2 * Unit tests for security functions
4 * Copyright (c) 2004 Mike McCormack
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
23 #include "wine/test.h"
31 typedef VOID (WINAPI *fnBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
32 typedef VOID (WINAPI *fnBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
33 typedef VOID (WINAPI *fnBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
34 POBJECTS_AND_NAME_A pObjName,
35 SE_OBJECT_TYPE ObjectType,
37 LPSTR InheritedObjectTypeName,
39 typedef VOID (WINAPI *fnBuildTrusteeWithObjectsAndSidA)( PTRUSTEEA pTrustee,
40 POBJECTS_AND_SID pObjSid,
42 GUID* pInheritedObjectGuid,
44 typedef LPSTR (WINAPI *fnGetTrusteeNameA)( PTRUSTEEA pTrustee );
45 typedef BOOL (WINAPI *fnConvertSidToStringSidA)( PSID pSid, LPSTR *str );
46 typedef BOOL (WINAPI *fnConvertStringSidToSidA)( LPCSTR str, PSID pSid );
47 typedef BOOL (WINAPI *fnGetFileSecurityA)(LPCSTR, SECURITY_INFORMATION,
48 PSECURITY_DESCRIPTOR, DWORD, LPDWORD);
49 typedef DWORD (WINAPI *fnRtlAdjustPrivilege)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
53 fnBuildTrusteeWithSidA pBuildTrusteeWithSidA;
54 fnBuildTrusteeWithNameA pBuildTrusteeWithNameA;
55 fnBuildTrusteeWithObjectsAndNameA pBuildTrusteeWithObjectsAndNameA;
56 fnBuildTrusteeWithObjectsAndSidA pBuildTrusteeWithObjectsAndSidA;
57 fnGetTrusteeNameA pGetTrusteeNameA;
58 fnConvertSidToStringSidA pConvertSidToStringSidA;
59 fnConvertStringSidToSidA pConvertStringSidToSidA;
60 fnGetFileSecurityA pGetFileSecurityA;
61 fnRtlAdjustPrivilege pRtlAdjustPrivilege;
65 SID_IDENTIFIER_AUTHORITY auth;
69 static void init(void)
71 hmod = GetModuleHandle("advapi32.dll");
74 static void test_sid(void)
76 struct sidRef refs[] = {
77 { { {0x00,0x00,0x33,0x44,0x55,0x66} }, "S-1-860116326-1" },
78 { { {0x00,0x00,0x01,0x02,0x03,0x04} }, "S-1-16909060-1" },
79 { { {0x00,0x00,0x00,0x01,0x02,0x03} }, "S-1-66051-1" },
80 { { {0x00,0x00,0x00,0x00,0x01,0x02} }, "S-1-258-1" },
81 { { {0x00,0x00,0x00,0x00,0x00,0x02} }, "S-1-2-1" },
82 { { {0x00,0x00,0x00,0x00,0x00,0x0c} }, "S-1-12-1" },
84 const char noSubAuthStr[] = "S-1-5";
90 pConvertSidToStringSidA = (fnConvertSidToStringSidA)
91 GetProcAddress( hmod, "ConvertSidToStringSidA" );
92 if( !pConvertSidToStringSidA )
94 pConvertStringSidToSidA = (fnConvertStringSidToSidA)
95 GetProcAddress( hmod, "ConvertStringSidToSidA" );
96 if( !pConvertStringSidToSidA )
99 r = pConvertStringSidToSidA( NULL, NULL );
100 ok( !r, "expected failure with NULL parameters\n" );
101 if( GetLastError() == ERROR_CALL_NOT_IMPLEMENTED )
103 ok( GetLastError() == ERROR_INVALID_PARAMETER,
104 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %ld\n",
107 r = pConvertStringSidToSidA( refs[0].refStr, NULL );
108 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
109 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %ld\n",
112 r = pConvertStringSidToSidA( NULL, &str );
113 ok( !r && GetLastError() == ERROR_INVALID_PARAMETER,
114 "expected GetLastError() is ERROR_INVALID_PARAMETER, got %ld\n",
117 r = pConvertStringSidToSidA( noSubAuthStr, &psid );
119 "expected failure with no sub authorities\n" );
120 ok( GetLastError() == ERROR_INVALID_SID,
121 "expected GetLastError() is ERROR_INVALID_SID, got %ld\n",
124 for( i = 0; i < sizeof(refs) / sizeof(refs[0]); i++ )
128 r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
130 ok( r, "failed to allocate sid\n" );
