- Reformat Se code and put functions to more appropriate locations.

svn path=/trunk/; revision=33129
2024-06-29 01:12:06 +00:00 · 2008-04-23 20:38:37 +00:00 · 2008-04-23 20:38:37 +00:00 · 9dc0da2dea
parent c72bfe8de2
commit 9dc0da2dea
13 changed files with 4886 additions and 5090 deletions
--- a/reactos/ntoskrnl/ex/uuid.c
+++ b/reactos/ntoskrnl/ex/uuid.c
@ -40,8 +40,8 @@ static BOOLEAN UuidSequenceInitialized = FALSE;
 static BOOLEAN UuidSequenceChanged = FALSE;
 static UCHAR UuidSeed[SEED_BUFFER_SIZE];
 static ULONG UuidCount;
-
-
+static LARGE_INTEGER LuidIncrement;
+static LARGE_INTEGER LuidValue;

 /* FUNCTIONS ****************************************************************/

@ -214,6 +214,91 @@ ExpCreateUuids(PULARGE_INTEGER Time,
    return STATUS_SUCCESS;
 }

+VOID
+INIT_FUNCTION
+NTAPI
+ExpInitLuid(VOID)
+{
+    LUID DummyLuidValue = SYSTEM_LUID;
+    
+    LuidValue.u.HighPart = DummyLuidValue.HighPart;
+    LuidValue.u.LowPart = DummyLuidValue.LowPart;
+    LuidIncrement.QuadPart = 1;
+}
+
+
+NTSTATUS
+NTAPI
+ExpAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
+{
+    LARGE_INTEGER NewLuid, PrevLuid;
+    
+    /* atomically increment the luid */
+    do
+    {
+        PrevLuid = LuidValue;
+        NewLuid = RtlLargeIntegerAdd(PrevLuid,
+                                     LuidIncrement);
+    } while(ExfInterlockedCompareExchange64(&LuidValue.QuadPart,
+                                            &NewLuid.QuadPart,
+                                            &PrevLuid.QuadPart) != PrevLuid.QuadPart);
+    
+    LocallyUniqueId->LowPart = NewLuid.u.LowPart;
+    LocallyUniqueId->HighPart = NewLuid.u.HighPart;
+    
+    return STATUS_SUCCESS;
+}
+
+
+/*
+ * @implemented
+ */
+NTSTATUS STDCALL
+NtAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
+{
+    LUID NewLuid;
+    KPROCESSOR_MODE PreviousMode;
+    NTSTATUS Status = STATUS_SUCCESS;
+    
+    PAGED_CODE();
+    
+    PreviousMode = ExGetPreviousMode();
+    
+    if(PreviousMode != KernelMode)
+    {
+        _SEH_TRY
+        {
+            ProbeForWrite(LocallyUniqueId,
+                          sizeof(LUID),
+                          sizeof(ULONG));
+        }
+        _SEH_HANDLE
+        {
+            Status = _SEH_GetExceptionCode();
+        }
+        _SEH_END;
+        
+        if(!NT_SUCCESS(Status))
+        {
+            return Status;
+        }
+    }
+    
+    Status = ExpAllocateLocallyUniqueId(&NewLuid);
+    
+    _SEH_TRY
+    {
+        *LocallyUniqueId = NewLuid;
+    }
+    _SEH_HANDLE
+    {
+        Status = _SEH_GetExceptionCode();
+    }
+    _SEH_END;
+    
+    return Status;
+}
+
 /*
 * @unimplemented
 */
--- a/reactos/ntoskrnl/include/internal/se.h
+++ b/reactos/ntoskrnl/include/internal/se.h
@ -94,7 +94,7 @@ SeInitSRM(VOID);

 VOID
 NTAPI
-SepInitLuid(VOID);
+ExpInitLuid(VOID);

 VOID
 NTAPI
@ -315,6 +315,15 @@ SeSetWorldSecurityDescriptor(
    PULONG BufferLength
 );

+NTSTATUS
+STDCALL
+SeCopyClientToken(
+    IN PACCESS_TOKEN Token,
+    IN SECURITY_IMPERSONATION_LEVEL Level,
+    IN KPROCESSOR_MODE PreviousMode,
+    OUT PACCESS_TOKEN* NewToken
+);
+
 #define SepAcquireTokenLockExclusive(Token)                                    \
  do {                                                                         \
    KeEnterCriticalRegion();                                                   \
--- a/reactos/ntoskrnl/ntoskrnl-generic.rbuild
+++ b/reactos/ntoskrnl/ntoskrnl-generic.rbuild
@ -425,7 +425,6 @@
 		<file>acl.c</file>
 		<file>audit.c</file>
 		<file>lsa.c</file>
-		<file>luid.c</file>
 		<file>priv.c</file>
 		<file>sd.c</file>
 		<file>semgr.c</file>
--- a/reactos/ntoskrnl/se/access.c
+++ b/reactos/ntoskrnl/se/access.c
@ -8,14 +8,114 @@
 *                               Based on patch by Javier M. Mellid
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/

 #include <ntoskrnl.h>
 #define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>

-/* FUNCTIONS ***************************************************************/
+/* GLOBALS ********************************************************************/

+ERESOURCE SepSubjectContextLock;
+
+/* FUNCTIONS ******************************************************************/
+
+/*
+ * @implemented
+ */
+VOID
+NTAPI
+SeCaptureSubjectContextEx(IN PETHREAD Thread,
+                          IN PEPROCESS Process,
+                          OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
+{
+    BOOLEAN CopyOnOpen, EffectiveOnly;
+    PAGED_CODE();
+    
+    /* Save the unique ID */
+    SubjectContext->ProcessAuditId = Process->UniqueProcessId;
+    
+    /* Check if we have a thread */
+    if (!Thread)
+    {
+        /* We don't, so no token */
+        SubjectContext->ClientToken = NULL;
+    }
+    else
+    {
+        /* Get the impersonation token */
+        SubjectContext->ClientToken = PsReferenceImpersonationToken(Thread,
+                                                                    &CopyOnOpen,
+                                                                    &EffectiveOnly,
+                                                                    &SubjectContext->ImpersonationLevel);
+    }
+    
+    /* Get the primary token */
+    SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
+}
+
+/*
+ * @implemented
+ */
+VOID
+NTAPI
+SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
+{
+    /* Call the extended API */
+    SeCaptureSubjectContextEx(PsGetCurrentThread(),
+                              PsGetCurrentProcess(),
+                              SubjectContext);
+}
+
+/*
+ * @implemented
+ */
+VOID
+NTAPI
+SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
+{
+    PAGED_CODE();
+    
+    KeEnterCriticalRegion();
+    ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
+}
+
+/*
+ * @implemented
+ */
+VOID
+NTAPI
+SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
+{
+    PAGED_CODE();
+    
+    ExReleaseResourceLite(&SepSubjectContextLock);
+    KeLeaveCriticalRegion();
+}
+
+/*
+ * @implemented
+ */
+VOID
+NTAPI
+SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
+{
+    PAGED_CODE();
+    
+    if (SubjectContext->PrimaryToken != NULL)
+    {
+        ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
+    }
+    
+    if (SubjectContext->ClientToken != NULL)
+    {
+        ObDereferenceObject(SubjectContext->ClientToken);
+    }
+}
+
+/*
+ * @implemented
+ */
 NTSTATUS
 NTAPI
 SeCreateAccessStateEx(IN PETHREAD Thread,
@ -83,7 +183,7 @@ SeCreateAccessState(IN OUT PACCESS_STATE AccessState,
 {
    PAGED_CODE();

-    /* Call the internal API */
+    /* Call the extended API */
    return SeCreateAccessStateEx(PsGetCurrentThread(),
                                 PsGetCurrentProcess(),
                                 AccessState,
@ -127,8 +227,8 @@ SeDeleteAccessState(IN PACCESS_STATE AccessState)
 */
 VOID
 STDCALL
-SeSetAccessStateGenericMapping(PACCESS_STATE AccessState,
-                               PGENERIC_MAPPING GenericMapping)
+SeSetAccessStateGenericMapping(IN PACCESS_STATE AccessState,
+                               IN PGENERIC_MAPPING GenericMapping)
 {
    PAGED_CODE();

@ -136,4 +236,137 @@ SeSetAccessStateGenericMapping(PACCESS_STATE AccessState,
    ((PAUX_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
 }

