git.oblomov.eu Git - wine/blob - dlls/advapi32/tests/security.c

   1 /*
   2  * Unit tests for security functions
   3  *
   4  * Copyright (c) 2004 Mike McCormack
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  */
  20
  21 #include <stdarg.h>
  22 #include <stdio.h>
  23
  24 #include "ntstatus.h"
  25 #define WIN32_NO_STATUS
  26 #include "windef.h"
  27 #include "winbase.h"
  28 #include "winerror.h"
  29 #include "aclapi.h"
  30 #include "winnt.h"
  31 #include "winternl.h"
  32 #include "sddl.h"
  33 #include "ntsecapi.h"
  34
  35 #include "wine/test.h"
  36
  37 typedef VOID (WINAPI *fnBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
  38 typedef VOID (WINAPI *fnBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
  39 typedef VOID (WINAPI *fnBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
  40                                                           POBJECTS_AND_NAME_A pObjName,
  41                                                           SE_OBJECT_TYPE ObjectType,
  42                                                           LPSTR ObjectTypeName,
  43                                                           LPSTR InheritedObjectTypeName,
  44                                                           LPSTR Name );
  45 typedef VOID (WINAPI *fnBuildTrusteeWithObjectsAndSidA)( PTRUSTEEA pTrustee,
  46                                                          POBJECTS_AND_SID pObjSid,
  47                                                          GUID* pObjectGuid,
  48                                                          GUID* pInheritedObjectGuid,
  49                                                          PSID pSid );
  50 typedef LPSTR (WINAPI *fnGetTrusteeNameA)( PTRUSTEEA pTrustee );
  51 typedef BOOL (WINAPI *fnConvertSidToStringSidA)( PSID pSid, LPSTR *str );
  52 typedef BOOL (WINAPI *fnConvertStringSidToSidA)( LPCSTR str, PSID pSid );
  53 typedef BOOL (WINAPI *fnGetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
  54                                           PSECURITY_DESCRIPTOR, DWORD, LPDWORD);
  55 typedef DWORD (WINAPI *fnRtlAdjustPrivilege)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
  56 typedef BOOL (WINAPI *fnCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
  57
  58 typedef NTSTATUS (WINAPI *fnLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMATION_CLASS,PVOID*);
  59 typedef NTSTATUS (WINAPI *fnLsaClose)(LSA_HANDLE);
  60 typedef NTSTATUS (WINAPI *fnLsaFreeMemory)(PVOID);
  61 typedef NTSTATUS (WINAPI *fnLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
  62
  63 static HMODULE hmod;
  64
  65 fnBuildTrusteeWithSidA   pBuildTrusteeWithSidA;
  66 fnBuildTrusteeWithNameA  pBuildTrusteeWithNameA;
  67 fnBuildTrusteeWithObjectsAndNameA pBuildTrusteeWithObjectsAndNameA;
  68 fnBuildTrusteeWithObjectsAndSidA pBuildTrusteeWithObjectsAndSidA;
  69 fnGetTrusteeNameA pGetTrusteeNameA;
  70 fnConvertSidToStringSidA pConvertSidToStringSidA;
  71 fnConvertStringSidToSidA pConvertStringSidToSidA;
  72 fnGetFileSecurityA pGetFileSecurityA;
  73 fnRtlAdjustPrivilege pRtlAdjustPrivilege;
  74 fnCreateWellKnownSid pCreateWellKnownSid;
  75 fnLsaQueryInformationPolicy pLsaQueryInformationPolicy;
  76 fnLsaClose pLsaClose;
  77 fnLsaFreeMemory pLsaFreeMemory;
  78 fnLsaOpenPolicy pLsaOpenPolicy;
  79
  80 struct sidRef
  81 {
  82     SID_IDENTIFIER_AUTHORITY auth;
  83     const char *refStr;
  84 };
  85
  86 static void init(void)
  87 {
  88     hmod = GetModuleHandle("advapi32.dll");
  89 }
  90
  91 static void test_str_sid(char *str_sid)
  92 {
  93     PSID psid;
  94     char *temp;
  95
  96     if (pConvertStringSidToSidA(str_sid, &psid))
  97     {
  98         if (pConvertSidToStringSidA(psid, &temp))
  99         {
 100             trace(" %s: %s\n", str_sid, temp);
 101             LocalFree(temp);
 102         }
 103     }
 104     else
 105         trace("%s couldn't be converted, returned %ld\n", str_sid, GetLastError());
 106 }
 107
 108 static void test_sid(void)
 109 {
 110     struct sidRef refs[] = {
 111      { { {0x00,0x00,0x33,0x44,0x55,0x66} }, "S-1-860116326-1" },
 112      { { {0x00,0x00,0x01,0x02,0x03,0x04} }, "S-1-16909060-1"  },
 113      { { {0x00,0x00,0x00,0x01,0x02,0x03} }, "S-1-66051-1"     },
 114      { { {0x00,0x00,0x00,0x00,0x01,0x02} }, "S-1-258-1"       },
 115      { { {0x00,0x00,0x00,0x00,0x00,0x02} }, "S-1-2-1"         },
 116      { { {0x00,0x00,0x00,0x00,0x00,0x0c} }, "S-1-12-1"        },
 117     };
 118     const char noSubAuthStr[] = "S-1-5";
 119     unsigned int i;
 120     PSID psid = NULL;
 121     BOOL r;
 122     LPSTR str = NULL;
 123
 124     pConvertSidToStringSidA = (fnConvertSidToStringSidA)
 125                     GetProcAddress( hmod, "ConvertSidToStringSidA" );
 126     if( !pConvertSidToStringSidA )
 127         return;
 128     pConvertStringSidToSidA = (fnConvertStringSidToSidA)
 129                     GetProcAddress( hmod, "ConvertStringSidToSidA" );
 130     if( !pConvertStringSidToSidA )
 131         return;
 132
 133     r = pConvertStringSidToSidA( NULL, NULL );
 134     ok( !r, "expected failure with NULL parameters\n" );
 135     if( GetLastError() == ERROR_CALL_NOT_IMPLEMENTED )
 136         return;
 137     ok( GetLastError() == ERROR_INVALID_PARAMETER,
 138      "expected GetLastError() is ERROR_INVALID_PARAMETER, got %ld\n",
 139      GetLastError() );
 140
 141     r = pConvertStringSidToSidA( refs[0].refStr, NULL );
 142     ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
 143      "expected GetLastError() is ERROR_INVALID_PARAMETER, got %ld\n",
 144      GetLastError() );
 145
 146     r = pConvertStringSidToSidA( NULL, &str );
