID from the user SID */
+ if (!AllocateAndInitializeSid(&sia, 4, *GetSidSubAuthority(user_sid, 0),
+ *GetSidSubAuthority(user_sid, 1),
+ *GetSidSubAuthority(user_sid, 2),
+ *GetSidSubAuthority(user_sid, 3), 0, 0, 0, 0, &domain_sid))
+ {
+ win_skip("Failed to get current domain SID\n");
+ return;
+ }
+ sid_size = sizeof(domain_users_ptr);
+ pCreateWellKnownSid(WinAccountDomainUsersSid, domain_sid, domain_users_sid, &sid_size);
+ FreeSid(domain_sid);
+
+ /* Test querying the ownership of a process */
+ ret = pGetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
+ OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
+ NULL, NULL, NULL, NULL, &pSD);
+ ok(!ret, "GetNamedSecurityInfo failed with error %d\n", ret);
+
+ bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
+ ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+ ok(owner != NULL, "owner should not be NULL\n");
+ ok(EqualSid(owner, admin_sid) || EqualSid(owner, user_sid),
+ "Process owner SID != Administrators SID.\n");
+
+ bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
+ ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+ ok(group != NULL, "group should not be NULL\n");
+ ok(EqualSid(group, domain_users_sid), "Process group SID != Domain Users SID.\n");
+ LocalFree(pSD);
}
static void test_GetSidSubAuthority(void)
diff --git a/server/process.c b/server/process.c
index 473d3b1a27a..f7af438b561 100644
--- a/server/process.c
+++ b/server/process.c
@@ -63,6 +63,7 @@ static void process_dump( struct object *obj, int verbose );
static struct object_type *process_get_type( struct object *obj );
static int process_signaled( struct object *obj, struct wait_queue_entry *entry );
static unsigned int process_map_access( struct object *obj, unsigned int access );
+static struct security_descriptor *process_get_sd( struct object *obj );
static void process_poll_event( struct fd *fd, int event );
static void process_destroy( struct object *obj );
static void terminate_process( struct process *process, struct thread *skip, int exit_code );
@@ -79,7 +80,7 @@ static const struct object_ops process_ops =
no_signal, /* signal */
no_get_fd, /* get_fd */
process_map_access, /* map_access */
- default_get_sd, /* get_sd */
+ process_get_sd, /* get_sd */
default_set_sd, /* set_sd */
no_lookup_name, /* lookup_name */
no_link_name, /* link_name */
@@ -661,6 +662,29 @@ static unsigned int process_map_access( struct object *obj, unsigned int access
return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}
+static struct security_descriptor *process_get_sd( struct object *obj )
+{
+ static struct security_descriptor *key_default_sd;
+
+ if (obj->sd) return obj->sd;
+
+ if (!key_default_sd)
+ {
+ size_t users_sid_len = security_sid_len( security_domain_users_sid );
+ size_t admins_sid_len = security_sid_len( security_builtin_admins_sid );
+
+ key_default_sd = mem_alloc( sizeof(*key_default_sd) + admins_sid_len + users_sid_len );
+ key_default_sd->control = SE_DACL_PRESENT;
+ key_default_sd->owner_len = admins_sid_len;
+ key_default_sd->group_len = users_sid_len;
+ key_default_sd->sacl_len = 0;
+ key_default_sd->dacl_len = 0;
+ memcpy( key_default_sd + 1, security_builtin_admins_sid, admins_sid_len );
+ memcpy( (char *)(key_default_sd + 1) + admins_sid_len, security_domain_users_sid, users_sid_len );
+ }
+ return key_default_sd;
+}
+
static void process_poll_event( struct fd *fd, int event )
{
struct process *process = get_fd_user( fd );
diff --git a/server/security.h b/server/security.h
index 873bbc6afd6..606dbb2ab2c 100644
--- a/server/security.h
+++ b/server/security.h
@@ -47,6 +47,7 @@ extern const PSID security_local_user_sid;
extern const PSID security_local_system_sid;
extern const PSID security_builtin_users_sid;
extern const PSID security_builtin_admins_sid;
+extern const PSID security_domain_users_sid;
extern const PSID security_high_label_sid;
diff --git a/server/token.c b/server/token.c
index 5c35bcc19f6..895809e7252 100644
--- a/server/token.c
+++ b/server/token.c
@@ -83,6 +83,7 @@ static const SID_N(5) local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORIT
static const SID_N(2) builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
static const SID_N(2) builtin_users_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
static const SID_N(3) builtin_logon_sid = { SID_REVISION, 3, { SECURITY_NT_AUTHORITY }, { SECURITY_LOGON_IDS_RID, 0, 0 } };
+static const SID_N(5) domain_users_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, DOMAIN_GROUP_RID_USERS } };
const PSID security_world_sid = (PSID)&world_sid;
static const PSID security_local_sid = (PSID)&local_sid;
@@ -92,6 +93,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
const PSID security_local_user_sid = (PSID)&local_user_sid;
const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
+const PSID security_domain_users_sid = (PSID)&domain_users_sid;
const PSID security_high_label_sid = (PSID)&high_label_sid;
static luid_t prev_luid_value = { 1000, 0 };
--
2.17.0
More information about the wine-devel
mailing list