+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
+SeCreateClientSecurity(IN PETHREAD Thread,
+                       IN PSECURITY_QUALITY_OF_SERVICE Qos,
+                       IN BOOLEAN RemoteClient,
+                       OUT PSECURITY_CLIENT_CONTEXT ClientContext)
+{
+    TOKEN_TYPE TokenType;
+    BOOLEAN ThreadEffectiveOnly;
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
+    PACCESS_TOKEN Token;
+    NTSTATUS Status;
+    PACCESS_TOKEN NewToken;
+    PAGED_CODE();
+    
+    Token = PsReferenceEffectiveToken(Thread,
+                                      &TokenType,
+                                      &ThreadEffectiveOnly,
+                                      &ImpersonationLevel);
+    if (TokenType != TokenImpersonation)
+    {
+        ClientContext->DirectAccessEffectiveOnly = Qos->EffectiveOnly;
+    }
+    else
+    {
+        if (Qos->ImpersonationLevel > ImpersonationLevel)
+        {
+            if (Token) ObDereferenceObject(Token);
+            return STATUS_BAD_IMPERSONATION_LEVEL;
+        }
+        
+        if ((ImpersonationLevel == SecurityAnonymous) ||
+            (ImpersonationLevel == SecurityIdentification) ||
+            ((RemoteClient) && (ImpersonationLevel != SecurityDelegation)))
+        {
+            if (Token) ObDereferenceObject(Token);
+            return STATUS_BAD_IMPERSONATION_LEVEL;
+        }
+        
+        ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) ||
+                                                    (Qos->EffectiveOnly)) ?
+        TRUE : FALSE;
+    }
+    
+    if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
+    {
+        ClientContext->DirectlyAccessClientToken = FALSE;
+        Status = SeCopyClientToken(Token, ImpersonationLevel, 0, &NewToken);
+        if (!NT_SUCCESS(Status)) return Status;
+    }
+    else
+    {
+        ClientContext->DirectlyAccessClientToken = TRUE;
+        if (RemoteClient != FALSE)
+        {
+#if 0
+            SeGetTokenControlInformation(Token,
+                                         &ClientContext->ClientTokenControl);
+#endif
+        }
+        
+        NewToken = Token;
+    }
+    
+    ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
+    ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel;
+    ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode;
+    ClientContext->SecurityQos.EffectiveOnly = Qos->EffectiveOnly;
+    ClientContext->ServerIsRemote = RemoteClient;
+    ClientContext->ClientToken = NewToken;
+    return STATUS_SUCCESS;
+}
+
+/*
+ * @unimplemented
+ */
+NTSTATUS
+NTAPI
+SeCreateClientSecurityFromSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
+                                         IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
+                                         IN BOOLEAN ServerIsRemote,
+                                         OUT PSECURITY_CLIENT_CONTEXT ClientContext)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
+/*
+ * @unimplemented
+ */
+NTSTATUS
+NTAPI
+SeImpersonateClientEx(IN PSECURITY_CLIENT_CONTEXT ClientContext,
+                      IN PETHREAD ServerThread OPTIONAL)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
+/*
+ * @implemented
+ */
+VOID
+NTAPI
+SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
+                    IN PETHREAD ServerThread OPTIONAL)
+{
+    UCHAR b;
+    
+    PAGED_CODE();
+    
+    if (ClientContext->DirectlyAccessClientToken == FALSE)
+    {
+        b = ClientContext->SecurityQos.EffectiveOnly;
+    }
+    else
+    {
+        b = ClientContext->DirectAccessEffectiveOnly;
+    }
+    if (ServerThread == NULL)
+    {
+        ServerThread = PsGetCurrentThread();
+    }
+    PsImpersonateClient(ServerThread,
+                        ClientContext->ClientToken,
+                        1,
+                        b,
+                        ClientContext->SecurityQos.ImpersonationLevel);
+}
+
 /* EOF */
--- a/reactos/ntoskrnl/se/acl.c
+++ b/reactos/ntoskrnl/se/acl.c
@ -7,28 +7,26 @@
 * PROGRAMMERS:     David Welch <welch@cwcom.net>
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/

 #include <ntoskrnl.h>
-#include <internal/debug.h>
+#define NDEBUG
+#include <debug.h>

 #if defined (ALLOC_PRAGMA)
 #pragma alloc_text(INIT, SepInitDACLs)
 #endif

-
-/* GLOBALS ******************************************************************/
+/* GLOBALS ********************************************************************/

 PACL SePublicDefaultDacl = NULL;
 PACL SeSystemDefaultDacl = NULL;
-
 PACL SePublicDefaultUnrestrictedDacl = NULL;
 PACL SePublicOpenDacl = NULL;
 PACL SePublicOpenUnrestrictedDacl = NULL;
 PACL SeUnrestrictedDacl = NULL;

-
-/* FUNCTIONS ****************************************************************/
+/* FUNCTIONS ******************************************************************/

 BOOLEAN
 INIT_FUNCTION
--- a/reactos/ntoskrnl/se/audit.c
+++ b/reactos/ntoskrnl/se/audit.c
@ -7,12 +7,13 @@
 * PROGRAMMERS:     Eric Kohl <eric.kohl@t-online.de>
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/

 #include <ntoskrnl.h>
-#include <internal/debug.h>
+#define NDEBUG
+#include <debug.h>

-/* INTERNAL *****************************************************************/
+/* PRIVATE FUNCTIONS***********************************************************/

 BOOLEAN
 NTAPI
@ -179,7 +180,165 @@ SeLocateProcessImageName(IN PEPROCESS Process,
    return Status;
 }

-/* FUNCTIONS ****************************************************************/
+/* PUBLIC FUNCTIONS ***********************************************************/
+
+/*
+ * @unimplemented
+ */
+VOID
+STDCALL
+SeAuditHardLinkCreation(IN PUNICODE_STRING FileName,
+                        IN PUNICODE_STRING LinkName,
+                        IN BOOLEAN bSuccess)
+{
+	UNIMPLEMENTED;
+}
+
+/*
+ * @unimplemented
+ */
+BOOLEAN
+STDCALL
+SeAuditingFileEvents(IN BOOLEAN AccessGranted,
+                     IN PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+	UNIMPLEMENTED;
+	return FALSE;
+}
+
+/*
+ * @unimplemented
+ */
+BOOLEAN
+STDCALL
+SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted,
+                                IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
+{
+	UNIMPLEMENTED;
+	return FALSE;
+}
+
+/*
+ * @unimplemented
+ */
+BOOLEAN
+STDCALL
+SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
+                         IN PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+	UNIMPLEMENTED;
+	return FALSE;
+}
+
+/*
+ * @unimplemented
+ */
+BOOLEAN
+STDCALL
+SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted,
+                                    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
+{
+	UNIMPLEMENTED;
+	return FALSE;
+}
+
+/*
+ * @unimplemented
+ */
+BOOLEAN
+STDCALL
+SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
+                             IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                             IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
+{
+	UNIMPLEMENTED;
+	return FALSE;
+}
+
+/*
+ * @unimplemented
+ */
+VOID
+STDCALL
+SeCloseObjectAuditAlarm(
+                        IN PVOID Object,
+                        IN HANDLE Handle,
+                        IN BOOLEAN PerformAction
+                        )
+{
+	UNIMPLEMENTED;
+}
+
+/*
+ * @unimplemented
+ */
+VOID STDCALL
+SeDeleteObjectAuditAlarm(IN PVOID Object,
+                         IN HANDLE Handle)
+{
+    UNIMPLEMENTED;
+}
+
+/*
+ * @unimplemented
+ */
+VOID
+NTAPI
+SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
+                       IN PVOID Object OPTIONAL,
+                       IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
+                       IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                       IN PACCESS_STATE AccessState,
+                       IN BOOLEAN ObjectCreated,
+                       IN BOOLEAN AccessGranted,
+                       IN KPROCESSOR_MODE AccessMode,
+                       OUT PBOOLEAN GenerateOnClose)
+{
+    PAGED_CODE();
+    
+    /* Audits aren't done on kernel-mode access */
+    if (AccessMode == KernelMode) return;
+    
+    /* Otherwise, unimplemented! */
+    //UNIMPLEMENTED;
+    return;
+}
+
+/*
+ * @unimplemented
+ */
+VOID STDCALL
+SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
+                                IN PVOID Object OPTIONAL,
+                                IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
+                                IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                IN PACCESS_STATE AccessState,
+                                IN BOOLEAN ObjectCreated,
+                                IN BOOLEAN AccessGranted,
+                                IN KPROCESSOR_MODE AccessMode,
+                                OUT PBOOLEAN GenerateOnClose)
+{
+    UNIMPLEMENTED;
+}
+
+/*
+ * @unimplemented
+ */
+VOID
+STDCALL
+SePrivilegeObjectAuditAlarm(IN HANDLE Handle,
+                            IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
+                            IN ACCESS_MASK DesiredAccess,
+                            IN PPRIVILEGE_SET Privileges,
+                            IN BOOLEAN AccessGranted,
+                            IN KPROCESSOR_MODE CurrentMode)
+{
+	UNIMPLEMENTED;
+}
+
+/* SYSTEM CALLS ***************************************************************/

 NTSTATUS
 NTAPI
@ -263,175 +422,4 @@ NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
    return(STATUS_NOT_IMPLEMENTED);
 }

