[PATCH 1/5] advapi32/tests: Show that tokens do not inherit security descriptors during duplication.
Matteo Bruni
mbruni at codeweavers.com
Fri Jun 16 13:41:33 CDT 2017
From: Michael Müller <michael at fds-team.de>
Signed-off-by: Matteo Bruni <mbruni at codeweavers.com>
---
dlls/advapi32/tests/security.c | 45 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 09c6a721cc..65e9758e3d 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6722,11 +6722,11 @@ static void test_token_security_descriptor(void)
SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
char buffer_acl[256];
ACL *acl = (ACL *)&buffer_acl, *acl2;
- BOOL defaulted, present, ret;
+ BOOL defaulted, present, ret, found;
+ HANDLE token, token2, token3;
ACCESS_ALLOWED_ACE *ace;
SECURITY_ATTRIBUTES sa;
- HANDLE token, token2;
- DWORD size;
+ DWORD size, index;
PSID psid;
if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
@@ -6789,8 +6789,47 @@ static void test_token_security_descriptor(void)
HeapFree(GetProcessHeap(), 0, sd2);
+ /* Duplicate token without security attributes.
+ * Tokens do not inherit the security descriptor in DuplicateToken. */
+ ret = pDuplicateTokenEx(token2, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &token3);
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ acl2 = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ todo_wine
+ ok(present, "DACL not present\n");
+
+ if (present)
+ {
+ ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
+ ok(!defaulted, "DACL defaulted\n");
+
+ index = 0;
+ found = FALSE;
+ while (pGetAce(acl2, index++, (void **)&ace))
+ {
+ if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+ found = TRUE;
+ }
+ ok(!found, "Access allowed ACE was inherited\n");
+ }
+
+ HeapFree(GetProcessHeap(), 0, sd2);
+
LocalFree(psid);
+ CloseHandle(token3);
CloseHandle(token2);
CloseHandle(token);
}
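Review bot: In the `if (present)` branch, `acl2` is only compared with the 0xdeadbeef sentinel, so a DACL that is present but NULL (which grants access to everyone) would be passed to the `pGetAce` loop as a NULL pointer. If that call simply returns FALSE, which is not verifiable from this hunk, `ok(!found, ...)` passes without any ACE having been inspected. The check could be tightened to `ok(acl2 != NULL && acl2 != (void *)0xdeadbeef, "DACL not set\n");`, with the loop skipped when `acl2` is NULL. Separately, `token3` is still handed to `GetKernelObjectSecurity` and `CloseHandle` when `pDuplicateTokenEx` fails, and the `HeapAlloc` result in `sd2` is used unchecked; a short guard after the first `ok(ret, ...)` would keep a failure from cascading into reads of an uninitialised handle. The body of `test_token_security_descriptor` begins outside this hunk, so the earlier setup of `token2`, `psid` and `size` is assumed from context.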
--
2.13.0