131 r = pConvertSidToStringSidA( psid, &str );
132 ok( r, "failed to convert sid\n" );
135 ok( !strcmp( str, refs[i].refStr ),
136 "incorrect sid, expected %s, got %s\n", refs[i].refStr, str );
142 r = pConvertStringSidToSidA( refs[i].refStr, &psid );
143 ok( r, "failed to parse sid string\n" );
146 !memcmp( pisid->IdentifierAuthority.Value, refs[i].auth.Value,
147 sizeof(refs[i].auth) ),
148 "string sid %s didn't parse to expected value\n"
149 "(got 0x%04x%08lx, expected 0x%04x%08lx)\n",
151 MAKEWORD( pisid->IdentifierAuthority.Value[1],
152 pisid->IdentifierAuthority.Value[0] ),
153 MAKELONG( MAKEWORD( pisid->IdentifierAuthority.Value[5],
154 pisid->IdentifierAuthority.Value[4] ),
155 MAKEWORD( pisid->IdentifierAuthority.Value[3],
156 pisid->IdentifierAuthority.Value[2] ) ),
157 MAKEWORD( refs[i].auth.Value[1], refs[i].auth.Value[0] ),
158 MAKELONG( MAKEWORD( refs[i].auth.Value[5], refs[i].auth.Value[4] ),
159 MAKEWORD( refs[i].auth.Value[3], refs[i].auth.Value[2] ) ) );
165 static void test_trustee(void)
167 GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}};
168 GUID InheritedObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}};
170 OBJECTS_AND_NAME_ oan;
174 char szObjectTypeName[] = "ObjectTypeName";
175 char szInheritedObjectTypeName[] = "InheritedObjectTypeName";
176 char szTrusteeName[] = "szTrusteeName";
177 SID_IDENTIFIER_AUTHORITY auth = { {0x11,0x22,0,0,0, 0} };
179 memset( &ZeroGuid, 0x00, sizeof (ZeroGuid) );
181 pBuildTrusteeWithSidA = (fnBuildTrusteeWithSidA)
182 GetProcAddress( hmod, "BuildTrusteeWithSidA" );
183 pBuildTrusteeWithNameA = (fnBuildTrusteeWithNameA)
184 GetProcAddress( hmod, "BuildTrusteeWithNameA" );
185 pBuildTrusteeWithObjectsAndNameA = (fnBuildTrusteeWithObjectsAndNameA)
186 GetProcAddress (hmod, "BuildTrusteeWithObjectsAndNameA" );
187 pBuildTrusteeWithObjectsAndSidA = (fnBuildTrusteeWithObjectsAndSidA)
188 GetProcAddress (hmod, "BuildTrusteeWithObjectsAndSidA" );
189 pGetTrusteeNameA = (fnGetTrusteeNameA)
190 GetProcAddress (hmod, "GetTrusteeNameA" );
191 if( !pBuildTrusteeWithSidA || !pBuildTrusteeWithNameA ||
192 !pBuildTrusteeWithObjectsAndNameA || !pBuildTrusteeWithObjectsAndSidA ||
196 if ( ! AllocateAndInitializeSid( &auth, 1, 42, 0,0,0,0,0,0,0,&psid ) )
198 trace( "failed to init SID\n" );
202 /* test BuildTrusteeWithSidA */
203 memset( &trustee, 0xff, sizeof trustee );
204 pBuildTrusteeWithSidA( &trustee, psid );
206 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
207 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
208 "MultipleTrusteeOperation wrong\n");
209 ok( trustee.TrusteeForm == TRUSTEE_IS_SID, "TrusteeForm wrong\n");
210 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
211 ok( trustee.ptstrName == (LPSTR) psid, "ptstrName wrong\n" );
213 /* test BuildTrusteeWithObjectsAndSidA (test 1) */
214 memset( &trustee, 0xff, sizeof trustee );
215 memset( &oas, 0xff, sizeof(oas) );
216 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, &ObjectType,
217 &InheritedObjectType, psid);
219 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
220 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
221 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
222 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
223 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
225 ok(oas.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
226 ok(!memcmp(&oas.ObjectTypeGuid, &ObjectType, sizeof(GUID)), "ObjectTypeGuid wrong\n");