-
-/*
- * @unimplemented
- */
-VOID
-STDCALL
-SeAuditHardLinkCreation(
-	IN PUNICODE_STRING FileName,
-	IN PUNICODE_STRING LinkName,
-	IN BOOLEAN bSuccess
-	)
-{
-	UNIMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-BOOLEAN
-STDCALL
-SeAuditingFileEvents(
-	IN BOOLEAN AccessGranted,
-	IN PSECURITY_DESCRIPTOR SecurityDescriptor
-	)
-{
-	UNIMPLEMENTED;
-	return FALSE;
-}
-
-/*
- * @unimplemented
- */
-BOOLEAN
-STDCALL
-SeAuditingFileEventsWithContext(
-	IN BOOLEAN AccessGranted,
-	IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-	IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
-	)
-{
-	UNIMPLEMENTED;
-	return FALSE;
-}
-
-/*
- * @unimplemented
- */
-BOOLEAN
-STDCALL
-SeAuditingHardLinkEvents(
-	IN BOOLEAN AccessGranted,
-	IN PSECURITY_DESCRIPTOR SecurityDescriptor
-	)
-{
-	UNIMPLEMENTED;
-	return FALSE;
-}
-
-/*
- * @unimplemented
- */
-BOOLEAN
-STDCALL
-SeAuditingHardLinkEventsWithContext(
-	IN BOOLEAN AccessGranted,
-	IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-	IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
-	)
-{
-	UNIMPLEMENTED;
-	return FALSE;
-}
-
-/*
- * @unimplemented
- */
-BOOLEAN
-STDCALL
-SeAuditingFileOrGlobalEvents(
-	IN BOOLEAN AccessGranted,
-	IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-	IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
-	)
-{
-	UNIMPLEMENTED;
-	return FALSE;
-}
-
-/*
- * @unimplemented
- */
-VOID
-STDCALL
-SeCloseObjectAuditAlarm(
-	IN PVOID Object,
-	IN HANDLE Handle,
-	IN BOOLEAN PerformAction
-	)
-{
-	UNIMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-VOID STDCALL
-SeDeleteObjectAuditAlarm(IN PVOID Object,
-			 IN HANDLE Handle)
-{
-  UNIMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-VOID
-NTAPI
-SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
-                       IN PVOID Object OPTIONAL,
-                       IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
-                       IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-                       IN PACCESS_STATE AccessState,
-                       IN BOOLEAN ObjectCreated,
-                       IN BOOLEAN AccessGranted,
-                       IN KPROCESSOR_MODE AccessMode,
-                       OUT PBOOLEAN GenerateOnClose)
-{
-    PAGED_CODE();
-
-    /* Audits aren't done on kernel-mode access */
-    if (AccessMode == KernelMode) return;
-
-    /* Otherwise, unimplemented! */
-    //UNIMPLEMENTED;
-    return;
-}
-
-/*
- * @unimplemented
- */
-VOID STDCALL
-SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
-				IN PVOID Object OPTIONAL,
-				IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
-				IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-				IN PACCESS_STATE AccessState,
-				IN BOOLEAN ObjectCreated,
-				IN BOOLEAN AccessGranted,
-				IN KPROCESSOR_MODE AccessMode,
-				OUT PBOOLEAN GenerateOnClose)
-{
-  UNIMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-VOID
-STDCALL
-SePrivilegeObjectAuditAlarm(
-	IN HANDLE Handle,
-	IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
-	IN ACCESS_MASK DesiredAccess,
-	IN PPRIVILEGE_SET Privileges,
-	IN BOOLEAN AccessGranted,
-	IN KPROCESSOR_MODE CurrentMode
-	)
-{
-	UNIMPLEMENTED;
-}
-
 /* EOF */
--- a/reactos/ntoskrnl/se/lsa.c
+++ b/reactos/ntoskrnl/se/lsa.c
@ -1,28 +1,32 @@
 /*
 * COPYRIGHT:       See COPYING in the top level directory
 * PROJECT:         ReactOS kernel
- * FILE:            ntoskrnl/se/lsa.c
- * PURPOSE:         No purpose listed.
+ * FILE:            ntoskrnl/se/sid.c
+ * PURPOSE:         Security manager
 *
- * PROGRAMMERS:     No programmer listed.
+ * PROGRAMMERS:     David Welch <welch@cwcom.net>
 */

+/* INCLUDES *******************************************************************/
+
 #include <ntoskrnl.h>
 #define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>
+
+/* FUNCTIONS ******************************************************************/

 /*
 * @unimplemented
 */
-NTSTATUS STDCALL LsaCallAuthenticationPackage (
-    ULONG Unknown0,
+NTSTATUS
+NTAPI
+LsaCallAuthenticationPackage(ULONG Unknown0,
                             ULONG Unknown1,
                             ULONG Unknown2,
                             ULONG Unknown3,
                             ULONG Unknown4,
                             ULONG Unknown5,
-    ULONG Unknown6
-    )
+                             ULONG Unknown6)
 {
    return STATUS_NOT_IMPLEMENTED;
 }
@ -30,10 +34,10 @@ NTSTATUS STDCALL LsaCallAuthenticationPackage (
 /*
 * @unimplemented
 */
-NTSTATUS STDCALL LsaDeregisterLogonProcess (
-    ULONG Unknown0,
-    ULONG Unknown1
-    )
+NTSTATUS
+NTAPI
+LsaDeregisterLogonProcess(ULONG Unknown0,
+                          ULONG Unknown1)
 {
    return STATUS_NOT_IMPLEMENTED;
 }
@ -41,16 +45,15 @@ NTSTATUS STDCALL LsaDeregisterLogonProcess (
 /*
 * @implemented
 */
-NTSTATUS STDCALL LsaFreeReturnBuffer (PVOID Buffer)
+NTSTATUS
+NTAPI
+LsaFreeReturnBuffer(PVOID Buffer)
 {
-    ULONG Size = 0; /* required by MEM_RELEASE */
-
-    return ZwFreeVirtualMemory (
-               NtCurrentProcess(),
-	       & Buffer,
-	       & Size,
-	       MEM_RELEASE
-               );
+    ULONG Size = 0;
+    return ZwFreeVirtualMemory(NtCurrentProcess(),
+                               &Buffer,
+                               &Size,
+                               MEM_RELEASE);
 }

 /*
@ -79,11 +82,11 @@ LsaLogonUser(IN HANDLE LsaHandle,
 /*
 * @unimplemented
 */
-NTSTATUS STDCALL LsaLookupAuthenticationPackage (
-    ULONG	Unknown0,
+NTSTATUS
+NTAPI
+LsaLookupAuthenticationPackage(ULONG Unknown0,
                               ULONG Unknown1,
-    ULONG	Unknown2
-    )
+                               ULONG Unknown2)
 {
    return STATUS_NOT_IMPLEMENTED;
 }
@ -93,7 +96,7 @@ NTSTATUS STDCALL LsaLookupAuthenticationPackage (
 */
 NTSTATUS
 NTAPI
-LsaRegisterLogonProcess (IN PLSA_STRING LogonProcessName,
+LsaRegisterLogonProcess(IN PLSA_STRING LogonProcessName,
                        OUT PHANDLE LsaHandle,
                        OUT PLSA_OPERATIONAL_MODE SecurityMode)
 {
@ -105,9 +108,7 @@ LsaRegisterLogonProcess (IN PLSA_STRING LogonProcessName,
 */
 NTSTATUS
 STDCALL
-SeMarkLogonSessionForTerminationNotification(
-	IN PLUID LogonId
-	)
+SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
 {
 	UNIMPLEMENTED;
 	return STATUS_NOT_IMPLEMENTED;
@ -118,9 +119,7 @@ SeMarkLogonSessionForTerminationNotification(
 */
 NTSTATUS
 STDCALL
-SeRegisterLogonSessionTerminatedRoutine(
-	IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
-	)
+SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
 {
 	UNIMPLEMENTED;
 	return STATUS_NOT_IMPLEMENTED;
@ -131,13 +130,10 @@ SeRegisterLogonSessionTerminatedRoutine(
 */
 NTSTATUS
 STDCALL
-SeUnregisterLogonSessionTerminatedRoutine(
-	IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
-	)
+SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
 {
 	UNIMPLEMENTED;
 	return STATUS_NOT_IMPLEMENTED;
 }

-
 /* EOF */
--- a/reactos/ntoskrnl/se/luid.c
+++ b/reactos/ntoskrnl/se/luid.c
@ -1,112 +0,0 @@
-/*
- * COPYRIGHT:       See COPYING in the top level directory
- * PROJECT:         ReactOS kernel
- * FILE:            ntoskrnl/se/luid.c
- * PURPOSE:         Security manager
- *
- * PROGRAMMERS:     No programmer listed.
- */
-
-/* INCLUDES *****************************************************************/
-
-#include <ntoskrnl.h>
-#include <internal/debug.h>
-
-#if defined (ALLOC_PRAGMA)
-#pragma alloc_text(INIT, SepInitLuid)
-#endif
-
-
-/* GLOBALS *******************************************************************/
-
-static LARGE_INTEGER LuidIncrement;
-static LARGE_INTEGER LuidValue;
-
-/* FUNCTIONS *****************************************************************/
-
-VOID
-INIT_FUNCTION
-NTAPI
-SepInitLuid(VOID)
-{
-  LUID DummyLuidValue = SYSTEM_LUID;
-
-  LuidValue.u.HighPart = DummyLuidValue.HighPart;
-  LuidValue.u.LowPart = DummyLuidValue.LowPart;
-  LuidIncrement.QuadPart = 1;
-}
-
-
-NTSTATUS
-NTAPI
-ExpAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
-{
-  LARGE_INTEGER NewLuid, PrevLuid;
-
-  /* atomically increment the luid */
-  do
-  {
-    PrevLuid = LuidValue;
-    NewLuid = RtlLargeIntegerAdd(PrevLuid,
-                                 LuidIncrement);
-  } while(ExfInterlockedCompareExchange64(&LuidValue.QuadPart,
-                                          &NewLuid.QuadPart,
-                                          &PrevLuid.QuadPart) != PrevLuid.QuadPart);
-
-  LocallyUniqueId->LowPart = NewLuid.u.LowPart;
-  LocallyUniqueId->HighPart = NewLuid.u.HighPart;
-
-  return STATUS_SUCCESS;
-}
-
-
-/*
- * @implemented
- */
-NTSTATUS STDCALL
-NtAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
-{
-  LUID NewLuid;
-  KPROCESSOR_MODE PreviousMode;
-  NTSTATUS Status = STATUS_SUCCESS;
-
-  PAGED_CODE();
-
-  PreviousMode = ExGetPreviousMode();
-
-  if(PreviousMode != KernelMode)
-  {
-    _SEH_TRY
-    {
-      ProbeForWrite(LocallyUniqueId,
-                    sizeof(LUID),
-                    sizeof(ULONG));
-    }
-    _SEH_HANDLE
-    {
-      Status = _SEH_GetExceptionCode();
-    }
-    _SEH_END;
-
-    if(!NT_SUCCESS(Status))
-    {
-      return Status;
-    }
-  }
-
-  Status = ExpAllocateLocallyUniqueId(&NewLuid);
-
-  _SEH_TRY
-  {
-    *LocallyUniqueId = NewLuid;
-  }
-  _SEH_HANDLE
-  {
-    Status = _SEH_GetExceptionCode();
-  }
-  _SEH_END;
-
-  return Status;
-}
-
-/* EOF */
--- a/reactos/ntoskrnl/se/priv.c
+++ b/reactos/ntoskrnl/se/priv.c
@ -7,18 +7,17 @@
 * PROGRAMMERS:     No programmer listed.
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES ******************************************************************/