 147     ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
 148      "expected GetLastError() is ERROR_INVALID_PARAMETER, got %ld\n",
 149      GetLastError() );
 150
 151     r = pConvertStringSidToSidA( noSubAuthStr, &psid );
 152     ok( !r,
 153      "expected failure with no sub authorities\n" );
 154     ok( GetLastError() == ERROR_INVALID_SID,
 155      "expected GetLastError() is ERROR_INVALID_SID, got %ld\n",
 156      GetLastError() );
 157
 158     for( i = 0; i < sizeof(refs) / sizeof(refs[0]); i++ )
 159     {
 160         PISID pisid;
 161
 162         r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
 163          &psid );
 164         ok( r, "failed to allocate sid\n" );
 165         r = pConvertSidToStringSidA( psid, &str );
 166         ok( r, "failed to convert sid\n" );
 167         if (r)
 168         {
 169             ok( !strcmp( str, refs[i].refStr ),
 170                 "incorrect sid, expected %s, got %s\n", refs[i].refStr, str );
 171             LocalFree( str );
 172         }
 173         if( psid )
 174             FreeSid( psid );
 175
 176         r = pConvertStringSidToSidA( refs[i].refStr, &psid );
 177         ok( r, "failed to parse sid string\n" );
 178         pisid = (PISID)psid;
 179         ok( pisid &&
 180          !memcmp( pisid->IdentifierAuthority.Value, refs[i].auth.Value,
 181          sizeof(refs[i].auth) ),
 182          "string sid %s didn't parse to expected value\n"
 183          "(got 0x%04x%08lx, expected 0x%04x%08lx)\n",
 184          refs[i].refStr,
 185          MAKEWORD( pisid->IdentifierAuthority.Value[1],
 186          pisid->IdentifierAuthority.Value[0] ),
 187          MAKELONG( MAKEWORD( pisid->IdentifierAuthority.Value[5],
 188          pisid->IdentifierAuthority.Value[4] ),
 189          MAKEWORD( pisid->IdentifierAuthority.Value[3],
 190          pisid->IdentifierAuthority.Value[2] ) ),
 191          MAKEWORD( refs[i].auth.Value[1], refs[i].auth.Value[0] ),
 192          MAKELONG( MAKEWORD( refs[i].auth.Value[5], refs[i].auth.Value[4] ),
 193          MAKEWORD( refs[i].auth.Value[3], refs[i].auth.Value[2] ) ) );
 194         if( psid )
 195             LocalFree( psid );
 196     }
 197
 198     test_str_sid("AO");
 199     test_str_sid("RU");
 200     test_str_sid("AN");
 201     test_str_sid("AU");
 202     test_str_sid("BA");
 203     test_str_sid("BG");
 204     test_str_sid("BO");
 205     test_str_sid("BU");
 206     test_str_sid("CA");
 207     test_str_sid("CG");
 208     test_str_sid("CO");
 209     test_str_sid("DA");
 210     test_str_sid("DC");
 211     test_str_sid("DD");
 212     test_str_sid("DG");
 213     test_str_sid("DU");
 214     test_str_sid("EA");
 215     test_str_sid("ED");
 216     test_str_sid("WD");
 217     test_str_sid("PA");
 218     test_str_sid("IU");
 219     test_str_sid("LA");
 220     test_str_sid("LG");
 221     test_str_sid("LS");
 222     test_str_sid("SY");
 223     test_str_sid("NU");
 224     test_str_sid("NO");
 225     test_str_sid("NS");
 226     test_str_sid("PO");
 227     test_str_sid("PS");
 228     test_str_sid("PU");
 229     test_str_sid("RS");
 230     test_str_sid("RD");
 231     test_str_sid("RE");
 232     test_str_sid("RC");
 233     test_str_sid("SA");
 234     test_str_sid("SO");
 235     test_str_sid("SU");
 236 }
 237
 238 static void test_trustee(void)
 239 {
 240     GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}};
 241     GUID InheritedObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}};
 242     GUID ZeroGuid;
 243     OBJECTS_AND_NAME_ oan;
 244     OBJECTS_AND_SID oas;
 245     TRUSTEE trustee;
 246     PSID psid;
 247     char szObjectTypeName[] = "ObjectTypeName";
 248     char szInheritedObjectTypeName[] = "InheritedObjectTypeName";
 249     char szTrusteeName[] = "szTrusteeName";
 250     SID_IDENTIFIER_AUTHORITY auth = { {0x11,0x22,0,0,0, 0} };
 251
 252     memset( &ZeroGuid, 0x00, sizeof (ZeroGuid) );
 253
 254     pBuildTrusteeWithSidA = (fnBuildTrusteeWithSidA)
 255                     GetProcAddress( hmod, "BuildTrusteeWithSidA" );
 256     pBuildTrusteeWithNameA = (fnBuildTrusteeWithNameA)
 257                     GetProcAddress( hmod, "BuildTrusteeWithNameA" );
 258     pBuildTrusteeWithObjectsAndNameA = (fnBuildTrusteeWithObjectsAndNameA)
 259                     GetProcAddress (hmod, "BuildTrusteeWithObjectsAndNameA" );
 260     pBuildTrusteeWithObjectsAndSidA = (fnBuildTrusteeWithObjectsAndSidA)
 261                     GetProcAddress (hmod, "BuildTrusteeWithObjectsAndSidA" );
 262     pGetTrusteeNameA = (fnGetTrusteeNameA)
 263                     GetProcAddress (hmod, "GetTrusteeNameA" );
 264     if( !pBuildTrusteeWithSidA || !pBuildTrusteeWithNameA ||
 265         !pBuildTrusteeWithObjectsAndNameA || !pBuildTrusteeWithObjectsAndSidA ||
 266         !pGetTrusteeNameA )
 267         return;
 268
 269     if ( ! AllocateAndInitializeSid( &auth, 1, 42, 0,0,0,0,0,0,0,&psid ) )
 270     {
 271         trace( "failed to init SID\n" );
 272        return;
 273     }
 274
 275     /* test BuildTrusteeWithSidA */
 276     memset( &trustee, 0xff, sizeof trustee );
 277     pBuildTrusteeWithSidA( &trustee, psid );
 278
 279     ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 280     ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
 281         "MultipleTrusteeOperation wrong\n");
 282     ok( trustee.TrusteeForm == TRUSTEE_IS_SID, "TrusteeForm wrong\n");
 283     ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 284     ok( trustee.ptstrName == (LPSTR) psid, "ptstrName wrong\n" );
 285
 286     /* test BuildTrusteeWithObjectsAndSidA (test 1) */
 287     memset( &trustee, 0xff, sizeof trustee );
 288     memset( &oas, 0xff, sizeof(oas) );