227 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
228 ok(oas.pSid == psid, "pSid wrong\n");
230 /* test GetTrusteeNameA */
231 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oas, "GetTrusteeName returned wrong value\n");
233 /* test BuildTrusteeWithObjectsAndSidA (test 2) */
234 memset( &trustee, 0xff, sizeof trustee );
235 memset( &oas, 0xff, sizeof(oas) );
236 pBuildTrusteeWithObjectsAndSidA(&trustee, &oas, NULL,
237 &InheritedObjectType, psid);
239 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
240 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
241 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_SID, "TrusteeForm wrong\n");
242 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
243 ok(trustee.ptstrName == (LPSTR)&oas, "ptstrName wrong\n");
245 ok(oas.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
246 ok(!memcmp(&oas.ObjectTypeGuid, &ZeroGuid, sizeof(GUID)), "ObjectTypeGuid wrong\n");
247 ok(!memcmp(&oas.InheritedObjectTypeGuid, &InheritedObjectType, sizeof(GUID)), "InheritedObjectTypeGuid wrong\n");
248 ok(oas.pSid == psid, "pSid wrong\n");
252 /* test BuildTrusteeWithNameA */
253 memset( &trustee, 0xff, sizeof trustee );
254 pBuildTrusteeWithNameA( &trustee, szTrusteeName );
256 ok( trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
257 ok( trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE,
258 "MultipleTrusteeOperation wrong\n");
259 ok( trustee.TrusteeForm == TRUSTEE_IS_NAME, "TrusteeForm wrong\n");
260 ok( trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
261 ok( trustee.ptstrName == szTrusteeName, "ptstrName wrong\n" );
263 /* test BuildTrusteeWithObjectsAndNameA (test 1) */
264 memset( &trustee, 0xff, sizeof trustee );
265 memset( &oan, 0xff, sizeof(oan) );
266 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
267 szInheritedObjectTypeName, szTrusteeName);
269 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
270 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
271 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
272 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
273 ok(trustee.ptstrName == (LPTSTR)&oan, "ptstrName wrong\n");
275 ok(oan.ObjectsPresent == (ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT), "ObjectsPresent wrong\n");
276 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
277 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
278 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
280 /* test GetTrusteeNameA */
281 ok(pGetTrusteeNameA(&trustee) == (LPSTR)&oan, "GetTrusteeName returned wrong value\n");
283 /* test BuildTrusteeWithObjectsAndNameA (test 2) */
284 memset( &trustee, 0xff, sizeof trustee );
285 memset( &oan, 0xff, sizeof(oan) );
286 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, NULL,
287 szInheritedObjectTypeName, szTrusteeName);
289 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
290 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
291 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
292 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
293 ok(trustee.ptstrName == (LPSTR)&oan, "ptstrName wrong\n");
295 ok(oan.ObjectsPresent == ACE_INHERITED_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
296 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
297 ok(oan.InheritedObjectTypeName == szInheritedObjectTypeName, "InheritedObjectTypeName wrong\n");