 #include <ntoskrnl.h>
 #define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>

 #if defined (ALLOC_PRAGMA)
 #pragma alloc_text(INIT, SepInitPrivileges)
 #endif

-
-/* GLOBALS *******************************************************************/
+/* GLOBALS ********************************************************************/

 LUID SeCreateTokenPrivilege;
 LUID SeAssignPrimaryTokenPrivilege;
@ -47,8 +46,7 @@ LUID SeUndockPrivilege;
 LUID SeSyncAgentPrivilege;
 LUID SeEnableDelegationPrivilege;

-
-/* FUNCTIONS ***************************************************************/
+/* PRIVATE FUNCTIONS **********************************************************/

 VOID
 INIT_FUNCTION
@ -170,7 +168,6 @@ SepPrivilegeCheck (PTOKEN Token,
    return FALSE;
 }

-
 NTSTATUS
 NTAPI
 SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
@ -271,7 +268,6 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
    return Status;
 }

-
 VOID
 NTAPI
 SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege,
@ -287,6 +283,101 @@ SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege,
    }
 }

+/* PUBLIC FUNCTIONS ***********************************************************/
+
+/*
+ * @unimplemented
+ */
+NTSTATUS
+STDCALL
+SeAppendPrivileges(PACCESS_STATE AccessState,
+                   PPRIVILEGE_SET Privileges)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
+/*
+ * @unimplemented
+ */
+VOID
+STDCALL
+SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
+{
+    UNIMPLEMENTED;
+}
+
+/*
+ * @implemented
+ */
+BOOLEAN STDCALL
+SePrivilegeCheck (PPRIVILEGE_SET Privileges,
+                  PSECURITY_SUBJECT_CONTEXT SubjectContext,
+                  KPROCESSOR_MODE PreviousMode)
+{
+    PACCESS_TOKEN Token = NULL;
+    
+    PAGED_CODE();
+    
+    if (SubjectContext->ClientToken == NULL)
+    {
+        Token = SubjectContext->PrimaryToken;
+    }
+    else
+    {
+        Token = SubjectContext->ClientToken;
+        if (SubjectContext->ImpersonationLevel < 2)
+        {
+            return FALSE;
+        }
+    }
+    
+    return SepPrivilegeCheck (Token,
+                              Privileges->Privilege,
+                              Privileges->PrivilegeCount,
+                              Privileges->Control,
+                              PreviousMode);
+}
+
+/*
+ * @implemented
+ */
+BOOLEAN STDCALL
+SeSinglePrivilegeCheck (IN LUID PrivilegeValue,
+                        IN KPROCESSOR_MODE PreviousMode)
+{
+    SECURITY_SUBJECT_CONTEXT SubjectContext;
+    PRIVILEGE_SET Priv;
+    BOOLEAN Result;
+    
+    PAGED_CODE();
+    
+    SeCaptureSubjectContext (&SubjectContext);
+    
+    Priv.PrivilegeCount = 1;
+    Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
+    Priv.Privilege[0].Luid = PrivilegeValue;
+    Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
+    
+    Result = SePrivilegeCheck (&Priv,
+                               &SubjectContext,
+                               PreviousMode);
+    
+    if (PreviousMode != KernelMode)
+    {
+#if 0
+        SePrivilegedServiceAuditAlarm (0,
+                                       &SubjectContext,
+                                       &PrivilegeValue);
+#endif
+    }
+    
+    SeReleaseSubjectContext (&SubjectContext);
+    
+    return Result;
+}
+
+/* SYSTEM CALLS ***************************************************************/

 NTSTATUS STDCALL
 NtPrivilegeCheck (IN HANDLE ClientToken,
@ -420,75 +511,4 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
 }


-/*
- * @implemented
- */
-BOOLEAN STDCALL
-SePrivilegeCheck (PPRIVILEGE_SET Privileges,
-		  PSECURITY_SUBJECT_CONTEXT SubjectContext,
-		  KPROCESSOR_MODE PreviousMode)
-{
-  PACCESS_TOKEN Token = NULL;
-
-  PAGED_CODE();
-
-  if (SubjectContext->ClientToken == NULL)
-    {
-      Token = SubjectContext->PrimaryToken;
-    }
-  else
-    {
-      Token = SubjectContext->ClientToken;
-      if (SubjectContext->ImpersonationLevel < 2)
-	{
-	  return FALSE;
-	}
-    }
-
-  return SepPrivilegeCheck (Token,
-			    Privileges->Privilege,
-			    Privileges->PrivilegeCount,
-			    Privileges->Control,
-			    PreviousMode);
-}
-
-
-/*
- * @implemented
- */
-BOOLEAN STDCALL
-SeSinglePrivilegeCheck (IN LUID PrivilegeValue,
-			IN KPROCESSOR_MODE PreviousMode)
-{
-  SECURITY_SUBJECT_CONTEXT SubjectContext;
-  PRIVILEGE_SET Priv;
-  BOOLEAN Result;
-
-  PAGED_CODE();
-
-  SeCaptureSubjectContext (&SubjectContext);
-
-  Priv.PrivilegeCount = 1;
-  Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
-  Priv.Privilege[0].Luid = PrivilegeValue;
-  Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
-
-  Result = SePrivilegeCheck (&Priv,
-			     &SubjectContext,
-			     PreviousMode);
-
-  if (PreviousMode != KernelMode)
-    {
-#if 0
-      SePrivilegedServiceAuditAlarm (0,
-				     &SubjectContext,
-				     &PrivilegeValue);
-#endif
-    }
-
-  SeReleaseSubjectContext (&SubjectContext);
-
-  return Result;
-}
-
 /* EOF */
--- a/reactos/ntoskrnl/se/sd.c
+++ b/reactos/ntoskrnl/se/sd.c
@ -7,17 +7,17 @@
 * PROGRAMMERS:     David Welch <welch@cwcom.net>
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/

 #include <ntoskrnl.h>
-#include <internal/debug.h>
+#define NDEBUG
+#include <debug.h>

 #if defined (ALLOC_PRAGMA)
 #pragma alloc_text(INIT, SepInitSDs)
 #endif

-
-/* GLOBALS ******************************************************************/
+/* GLOBALS ********************************************************************/

 PSECURITY_DESCRIPTOR SePublicDefaultSd = NULL;
 PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd = NULL;
@ -26,7 +26,7 @@ PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd = NULL;
 PSECURITY_DESCRIPTOR SeSystemDefaultSd = NULL;
 PSECURITY_DESCRIPTOR SeUnrestrictedSd = NULL;

-/* FUNCTIONS ***************************************************************/
+/* PRIVATE FUNCTIONS **********************************************************/

 BOOLEAN
 INIT_FUNCTION
@ -377,19 +377,18 @@ SepReleaseSecurityQualityOfService(IN PSECURITY_QUALITY_OF_SERVICE CapturedSecur
    }
 }

+/* PUBLIC FUNCTIONS ***********************************************************/

 /*
 * @implemented
 */
 NTSTATUS
 STDCALL
-SeCaptureSecurityDescriptor(
-	IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
+SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
                            IN KPROCESSOR_MODE CurrentMode,
                            IN POOL_TYPE PoolType,
                            IN BOOLEAN CaptureIfKernel,
-	OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor
-	)
+                            OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
 {
    PISECURITY_DESCRIPTOR OriginalSecurityDescriptor = _OriginalSecurityDescriptor;
    SECURITY_DESCRIPTOR DescriptorCopy;
@ -529,42 +528,42 @@ SeCaptureSecurityDescriptor(
        
