Erich Hoover : server: Report administrator ownership by default for registry objects.

11 Apr 2013

Module: wine
Branch: master
Commit: 56c1a8b06293cfef2cb39e1f04e9e725d81982e2
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=56c1a8b06293cfef2cb39e1f04...
Author: Erich Hoover ehoover@mines.edu
Date:   Tue Mar  5 09:52:38 2013 -0700
server: Report administrator ownership by default for registry objects.
---
dlls/advapi32/tests/security.c |   31 +++++++++++++++++++++++++++----
 server/registry.c              |   25 ++++++++++++++++++++++++-
 server/security.h              |    1 +
 server/token.c                 |    8 ++++++++
 4 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index e4adab1..7dd0501 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -3005,10 +3005,12 @@ static void test_SetEntriesInAclA(void)
static void test_GetNamedSecurityInfoA(void)
 {
-    char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100], *user;
+    char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
+    char system_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES];
+    PSID admin_sid = (PSID) admin_ptr, system_sid = (PSID) system_ptr, user_sid;
     DWORD sid_size = sizeof(admin_ptr), user_size;
     char invalid_path[] = "/an invalid file path";
-    PSID admin_sid = (PSID) admin_ptr, user_sid;
+    char software_key[] = "MACHINE\Software";
     char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
     SECURITY_DESCRIPTOR_CONTROL control;
     ACL_SIZE_INFORMATION acl_size;
@@ -3113,10 +3115,10 @@ static void test_GetNamedSecurityInfoA(void)
/* Create security descriptor information and test that it comes back the same */
     pSD = &sd;
-    pDacl = (PACL)&dacl;
+    pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
     InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
     pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
-    bret = InitializeAcl(pDacl, sizeof(dacl), ACL_REVISION);
+    bret = InitializeAcl(pDacl, 100, ACL_REVISION);
     ok(bret, "Failed to initialize ACL.\n");
     bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
     ok(bret, "Failed to add Current User to ACL.\n");
@@ -3130,6 +3132,7 @@ static void test_GetNamedSecurityInfoA(void)
     SetLastError(0xdeadbeef);
     error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
                                    NULL, pDacl, NULL);
+    HeapFree(GetProcessHeap(), 0, pDacl);
     if (error != ERROR_SUCCESS && (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED))
     {
         win_skip("SetNamedSecurityInfoA is not implemented\n");
@@ -3178,6 +3181,26 @@ static void test_GetNamedSecurityInfoA(void)
     LocalFree(pSD);
     HeapFree(GetProcessHeap(), 0, user);
     CloseHandle(hTemp);
+
+    /* Test querying the ownership of a built-in registry key */
+    sid_size = sizeof(system_ptr);
+    pCreateWellKnownSid(WinLocalSystemSid, NULL, system_sid, &sid_size);
+    error = pGetNamedSecurityInfoA(software_key, SE_REGISTRY_KEY,
+                                   OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
+                                   NULL, NULL, NULL, NULL, &pSD);
+    ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
+
+    bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
+    ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+    ok(owner != NULL, "owner should not be NULL\n");
+    ok(EqualSid(owner, admin_sid), "MACHINE\Software owner SID != Administrators SID.\n");
+
+    bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
+    ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+    ok(group != NULL, "group should not be NULL\n");
+    ok(EqualSid(group, admin_sid) || broken(EqualSid(group, system_sid)) /* before Win7 */,
+       "MACHINE\Software group SID != Local System SID.\n");
+    LocalFree(pSD);
 }
static void test_ConvertStringSecurityDescriptor(void)
diff --git a/server/registry.c b/server/registry.c
index a144c26..efc2005 100644
--- a/server/registry.c
+++ b/server/registry.c
@@ -147,6 +147,7 @@ struct file_load_info
static void key_dump( struct object *obj, int verbose );
 static unsigned int key_map_access( struct object *obj, unsigned int access );
+static struct security_descriptor *key_get_sd( struct object *obj );
 static int key_close_handle( struct object *obj, struct process *process, obj_handle_t handle );
 static void key_destroy( struct object *obj );
@@ -162,7 +163,7 @@ static const struct object_ops key_ops =
     no_signal,               /* signal */
     no_get_fd,               /* get_fd */
     key_map_access,          /* map_access */
-    default_get_sd,          /* get_sd */
+    key_get_sd,              /* get_sd */
     default_set_sd,          /* set_sd */
     no_lookup_name,          /* lookup_name */
     no_open_file,            /* open_file */
@@ -336,6 +337,28 @@ static unsigned int key_map_access( struct object *obj, unsigned int access )
                       KEY_WOW64_64KEY | KEY_WOW64_32KEY);
 }
+static struct security_descriptor *key_get_sd( struct object *obj )
+{
+    static struct security_descriptor *key_default_sd;
+
+    if (obj->sd) return obj->sd;
+
+    if (!key_default_sd)
+    {
+        size_t sid_len = security_sid_len( security_builtin_admins_sid );
+
+        key_default_sd = mem_alloc( sizeof(*key_default_sd) + 2 * sid_len );
+        key_default_sd->control   = 0;
+        key_default_sd->owner_len = sid_len;
+        key_default_sd->group_len = sid_len;
+        key_default_sd->sacl_len  = 0;
+        key_default_sd->dacl_len  = 0;
+        memcpy( key_default_sd + 1, security_builtin_admins_sid, sid_len );
+        memcpy( (char *)(key_default_sd + 1) + sid_len, security_builtin_admins_sid, sid_len );
+    }
+    return key_default_sd;
+}
+
 /* close the notification associated with a handle */
 static int key_close_handle( struct object *obj, struct process *process, obj_handle_t handle )
 {
diff --git a/server/security.h b/server/security.h
index 03fd74e..9856f96 100644
--- a/server/security.h
+++ b/server/security.h
@@ -42,6 +42,7 @@ extern const LUID SeCreateGlobalPrivilege;
 extern const PSID security_world_sid;
 extern const PSID security_local_user_sid;
 extern const PSID security_local_system_sid;
+extern const PSID security_builtin_admins_sid;
/* token functions */
diff --git a/server/token.c b/server/token.c
index 5e0493a..7d6086d 100644
--- a/server/token.c
+++ b/server/token.c
@@ -77,6 +77,13 @@ static const struct /* same fields as struct SID */
     SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
     DWORD SubAuthority[5];
 } local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
+static const struct /* same fields as struct SID */
+{
+    BYTE Revision;
+    BYTE SubAuthorityCount;
+    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
+    DWORD SubAuthority[2];
+} builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
const PSID security_world_sid = (PSID)&world_sid;
 static const PSID security_local_sid = (PSID)&local_sid;
@@ -84,6 +91,7 @@ static const PSID security_interactive_sid = (PSID)&interactive_sid;
 static const PSID security_authenticated_user_sid = (PSID)&authenticated_user_sid;
 const PSID security_local_system_sid = (PSID)&local_system_sid;
 const PSID security_local_user_sid = (PSID)&local_user_sid;
+const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
static luid_t prev_luid_value = { 1000, 0 };

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

Erich Hoover : server: Report administrator ownership by default for registry objects.