Re: Help regarding the security descriptor creation algorithms

Hi Nadezhda:

I just want to update that work on the final version of algorithm is still in progress. I’ll update you as soon as I have the new version.

Thanks you for your patience.

Regards,

Obaid Farooqi

Sr. Support Escalation Engineer | Microsoft

Hi Nadezhda:

My name is Obaid Farooqi and I am a member of protocol documentation team. I’ll be helping you with your question regarding security descriptor creation algorithms.

I’ll keep you updated as appropriate with my investigation.

Feel free to contact me if you have any further question or clarification about this issue.

Regards,

Obaid Farooqi

Sr. SEE | Microsoft

Hi,

I have been working on implementing correct nTSecurityDeascriptor creation in the directory service of Samba 4, and have come upon a problem in the ComputeInheritedACLfromParent  subroutine described in MS-DTYP 2.5.2.6. The way the algorithm is described, the purpose of this algorithm is to determine which ACE’s from an object’s parent are to be inherited by the new object actively, and which are to be inherited only. The ComputeInheritedACLfromParent as described, walks the parent ACL twice. The first time it determines the active inherited ACE’s, the second time the ones that are inherited but inactive.

I have been testing our implementation with the CN=Schema partition, as the attributes and objects by default are not given a security descriptor during creation, and the defaultSecurityDescriptor of attribute-Schema is empty DACL and SACL.

So, they inherit all their DACL ACE’s from their parent, CN=Schema.

In a Win2008R2, CN=Schema has three inheritable DACL ACE’s:

(A;CI;RPLCLORC;;;AU)

(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)

(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

ComputeInheritedACLfromParent has the following arguments:

                         ACL: ACL that contains the parent's ACEs from which to compute the inherited ACL.

                         IsContainerObject: TRUE if the object is a container, FALSE otherwise.

                         ObjectTypes: Array of GUIDs for the object type being created.

So if we invoke the ComputeInheritedACLfromParent with the above DACL,and  isConatinerObject = true (According to MS-ADTS 7.1.3, true is always the value), the first walk of the input

Initialize ExplicitACL to Empty ACL

FOR each ACE in ACL DO

IF ACE.Flags contains INHERIT_ONLY

THEN

        CONTINUE

ENDIF

IF(((ACE.Flags contains CONTAINER_INHERIT) AND

        (IsContainerObject = TRUE))OR

                                     ((ACE.Flags contains OBJECT_INHERIT) AND (IsContainerObject = FALSE)))

THEN

CASE ACE.Type OF

ALLOW:

DENY:

Set NewACE to ACE

Set NewACE.Flags to INHERITED

Append NewACE to ExplicitACL

OBJECT_ALLOW:

OBJECT_DENY:

IF (ObjectTypes contains ACE.ObjectGUID) THEN

Set NewACE to ACE

Set NewACE.Flags to INHERITED

Append NewACE to ExplicitACL

ENDIF

ENDCASE

ENDIF

END FOR

Will give:

D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

Which is as expected, as this is the DACL of all attributes and classes in Win 2008.

However, the algorithm then walks the input a second time:

Initialize InheritableACL to Empty ACL

IF (IsContainerObject = TRUE) THEN  //In our case this is always true

FOR each ACE in ACL DO

IF ACE.Flags contains NO_PROPAGATE THEN  //This flag is not set

CONTINUE

ENDIF

IF((ACE.Flags contains CONTAINER_INHERIT) OR

(ACE.Flags contains OBJECT_INHERIT))

THEN

Set NewACE to ACE

Add INHERITED to NewACE.Flags

Add INHERIT_ONLY to NewACE.Flags

Append NewACE to InheritableACL

ENDIF

                END FOR

ENDIF

This second loop yields:

(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

Which after:

RETURN concatenation of ExplicitACL and InheritableACL

Makes the final DACL look like:

D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

So ACE’s are duplicated.

However, an attribute’s DACL in Win2008 does not have these last three ACE’s, so I am obviously missing something. How should the flow actually go with this same example in order to avoid this duplication? Or am I providing the wrong argument?

Best Regards,

Nadezhda Ivanova

Hi Nadezhda:

We have finished our investigation on your question about ComputeInheritedACLfromParent algorithm. The documentation is in progress for a newer version of the algorithm that will appear in a future version of MS-DTYP.

For your implementation, you can use the following rules to derive inherited ACE’s from the parent object.

There are seven flags that can appear in an ACE. Of the seven flags, the following pertains to inheritance:

CI            CONTAINER_INHERIT_ACE

OI           OBJECT_INHERIT_ACE

NP          NO_PROPAGATE_INHERIT_ACE

IO           INHERIT_ONLY_ACE

ID            INHERITED_ACE

IO and ID do not play a part when it comes to making decisions about inheritance. ID flag is added to any ACE that is inherited to mention the fact that it was inherited. IO flag is used to render an ACE ineffective for the child that inherits the ACE. An ACE that has IO flag can be inherited but the decision is based on other flags, if present. As such, the following table mostly ignores ID and IO flags.  The following table outlines what would be the flags of the inherited ACE based on the flags that parent has.