 289     pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, &ObjectType,
 290                                     &InheritedObjectType, psid);
 291
 292     ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 293     ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
 294     ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
 295     ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 296     ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
 297
 298     ok(oas.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
 299     ok(!memcmp(&oas.ObjectTypeGuid, &ObjectType, sizeof(GUID)), "ObjectTypeGuid wrong\n");
 300     ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
 301     ok(oas.pSid == psid, "pSid wrong\n");
 302
 303     /* test GetTrusteeNameA */
 304     ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oas, "GetTrusteeName returned wrong value\n");
 305
 306     /* test BuildTrusteeWithObjectsAndSidA (test 2) */
 307     memset( &trustee, 0xff, sizeof trustee );
 308     memset( &oas, 0xff, sizeof(oas) );
 309     pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, NULL,
 310                                     &InheritedObjectType, psid);
 311
 312     ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 313     ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
 314     ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
 315     ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 316     ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
 317
 318     ok(oas.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
 319     ok(!memcmp(&oas.ObjectTypeGuid, &ZeroGuid, sizeof(GUID)), "ObjectTypeGuid wrong\n");
 320     ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
 321     ok(oas.pSid == psid, "pSid wrong\n");
 322
 323     FreeSid( psid );
 324
 325     /* test BuildTrusteeWithNameA */
 326     memset( &trustee, 0xff, sizeof trustee );
 327     pBuildTrusteeWithNameA( &trustee, szTrusteeName );
 328
 329     ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 330     ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
 331         "MultipleTrusteeOperation wrong\n");
 332     ok( trustee.TrusteeForm == TRUSTEE_IS_NAME, "TrusteeForm wrong\n");
 333     ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 334     ok( trustee.ptstrName == szTrusteeName, "ptstrName wrong\n" );
 335
 336     /* test BuildTrusteeWithObjectsAndNameA (test 1) */
 337     memset( &trustee, 0xff, sizeof trustee );
 338     memset( &oan, 0xff, sizeof(oan) );
 339     pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
 340                                      szInheritedObjectTypeName, szTrusteeName);
 341
 342     ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 343     ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
 344     ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
 345     ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 346     ok(trustee.ptstrName == (LPTSTR)&oan, "ptstrName wrong\n");
 347
 348     ok(oan.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
 349     ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
 350     ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
 351     ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
 352
 353     /* test GetTrusteeNameA */
 354     ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oan, "GetTrusteeName returned wrong value\n");
 355
 356     /* test BuildTrusteeWithObjectsAndNameA (test 2) */
 357     memset( &trustee, 0xff, sizeof trustee );
 358     memset( &oan, 0xff, sizeof(oan) );
 359     pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, NULL,
 360                                      szInheritedObjectTypeName, szTrusteeName);
 361
 362     ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 363     ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
 364     ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
 365     ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 366     ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
 367
 368     ok(oan.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
 369     ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
 370     ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
 371     ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
 372
 373     /* test BuildTrusteeWithObjectsAndNameA (test 3) */
 374     memset( &trustee, 0xff, sizeof trustee );
 375     memset( &oan, 0xff, sizeof(oan) );
 376     pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
 377                                      NULL, szTrusteeName);
 378
 379     ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
 380     ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
 381     ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
 382     ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
 383     ok(trustee.ptstrName == (LPTSTR)&oan, "ptstrName wrong\n");
 384
 385     ok(oan.ObjectsPresent == ACE_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
 386     ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
 387     ok(oan.InheritedObjectTypeName == NULL, "InheritedObjectTypeName wrong\n");
 388     ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
 389 }
 390
 391 /* If the first isn't defined, assume none is */
 392 #ifndef SE_MIN_WELL_KNOWN_PRIVILEGE
 393 #define SE_MIN_WELL_KNOWN_PRIVILEGE       2L
 394 #define SE_CREATE_TOKEN_PRIVILEGE         2L
 395 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE   3L
 396 #define SE_LOCK_MEMORY_PRIVILEGE          4L
 397 #define SE_INCREASE_QUOTA_PRIVILEGE       5L
 398 #define SE_MACHINE_ACCOUNT_PRIVILEGE      6L
 399 #define SE_TCB_PRIVILEGE                  7L