        /* determine the size of the SIDs */
 #define DetermineSIDSize(SidType)                                              \
-    do {                                                                       \
-    if(DescriptorCopy.SidType != NULL)                                         \
-    {                                                                          \
-      SID *SidType = (SID*)DescriptorCopy.SidType;                             \
-                                                                               \
-      if(CurrentMode != KernelMode)                                            \
-      {                                                                        \
-        /* securely access the buffers! */                                     \
-        _SEH_TRY                                                               \
-        {                                                                      \
-          SidType##SAC = ProbeForReadUchar(&SidType->SubAuthorityCount);       \
-          SidType##Size = RtlLengthRequiredSid(SidType##SAC);                  \
-          DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG));            \
-          ProbeForRead(SidType,                                                \
-                       SidType##Size,                                          \
-                       sizeof(ULONG));                                         \
-        }                                                                      \
-        _SEH_HANDLE                                                            \
-        {                                                                      \
-          Status = _SEH_GetExceptionCode();                                    \
-        }                                                                      \
-        _SEH_END;                                                              \
-                                                                               \
-        if(!NT_SUCCESS(Status))                                                \
-        {                                                                      \
-          return Status;                                                       \
-        }                                                                      \
-      }                                                                        \
-      else                                                                     \
-      {                                                                        \
-        SidType##SAC = SidType->SubAuthorityCount;                             \
-        SidType##Size = RtlLengthRequiredSid(SidType##SAC);                    \
-        DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG));              \
-      }                                                                        \
-    }                                                                          \
-    } while(0)
+do {                                                                       \
+if(DescriptorCopy.SidType != NULL)                                         \
+{                                                                          \
+SID *SidType = (SID*)DescriptorCopy.SidType;                             \
+\
+if(CurrentMode != KernelMode)                                            \
+{                                                                        \
+/* securely access the buffers! */                                     \
+_SEH_TRY                                                               \
+{                                                                      \
+SidType##SAC = ProbeForReadUchar(&SidType->SubAuthorityCount);       \
+SidType##Size = RtlLengthRequiredSid(SidType##SAC);                  \
+DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG));            \
+ProbeForRead(SidType,                                                \
+SidType##Size,                                          \
+sizeof(ULONG));                                         \
+}                                                                      \
+_SEH_HANDLE                                                            \
+{                                                                      \
+Status = _SEH_GetExceptionCode();                                    \
+}                                                                      \
+_SEH_END;                                                              \
+\
+if(!NT_SUCCESS(Status))                                                \
+{                                                                      \
+return Status;                                                       \
+}                                                                      \
+}                                                                        \
+else                                                                     \
+{                                                                        \
+SidType##SAC = SidType->SubAuthorityCount;                             \
+SidType##Size = RtlLengthRequiredSid(SidType##SAC);                    \
+DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG));              \
+}                                                                        \
+}                                                                          \
+} while(0)
        
        DetermineSIDSize(Owner);
        DetermineSIDSize(Group);
@ -573,45 +572,45 @@ SeCaptureSecurityDescriptor(
        
        /* determine the size of the ACLs */
 #define DetermineACLSize(AclType, AclFlag)                                     \
-    do {                                                                       \
-    if((DescriptorCopy.Control & SE_##AclFlag##_PRESENT) &&                    \
-       DescriptorCopy.AclType != NULL)                                         \
-    {                                                                          \
-      PACL AclType = (PACL)DescriptorCopy.AclType;                             \
-                                                                               \
-      if(CurrentMode != KernelMode)                                            \
-      {                                                                        \
-        /* securely access the buffers! */                                     \
-        _SEH_TRY                                                               \
-        {                                                                      \
-          AclType##Size = ProbeForReadUshort(&AclType->AclSize);               \
-          DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG));            \
-          ProbeForRead(AclType,                                                \
-                       AclType##Size,                                          \
-                       sizeof(ULONG));                                         \
-        }                                                                      \
-        _SEH_HANDLE                                                            \
-        {                                                                      \
-          Status = _SEH_GetExceptionCode();                                    \
-        }                                                                      \
-        _SEH_END;                                                              \
-                                                                               \
-        if(!NT_SUCCESS(Status))                                                \
-        {                                                                      \
-          return Status;                                                       \
-        }                                                                      \
-      }                                                                        \
-      else                                                                     \
-      {                                                                        \
-        AclType##Size = AclType->AclSize;                                      \
-        DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG));              \
-      }                                                                        \
-    }                                                                          \
-    else                                                                       \
-    {                                                                          \
-      DescriptorCopy.AclType = NULL;                                           \
-    }                                                                          \
-    } while(0)
+do {                                                                       \
+if((DescriptorCopy.Control & SE_##AclFlag##_PRESENT) &&                    \
+DescriptorCopy.AclType != NULL)                                         \
+{                                                                          \
+PACL AclType = (PACL)DescriptorCopy.AclType;                             \
+\
+if(CurrentMode != KernelMode)                                            \
+{                                                                        \
+/* securely access the buffers! */                                     \
+_SEH_TRY                                                               \
+{                                                                      \
+AclType##Size = ProbeForReadUshort(&AclType->AclSize);               \
+DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG));            \
+ProbeForRead(AclType,                                                \
+AclType##Size,                                          \
+sizeof(ULONG));                                         \
+}                                                                      \
+_SEH_HANDLE                                                            \
+{                                                                      \
+Status = _SEH_GetExceptionCode();                                    \
+}                                                                      \
+_SEH_END;                                                              \
+\
+if(!NT_SUCCESS(Status))                                                \
+{                                                                      \
+return Status;                                                       \
+}                                                                      \
+}                                                                        \
+else                                                                     \
+{                                                                        \
+AclType##Size = AclType->AclSize;                                      \
+DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG));              \
+}                                                                        \
+}                                                                          \
+else                                                                       \
+{                                                                          \
+DescriptorCopy.AclType = NULL;                                           \
+}                                                                          \
+} while(0)
        
        DetermineACLSize(Sacl, SACL);
        DetermineACLSize(Dacl, DACL);
@ -639,22 +638,22 @@ SeCaptureSecurityDescriptor(
                 Make sure to validate the SIDs and ACLs *again* as they could have
                 been modified in the meanwhile! */
 #define CopySID(Type)                                                          \
-        do {                                                                   \
-        if(DescriptorCopy.Type != NULL)                                        \
-        {                                                                      \
-          NewDescriptor->Type = (PVOID)Offset;                                 \
-          RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor +                     \
-                                (ULONG_PTR)NewDescriptor->Type),               \
-                        DescriptorCopy.Type,                                   \
-                        Type##Size);                                           \
-          if (!RtlValidSid((PSID)((ULONG_PTR)NewDescriptor +                   \
-                                  (ULONG_PTR)NewDescriptor->Type)))            \
-          {                                                                    \
-            RtlRaiseStatus(STATUS_INVALID_SID);                                \
-          }                                                                    \
-          Offset += ROUND_UP(Type##Size, sizeof(ULONG));                       \
-        }                                                                      \
-        } while(0)
+do {                                                                   \
+if(DescriptorCopy.Type != NULL)                                        \
+{                                                                      \
+NewDescriptor->Type = (PVOID)Offset;                                 \
+RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor +                     \
+(ULONG_PTR)NewDescriptor->Type),               \
+DescriptorCopy.Type,                                   \
+Type##Size);                                           \
+if (!RtlValidSid((PSID)((ULONG_PTR)NewDescriptor +                   \
+(ULONG_PTR)NewDescriptor->Type)))            \
+{                                                                    \
+RtlRaiseStatus(STATUS_INVALID_SID);                                \
+}                                                                    \
+Offset += ROUND_UP(Type##Size, sizeof(ULONG));                       \
+}                                                                      \
+} while(0)
                
                CopySID(Owner);
                CopySID(Group);
@ -662,22 +661,22 @@ SeCaptureSecurityDescriptor(
 #undef CopySID
                
 #define CopyACL(Type)                                                          \
-        do {                                                                   \
-        if(DescriptorCopy.Type != NULL)                                        \
-        {                                                                      \
-          NewDescriptor->Type = (PVOID)Offset;                                 \
-          RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor +                     \
-                                (ULONG_PTR)NewDescriptor->Type),               \
-                        DescriptorCopy.Type,                                   \
-                        Type##Size);                                           \
-          if (!RtlValidAcl((PACL)((ULONG_PTR)NewDescriptor +                   \
-                                  (ULONG_PTR)NewDescriptor->Type)))            \
-          {                                                                    \
-            RtlRaiseStatus(STATUS_INVALID_ACL);                                \
-          }                                                                    \
-          Offset += ROUND_UP(Type##Size, sizeof(ULONG));                       \
-        }                                                                      \
-        } while(0)
+do {                                                                   \
+if(DescriptorCopy.Type != NULL)                                        \
+{                                                                      \
+NewDescriptor->Type = (PVOID)Offset;                                 \
+RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor +                     \
+(ULONG_PTR)NewDescriptor->Type),               \
+DescriptorCopy.Type,                                   \
+Type##Size);                                           \
+if (!RtlValidAcl((PACL)((ULONG_PTR)NewDescriptor +                   \
+(ULONG_PTR)NewDescriptor->Type)))            \
+{                                                                    \
+RtlRaiseStatus(STATUS_INVALID_ACL);                                \
+}                                                                    \
+Offset += ROUND_UP(Type##Size, sizeof(ULONG));                       \
+}                                                                      \
+} while(0)
                
                CopyACL(Sacl);
                CopyACL(Dacl);
@ -859,11 +858,9 @@ SeQuerySecurityDescriptorInfo(IN PSECURITY_INFORMATION SecurityInformation,
 */
 NTSTATUS
 STDCALL
-SeReleaseSecurityDescriptor(
-	IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
+SeReleaseSecurityDescriptor(IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
                            IN KPROCESSOR_MODE CurrentMode,
-	IN BOOLEAN CaptureIfKernelMode
-	)
+                            IN BOOLEAN CaptureIfKernelMode)
 {
    PAGED_CODE();
    
@ -1076,15 +1073,13 @@ SeSetSecurityDescriptorInfo(IN PVOID Object OPTIONAL,
 */
 NTSTATUS
 STDCALL
-SeSetSecurityDescriptorInfoEx(
-	IN PVOID Object OPTIONAL,
+SeSetSecurityDescriptorInfoEx(IN PVOID Object OPTIONAL,
                              IN PSECURITY_INFORMATION SecurityInformation,
                              IN PSECURITY_DESCRIPTOR ModificationDescriptor,
                              IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
                              IN ULONG AutoInheritFlags,
                              IN POOL_TYPE PoolType,
-	IN PGENERIC_MAPPING GenericMapping
-	)
+                              IN PGENERIC_MAPPING GenericMapping)
 {
    PISECURITY_DESCRIPTOR ObjectSd = *ObjectsSecurityDescriptor;
    