298 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
300 /* test BuildTrusteeWithObjectsAndNameA (test 3) */
301 memset( &trustee, 0xff, sizeof trustee );
302 memset( &oan, 0xff, sizeof(oan) );
303 pBuildTrusteeWithObjectsAndNameA(&trustee, &oan, SE_KERNEL_OBJECT, szObjectTypeName,
304 NULL, szTrusteeName);
306 ok(trustee.pMultipleTrustee == NULL, "pMultipleTrustee wrong\n");
307 ok(trustee.MultipleTrusteeOperation == NO_MULTIPLE_TRUSTEE, "MultipleTrusteeOperation wrong\n");
308 ok(trustee.TrusteeForm == TRUSTEE_IS_OBJECTS_AND_NAME, "TrusteeForm wrong\n");
309 ok(trustee.TrusteeType == TRUSTEE_IS_UNKNOWN, "TrusteeType wrong\n");
310 ok(trustee.ptstrName == (LPTSTR)&oan, "ptstrName wrong\n");
312 ok(oan.ObjectsPresent == ACE_OBJECT_TYPE_PRESENT, "ObjectsPresent wrong\n");
313 ok(oan.ObjectType == SE_KERNEL_OBJECT, "ObjectType wrong\n");
314 ok(oan.InheritedObjectTypeName == NULL, "InheritedObjectTypeName wrong\n");
315 ok(oan.ptstrName == szTrusteeName, "szTrusteeName wrong\n");
318 /* If the first isn't defined, assume none is */
319 #ifndef SE_MIN_WELL_KNOWN_PRIVILEGE
320 #define SE_MIN_WELL_KNOWN_PRIVILEGE 2L
321 #define SE_CREATE_TOKEN_PRIVILEGE 2L
322 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 3L
323 #define SE_LOCK_MEMORY_PRIVILEGE 4L
324 #define SE_INCREASE_QUOTA_PRIVILEGE 5L
325 #define SE_MACHINE_ACCOUNT_PRIVILEGE 6L
326 #define SE_TCB_PRIVILEGE 7L
327 #define SE_SECURITY_PRIVILEGE 8L
328 #define SE_TAKE_OWNERSHIP_PRIVILEGE 9L
329 #define SE_LOAD_DRIVER_PRIVILEGE 10L
330 #define SE_SYSTEM_PROFILE_PRIVILEGE 11L
331 #define SE_SYSTEMTIME_PRIVILEGE 12L
332 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE 13L
333 #define SE_INC_BASE_PRIORITY_PRIVILEGE 14L
334 #define SE_CREATE_PAGEFILE_PRIVILEGE 15L
335 #define SE_CREATE_PERMANENT_PRIVILEGE 16L
336 #define SE_BACKUP_PRIVILEGE 17L
337 #define SE_RESTORE_PRIVILEGE 18L
338 #define SE_SHUTDOWN_PRIVILEGE 19L
339 #define SE_DEBUG_PRIVILEGE 20L
340 #define SE_AUDIT_PRIVILEGE 21L
341 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22L
342 #define SE_CHANGE_NOTIFY_PRIVILLEGE 23L
343 #define SE_REMOTE_SHUTDOWN_PRIVILEGE 24L
344 #define SE_UNDOCK_PRIVILEGE 25L
345 #define SE_SYNC_AGENT_PRIVILEGE 26L
346 #define SE_ENABLE_DELEGATION_PRIVILEGE 27L
347 #define SE_MANAGE_VOLUME_PRIVILEGE 28L
348 #define SE_IMPERSONATE_PRIVILEGE 29L
349 #define SE_CREATE_GLOBAL_PRIVILEGE 30L
350 #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE
351 #endif /* ndef SE_MIN_WELL_KNOWN_PRIVILEGE */
353 static void test_allocateLuid(void)
355 BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
359 pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
360 if (!pAllocateLocallyUniqueId) return;
362 ret = pAllocateLocallyUniqueId(&luid1);
363 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
367 "AllocateLocallyUniqueId failed: %ld\n", GetLastError());
368 ret = pAllocateLocallyUniqueId(&luid2);
370 "AllocateLocallyUniqueId failed: %ld\n", GetLastError());
371 ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
372 "AllocateLocallyUniqueId returned a well-known LUID\n");
373 ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
374 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
375 ret = pAllocateLocallyUniqueId(NULL);
376 ok( !ret && GetLastError() == ERROR_NOACCESS,
377 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %ld\n",
381 static void test_lookupPrivilegeName(void)