 400 #define SE_SECURITY_PRIVILEGE             8L
 401 #define SE_TAKE_OWNERSHIP_PRIVILEGE       9L
 402 #define SE_LOAD_DRIVER_PRIVILEGE         10L
 403 #define SE_SYSTEM_PROFILE_PRIVILEGE      11L
 404 #define SE_SYSTEMTIME_PRIVILEGE          12L
 405 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13L
 406 #define SE_INC_BASE_PRIORITY_PRIVILEGE   14L
 407 #define SE_CREATE_PAGEFILE_PRIVILEGE     15L
 408 #define SE_CREATE_PERMANENT_PRIVILEGE    16L
 409 #define SE_BACKUP_PRIVILEGE              17L
 410 #define SE_RESTORE_PRIVILEGE             18L
 411 #define SE_SHUTDOWN_PRIVILEGE            19L
 412 #define SE_DEBUG_PRIVILEGE               20L
 413 #define SE_AUDIT_PRIVILEGE               21L
 414 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE  22L
 415 #define SE_CHANGE_NOTIFY_PRIVILLEGE      23L
 416 #define SE_REMOTE_SHUTDOWN_PRIVILEGE     24L
 417 #define SE_UNDOCK_PRIVILEGE              25L
 418 #define SE_SYNC_AGENT_PRIVILEGE          26L
 419 #define SE_ENABLE_DELEGATION_PRIVILEGE   27L
 420 #define SE_MANAGE_VOLUME_PRIVILEGE       28L
 421 #define SE_IMPERSONATE_PRIVILEGE         29L
 422 #define SE_CREATE_GLOBAL_PRIVILEGE       30L
 423 #define SE_MAX_WELL_KNOWN_PRIVILEGE      SE_CREATE_GLOBAL_PRIVILEGE
 424 #endif /* ndef SE_MIN_WELL_KNOWN_PRIVILEGE */
 425
 426 static void test_allocateLuid(void)
 427 {
 428     BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
 429     LUID luid1, luid2;
 430     BOOL ret;
 431
 432     pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
 433     if (!pAllocateLocallyUniqueId) return;
 434
 435     ret = pAllocateLocallyUniqueId(&luid1);
 436     if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
 437         return;
 438
 439     ok(ret,
 440      "AllocateLocallyUniqueId failed: %ld\n", GetLastError());
 441     ret = pAllocateLocallyUniqueId(&luid2);
 442     ok( ret,
 443      "AllocateLocallyUniqueId failed: %ld\n", GetLastError());
 444     ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
 445      "AllocateLocallyUniqueId returned a well-known LUID\n");
 446     ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
 447      "AllocateLocallyUniqueId returned non-unique LUIDs\n");
 448     ret = pAllocateLocallyUniqueId(NULL);
 449     ok( !ret && GetLastError() == ERROR_NOACCESS,
 450      "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %ld\n",
 451      GetLastError());
 452 }
 453
 454 static void test_lookupPrivilegeName(void)
 455 {
 456     BOOL (WINAPI *pLookupPrivilegeNameA)(LPCSTR, PLUID, LPSTR, LPDWORD);
 457     char buf[MAX_PATH]; /* arbitrary, seems long enough */
 458     DWORD cchName = sizeof(buf);
 459     LUID luid = { 0, 0 };
 460     LONG i;
 461     BOOL ret;
 462
 463     /* check whether it's available first */
 464     pLookupPrivilegeNameA = (void*)GetProcAddress(hmod, "LookupPrivilegeNameA");
 465     if (!pLookupPrivilegeNameA) return;
 466     luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
 467     ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
 468     if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
 469         return;
 470
 471     /* check with a short buffer */
 472     cchName = 0;
 473     luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
 474     ret = pLookupPrivilegeNameA(NULL, &luid, NULL, &cchName);
 475     ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
 476      "LookupPrivilegeNameA didn't fail with ERROR_INSUFFICIENT_BUFFER: %ld\n",
 477      GetLastError());
 478     ok(cchName == strlen("SeCreateTokenPrivilege") + 1,
 479      "LookupPrivilegeNameA returned an incorrect required length for\n"
 480      "SeCreateTokenPrivilege (got %ld, expected %d)\n", cchName,
 481      lstrlenA("SeCreateTokenPrivilege") + 1);
 482     /* check a known value and its returned length on success */
 483     cchName = sizeof(buf);
 484     ok(pLookupPrivilegeNameA(NULL, &luid, buf, &cchName) &&
 485      cchName == strlen("SeCreateTokenPrivilege"),
 486      "LookupPrivilegeNameA returned an incorrect output length for\n"
 487      "SeCreateTokenPrivilege (got %ld, expected %d)\n", cchName,
 488      (int)strlen("SeCreateTokenPrivilege"));
 489     /* check known values */
 490     for (i = SE_MIN_WELL_KNOWN_PRIVILEGE; i < SE_MAX_WELL_KNOWN_PRIVILEGE; i++)
 491     {
 492         luid.LowPart = i;
 493         cchName = sizeof(buf);
 494         ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
 495         ok( ret || GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
 496          "LookupPrivilegeNameA(0.%ld) failed: %ld\n", i, GetLastError());
 497     }
 498     /* check a bogus LUID */
 499     luid.LowPart = 0xdeadbeef;
 500     cchName = sizeof(buf);
 501     ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
 502     ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
 503      "LookupPrivilegeNameA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %ld\n",
 504      GetLastError());
 505     /* check on a bogus system */
 506     luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
 507     cchName = sizeof(buf);
 508     ret = pLookupPrivilegeNameA("b0gu5.Nam3", &luid, buf, &cchName);
 509     ok( !ret && GetLastError() == RPC_S_SERVER_UNAVAILABLE,
 510      "LookupPrivilegeNameA didn't fail with RPC_S_SERVER_UNAVAILABLE: %ld\n",
 511      GetLastError());
 512 }
 513
 514 struct NameToLUID
 515 {
 516     const char *name;
 517     DWORD lowPart;
 518 };
 519
 520 static void test_lookupPrivilegeValue(void)
 521 {
 522     static const struct NameToLUID privs[] = {
 523      { "SeCreateTokenPrivilege", SE_CREATE_TOKEN_PRIVILEGE },
 524      { "SeAssignPrimaryTokenPrivilege", SE_ASSIGNPRIMARYTOKEN_PRIVILEGE },