@ -1232,4 +1227,293 @@ SeValidSecurityDescriptor(IN ULONG Length,
    return TRUE;
 }

+/*
+ * @implemented
+ */
+NTSTATUS STDCALL
+SeDeassignSecurity(PSECURITY_DESCRIPTOR *SecurityDescriptor)
+{
+    PAGED_CODE();
+    
+    if (*SecurityDescriptor != NULL)
+    {
+        ExFreePool(*SecurityDescriptor);
+        *SecurityDescriptor = NULL;
+    }
+    
+    return STATUS_SUCCESS;
+}
+
+
+/*
+ * @unimplemented
+ */
+NTSTATUS STDCALL
+SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
+                   IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
+                   OUT PSECURITY_DESCRIPTOR *NewDescriptor,
+                   IN GUID *ObjectType OPTIONAL,
+                   IN BOOLEAN IsDirectoryObject,
+                   IN ULONG AutoInheritFlags,
+                   IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
+                   IN PGENERIC_MAPPING GenericMapping,
+                   IN POOL_TYPE PoolType)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
+/*
+ * @implemented
+ */
+NTSTATUS STDCALL
+SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL,
+                 PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL,
+                 PSECURITY_DESCRIPTOR *NewDescriptor,
+                 BOOLEAN IsDirectoryObject,
+                 PSECURITY_SUBJECT_CONTEXT SubjectContext,
+                 PGENERIC_MAPPING GenericMapping,
+                 POOL_TYPE PoolType)
+{
+    PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
+    PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
+    PISECURITY_DESCRIPTOR Descriptor;
+    PTOKEN Token;
+    ULONG OwnerLength = 0;
+    ULONG GroupLength = 0;
+    ULONG DaclLength = 0;
+    ULONG SaclLength = 0;
+    ULONG Length = 0;
+    ULONG Control = 0;
+    ULONG_PTR Current;
+    PSID Owner = NULL;
+    PSID Group = NULL;
+    PACL Dacl = NULL;
+    PACL Sacl = NULL;
+    
+    PAGED_CODE();
+    
+    /* Lock subject context */
+    SeLockSubjectContext(SubjectContext);
+    
+    if (SubjectContext->ClientToken != NULL)
+    {
+        Token = SubjectContext->ClientToken;
+    }
+    else
+    {
+        Token = SubjectContext->PrimaryToken;
+    }
+    
+    
+    /* Inherit the Owner SID */
+    if (ExplicitDescriptor != NULL && ExplicitDescriptor->Owner != NULL)
+    {
+        DPRINT("Use explicit owner sid!\n");
+        Owner = ExplicitDescriptor->Owner;
+        
+        if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
+        {
+            Owner = (PSID)(((ULONG_PTR)Owner) + (ULONG_PTR)ExplicitDescriptor);
+            
+        }
+    }
+    else
+    {
+        if (Token != NULL)
+        {
+            DPRINT("Use token owner sid!\n");
+            Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
+        }
+        else
+        {
+            DPRINT("Use default owner sid!\n");
+            Owner = SeLocalSystemSid;
+        }
+        
+        Control |= SE_OWNER_DEFAULTED;
+    }
+    
+    OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
+    
+    
+    /* Inherit the Group SID */
+    if (ExplicitDescriptor != NULL && ExplicitDescriptor->Group != NULL)
+    {
+        DPRINT("Use explicit group sid!\n");
+        Group = ExplicitDescriptor->Group;
+        if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
+        {
+            Group = (PSID)(((ULONG_PTR)Group) + (ULONG_PTR)ExplicitDescriptor);
+        }
+    }
+    else
+    {
+        if (Token != NULL)
+        {
+            DPRINT("Use token group sid!\n");
+            Group = Token->PrimaryGroup;
+        }
+        else
+        {
+            DPRINT("Use default group sid!\n");
+            Group = SeLocalSystemSid;
+        }
+        
+        Control |= SE_OWNER_DEFAULTED;
+    }
+    
+    GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
+    
+    
+    /* Inherit the DACL */
+    if (ExplicitDescriptor != NULL &&
+        (ExplicitDescriptor->Control & SE_DACL_PRESENT) &&
+        !(ExplicitDescriptor->Control & SE_DACL_DEFAULTED))
+    {
+        DPRINT("Use explicit DACL!\n");
+        Dacl = ExplicitDescriptor->Dacl;
+        if (Dacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
+        {
+            Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ExplicitDescriptor);
+        }
+        
+        Control |= SE_DACL_PRESENT;
+    }
+    else if (ParentDescriptor != NULL &&
+             (ParentDescriptor->Control & SE_DACL_PRESENT))
+    {
+        DPRINT("Use parent DACL!\n");
+        /* FIXME: Inherit */
+        Dacl = ParentDescriptor->Dacl;
+        if (Dacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
+        {
+            Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ParentDescriptor);
+        }
+        Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+    }
+    else if (Token != NULL && Token->DefaultDacl != NULL)
+    {
+        DPRINT("Use token default DACL!\n");
+        /* FIXME: Inherit */
+        Dacl = Token->DefaultDacl;
+        Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+    }
+    else
+    {
+        DPRINT("Use NULL DACL!\n");
+        Dacl = NULL;
+        Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+    }
+    
+    DaclLength = (Dacl != NULL) ? ROUND_UP(Dacl->AclSize, 4) : 0;
+    
+    
+    /* Inherit the SACL */
+    if (ExplicitDescriptor != NULL &&
+        (ExplicitDescriptor->Control & SE_SACL_PRESENT) &&
+        !(ExplicitDescriptor->Control & SE_SACL_DEFAULTED))
+    {
+        DPRINT("Use explicit SACL!\n");
+        Sacl = ExplicitDescriptor->Sacl;
+        if (Sacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
+        {
+            Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ExplicitDescriptor);
+        }
+        
+        Control |= SE_SACL_PRESENT;
+    }
+    else if (ParentDescriptor != NULL &&
+             (ParentDescriptor->Control & SE_SACL_PRESENT))
+    {
+        DPRINT("Use parent SACL!\n");
+        /* FIXME: Inherit */
+        Sacl = ParentDescriptor->Sacl;
+        if (Sacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
+        {
+            Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ParentDescriptor);
+        }
+        Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
+    }
+    
+    SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
+    
+    
+    /* Allocate and initialize the new security descriptor */
+    Length = sizeof(SECURITY_DESCRIPTOR) +
+    OwnerLength + GroupLength + DaclLength + SaclLength;
+    
+    DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
+           sizeof(SECURITY_DESCRIPTOR),
+           OwnerLength,
+           GroupLength,
+           DaclLength,
+           SaclLength);
+    
+    Descriptor = ExAllocatePool(PagedPool,
+                                Length);
+    if (Descriptor == NULL)
+    {
+        DPRINT1("ExAlloctePool() failed\n");
+        /* FIXME: Unlock subject context */
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+    
+    RtlZeroMemory( Descriptor, Length );
+    RtlCreateSecurityDescriptor(Descriptor,
+                                SECURITY_DESCRIPTOR_REVISION);
+    
+    Descriptor->Control = (USHORT)Control | SE_SELF_RELATIVE;
+    
+    Current = (ULONG_PTR)Descriptor + sizeof(SECURITY_DESCRIPTOR);
+    
+    if (SaclLength != 0)
+    {
+        RtlCopyMemory((PVOID)Current,
+                      Sacl,
+                      SaclLength);
+        Descriptor->Sacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+        Current += SaclLength;
+    }
+    
+    if (DaclLength != 0)
+    {
+        RtlCopyMemory((PVOID)Current,
+                      Dacl,
+                      DaclLength);
+        Descriptor->Dacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+        Current += DaclLength;
+    }
+    
+    if (OwnerLength != 0)
+    {
+        RtlCopyMemory((PVOID)Current,
+                      Owner,
+                      OwnerLength);
+        Descriptor->Owner = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+        Current += OwnerLength;
+        DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
+    }
+    else
+        DPRINT("Owner of %x is zero length\n", Descriptor);
+    
+    if (GroupLength != 0)
+    {
+        memmove((PVOID)Current,
+                Group,
+                GroupLength);
+        Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+    }
+    
+    /* Unlock subject context */
+    SeUnlockSubjectContext(SubjectContext);
+    
+    *NewDescriptor = Descriptor;
+    
+    DPRINT("Descrptor %x\n", Descriptor);
+    ASSERT(RtlLengthSecurityDescriptor(Descriptor));
+    
+    return STATUS_SUCCESS;
+}
+
 /* EOF */
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@ -7,32 +7,86 @@
 * PROGRAMMERS:     No programmer listed.
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/

 #include <ntoskrnl.h>
 #define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>

-/* GLOBALS ******************************************************************/
+/* GLOBALS ********************************************************************/

 PSE_EXPORTS SeExports = NULL;
 SE_EXPORTS SepExports;

-static ERESOURCE SepSubjectContextLock;
 extern ULONG ExpInitializationPhase;
+extern ERESOURCE SepSubjectContextLock;