For the cases in which a container inherits an ACE that is both effective on the container and inheritable by its descendents, the container may inherit two ACEs. This occurs when inheritable ACE contains generic  information. The container inherits an ACE with an additional IO flag with generic information and an effective-only ACE in which the generic information has been mapped.

The following page at MSDN also has similar information that you may find helpful:

http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx

Please let me know if this answers your question. If yes, then I’ll consider this issue resolved.

Regards,

Obaid Farooqi

Sr. Support Escalation Engineer | Microsoft

Hi,

I have been working on implementing correct nTSecurityDeascriptor creation in the directory service of Samba 4, and have come upon a problem in the ComputeInheritedACLfromParent  subroutine described in MS-DTYP 2.5.2.6. The way the algorithm is described, the purpose of this algorithm is to determine which ACE’s from an object’s parent are to be inherited by the new object actively, and which are to be inherited only. The ComputeInheritedACLfromParent as described, walks the parent ACL twice. The first time it determines the active inherited ACE’s, the second time the ones that are inherited but inactive.

I have been testing our implementation with the CN=Schema partition, as the attributes and objects by default are not given a security descriptor during creation, and the defaultSecurityDescriptor of attribute-Schema is empty DACL and SACL.

So, they inherit all their DACL ACE’s from their parent, CN=Schema.

In a Win2008R2, CN=Schema has three inheritable DACL ACE’s:

(A;CI;RPLCLORC;;;AU)

(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)

(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

ComputeInheritedACLfromParent has the following arguments:

                         ACL: ACL that contains the parent's ACEs from which to compute the inherited ACL.

                         IsContainerObject: TRUE if the object is a container, FALSE otherwise.

                         ObjectTypes: Array of GUIDs for the object type being created.

So if we invoke the ComputeInheritedACLfromParent with the above DACL,and  isConatinerObject = true (According to MS-ADTS 7.1.3, true is always the value), the first walk of the input

Initialize ExplicitACL to Empty ACL

FOR each ACE in ACL DO

IF ACE.Flags contains INHERIT_ONLY

THEN

        CONTINUE

ENDIF

IF(((ACE.Flags contains CONTAINER_INHERIT) AND

        (IsContainerObject = TRUE))OR

                                     ((ACE.Flags contains OBJECT_INHERIT) AND (IsContainerObject = FALSE)))

THEN

CASE ACE.Type OF

ALLOW:

DENY:

Set NewACE to ACE

Set NewACE.Flags to INHERITED

Append NewACE to ExplicitACL

OBJECT_ALLOW:

OBJECT_DENY:

IF (ObjectTypes contains ACE.ObjectGUID) THEN

Set NewACE to ACE

Set NewACE.Flags to INHERITED

Append NewACE to ExplicitACL

ENDIF

ENDCASE

ENDIF

END FOR

Will give:

D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

Which is as expected, as this is the DACL of all attributes and classes in Win 2008.

However, the algorithm then walks the input a second time:

Initialize InheritableACL to Empty ACL

IF (IsContainerObject = TRUE) THEN  //In our case this is always true

FOR each ACE in ACL DO

IF ACE.Flags contains NO_PROPAGATE THEN  //This flag is not set

CONTINUE

ENDIF

IF((ACE.Flags contains CONTAINER_INHERIT) OR

(ACE.Flags contains OBJECT_INHERIT))

THEN

Set NewACE to ACE

Add INHERITED to NewACE.Flags

Add INHERIT_ONLY to NewACE.Flags

Append NewACE to InheritableACL

ENDIF

                END FOR

ENDIF

This second loop yields:

(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

Which after:

RETURN concatenation of ExplicitACL and InheritableACL

Makes the final DACL look like:

D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

So ACE’s are duplicated.

However, an attribute’s DACL in Win2008 does not have these last three ACE’s, so I am obviously missing something. How should the flow actually go with this same example in order to avoid this duplication? Or am I providing the wrong argument?

Best Regards,

Nadezhda Ivanova

Hi Nadezhda:

I just realized that the table in my previous email may not appear correctly. So, I am attaching a PDF version of my reply. Please let me know if you have any difficulty reading it.

Regards,

Obaid Farooqi

Sr. Support Escalation Engineer | Microsoft

Hi Nadezhda:

We have finished our investigation on your question about ComputeInheritedACLfromParent algorithm. The documentation is in progress for a newer version of the algorithm that will appear in a future version of MS-DTYP.

For your implementation, you can use the following rules to derive inherited ACE’s from the parent object.

There are seven flags that can appear in an ACE. Of the seven flags, the following pertains to inheritance:

CI            CONTAINER_INHERIT_ACE

OI           OBJECT_INHERIT_ACE

NP          NO_PROPAGATE_INHERIT_ACE

IO           INHERIT_ONLY_ACE

ID            INHERITED_ACE

IO and ID do not play a part when it comes to making decisions about inheritance. ID flag is added to any ACE that is inherited to mention the fact that it was inherited. IO flag is used to render an ACE ineffective for the child that inherits the ACE. An ACE that has IO flag can be inherited but the decision is based on other flags, if present. As such, the following table mostly ignores ID and IO flags.  The following table outlines what would be the flags of the inherited ACE based on the flags that parent has.