 525      { "SeLockMemoryPrivilege", SE_LOCK_MEMORY_PRIVILEGE },
 526      { "SeIncreaseQuotaPrivilege", SE_INCREASE_QUOTA_PRIVILEGE },
 527      { "SeMachineAccountPrivilege", SE_MACHINE_ACCOUNT_PRIVILEGE },
 528      { "SeTcbPrivilege", SE_TCB_PRIVILEGE },
 529      { "SeSecurityPrivilege", SE_SECURITY_PRIVILEGE },
 530      { "SeTakeOwnershipPrivilege", SE_TAKE_OWNERSHIP_PRIVILEGE },
 531      { "SeLoadDriverPrivilege", SE_LOAD_DRIVER_PRIVILEGE },
 532      { "SeSystemProfilePrivilege", SE_SYSTEM_PROFILE_PRIVILEGE },
 533      { "SeSystemtimePrivilege", SE_SYSTEMTIME_PRIVILEGE },
 534      { "SeProfileSingleProcessPrivilege", SE_PROF_SINGLE_PROCESS_PRIVILEGE },
 535      { "SeIncreaseBasePriorityPrivilege", SE_INC_BASE_PRIORITY_PRIVILEGE },
 536      { "SeCreatePagefilePrivilege", SE_CREATE_PAGEFILE_PRIVILEGE },
 537      { "SeCreatePermanentPrivilege", SE_CREATE_PERMANENT_PRIVILEGE },
 538      { "SeBackupPrivilege", SE_BACKUP_PRIVILEGE },
 539      { "SeRestorePrivilege", SE_RESTORE_PRIVILEGE },
 540      { "SeShutdownPrivilege", SE_SHUTDOWN_PRIVILEGE },
 541      { "SeDebugPrivilege", SE_DEBUG_PRIVILEGE },
 542      { "SeAuditPrivilege", SE_AUDIT_PRIVILEGE },
 543      { "SeSystemEnvironmentPrivilege", SE_SYSTEM_ENVIRONMENT_PRIVILEGE },
 544      { "SeChangeNotifyPrivilege", SE_CHANGE_NOTIFY_PRIVILLEGE },
 545      { "SeRemoteShutdownPrivilege", SE_REMOTE_SHUTDOWN_PRIVILEGE },
 546      { "SeUndockPrivilege", SE_UNDOCK_PRIVILEGE },
 547      { "SeSyncAgentPrivilege", SE_SYNC_AGENT_PRIVILEGE },
 548      { "SeEnableDelegationPrivilege", SE_ENABLE_DELEGATION_PRIVILEGE },
 549      { "SeManageVolumePrivilege", SE_MANAGE_VOLUME_PRIVILEGE },
 550      { "SeImpersonatePrivilege", SE_IMPERSONATE_PRIVILEGE },
 551      { "SeCreateGlobalPrivilege", SE_CREATE_GLOBAL_PRIVILEGE },
 552     };
 553     BOOL (WINAPI *pLookupPrivilegeValueA)(LPCSTR, LPCSTR, PLUID);
 554     int i;
 555     LUID luid;
 556     BOOL ret;
 557
 558     /* check whether it's available first */
 559     pLookupPrivilegeValueA = (void*)GetProcAddress(hmod, "LookupPrivilegeValueA");
 560     if (!pLookupPrivilegeValueA) return;
 561     ret = pLookupPrivilegeValueA(NULL, "SeCreateTokenPrivilege", &luid);
 562     if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
 563         return;
 564
 565     /* check a bogus system name */
 566     ret = pLookupPrivilegeValueA("b0gu5.Nam3", "SeCreateTokenPrivilege", &luid);
 567     ok( !ret && GetLastError() == RPC_S_SERVER_UNAVAILABLE,
 568      "LookupPrivilegeValueA didn't fail with RPC_S_SERVER_UNAVAILABLE: %ld\n",
 569      GetLastError());
 570     /* check a NULL string */
 571     ret = pLookupPrivilegeValueA(NULL, 0, &luid);
 572     ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
 573      "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %ld\n",
 574      GetLastError());
 575     /* check a bogus privilege name */
 576     ret = pLookupPrivilegeValueA(NULL, "SeBogusPrivilege", &luid);
 577     ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
 578      "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %ld\n",
 579      GetLastError());
 580     /* check case insensitive */
 581     ret = pLookupPrivilegeValueA(NULL, "sEcREATEtOKENpRIVILEGE", &luid);
 582     ok( ret,
 583      "LookupPrivilegeValueA(NULL, sEcREATEtOKENpRIVILEGE, &luid) failed: %ld\n",
 584      GetLastError());
 585     for (i = 0; i < sizeof(privs) / sizeof(privs[0]); i++)
 586     {
 587         /* Not all privileges are implemented on all Windows versions, so
 588          * don't worry if the call fails
 589          */
 590         if (pLookupPrivilegeValueA(NULL, privs[i].name, &luid))
 591         {
 592             ok(luid.LowPart == privs[i].lowPart,
 593              "LookupPrivilegeValueA returned an invalid LUID for %s\n",
 594              privs[i].name);
 595         }
 596     }
 597 }
 598
 599 static void test_luid(void)
 600 {
 601     test_allocateLuid();
 602     test_lookupPrivilegeName();
 603     test_lookupPrivilegeValue();
 604 }
 605
 606 static void test_FileSecurity(void)
 607 {
 608     char directory[MAX_PATH];
 609     DWORD retval, outSize;
 610     BOOL result;
 611     BYTE buffer[0x40];
 612
 613     pGetFileSecurityA = (fnGetFileSecurityA)
 614                     GetProcAddress( hmod, "GetFileSecurityA" );
 615     if( !pGetFileSecurityA )
 616         return;
 617
 618     retval = GetTempPathA(sizeof(directory), directory);
 619     if (!retval) {
 620         trace("GetTempPathA failed\n");
 621         return;
 622     }
 623
 624     strcpy(directory, "\\Should not exist");
 625
 626     SetLastError(NO_ERROR);
 627     result = pGetFileSecurityA( directory,OWNER_SECURITY_INFORMATION,buffer,0x40,&outSize);
 628     ok(!result, "GetFileSecurityA should fail for not existing directories/files\n");
 629     ok( (GetLastError() == ERROR_FILE_NOT_FOUND ) ||
 630         (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED) ,
 631         "last error ERROR_FILE_NOT_FOUND / ERROR_CALL_NOT_IMPLEMENTED (98) "
 632         "expected, got %ld\n", GetLastError());
 633 }
 634
 635 static void test_AccessCheck(void)
 636 {
 637     PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
 638     PACL Acl = NULL;
 639     SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
 640     SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
 641     SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
 642     GENERIC_MAPPING Mapping = { KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS };
 643     ACCESS_MASK Access;
 644     BOOL AccessStatus;
 645     HANDLE Token;
 646     BOOL ret;
 647     DWORD PrivSetLen;
 648     PRIVILEGE_SET *PrivSet;