383 BOOL (WINAPI *pLookupPrivilegeNameA)(LPCSTR, PLUID, LPSTR, LPDWORD);
384 char buf[MAX_PATH]; /* arbitrary, seems long enough */
385 DWORD cchName = sizeof(buf);
386 LUID luid = { 0, 0 };
390 /* check whether it's available first */
391 pLookupPrivilegeNameA = (void*)GetProcAddress(hmod, "LookupPrivilegeNameA");
392 if (!pLookupPrivilegeNameA) return;
393 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
394 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
395 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
398 /* check with a short buffer */
400 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
401 ret = pLookupPrivilegeNameA(NULL, &luid, NULL, &cchName);
402 ok( !ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
403 "LookupPrivilegeNameA didn't fail with ERROR_INSUFFICIENT_BUFFER: %ld\n",
405 ok(cchName == strlen("SeCreateTokenPrivilege") + 1,
406 "LookupPrivilegeNameA returned an incorrect required length for\n"
407 "SeCreateTokenPrivilege (got %ld, expected %d)\n", cchName,
408 lstrlenA("SeCreateTokenPrivilege") + 1);
409 /* check a known value and its returned length on success */
410 cchName = sizeof(buf);
411 ok(pLookupPrivilegeNameA(NULL, &luid, buf, &cchName) &&
412 cchName == strlen("SeCreateTokenPrivilege"),
413 "LookupPrivilegeNameA returned an incorrect output length for\n"
414 "SeCreateTokenPrivilege (got %ld, expected %d)\n", cchName,
415 (int)strlen("SeCreateTokenPrivilege"));
416 /* check known values */
417 for (i = SE_MIN_WELL_KNOWN_PRIVILEGE; i < SE_MAX_WELL_KNOWN_PRIVILEGE; i++)
420 cchName = sizeof(buf);
421 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
422 ok( ret || GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
423 "LookupPrivilegeNameA(0.%ld) failed: %ld\n", i, GetLastError());
425 /* check a bogus LUID */
426 luid.LowPart = 0xdeadbeef;
427 cchName = sizeof(buf);
428 ret = pLookupPrivilegeNameA(NULL, &luid, buf, &cchName);
429 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
430 "LookupPrivilegeNameA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %ld\n",
432 /* check on a bogus system */
433 luid.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
434 cchName = sizeof(buf);
435 ret = pLookupPrivilegeNameA("b0gu5.Nam3", &luid, buf, &cchName);
436 ok( !ret && GetLastError() == RPC_S_SERVER_UNAVAILABLE,
437 "LookupPrivilegeNameA didn't fail with RPC_S_SERVER_UNAVAILABLE: %ld\n",
447 static void test_lookupPrivilegeValue(void)
449 static const struct NameToLUID privs[] = {
450 { "SeCreateTokenPrivilege", SE_CREATE_TOKEN_PRIVILEGE },
451 { "SeAssignPrimaryTokenPrivilege", SE_ASSIGNPRIMARYTOKEN_PRIVILEGE },
452 { "SeLockMemoryPrivilege", SE_LOCK_MEMORY_PRIVILEGE },
453 { "SeIncreaseQuotaPrivilege", SE_INCREASE_QUOTA_PRIVILEGE },
454 { "SeMachineAccountPrivilege", SE_MACHINE_ACCOUNT_PRIVILEGE },
455 { "SeTcbPrivilege", SE_TCB_PRIVILEGE },
456 { "SeSecurityPrivilege", SE_SECURITY_PRIVILEGE },
457 { "SeTakeOwnershipPrivilege", SE_TAKE_OWNERSHIP_PRIVILEGE },
458 { "SeLoadDriverPrivilege", SE_LOAD_DRIVER_PRIVILEGE },
459 { "SeSystemProfilePrivilege", SE_SYSTEM_PROFILE_PRIVILEGE },
460 { "SeSystemtimePrivilege", SE_SYSTEMTIME_PRIVILEGE },
461 { "SeProfileSingleProcessPrivilege", SE_PROF_SINGLE_PROCESS_PRIVILEGE },
462 { "SeIncreaseBasePriorityPrivilege", SE_INC_BASE_PRIORITY_PRIVILEGE },
463 { "SeCreatePagefilePrivilege", SE_CREATE_PAGEFILE_PRIVILEGE },
