Vitaliy Margolen : advapi32: Add few more tests for token access check and fix it on Wine. - wine-commits

25 Jan 2007

Module: wine
Branch: master
Commit: 2cf11ef771955bf858d062a2de218e619cd0f4d4
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=2cf11ef771955bf858d062a2de...
Author: Vitaliy Margolen wine-patches@kievinfo.com
Date:   Wed Jan 24 23:41:39 2007 -0700
advapi32: Add few more tests for token access check and fix it on Wine.
---
dlls/advapi32/tests/security.c |   48 +++++++++++++++++++++++++++++++++------
 server/token.c                 |    2 +-
 2 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 6ff3a0f..4fc9fad 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -656,6 +656,7 @@ static void test_AccessCheck(void)
     BOOL res;
     HMODULE NtDllModule;
     BOOLEAN Enabled;
+    DWORD err;
NtDllModule = GetModuleHandle("ntdll.dll");
@@ -691,8 +692,8 @@ static void test_AccessCheck(void)
     res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
     ok(res, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
-    res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_ALL_ACCESS, AdminSid);
-    ok(res, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
+    res = AddAccessDeniedAce(Acl, ACL_REVISION, KEY_SET_VALUE, AdminSid);
+    ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
@@ -702,12 +703,6 @@ static void test_AccessCheck(void)
     res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
     ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
-    res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
-    ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
-
-    res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
-    ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
-
     PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
     PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
     PrivSet->PrivilegeCount = 16;
@@ -720,6 +715,33 @@ static void test_AccessCheck(void)
                           TOKEN_QUERY, TRUE, &Token);
     ok(ret, "OpenThreadToken failed with error %d\n", GetLastError());
+    /* SD without owner/group */
+    SetLastError(0xdeadbeef);
+    Access = AccessStatus = 0xdeadbeef;
+    ret = AccessCheck(SecurityDescriptor, Token, KEY_QUERY_VALUE, &Mapping,
+                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
+    err = GetLastError();
+    ok(!ret && err == ERROR_INVALID_SECURITY_DESCR, "AccessCheck should have "
+       "failed with ERROR_INVALID_SECURITY_DESCR, instead of %d\n", err);
+    ok(Access == 0xdeadbeef && AccessStatus == 0xdeadbeef,
+       "Access and/or AccessStatus were changed!\n");
+
+    /* Set owner and group */
+    res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
+    ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+    res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
+    ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+
+    /* Generic access mask */
+    SetLastError(0xdeadbeef);
+    ret = AccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
+                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
+    err = GetLastError();
+    ok(!ret && err == ERROR_GENERIC_NOT_MAPPED, "AccessCheck should have failed "
+       "with ERROR_GENERIC_NOT_MAPPED, instead of %d\n", err);
+    ok(Access == 0xdeadbeef && AccessStatus == 0xdeadbeef,
+       "Access and/or AccessStatus were changed!\n");
+
     ret = AccessCheck(SecurityDescriptor, Token, KEY_READ, &Mapping,
                       PrivSet, &PrivSetLen, &Access, &AccessStatus);
     ok(ret, "AccessCheck failed with error %d\n", GetLastError());
@@ -735,6 +757,16 @@ static void test_AccessCheck(void)
         GetLastError());
     trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08x\n", Access);
+    /* Access denied by SD */
+    SetLastError(0xdeadbeef);
+    ret = AccessCheck(SecurityDescriptor, Token, KEY_WRITE, &Mapping,
+                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
+    ok(ret, "AccessCheck failed with error %d\n", GetLastError());
+    err = GetLastError();
+    ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
+       "with ERROR_ACCESS_DENIED, instead of %d\n", err);
+    ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
+
     SetLastError(0);
     PrivSet->PrivilegeCount = 16;
     ret = AccessCheck(SecurityDescriptor, Token, ACCESS_SYSTEM_SECURITY, &Mapping,
diff --git a/server/token.c b/server/token.c
index c27e73b..e3e0490 100644
--- a/server/token.c
+++ b/server/token.c
@@ -838,7 +838,7 @@ static unsigned int token_access_check(
                     if (desired_access & access)
                     {
                         *granted_access = 0;
-                        return STATUS_SUCCESS;
+                        return STATUS_ACCESS_DENIED;
                     }
                 }
             }

    