 649     BOOL res;
 650     HMODULE NtDllModule;
 651     BOOLEAN Enabled;
 652
 653     NtDllModule = GetModuleHandle("ntdll.dll");
 654
 655     if (!NtDllModule)
 656     {
 657         trace("not running on NT, skipping test\n");
 658         return;
 659     }
 660     pRtlAdjustPrivilege = (fnRtlAdjustPrivilege)
 661                           GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
 662     if (!pRtlAdjustPrivilege) return;
 663
 664     Acl = HeapAlloc(GetProcessHeap(), 0, 256);
 665     res = InitializeAcl(Acl, 256, ACL_REVISION);
 666     if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
 667     {
 668         trace("ACLs not implemented - skipping tests\n");
 669         return;
 670     }
 671     ok(res, "InitializeAcl failed with error %ld\n", GetLastError());
 672
 673     res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
 674     ok(res, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
 675
 676     res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
 677         DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
 678     ok(res, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
 679
 680     res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
 681         DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
 682     ok(res, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
 683
 684     res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
 685     ok(res, "AddAccessAllowedAceEx failed with error %ld\n", GetLastError());
 686
 687     res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_ALL_ACCESS, AdminSid);
 688     ok(res, "AddAccessAllowedAceEx failed with error %ld\n", GetLastError());
 689
 690     SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
 691
 692     res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
 693     ok(res, "InitializeSecurityDescriptor failed with error %ld\n", GetLastError());
 694
 695     res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
 696     ok(res, "SetSecurityDescriptorDacl failed with error %ld\n", GetLastError());
 697
 698     res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
 699     ok(res, "SetSecurityDescriptorOwner failed with error %ld\n", GetLastError());
 700
 701     res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
 702     ok(res, "SetSecurityDescriptorGroup failed with error %ld\n", GetLastError());
 703
 704     PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
 705     PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
 706     PrivSet->PrivilegeCount = 16;
 707
 708     ImpersonateSelf(SecurityImpersonation);
 709
 710     pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
 711
 712     ret = OpenThreadToken(GetCurrentThread(),
 713                           TOKEN_QUERY, TRUE, &Token);
 714     ok(ret, "OpenThreadToken failed with error %ld\n", GetLastError());
 715
 716     ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
 717                       PrivSet, &PrivSetLen, &Access, &AccessStatus);
 718     ok(ret, "AccessCheck failed with error %ld\n", GetLastError());
 719     ok(AccessStatus && (Access == KEY_READ),
 720         "AccessCheck failed to grant access with error %ld\n",
 721         GetLastError());
 722
 723     ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
 724                       PrivSet, &PrivSetLen, &Access, &AccessStatus);
 725     ok(ret, "AccessCheck failed with error %ld\n", GetLastError());
 726     ok(AccessStatus,
 727         "AccessCheck failed to grant any access with error %ld\n",
 728         GetLastError());
 729     trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08lx\n", Access);
 730
 731     SetLastError(0);
 732     PrivSet->PrivilegeCount = 16;
 733     ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
 734                       PrivSet, &PrivSetLen, &Access, &AccessStatus);
 735     ok(ret && !AccessStatus && GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
 736         "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %ld\n",
 737         GetLastError());
 738
 739     ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
 740     if (!ret)
 741     {
 742         SetLastError(0);
 743         PrivSet->PrivilegeCount = 16;
 744         ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
 745                           PrivSet, &PrivSetLen, &Access, &AccessStatus);
 746         ok(ret && AccessStatus && GetLastError() == 0,
 747             "AccessCheck should have succeeded, error %ld\n",
 748             GetLastError());
 749         ok(Access == ACCESS_SYSTEM_SECURITY,
 750             "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08lx\n",
 751             Access);
 752     }
 753     else
 754         trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
 755             ret);
 756
 757     RevertToSelf();
 758
 759     if (EveryoneSid)
 760         FreeSid(EveryoneSid);
 761     if (AdminSid)
 762         FreeSid(AdminSid);
 763     if (UsersSid)
 764         FreeSid(UsersSid);
 765     HeapFree(GetProcessHeap(), 0, Acl);
 766     HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
 767     HeapFree(GetProcessHeap(), 0, PrivSet);
 768 }
 769
 770 /* test GetTokenInformation for the various attributes */
 771 static void test_token_attr(void)
 772 {
 773     HANDLE Token;
 774     DWORD Size;
 775     TOKEN_PRIVILEGES *Privileges;
 776     TOKEN_GROUPS *Groups;
 777     TOKEN_USER *User;
 778     BOOL ret;
 779     DWORD i, GLE;
 780     LPSTR SidString;
 781
 782     if(!pConvertSidToStringSidA)
 783         return;
 784
 785     ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &Token);
 786     GLE = GetLastError();