+/* PRIVATE FUNCTIONS **********************************************************/

-/* PROTOTYPES ***************************************************************/
+static BOOLEAN INIT_FUNCTION
+SepInitExports(VOID)
+{
+    SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
+    SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
+    SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
+    SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
+    SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
+    SepExports.SeTcbPrivilege = SeTcbPrivilege;
+    SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
+    SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
+    SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
+    SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
+    SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
+    SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
+    SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
+    SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
+    SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
+    SepExports.SeBackupPrivilege = SeBackupPrivilege;
+    SepExports.SeRestorePrivilege = SeRestorePrivilege;
+    SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
+    SepExports.SeDebugPrivilege = SeDebugPrivilege;
+    SepExports.SeAuditPrivilege = SeAuditPrivilege;
+    SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
+    SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
+    SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
    
-static BOOLEAN SepInitExports(VOID);
+    SepExports.SeNullSid = SeNullSid;
+    SepExports.SeWorldSid = SeWorldSid;
+    SepExports.SeLocalSid = SeLocalSid;
+    SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
+    SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
+    SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
+    SepExports.SeDialupSid = SeDialupSid;
+    SepExports.SeNetworkSid = SeNetworkSid;
+    SepExports.SeBatchSid = SeBatchSid;
+    SepExports.SeInteractiveSid = SeInteractiveSid;
+    SepExports.SeLocalSystemSid = SeLocalSystemSid;
+    SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
+    SepExports.SeAliasUsersSid = SeAliasUsersSid;
+    SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
+    SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
+    SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
+    SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
+    SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
+    SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
+    SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
+    SepExports.SeRestrictedSid = SeRestrictedSid;
+    SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
+    
+    SepExports.SeUndockPrivilege = SeUndockPrivilege;
+    SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
+    SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
+    
+    SeExports = &SepExports;
+    return TRUE;
+}

-/* FUNCTIONS ****************************************************************/

 BOOLEAN
 NTAPI
 SepInitializationPhase0(VOID)
 {
-    SepInitLuid();
+    ExpInitLuid();
    if (!SepInitSecurityIDs()) return FALSE;
    if (!SepInitDACLs()) return FALSE;
    if (!SepInitSDs()) return FALSE;
@ -162,76 +216,6 @@ SeInitSRM(VOID)
    return TRUE;
 }

-
-static BOOLEAN INIT_FUNCTION
-SepInitExports(VOID)
-{
-  SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
-  SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
-  SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
-  SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
-  SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
-  SepExports.SeTcbPrivilege = SeTcbPrivilege;
-  SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
-  SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
-  SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
-  SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
-  SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
-  SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
-  SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
-  SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
-  SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
-  SepExports.SeBackupPrivilege = SeBackupPrivilege;
-  SepExports.SeRestorePrivilege = SeRestorePrivilege;
-  SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
-  SepExports.SeDebugPrivilege = SeDebugPrivilege;
-  SepExports.SeAuditPrivilege = SeAuditPrivilege;
-  SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
-  SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
-  SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
-
-  SepExports.SeNullSid = SeNullSid;
-  SepExports.SeWorldSid = SeWorldSid;
-  SepExports.SeLocalSid = SeLocalSid;
-  SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
-  SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
-  SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
-  SepExports.SeDialupSid = SeDialupSid;
-  SepExports.SeNetworkSid = SeNetworkSid;
-  SepExports.SeBatchSid = SeBatchSid;
-  SepExports.SeInteractiveSid = SeInteractiveSid;
-  SepExports.SeLocalSystemSid = SeLocalSystemSid;
-  SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
-  SepExports.SeAliasUsersSid = SeAliasUsersSid;
-  SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
-  SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
-  SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
-  SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
-  SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
-  SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
-  SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
-  SepExports.SeRestrictedSid = SeRestrictedSid;
-  SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
-
-  SepExports.SeUndockPrivilege = SeUndockPrivilege;
-  SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
-  SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
-  
-  SeExports = &SepExports;
-  return TRUE;
-}
-
-
-VOID SepReferenceLogonSession(PLUID AuthenticationId)
-{
-   UNIMPLEMENTED;
-}
-
-VOID SepDeReferenceLogonSession(PLUID AuthenticationId)
-{
-   UNIMPLEMENTED;
-}
-
 NTSTATUS
 NTAPI
 SeDefaultObjectMethod(IN PVOID Object,
@ -293,399 +277,6 @@ SeDefaultObjectMethod(IN PVOID Object,
    return STATUS_SUCCESS;
 }

-VOID
-NTAPI
-SeCaptureSubjectContextEx(IN PETHREAD Thread,
-                          IN PEPROCESS Process,
-                          OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-    BOOLEAN CopyOnOpen, EffectiveOnly;
-    PAGED_CODE();
-
-    /* Save the unique ID */
-    SubjectContext->ProcessAuditId = Process->UniqueProcessId;
-
-    /* Check if we have a thread */
-    if (!Thread)
-    {
-        /* We don't, so no token */
-        SubjectContext->ClientToken = NULL;
-    }
-    else
-    {
-        /* Get the impersonation token */
-        SubjectContext->ClientToken =
-            PsReferenceImpersonationToken(Thread,
-                                          &CopyOnOpen,
-                                          &EffectiveOnly,
-                                          &SubjectContext->ImpersonationLevel);
-    }
-
-    /* Get the primary token */
-    SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
-}
-
-/*
- * @implemented
- */
-VOID
-NTAPI
-SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-    /* Call the internal API */
-    SeCaptureSubjectContextEx(PsGetCurrentThread(),
-                              PsGetCurrentProcess(),
-                              SubjectContext);
-}
-
-
-/*
- * @implemented
- */
-VOID STDCALL
-SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-  PAGED_CODE();
-
-  KeEnterCriticalRegion();
-  ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
-}
-
-
-/*
- * @implemented
- */
-VOID STDCALL
-SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-  PAGED_CODE();
-
-  ExReleaseResourceLite(&SepSubjectContextLock);
-  KeLeaveCriticalRegion();
-}
-
-
-/*
- * @implemented
- */
-VOID STDCALL
-SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-  PAGED_CODE();
-
-  if (SubjectContext->PrimaryToken != NULL)
-    {
-      ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
-    }
-
-  if (SubjectContext->ClientToken != NULL)
-    {
-      ObDereferenceObject(SubjectContext->ClientToken);
-    }
-}
-
-
-/*
- * @implemented
- */
-NTSTATUS STDCALL
-SeDeassignSecurity(PSECURITY_DESCRIPTOR *SecurityDescriptor)
-{
-  PAGED_CODE();
-
-  if (*SecurityDescriptor != NULL)
-    {
-      ExFreePool(*SecurityDescriptor);
-      *SecurityDescriptor = NULL;
-    }
-
-  return STATUS_SUCCESS;
-}
-
-
-/*
- * @unimplemented
- */
-NTSTATUS STDCALL
-SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
-                   IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
-                   OUT PSECURITY_DESCRIPTOR *NewDescriptor,
-                   IN GUID *ObjectType OPTIONAL,
-                   IN BOOLEAN IsDirectoryObject,
-                   IN ULONG AutoInheritFlags,
-                   IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
-                   IN PGENERIC_MAPPING GenericMapping,
-                   IN POOL_TYPE PoolType)
-{
-  UNIMPLEMENTED;
-  return STATUS_NOT_IMPLEMENTED;
-}
-
-
-/*
- * FUNCTION: Creates a security descriptor for a new object.
- * ARGUMENTS:
- *         ParentDescriptor =
- *         ExplicitDescriptor =
- *         NewDescriptor =
- *         IsDirectoryObject =
- *         SubjectContext =
- *         GeneralMapping =
- *         PoolType =
- * RETURNS: Status
- *
- * @implemented
- */
-NTSTATUS STDCALL
-SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL,
-                 PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL,
-                 PSECURITY_DESCRIPTOR *NewDescriptor,
-                 BOOLEAN IsDirectoryObject,
-                 PSECURITY_SUBJECT_CONTEXT SubjectContext,
-                 PGENERIC_MAPPING GenericMapping,
-                 POOL_TYPE PoolType)
-{
-  PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
-  PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
-  PISECURITY_DESCRIPTOR Descriptor;
-  PTOKEN Token;
-  ULONG OwnerLength = 0;
-  ULONG GroupLength = 0;
-  ULONG DaclLength = 0;
-  ULONG SaclLength = 0;
-  ULONG Length = 0;
-  ULONG Control = 0;
-  ULONG_PTR Current;
-  PSID Owner = NULL;
-  PSID Group = NULL;
-  PACL Dacl = NULL;
-  PACL Sacl = NULL;
-
-  PAGED_CODE();
-
-  /* Lock subject context */
-  SeLockSubjectContext(SubjectContext);
-
-  if (SubjectContext->ClientToken != NULL)
-    {
-      Token = SubjectContext->ClientToken;
-    }
-  else
-    {
-      Token = SubjectContext->PrimaryToken;
-    }
-
-
-  /* Inherit the Owner SID */
-  if (ExplicitDescriptor != NULL && ExplicitDescriptor->Owner != NULL)
-    {
-      DPRINT("Use explicit owner sid!\n");
-      Owner = ExplicitDescriptor->Owner;
-      
-      if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
-        {
-          Owner = (PSID)(((ULONG_PTR)Owner) + (ULONG_PTR)ExplicitDescriptor);
-
-        }
-    }
-  else
-    {
-      if (Token != NULL)
-        {
-          DPRINT("Use token owner sid!\n");
-          Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
-        }
-      else
-        {
-          DPRINT("Use default owner sid!\n");
-          Owner = SeLocalSystemSid;
-        }
-
-      Control |= SE_OWNER_DEFAULTED;
-    }
-
-  OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
-
-
-  /* Inherit the Group SID */
-  if (ExplicitDescriptor != NULL && ExplicitDescriptor->Group != NULL)
-    {
-      DPRINT("Use explicit group sid!\n");
-      Group = ExplicitDescriptor->Group;
-      if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
-        {
-          Group = (PSID)(((ULONG_PTR)Group) + (ULONG_PTR)ExplicitDescriptor);
-        }
-    }
-  else
-    {
-      if (Token != NULL)
-        {
-          DPRINT("Use token group sid!\n");
-          Group = Token->PrimaryGroup;
-        }
-      else
-        {
-          DPRINT("Use default group sid!\n");
-          Group = SeLocalSystemSid;
-        }
-
-      Control |= SE_OWNER_DEFAULTED;
-    }
-
-  GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
-
-
-  /* Inherit the DACL */
-  if (ExplicitDescriptor != NULL &&
-      (ExplicitDescriptor->Control & SE_DACL_PRESENT) &&
-      !(ExplicitDescriptor->Control & SE_DACL_DEFAULTED))
-    {
-      DPRINT("Use explicit DACL!\n");
-      Dacl = ExplicitDescriptor->Dacl;
-      if (Dacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
-        {
-          Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ExplicitDescriptor);
-        }
-
-      Control |= SE_DACL_PRESENT;
-    }
-  else if (ParentDescriptor != NULL &&
-           (ParentDescriptor->Control & SE_DACL_PRESENT))
-    {
-      DPRINT("Use parent DACL!\n");
-      /* FIXME: Inherit */
-      Dacl = ParentDescriptor->Dacl;
-      if (Dacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
-        {
-          Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ParentDescriptor);
-        }
-      Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
-    }
-  else if (Token != NULL && Token->DefaultDacl != NULL)
-    {
-      DPRINT("Use token default DACL!\n");
-      /* FIXME: Inherit */
-      Dacl = Token->DefaultDacl;
-      Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
-    }
-  else
-    {
-      DPRINT("Use NULL DACL!\n");
-      Dacl = NULL;
-      Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
-    }
-
-  DaclLength = (Dacl != NULL) ? ROUND_UP(Dacl->AclSize, 4) : 0;
-
-
-  /* Inherit the SACL */
-  if (ExplicitDescriptor != NULL &&
-      (ExplicitDescriptor->Control & SE_SACL_PRESENT) &&
-      !(ExplicitDescriptor->Control & SE_SACL_DEFAULTED))
-    {
-      DPRINT("Use explicit SACL!\n");
-      Sacl = ExplicitDescriptor->Sacl;
-      if (Sacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
-        {
-          Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ExplicitDescriptor);
-        }
-
-      Control |= SE_SACL_PRESENT;
-    }
-  else if (ParentDescriptor != NULL &&
-           (ParentDescriptor->Control & SE_SACL_PRESENT))
-    {
-      DPRINT("Use parent SACL!\n");
-      /* FIXME: Inherit */
-      Sacl = ParentDescriptor->Sacl;
-      if (Sacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
-        {
-          Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ParentDescriptor);
-        }
-      Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
-    }
-
-  SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
-
-
-  /* Allocate and initialize the new security descriptor */
-  Length = sizeof(SECURITY_DESCRIPTOR) +
-      OwnerLength + GroupLength + DaclLength + SaclLength;
-
-  DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
-         sizeof(SECURITY_DESCRIPTOR),
-         OwnerLength,
-         GroupLength,
-         DaclLength,
-         SaclLength);
-
-  Descriptor = ExAllocatePool(PagedPool,
-                              Length);
-  if (Descriptor == NULL)
-    {
-      DPRINT1("ExAlloctePool() failed\n");
-      /* FIXME: Unlock subject context */
-      return STATUS_INSUFFICIENT_RESOURCES;
-    }
-
-  RtlZeroMemory( Descriptor, Length );
-  RtlCreateSecurityDescriptor(Descriptor,
-                              SECURITY_DESCRIPTOR_REVISION);
-
-  Descriptor->Control = (USHORT)Control | SE_SELF_RELATIVE;
-
-  Current = (ULONG_PTR)Descriptor + sizeof(SECURITY_DESCRIPTOR);
-
-  if (SaclLength != 0)
-    {
-      RtlCopyMemory((PVOID)Current,
-                    Sacl,
-                    SaclLength);
-      Descriptor->Sacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-      Current += SaclLength;
-    }
-
-  if (DaclLength != 0)
-    {
-      RtlCopyMemory((PVOID)Current,
-                    Dacl,
-                    DaclLength);
-      Descriptor->Dacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-      Current += DaclLength;
-    }
-
-  if (OwnerLength != 0)
-    {
-      RtlCopyMemory((PVOID)Current,
-                    Owner,
-                    OwnerLength);
-      Descriptor->Owner = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-      Current += OwnerLength;
-      DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
-    }
-  else
-      DPRINT("Owner of %x is zero length\n", Descriptor);
-
-  if (GroupLength != 0)
-    {
-      memmove((PVOID)Current,
-              Group,
-              GroupLength);
-      Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-    }
-
-  /* Unlock subject context */
-  SeUnlockSubjectContext(SubjectContext);
-
-  *NewDescriptor = Descriptor;
-
-  DPRINT("Descrptor %x\n", Descriptor);
-  ASSERT(RtlLengthSecurityDescriptor(Descriptor));
-
-  return STATUS_SUCCESS;
-}
-

