From: Vijay Kiran Kamuju <infyquest@gmail.com>
Subject: [PATCH V3 1/2] server: Add default security descriptor ownership for processes.
Message-Id: <20190422214530.434-1-infyquest@gmail.com>
Date: Mon, 22 Apr 2019 23:45:29 +0200

From: "Erich E. Hoover" <erich.e.hoover@gmail.com>

Rename key_default_sd to process_default_sd and rebase properly.

From: Erich E. Hoover <erich.e.hoover@gmail.com>
Signed-off-by: Erich E. Hoover <erich.e.hoover@gmail.com>
Signed-off-by: Vijay Kiran Kamuju <infyquest@gmail.com>
---
 dlls/advapi32/tests/security.c | 35 ++++++++++++++++++++++++++++++++++
 server/process.c               | 27 +++++++++++++++++++++++++-
 server/security.h              |  1 +
 server/token.c                 |  2 ++
 4 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index d9cae64da8b..3097a64fb24 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -4682,11 +4682,15 @@ static void test_acls(void)
 
 static void test_GetSecurityInfo(void)
 {
+    char domain_users_ptr[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
     char b[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
     char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], dacl[100];
+    PSID domain_users_sid = (PSID) domain_users_ptr, domain_sid;
+    SID_IDENTIFIER_AUTHORITY sia = { SECURITY_NT_AUTHORITY };
     DWORD sid_size = sizeof(admin_ptr), l = sizeof(b);
     PSID admin_sid = (PSID) admin_ptr, user_sid;
     char sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
+    BOOL owner_defaulted, group_defaulted;
     ACL_SIZE_INFORMATION acl_size;
     PSECURITY_DESCRIPTOR pSD;
     ACCESS_ALLOWED_ACE *ace;
@@ -4813,6 +4817,37 @@ static void test_GetSecurityInfo(void)
     }
     LocalFree(pSD);
     CloseHandle(obj);
+
+    /* Obtain the "domain users" SID from the user SID */
+    if (!AllocateAndInitializeSid(&sia, 4, *GetSidSubAuthority(user_sid, 0),
+                                  *GetSidSubAuthority(user_sid, 1),
+                                  *GetSidSubAuthority(user_sid, 2),
+                                  *GetSidSubAuthority(user_sid, 3), 0, 0, 0, 0, &domain_sid))
+    {
+        win_skip("Failed to get current domain SID\n");
+        return;
+    }
+    sid_size = sizeof(domain_users_ptr);
+    pCreateWellKnownSid(WinAccountDomainUsersSid, domain_sid, domain_users_sid, &sid_size);
+    FreeSid(domain_sid);
+
+    /* Test querying the ownership of a process */
+    ret = pGetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
+                           OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION,
+                           NULL, NULL, NULL, NULL, &pSD);
+    ok(!ret, "GetNamedSecurityInfo failed with error %d\n", ret);
+
+    bret = GetSecurityDescriptorOwner(pSD, &owner, &owner_defaulted);
+    ok(bret, "GetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+    ok(owner != NULL, "owner should not be NULL\n");
+    ok(EqualSid(owner, admin_sid) || EqualSid(owner, user_sid),
+       "Process owner SID != Administrators SID.\n");
+
+    bret = GetSecurityDescriptorGroup(pSD, &group, &group_defaulted);
+    ok(bret, "GetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+    ok(group != NULL, "group should not be NULL\n");
+    ok(EqualSid(group, domain_users_sid), "Process group SID != Domain Users SID.\n");
+    LocalFree(pSD);
 }
 
 static void test_GetSidSubAuthority(void)
diff --git a/server/process.c b/server/process.c
index 4a1cebf2fca..f8a23b2cc53 100644
--- a/server/process.c
+++ b/server/process.c
@@ -63,6 +63,7 @@ static void process_dump( struct object *obj, int verbose );
 static struct object_type *process_get_type( struct object *obj );
 static int process_signaled( struct object *obj, struct wait_queue_entry *entry );
 static unsigned int process_map_access( struct object *obj, unsigned int access );
+static struct security_descriptor *process_get_sd( struct object *obj );
 static void process_poll_event( struct fd *fd, int event );
 static struct list *process_get_kernel_obj_list( struct object *obj );
 static void process_destroy( struct object *obj );
@@ -80,7 +81,7 @@ static const struct object_ops process_ops =
     no_signal,                   /* signal */
     no_get_fd,                   /* get_fd */
     process_map_access,          /* map_access */
-    default_get_sd,              /* get_sd */
+    process_get_sd,              /* get_sd */
     default_set_sd,              /* set_sd */
     no_lookup_name,              /* lookup_name */
     no_link_name,                /* link_name */
@@ -663,12 +664,36 @@ static unsigned int process_map_access( struct object *obj, unsigned int access
     return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
 }
 
+
 static struct list *process_get_kernel_obj_list( struct object *obj )
 {
     struct process *process = (struct process *)obj;
     return &process->kernel_object;
 }
 
+static struct security_descriptor *process_get_sd( struct object *obj )
+{
+    static struct security_descriptor *process_default_sd;
+
+    if (obj->sd) return obj->sd;
+
+    if (!process_default_sd)
+    {
+        size_t users_sid_len = security_sid_len( security_domain_users_sid );
+        size_t admins_sid_len = security_sid_len( security_builtin_admins_sid );
+
+        process_default_sd = mem_alloc( sizeof(*process_default_sd) + admins_sid_len + users_sid_len  );
+        process_default_sd->control   = SE_DACL_PRESENT;
+        process_default_sd->owner_len = admins_sid_len;
+        process_default_sd->group_len = users_sid_len;
+        process_default_sd->sacl_len  = 0;
+        process_default_sd->dacl_len  = 0;
+        memcpy( process_default_sd + 1, security_builtin_admins_sid, admins_sid_len );
+        memcpy( (char *)(process_default_sd + 1) + admins_sid_len, security_domain_users_sid, users_sid_len );
+    }
+    return process_default_sd;
+}
+
 static void process_poll_event( struct fd *fd, int event )
 {
     struct process *process = get_fd_user( fd );
diff --git a/server/security.h b/server/security.h
index 873bbc6afd6..606dbb2ab2c 100644
--- a/server/security.h
+++ b/server/security.h
@@ -47,6 +47,7 @@ extern const PSID security_local_user_sid;
 extern const PSID security_local_system_sid;
 extern const PSID security_builtin_users_sid;
 extern const PSID security_builtin_admins_sid;
+extern const PSID security_domain_users_sid;
 extern const PSID security_high_label_sid;
 
 
diff --git a/server/token.c b/server/token.c
index 5c35bcc19f6..895809e7252 100644
--- a/server/token.c
+++ b/server/token.c
@@ -83,6 +83,7 @@ static const SID_N(5) local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORIT
 static const SID_N(2) builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
 static const SID_N(2) builtin_users_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
 static const SID_N(3) builtin_logon_sid = { SID_REVISION, 3, { SECURITY_NT_AUTHORITY }, { SECURITY_LOGON_IDS_RID, 0, 0 } };
+static const SID_N(5) domain_users_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, DOMAIN_GROUP_RID_USERS } };
 
 const PSID security_world_sid = (PSID)&world_sid;
 static const PSID security_local_sid = (PSID)&local_sid;
@@ -92,6 +93,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
 const PSID security_local_user_sid = (PSID)&local_user_sid;
 const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
 const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
+const PSID security_domain_users_sid = (PSID)&domain_users_sid;
 const PSID security_high_label_sid = (PSID)&high_label_sid;
 
 static luid_t prev_luid_value = { 1000, 0 };

-- 
2.17.0