 787     ok(ret || (GLE == ERROR_CALL_NOT_IMPLEMENTED),
 788         "OpenProcessToken failed with error %ld\n", GLE);
 789     if(!ret && (GLE == ERROR_CALL_NOT_IMPLEMENTED))
 790     {
 791         trace("OpenProcessToken() not implemented, skipping test_token_attr()\n");
 792         return;
 793     }
 794
 795     /* groups */
 796     ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size);
 797     Groups = HeapAlloc(GetProcessHeap(), 0, Size);
 798     ret = GetTokenInformation(Token, TokenGroups, Groups, Size, &Size);
 799     ok(ret, "GetTokenInformation(TokenGroups) failed with error %ld\n", GetLastError());
 800     trace("TokenGroups:\n");
 801     for (i = 0; i < Groups->GroupCount; i++)
 802     {
 803         DWORD NameLength = 255;
 804         TCHAR Name[255];
 805         DWORD DomainLength = 255;
 806         TCHAR Domain[255];
 807         SID_NAME_USE SidNameUse;
 808         pConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
 809         Name[0] = '\0';
 810         Domain[0] = '\0';
 811         ret = LookupAccountSid(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
 812         ok(ret, "LookupAccountSid(%s) failed with error %ld\n", SidString, GetLastError());
 813         trace("\t%s, %s\\%s use: %d attr: 0x%08lx\n", SidString, Domain, Name, SidNameUse, Groups->Groups[i].Attributes);
 814         LocalFree(SidString);
 815     }
 816     HeapFree(GetProcessHeap(), 0, Groups);
 817
 818     /* user */
 819     ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
 820     ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
 821         "GetTokenInformation(TokenUser) failed with error %ld\n", GetLastError());
 822     User = HeapAlloc(GetProcessHeap(), 0, Size);
 823     ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
 824     ok(ret,
 825         "GetTokenInformation(TokenUser) failed with error %ld\n", GetLastError());
 826
 827     pConvertSidToStringSidA(User->User.Sid, &SidString);
 828     trace("TokenUser: %s attr: 0x%08lx\n", SidString, User->User.Attributes);
 829     LocalFree(SidString);
 830
 831     /* privileges */
 832     ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
 833     ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
 834         "GetTokenInformation(TokenPrivileges) failed with error %ld\n", GetLastError());
 835     Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
 836     ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
 837     ok(ret,
 838         "GetTokenInformation(TokenPrivileges) failed with error %ld\n", GetLastError());
 839     trace("TokenPrivileges:\n");
 840     for (i = 0; i < Privileges->PrivilegeCount; i++)
 841     {
 842         TCHAR Name[256];
 843         DWORD NameLen = sizeof(Name)/sizeof(Name[0]);
 844         LookupPrivilegeName(NULL, &Privileges->Privileges[i].Luid, Name, &NameLen);
 845         trace("\t%s, 0x%lx\n", Name, Privileges->Privileges[i].Attributes);
 846     }
 847 }
 848
 849 static void test_LookupAccountSid(void)
 850 {
 851     SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
 852     char account[MAX_PATH], domain[MAX_PATH];
 853     DWORD acc_size, dom_size;
 854     PSID pUsersSid = NULL;
 855     SID_NAME_USE use;
 856     BOOL ret;
 857     DWORD size;
 858     union u
 859     {
 860         SID sid;
 861         char max[SECURITY_MAX_SID_SIZE];
 862     } max_sid;
 863     char *str_sid;
 864     int i;
 865
 866     /* native windows crashes if account size, domain size, or name use is NULL */
 867
 868     ret = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
 869         DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pUsersSid);
 870     ok(ret, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
 871
 872     /* try NULL account */
 873     acc_size = MAX_PATH;
 874     dom_size = MAX_PATH;
 875     ret = LookupAccountSid(NULL, pUsersSid, NULL, &acc_size, domain, &dom_size, &use);
 876     ok(ret, "LookupAccountSid() Expected TRUE, got FALSE\n");
 877
 878     /* try NULL domain */
 879     acc_size = MAX_PATH;
 880     dom_size = MAX_PATH;
 881     ret = LookupAccountSid(NULL, pUsersSid, account, &acc_size, NULL, &dom_size, &use);
 882     ok(ret, "LookupAccountSid() Expected TRUE, got FALSE\n");
 883
 884     pCreateWellKnownSid = (fnCreateWellKnownSid)GetProcAddress( hmod, "CreateWellKnownSid" );
 885
 886     if (pCreateWellKnownSid && pConvertSidToStringSidA)
 887     {
 888         trace("Well Known SIDs:\n");
 889         for (i = 0; i <= 60; i++)
 890         {
 891             size = SECURITY_MAX_SID_SIZE;
 892             if (pCreateWellKnownSid(i, NULL, &max_sid.sid, &size))
 893             {
 894                 if (pConvertSidToStringSidA(&max_sid.sid, &str_sid))
 895                 {
 896                     acc_size = MAX_PATH;
 897                     dom_size = MAX_PATH;
 898                     if (LookupAccountSid(NULL, &max_sid.sid, account, &acc_size, domain, &dom_size, &use))
 899                         trace(" %d: %s %s\\%s %d\n", i, str_sid, domain, account, use);
 900                     LocalFree(str_sid);
 901                 }
 902             }
 903             else
 904                 trace(" CreateWellKnownSid(%d) failed: %ld\n", i, GetLastError());
 905         }
 906
 907         pLsaQueryInformationPolicy = (fnLsaQueryInformationPolicy)GetProcAddress( hmod, "LsaQueryInformationPolicy");
 908         pLsaOpenPolicy = (fnLsaOpenPolicy)GetProcAddress( hmod, "LsaOpenPolicy");
 909         pLsaFreeMemory = (fnLsaFreeMemory)GetProcAddress( hmod, "LsaFreeMemory");
 910         pLsaClose = (fnLsaClose)GetProcAddress( hmod, "LsaClose");
 911
 912         if (pLsaQueryInformationPolicy && pLsaOpenPolicy && pLsaFreeMemory && pLsaClose)
