server: Add default security descriptor ownership for processes.

Signed-off-by: Erich E. Hoover <erich.e.hoover@gmail.com>
Signed-off-by: Vijay Kiran Kamuju <infyquest@gmail.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Erich E. Hoover 2019-04-22 23:45:29 +02:00 committed by Alexandre Julliard
parent 72e62952db
commit e11e8705eb
4 changed files with 63 additions and 1 deletions

View File

@ -4682,11 +4682,15 @@ static void test_acls(void)
static void test_GetSecurityInfo(void)
{
char domain_users_ptr[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
PSID domain_users_sid = (PSID) domain_users_ptr, domain_sid;
SID_IDENTIFIER_AUTHORITY sia = { SECURITY_NT_AUTHORITY };
DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
PSID admin_sid = (PSID) admin_ptr, user_sid;
char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
BOOL owner_defaulted, group_defaulted;
ACL_SIZE_INFORMATION acl_size;
PSECURITY_DESCRIPTOR pSD;
ACCESS_ALLOWED_ACE *ace;
@ -4813,6 +4817,37 @@ static void test_GetSecurityInfo(void)
}
LocalFree(pSD);
CloseHandle(obj);
/* Obtain the "domain users" SID from the user SID */
if (!AllocateAndInitializeSid(&sia, 4, *GetSidSubAuthority(user_sid, 0),
*GetSidSubAuthority(user_sid, 1),
*GetSidSubAuthority(user_sid, 2),
*GetSidSubAuthority(user_sid, 3), 0, 0, 0, 0, &domain_sid))
{
win_skip("Failed to get current domain SID\n");
return;
}
sid_size = sizeof(domain_users_ptr);
pCreateWellKnownSid(WinAccountDomainUsersSid, domain_sid, domain_users_sid, &sid_size);
FreeSid(domain_sid);
/* Test querying the ownership of a process */
ret = pGetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
NULL, NULL, NULL, NULL, &pSD);
ok(!ret, "GetNamedSecurityInfo failed with error %d\n", ret);
bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
ok(owner != NULL, "owner should not be NULL\n");
ok(EqualSid(owner, admin_sid) || EqualSid(owner, user_sid),
"Process owner SID != Administrators SID.\n");
bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
ok(group != NULL, "group should not be NULL\n");
ok(EqualSid(group, domain_users_sid), "Process group SID != Domain Users SID.\n");
LocalFree(pSD);
}
static void test_GetSidSubAuthority(void)

View File

@ -63,6 +63,7 @@ static void process_dump( struct object *obj, int verbose );
static struct object_type *process_get_type( struct object *obj );
static int process_signaled( struct object *obj, struct wait_queue_entry *entry );
static unsigned int process_map_access( struct object *obj, unsigned int access );
static struct security_descriptor *process_get_sd( struct object *obj );
static void process_poll_event( struct fd *fd, int event );
static struct list *process_get_kernel_obj_list( struct object *obj );
static void process_destroy( struct object *obj );
@ -80,7 +81,7 @@ static const struct object_ops process_ops =
no_signal, /* signal */
no_get_fd, /* get_fd */
process_map_access, /* map_access */
default_get_sd, /* get_sd */
process_get_sd, /* get_sd */
default_set_sd, /* set_sd */
no_lookup_name, /* lookup_name */
no_link_name, /* link_name */
@ -669,6 +670,29 @@ static struct list *process_get_kernel_obj_list( struct object *obj )
return &process->kernel_object;
}
static struct security_descriptor *process_get_sd( struct object *obj )
{
static struct security_descriptor *process_default_sd;
if (obj->sd) return obj->sd;
if (!process_default_sd)
{
size_t users_sid_len = security_sid_len( security_domain_users_sid );
size_t admins_sid_len = security_sid_len( security_builtin_admins_sid );
process_default_sd = mem_alloc( sizeof(*process_default_sd) + admins_sid_len + users_sid_len );
process_default_sd->control = SE_DACL_PRESENT;
process_default_sd->owner_len = admins_sid_len;
process_default_sd->group_len = users_sid_len;
process_default_sd->sacl_len = 0;
process_default_sd->dacl_len = 0;
memcpy( process_default_sd + 1, security_builtin_admins_sid, admins_sid_len );
memcpy( (char *)(process_default_sd + 1) + admins_sid_len, security_domain_users_sid, users_sid_len );
}
return process_default_sd;
}
static void process_poll_event( struct fd *fd, int event )
{
struct process *process = get_fd_user( fd );

View File

@ -47,6 +47,7 @@ extern const PSID security_local_user_sid;
extern const PSID security_local_system_sid;
extern const PSID security_builtin_users_sid;
extern const PSID security_builtin_admins_sid;
extern const PSID security_domain_users_sid;
extern const PSID security_high_label_sid;

View File

@ -83,6 +83,7 @@ static const SID_N(5) local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORIT
static const SID_N(2) builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
static const SID_N(2) builtin_users_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
static const SID_N(3) builtin_logon_sid = { SID_REVISION, 3, { SECURITY_NT_AUTHORITY }, { SECURITY_LOGON_IDS_RID, 0, 0 } };
static const SID_N(5) domain_users_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, DOMAIN_GROUP_RID_USERS } };
const PSID security_world_sid = (PSID)&world_sid;
static const PSID security_local_sid = (PSID)&local_sid;
@ -92,6 +93,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
const PSID security_local_user_sid = (PSID)&local_user_sid;
const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
const PSID security_domain_users_sid = (PSID)&domain_users_sid;
const PSID security_high_label_sid = (PSID)&high_label_sid;
static luid_t prev_luid_value = { 1000, 0 };