For the cases in which a container inherits an ACE that is both effective on the container and inheritable by its descendents, the container may inherit two ACEs. This occurs when inheritable ACE contains generic  information. The container inherits an ACE with an additional IO flag with generic information and an effective-only ACE in which the generic information has been mapped.

The following page at MSDN also has similar information that you may find helpful:

http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx

Please let me know if this answers your question. If yes, then I’ll consider this issue resolved.

Regards,

Obaid Farooqi

Sr. Support Escalation Engineer | Microsoft

Hi,

I have been working on implementing correct nTSecurityDeascriptor creation in the directory service of Samba 4, and have come upon a problem in the ComputeInheritedACLfromParent  subroutine described in MS-DTYP 2.5.2.6. The way the algorithm is described, the purpose of this algorithm is to determine which ACE’s from an object’s parent are to be inherited by the new object actively, and which are to be inherited only. The ComputeInheritedACLfromParent as described, walks the parent ACL twice. The first time it determines the active inherited ACE’s, the second time the ones that are inherited but inactive.

I have been testing our implementation with the CN=Schema partition, as the attributes and objects by default are not given a security descriptor during creation, and the defaultSecurityDescriptor of attribute-Schema is empty DACL and SACL.

So, they inherit all their DACL ACE’s from their parent, CN=Schema.

In a Win2008R2, CN=Schema has three inheritable DACL ACE’s:

(A;CI;RPLCLORC;;;AU)

(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)

(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

ComputeInheritedACLfromParent has the following arguments:

                         ACL: ACL that contains the parent's ACEs from which to compute the inherited ACL.

                         IsContainerObject: TRUE if the object is a container, FALSE otherwise.

                         ObjectTypes: Array of GUIDs for the object type being created.

So if we invoke the ComputeInheritedACLfromParent with the above DACL,and  isConatinerObject = true (According to MS-ADTS 7.1.3, true is always the value), the first walk of the input

Initialize ExplicitACL to Empty ACL

FOR each ACE in ACL DO

IF ACE.Flags contains INHERIT_ONLY

THEN

        CONTINUE

ENDIF

IF(((ACE.Flags contains CONTAINER_INHERIT) AND

        (IsContainerObject = TRUE))OR

                                     ((ACE.Flags contains OBJECT_INHERIT) AND (IsContainerObject = FALSE)))

THEN

CASE ACE.Type OF

ALLOW:

DENY:

Set NewACE to ACE

Set NewACE.Flags to INHERITED

Append NewACE to ExplicitACL

OBJECT_ALLOW:

OBJECT_DENY:

IF (ObjectTypes contains ACE.ObjectGUID) THEN

Set NewACE to ACE

Set NewACE.Flags to INHERITED

Append NewACE to ExplicitACL

ENDIF

ENDCASE

ENDIF

END FOR

Will give:

D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

Which is as expected, as this is the DACL of all attributes and classes in Win 2008.

However, the algorithm then walks the input a second time:

Initialize InheritableACL to Empty ACL

IF (IsContainerObject = TRUE) THEN  //In our case this is always true

FOR each ACE in ACL DO

IF ACE.Flags contains NO_PROPAGATE THEN  //This flag is not set

CONTINUE

ENDIF

IF((ACE.Flags contains CONTAINER_INHERIT) OR

(ACE.Flags contains OBJECT_INHERIT))

THEN

Set NewACE to ACE

Add INHERITED to NewACE.Flags

Add INHERIT_ONLY to NewACE.Flags

Append NewACE to InheritableACL

ENDIF

                END FOR

ENDIF

This second loop yields:

(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

Which after:

RETURN concatenation of ExplicitACL and InheritableACL

Makes the final DACL look like:

D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

So ACE’s are duplicated.

However, an attribute’s DACL in Win2008 does not have these last three ACE’s, so I am obviously missing something. How should the flow actually go with this same example in order to avoid this duplication? Or am I providing the wrong argument?

Best Regards,

Nadezhda Ivanova

Hi Nadezhda:

The same information that I sent you will appear in a future version of the document MS-DTYP. The format may be different but content will be more or less same.

If you still have questions about ACE inheritance, please let me know. The intention of the reply is to allow you to move ahead with your implementation and not wait for the documentation. We don’t have a publically available date that I can provide you for the next documentation refresh at this time. However, we refresh the MSDN documentation routinely.

Regards,

Obaid Farooqi

Sr. Support Escalation Engineer | Microsoft

Hi Obaid,

Thank you for the information. It confirms our current knowledge about how ACE’s are being inherited and we will adjust our implementation accordingly while waiting for the new version of MS-DTYP. Do you know whe we can expect that?

Regards,

Nadezhda Ivanova