464 { "SeCreatePermanentPrivilege", SE_CREATE_PERMANENT_PRIVILEGE },
465 { "SeBackupPrivilege", SE_BACKUP_PRIVILEGE },
466 { "SeRestorePrivilege", SE_RESTORE_PRIVILEGE },
467 { "SeShutdownPrivilege", SE_SHUTDOWN_PRIVILEGE },
468 { "SeDebugPrivilege", SE_DEBUG_PRIVILEGE },
469 { "SeAuditPrivilege", SE_AUDIT_PRIVILEGE },
470 { "SeSystemEnvironmentPrivilege", SE_SYSTEM_ENVIRONMENT_PRIVILEGE },
471 { "SeChangeNotifyPrivilege", SE_CHANGE_NOTIFY_PRIVILLEGE },
472 { "SeRemoteShutdownPrivilege", SE_REMOTE_SHUTDOWN_PRIVILEGE },
473 { "SeUndockPrivilege", SE_UNDOCK_PRIVILEGE },
474 { "SeSyncAgentPrivilege", SE_SYNC_AGENT_PRIVILEGE },
475 { "SeEnableDelegationPrivilege", SE_ENABLE_DELEGATION_PRIVILEGE },
476 { "SeManageVolumePrivilege", SE_MANAGE_VOLUME_PRIVILEGE },
477 { "SeImpersonatePrivilege", SE_IMPERSONATE_PRIVILEGE },
478 { "SeCreateGlobalPrivilege", SE_CREATE_GLOBAL_PRIVILEGE },
480 BOOL (WINAPI *pLookupPrivilegeValueA)(LPCSTR, LPCSTR, PLUID);
485 /* check whether it's available first */
486 pLookupPrivilegeValueA = (void*)GetProcAddress(hmod, "LookupPrivilegeValueA");
487 if (!pLookupPrivilegeValueA) return;
488 ret = pLookupPrivilegeValueA(NULL, "SeCreateTokenPrivilege", &luid);
489 if (!ret && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
492 /* check a bogus system name */
493 ret = pLookupPrivilegeValueA("b0gu5.Nam3", "SeCreateTokenPrivilege", &luid);
494 ok( !ret && GetLastError() == RPC_S_SERVER_UNAVAILABLE,
495 "LookupPrivilegeValueA didn't fail with RPC_S_SERVER_UNAVAILABLE: %ld\n",
497 /* check a NULL string */
498 ret = pLookupPrivilegeValueA(NULL, 0, &luid);
499 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
500 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %ld\n",
502 /* check a bogus privilege name */
503 ret = pLookupPrivilegeValueA(NULL, "SeBogusPrivilege", &luid);
504 ok( !ret && GetLastError() == ERROR_NO_SUCH_PRIVILEGE,
505 "LookupPrivilegeValueA didn't fail with ERROR_NO_SUCH_PRIVILEGE: %ld\n",
507 /* check case insensitive */
508 ret = pLookupPrivilegeValueA(NULL, "sEcREATEtOKENpRIVILEGE", &luid);
510 "LookupPrivilegeValueA(NULL, sEcREATEtOKENpRIVILEGE, &luid) failed: %ld\n",
512 for (i = 0; i < sizeof(privs) / sizeof(privs[0]); i++)
514 /* Not all privileges are implemented on all Windows versions, so
515 * don't worry if the call fails
517 if (pLookupPrivilegeValueA(NULL, privs[i].name, &luid))
519 ok(luid.LowPart == privs[i].lowPart,
520 "LookupPrivilegeValueA returned an invalid LUID for %s\n",
526 static void test_luid(void)
529 test_lookupPrivilegeName();
530 test_lookupPrivilegeValue();
533 static void test_FileSecurity(void)
535 char directory[MAX_PATH];
536 DWORD retval, outSize;
540 pGetFileSecurityA = (fnGetFileSecurityA)
541 GetProcAddress( hmod, "GetFileSecurityA" );
542 if( !pGetFileSecurityA )
545 retval = GetTempPathA(sizeof(directory), directory);
547 trace("GetTempPathA failed\n");
551 strcpy(directory, "\\Should not exist");
553 SetLastError(NO_ERROR);
554 result = pGetFileSecurityA( directory,OWNER_SECURITY_INFORMATION,buffer,0x40,&outSize);
555 ok(!result, "GetFileSecurityA should fail for not existing directories/files\n");
556 ok( (GetLastError() == ERROR_FILE_NOT_FOUND ) ||
557 (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED) ,
558 "last error ERROR_FILE_NOT_FOUND / ERROR_CALL_NOT_IMPLEMENTED (98) "
559 "expected, got %ld\n", GetLastError());
562 static void test_AccessCheck(void)