 static BOOLEAN
 SepSidInToken(PACCESS_TOKEN _Token,
@ -718,22 +309,46 @@ SepSidInToken(PACCESS_TOKEN _Token,
 }


+VOID STDCALL
+SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
+                          OUT PACCESS_MASK DesiredAccess)
+{
+    *DesiredAccess = 0;
+    
+    if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
+                               GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
+    {
+        *DesiredAccess |= READ_CONTROL;
+    }
+    if (SecurityInformation & SACL_SECURITY_INFORMATION)
+    {
+        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
+    }
+}
+
+VOID STDCALL
+SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
+                        OUT PACCESS_MASK DesiredAccess)
+{
+    *DesiredAccess = 0;
+    
+    if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
+    {
+        *DesiredAccess |= WRITE_OWNER;
+    }
+    if (SecurityInformation & DACL_SECURITY_INFORMATION)
+    {
+        *DesiredAccess |= WRITE_DAC;
+    }
+    if (SecurityInformation & SACL_SECURITY_INFORMATION)
+    {
+        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
+    }
+}
+
+/* PUBLIC FUNCTIONS ***********************************************************/
+
 /*
- * FUNCTION: Determines whether the requested access rights can be granted
- * to an object protected by a security descriptor and an object owner
- * ARGUMENTS:
- *      SecurityDescriptor = Security descriptor protecting the object
- *      SubjectSecurityContext = Subject's captured security context
- *      SubjectContextLocked = Indicates the user's subject context is locked
- *      DesiredAccess = Access rights the caller is trying to acquire
- *      PreviouslyGrantedAccess = Specified the access rights already granted
- *      Privileges = ?
- *      GenericMapping = Generic mapping associated with the object
- *      AccessMode = Access mode used for the check
- *      GrantedAccess (OUT) = On return specifies the access granted
- *      AccessStatus (OUT) = Status indicating why access was denied
- * RETURNS: If access was granted, returns TRUE
- *
 * @implemented
 */
 BOOLEAN STDCALL
@ -1002,6 +617,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    }
 }

+/* SYSTEM CALLS ***************************************************************/

 NTSTATUS STDCALL
 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
@ -1198,41 +814,4 @@ NtAccessCheckByTypeResultListAndAuditAlarmByHandle(IN PUNICODE_STRING SubsystemN
    return STATUS_NOT_IMPLEMENTED;
 }

-VOID STDCALL
-SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
-                          OUT PACCESS_MASK DesiredAccess)
-{
-    *DesiredAccess = 0;
-
-    if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
-                               GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
-    {
-        *DesiredAccess |= READ_CONTROL;
-    }
-    if (SecurityInformation & SACL_SECURITY_INFORMATION)
-    {
-        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
-    }
-}
-
-VOID STDCALL
-SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
-                        OUT PACCESS_MASK DesiredAccess)
-{
-    *DesiredAccess = 0;
-
-    if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
-    {
-        *DesiredAccess |= WRITE_OWNER;
-    }
-    if (SecurityInformation & DACL_SECURITY_INFORMATION)
-    {
-        *DesiredAccess |= WRITE_DAC;
-    }
-    if (SecurityInformation & SACL_SECURITY_INFORMATION)
-    {
-        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
-    }
-}
-
 /* EOF */
--- a/reactos/ntoskrnl/se/sid.c
+++ b/reactos/ntoskrnl/se/sid.c
@ -7,19 +7,17 @@
 * PROGRAMMERS:     David Welch <welch@cwcom.net>
 */

-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/

 #include <ntoskrnl.h>
-
 #define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>

 #if defined (ALLOC_PRAGMA)
 #pragma alloc_text(INIT, SepInitSecurityIDs)
 #endif

-
-/* GLOBALS ******************************************************************/
+/* GLOBALS ********************************************************************/

 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY};
 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
@ -56,9 +54,7 @@ PSID SeAuthenticatedUsersSid = NULL;
 PSID SeRestrictedSid = NULL;
 PSID SeAnonymousLogonSid = NULL;

-
-/* FUNCTIONS ****************************************************************/
-
+/* FUNCTIONS ******************************************************************/

 BOOLEAN
 INIT_FUNCTION
--- a/reactos/ntoskrnl/se/token.c
+++ b/reactos/ntoskrnl/se/token.c