From: Sebastian Lackner
Subject: [4/4] advapi32/tests: Add ACL inheritance tests for creating subdirectories with NtCreateFile.
Message-Id: <551BC82D.20903@fds-team.de>
Date: Wed, 01 Apr 2015 12:27:57 +0200
After this test has been applied we can be sure that kernel32 just passes the SD to ntdll without any changes. This means inheritance has to be done either in ntdll or the wineserver. The next step is to find out more details how exactly the inheritance mechanism works. It is not identical to advapi32 because we do not need any logic to combine multiple descriptors, only inheriting ACLs from the parent directory is supported.
---
 dlls/advapi32/tests/security.c | 78 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
From b6a62ad548216284a98848ec5c0d592317bf671f Mon Sep 17 00:00:00 2001
From: Sebastian Lackner
Date: Wed, 1 Apr 2015 10:48:35 +0200
Subject: advapi32/tests: Add ACL inheritance tests for creating subdirectories with NtCreateFile.
---
 dlls/advapi32/tests/security.c | 78 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 898ebdb..239965d 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -3491,6 +3491,84 @@ static void test_CreateDirectoryA(void)
 ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError());
 }
 
+ /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) without security descriptor */
+ strcpy(tmpfile, tmpdir);
+ lstrcatA(tmpfile, "/tmpdir");
+ get_nt_pathW(tmpfile, &tmpfileW);
+
+ attr.Length = sizeof(attr);
+ attr.RootDirectory = 0;
+ attr.ObjectName = &tmpfileW;
+ attr.Attributes = OBJ_CASE_INSENSITIVE;
+ attr.SecurityDescriptor = NULL;
+ attr.SecurityQualityOfService = NULL;
+
+ status = pNtCreateFile(&hTemp, GENERIC_READ | DELETE, &attr, &io, NULL, FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_READ, FILE_CREATE, FILE_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE, NULL, 0);
+ ok(!status, "NtCreateFile failed with %08x\n", status);
+ RtlFreeUnicodeString(&tmpfileW);
+
+ error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+ (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
+ ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
+ test_inherited_dacl(pDacl, admin_sid, user_sid,
+ OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERITED_ACE,
+ 0x1f01ff, TRUE, TRUE, TRUE, __LINE__);
+ LocalFree(pSD);
+ CloseHandle(hTemp);
+
+ /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) 
with security descriptor */
+ pSD = &sd;
+ InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
+ pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
+ bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
+ ok(bret, "Failed to initialize ACL\n");
+ bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
+ ok(bret, "Failed to add ACL to security desciptor\n");
+
+ strcpy(tmpfile, tmpdir);
+ lstrcatA(tmpfile, "/tmpdir2");
+ get_nt_pathW(tmpfile, &tmpfileW);
+
+ attr.Length = sizeof(attr);
+ attr.RootDirectory = 0;
+ attr.ObjectName = &tmpfileW;
+ attr.Attributes = OBJ_CASE_INSENSITIVE;
+ attr.SecurityDescriptor = pSD;
+ attr.SecurityQualityOfService = NULL;
+
+ status = pNtCreateFile(&hTemp, GENERIC_READ | DELETE, &attr, &io, NULL, FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_READ, FILE_CREATE, FILE_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE, NULL, 0);
+ todo_wine
+ ok(!status, "NtCreateFile failed with %08x\n", status);
+ RtlFreeUnicodeString(&tmpfileW);
+ HeapFree(GetProcessHeap(), 0, pDacl);
+
+ if (!status)
+ {
+ error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+ (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
+ ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
+ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
+ ok(bret, "GetAclInformation failed\n");
+ ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
+ acl_size.AceCount);
+ LocalFree(pSD);
+
+ error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+ (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
+ ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
+ bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
+ ok(bret, "GetAclInformation failed\n");
+ ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 
0).\n",
+ acl_size.AceCount);
+ LocalFree(pSD);
+ CloseHandle(hTemp);
+ }
+
 done:
 HeapFree(GetProcessHeap(), 0, user);
 bret = RemoveDirectoryA(tmpdir);
-- 
2.3.3
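Review bot: In the second block `pDacl` still holds the pointer just released by `HeapFree` and `pSD` still points at the stack variable `sd` when `pGetSecurityInfo` is called, so if that call fails without writing its outputs, `pGetAclInformation(pDacl, ...)` reads freed memory and `LocalFree(pSD)` is handed a stack address. Resetting both right after the free, `pDacl = NULL; pSD = NULL;`, and adding `ok(pDacl != NULL, "expected an empty DACL, got a NULL DACL\n");` before reading `AceCount` would also make the test tell an empty DACL (no access granted) apart from a NULL DACL (access unrestricted), which is presumably the property the `AceCount == 0` checks are meant to pin down. The first block has a related gap: it runs `test_inherited_dacl`, `LocalFree(pSD)` and `CloseHandle(hTemp)` even when `NtCreateFile` or `pGetNamedSecurityInfoA` failed, whereas the second block guards with `if (!status)`. The failure message on the `pGetSecurityInfo` check names `GetNamedSecurityInfo`, which will point a reader at the wrong call when it fires. test_CreateDirectoryA starts and ends outside this hunk, so the declarations of `tmpfile`, `sd` and `acl_size` and the size of the `strcpy`/`lstrcatA` destination could not be checked.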