564 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
566 SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
567 SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
568 SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
569 GENERIC_MAPPING Mapping = { KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS };
575 PRIVILEGE_SET *PrivSet;
580 NtDllModule = GetModuleHandle("ntdll.dll");
584 trace("not running on NT, skipping test\n");
587 pRtlAdjustPrivilege = (fnRtlAdjustPrivilege)
588 GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
589 if (!pRtlAdjustPrivilege) return;
591 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
592 res = InitializeAcl(Acl, 256, ACL_REVISION);
593 if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
595 trace("ACLs not implemented - skipping tests\n");
598 ok(res, "InitializeAcl failed with error %ld\n", GetLastError());
600 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
601 ok(res, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
603 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
604 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
605 ok(res, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
607 res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
608 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
609 ok(res, "AllocateAndInitializeSid failed with error %ld\n", GetLastError());
611 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
612 ok(res, "AddAccessAllowedAceEx failed with error %ld\n", GetLastError());
614 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_ALL_ACCESS, AdminSid);
615 ok(res, "AddAccessAllowedAceEx failed with error %ld\n", GetLastError());
617 SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
619 res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
620 ok(res, "InitializeSecurityDescriptor failed with error %ld\n", GetLastError());
622 res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
623 ok(res, "SetSecurityDescriptorDacl failed with error %ld\n", GetLastError());
625 res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
626 ok(res, "SetSecurityDescriptorOwner failed with error %ld\n", GetLastError());
628 res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
629 ok(res, "SetSecurityDescriptorGroup failed with error %ld\n", GetLastError());
631 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
632 PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
633 PrivSet->PrivilegeCount = 16;
635 ImpersonateSelf(SecurityImpersonation);
637 pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
639 ret = OpenThreadToken(GetCurrentThread(),
640 TOKEN_QUERY, TRUE, &Token);
641 ok(ret, "OpenThreadToken failed with error %ld\n", GetLastError());
643 ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
644 PrivSet, &PrivSetLen, &Access, &AccessStatus);
645 ok(ret, "AccessCheck failed with error %ld\n", GetLastError());
646 ok(AccessStatus && (Access == KEY_READ),
647 "AccessCheck failed to grant access with error %ld\n",
650 ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
651 PrivSet, &PrivSetLen, &Access, &AccessStatus);
652 ok(ret, "AccessCheck failed with error %ld\n", GetLastError());
654 "AccessCheck failed to grant any access with error %ld\n",
656 trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08lx\n", Access);
659 PrivSet->PrivilegeCount = 16;
660 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