 913         {
 914             NTSTATUS status;
 915             LSA_HANDLE handle;
 916             LSA_OBJECT_ATTRIBUTES object_attributes;
 917
 918             ZeroMemory(&object_attributes, sizeof(object_attributes));
 919
 920             status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_ALL_ACCESS, &handle);
 921             ok(status == STATUS_SUCCESS, "LsaOpenPolicy() returned 0x%08lx\n", status);
 922
 923             if (status == STATUS_SUCCESS)
 924             {
 925                 PPOLICY_ACCOUNT_DOMAIN_INFO info;
 926                 status = pLsaQueryInformationPolicy(handle, PolicyAccountDomainInformation, (PVOID*)&info);
 927                 ok(status == STATUS_SUCCESS, "LsaQueryInformationPolicy() failed, returned 0x%08lx\n", status);
 928                 if (status == STATUS_SUCCESS)
 929                 {
 930                     ok(info->DomainSid!=0, "LsaQueryInformationPolicy(PolicyAccountDomainInformation) missing SID\n");
 931                     if (info->DomainSid)
 932                     {
 933                         int count = *GetSidSubAuthorityCount(info->DomainSid);
 934                         int len = GetSidLengthRequired(count);
 935
 936                         CopySid(len, &max_sid, info->DomainSid);
 937
 938                         ret = pConvertSidToStringSidA(&max_sid.sid, &str_sid);
 939                         ok(ret, "ConvertSidToStringSidA() failed: %ld\n", GetLastError());
 940                         if (ret)
 941                         {
 942                             acc_size = MAX_PATH;
 943                             dom_size = MAX_PATH;
 944                             ret = LookupAccountSid(NULL, &max_sid.sid, account, &acc_size, domain, &dom_size, &use);
 945                             ok(ret, "LookupAccountSid(%s) failed: %ld\n", str_sid, GetLastError());
 946                             if (ret)
 947                                 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
 948                             LocalFree(str_sid);
 949                         }
 950
 951                         max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_ADMIN;
 952                         max_sid.sid.SubAuthorityCount = count + 1;
 953
 954                         ret = pConvertSidToStringSidA(&max_sid.sid, &str_sid);
 955                         ok(ret, "ConvertSidToStringSidA() failed: %ld\n", GetLastError());
 956                         if (ret)
 957                         {
 958                             acc_size = MAX_PATH;
 959                             dom_size = MAX_PATH;
 960                             ret = LookupAccountSid(NULL, &max_sid.sid, account, &acc_size, domain, &dom_size, &use);
 961                             ok(ret, "LookupAccountSid(%s) failed: %ld\n", str_sid, GetLastError());
 962                             if (ret)
 963                                 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
 964                             LocalFree(str_sid);
 965                         }
 966
 967                         max_sid.sid.SubAuthority[count] = DOMAIN_USER_RID_GUEST;
 968                         max_sid.sid.SubAuthorityCount = count + 1;
 969
 970                         ret = pConvertSidToStringSidA(&max_sid.sid, &str_sid);
 971                         ok(ret, "ConvertSidToStringSidA() failed: %ld\n", GetLastError());
 972                         if (ret)
 973                         {
 974                             acc_size = MAX_PATH;
 975                             dom_size = MAX_PATH;
 976                             ret = LookupAccountSid(NULL, &max_sid.sid, account, &acc_size, domain, &dom_size, &use);
 977                             ok(ret, "LookupAccountSid(%s) failed: %ld\n", str_sid, GetLastError());
 978                             if (ret)
 979                                 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
 980                             LocalFree(str_sid);
 981                         }
 982
 983                         max_sid.sid.SubAuthority[count] = 1000;
 984                         max_sid.sid.SubAuthorityCount = count + 1;
 985
 986                         ret = pConvertSidToStringSidA(&max_sid.sid, &str_sid);
 987                         ok(ret, "ConvertSidToStringSidA() failed: %ld\n", GetLastError());
 988                         if (ret)
 989                         {
 990                             acc_size = MAX_PATH;
 991                             dom_size = MAX_PATH;
 992                             ret = LookupAccountSid(NULL, &max_sid.sid, account, &acc_size, domain, &dom_size, &use);
 993                             /* this can fail if no user accounts exist */
 994                             if (ret)
 995                                 trace(" %s %s\\%s %d\n", str_sid, domain, account, use);
 996                             else
 997                                 trace("LookupAccountSid(%s) failed: %ld\n", str_sid, GetLastError());
 998                             LocalFree(str_sid);
 999                         }
1000                     }
1001
1002                     pLsaFreeMemory((LPVOID)info);
1003                 }
1004
1005                 status = pLsaClose(handle);
1006                 ok(status == STATUS_SUCCESS, "LsaClose() failed, returned 0x%08lx\n", status);
1007             }
1008         }
1009     }
1010 }
1011
1012 START_TEST(security)
1013 {
1014     init();
1015     if (!hmod) return;
1016     test_sid();
1017     test_trustee();
1018     test_luid();
1019     test_FileSecurity();
1020     test_AccessCheck();
1021     test_token_attr();
1022     test_LookupAccountSid();
1023 }