Re: Help regarding the security descriptor creation algorithms
|
View:
New views
1 Messages
—
Rating Filter:
Alert me
|
 |
Re: Help regarding the security descriptor creation algorithms
by Nadezhda Ivanova-2
::
Rate this Message:
Some parts of this message have been removed.
Learn more about Nabble's security policy.
Hi Obaid, We will need some time to make some tests
and see if there is still behavior we do not understand. If you prefer, we can
consider this issue closed, and if there is something more I will raise a new
issue. Thank you for your assistance! Best Regards, Nadezhda Ivanova From: Obaid Farooqi
[mailto:obaidf@...] Hi Nadezhda: Please let me know
if I answered your question. As mentioned before, if you have any further
questions on ACE inheritance, please feel free to contact us. Regards, Obaid Farooqi Sr. Support
Escalation Engineer | Microsoft From: Obaid Farooqi Hi Nadezhda: The same information
that I sent you will appear in a future version of the document MS-DTYP. The
format may be different but content will be more or less same. If you still have
questions about ACE inheritance, please let me know. The intention of the reply
is to allow you to move ahead with your implementation and not wait for the
documentation. We don’t have a
publically available date that I can provide you for the next documentation
refresh at this time. However, we refresh the MSDN documentation routinely. Regards, Obaid Farooqi Sr. Support
Escalation Engineer | Microsoft From: Hi Obaid, Thank you for the information. It confirms
our current knowledge about how ACE’s are being inherited and we will adjust
our implementation accordingly while waiting for the new version of MS-DTYP. Do
you know whe we can expect that? Regards, From: Obaid Farooqi
[mailto:obaidf@...] Hi Nadezhda: I just realized that
the table in my previous email may not appear correctly. So, I am attaching a
PDF version of my reply. Please let me know if you have any difficulty reading
it. Regards, Obaid Farooqi Sr. Support
Escalation Engineer | Microsoft From: Obaid Farooqi Hi Nadezhda: We have finished our investigation on
your question about ComputeInheritedACLfromParent algorithm. The documentation
is in progress for a newer version of the algorithm that will appear in a
future version of MS-DTYP. For your implementation, you can use the
following rules to derive inherited ACE’s from the parent object. There are seven flags that can appear in
an ACE. Of the seven flags, the following pertains to inheritance: CI
CONTAINER_INHERIT_ACE OI
OBJECT_INHERIT_ACE NP
NO_PROPAGATE_INHERIT_ACE IO
INHERIT_ONLY_ACE ID
INHERITED_ACE IO and ID do not play a part when it
comes to making decisions about inheritance. ID flag is added to any ACE that
is inherited to mention the fact that it was inherited. IO flag is used to
render an ACE ineffective for the child that inherits the ACE. An ACE that has
IO flag can be inherited but the decision is based on other flags, if present.
As such, the following table mostly ignores ID and IO flags. The
following table outlines what would be the flags of the inherited ACE based on
the flags that parent has.
For the cases in which a container
inherits an ACE that is both effective on the container and inheritable by its
descendents, the container may inherit two ACEs. This occurs when inheritable
ACE contains generic information. The container inherits an ACE with an
additional IO flag with generic information and an effective-only ACE in which
the generic information has been mapped. The following page at MSDN also has
similar information that you may find helpful: http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx Please let me know if this answers your
question. If yes, then I’ll consider this issue resolved. Regards, Obaid Farooqi Sr. Support Escalation Engineer |
Microsoft From: Hi, I have been working on
implementing correct nTSecurityDeascriptor creation in the directory service of
Samba 4, and have come upon a problem in the ComputeInheritedACLfromParent
subroutine described in MS-DTYP 2.5.2.6. The way the algorithm
is described, the purpose of this algorithm is to determine which ACE’s from an
object’s parent are to be inherited by the new object actively, and which are
to be inherited only. The ComputeInheritedACLfromParent
as described, walks the parent ACL twice. The first time it
determines the active inherited ACE’s, the second time the ones that are
inherited but inactive. I have been testing our
implementation with the CN=Schema partition, as the attributes and objects by
default are not given a security descriptor during creation, and the
defaultSecurityDescriptor of attribute-Schema is empty DACL and SACL. So, they inherit all
their DACL ACE’s from their parent, CN=Schema. In a Win2008R2, CN=Schema has three inheritable DACL ACE’s: (A;CI;RPLCLORC;;;AU) (A;CI;RPWPCRCCLCLORCWOWDSW;;;SA) (A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) ComputeInheritedACLfromParent has the
following arguments:
ACL:
ACL that contains the parent's
ACEs from which to compute the inherited ACL.
IsContainerObject:
TRUE if the object is a container, FALSE otherwise.
ObjectTypes:
Array of GUIDs for the object type being created. So if we invoke the ComputeInheritedACLfromParent
with the above DACL,and isConatinerObject = true (According to
MS-ADTS 7.1.3, true is always the value), the first walk of the input Initialize ExplicitACL to Empty ACL FOR each ACE in ACL DO IF ACE.Flags contains INHERIT_ONLY THEN
CONTINUE ENDIF
IF(((ACE.Flags contains
CONTAINER_INHERIT) AND
(IsContainerObject = TRUE))OR
((ACE.Flags
contains OBJECT_INHERIT) AND (IsContainerObject = FALSE))) THEN CASE
ACE.Type OF ALLOW: DENY: Set
NewACE to ACE Set
NewACE.Flags to INHERITED Append
NewACE to ExplicitACL OBJECT_ALLOW:
OBJECT_DENY:
IF
(ObjectTypes contains ACE.ObjectGUID) THEN Set
NewACE to ACE Set
NewACE.Flags to INHERITED Append
NewACE to ExplicitACL ENDIF ENDCASE
ENDIF END FOR Will give: D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) Which is as
expected, as this is the DACL of all attributes and classes in Win 2008. However, the
algorithm then walks the input a second time: Initialize
InheritableACL to Empty ACL IF
(IsContainerObject = TRUE) THEN //In our case this is always true FOR each ACE in ACL DO IF ACE.Flags contains NO_PROPAGATE THEN
//This flag is not set CONTINUE ENDIF
IF((ACE.Flags contains CONTAINER_INHERIT) OR (ACE.Flags contains OBJECT_INHERIT)) THEN Set NewACE to ACE Add INHERITED to NewACE.Flags Add INHERIT_ONLY to NewACE.Flags Append NewACE to InheritableACL ENDIF
END FOR ENDIF This second
loop yields: (A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) Which after: RETURN concatenation
of ExplicitACL and InheritableACL Makes the final DACL look like: D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY) So ACE’s are duplicated. However, an attribute’s DACL in Win2008 does not have these last three
ACE’s, so I am obviously missing something. How should the flow actually go
with this same example in order to avoid this duplication? Or am I providing
the wrong argument? Best Regards,
_______________________________________________ cifs-protocol mailing list cifs-protocol@... https://lists.samba.org/mailman/listinfo/cifs-protocol |
|||||||||||||||||||||||||||||||||
Think before you print.| Free embeddable forum powered by Nabble | Forum Help |