661 PrivSet, &PrivSetLen, &Access, &AccessStatus);
662 ok(ret && !AccessStatus && GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
663 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %ld\n",
666 ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
670 PrivSet->PrivilegeCount = 16;
671 ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
672 PrivSet, &PrivSetLen, &Access, &AccessStatus);
673 ok(ret && AccessStatus && GetLastError() == 0,
674 "AccessCheck should have succeeded, error %ld\n",
676 ok(Access == ACCESS_SYSTEM_SECURITY,
677 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08lx\n",
681 trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
687 FreeSid(EveryoneSid);
692 HeapFree(GetProcessHeap(), 0, Acl);
693 HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
694 HeapFree(GetProcessHeap(), 0, PrivSet);
697 /* test GetTokenInformation for the various attributes */
698 static void test_token_attr(void)
702 TOKEN_PRIVILEGES *Privileges;
703 TOKEN_GROUPS *Groups;
709 ret = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &Token);
710 GLE = GetLastError();
711 ok(ret || (GLE == ERROR_CALL_NOT_IMPLEMENTED),
712 "OpenProcessToken failed with error %ld\n", GLE);
713 if(!ret && (GLE == ERROR_CALL_NOT_IMPLEMENTED))
715 trace("OpenProcessToken() not implemented, skipping test_token_attr()\n");
720 ret = GetTokenInformation(Token, TokenGroups, NULL, 0, &Size);
721 Groups = HeapAlloc(GetProcessHeap(), 0, Size);
722 ret = GetTokenInformation(Token, TokenGroups, Groups, Size, &Size);
723 ok(ret, "GetTokenInformation(TokenGroups) failed with error %ld\n", GetLastError());
724 trace("TokenGroups:\n");
725 for (i = 0; i < Groups->GroupCount; i++)
727 DWORD NameLength = 255;
729 DWORD DomainLength = 255;
731 SID_NAME_USE SidNameUse;
732 pConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
735 ret = LookupAccountSid(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
736 ok(ret, "LookupAccountSid failed with error %ld\n", GetLastError());
737 trace("\t%s, %s\\%s attr: 0x%08lx\n", SidString, Domain, Name, Groups->Groups[i].Attributes);
738 LocalFree(SidString);
742 ret = GetTokenInformation(Token, TokenUser, NULL, 0, &Size);
743 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
744 "GetTokenInformation(TokenUser) failed with error %ld\n", GetLastError());
745 User = HeapAlloc(GetProcessHeap(), 0, Size);
746 ret = GetTokenInformation(Token, TokenUser, User, Size, &Size);
748 "GetTokenInformation(TokenUser) failed with error %ld\n", GetLastError());
750 pConvertSidToStringSidA(User->User.Sid, &SidString);
751 trace("TokenUser: %s attr: 0x%08lx\n", SidString, User->User.Attributes);
752 LocalFree(SidString);
755 ret = GetTokenInformation(Token, TokenPrivileges, NULL, 0, &Size);
756 ok(!ret && (GetLastError() == ERROR_INSUFFICIENT_BUFFER),
757 "GetTokenInformation(TokenPrivileges) failed with error %ld\n", GetLastError());
758 Privileges = HeapAlloc(GetProcessHeap(), 0, Size);
759 ret = GetTokenInformation(Token, TokenPrivileges, Privileges, Size, &Size);
761 "GetTokenInformation(TokenPrivileges) failed with error %ld\n", GetLastError());
762 trace("TokenPrivileges:\n");
763 for (i = 0; i < Privileges->PrivilegeCount; i++)
766 DWORD NameLen = sizeof(Name)/sizeof(Name[0]);
767 LookupPrivilegeName(NULL, &Privileges->Privileges[i].Luid, Name, &NameLen);
768 trace("\t%s, 0x%lx\n", Name, Privileges->Privileges[i].Attributes);
projects / wine / blob