[cifs-protocol] [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Apr 26 23:53:17 UTC 2023


Thanks Obaid,

The way I have been testing SDDL using a protocol is setting 
defaultSecurityDescriptor on a classSchema object. This has some 
downsides -- the server schema fills up with useless objects, and the 
SDDL is not entirely resolved until a new object is created, at which 
point it gets merged with other defaults and it is often hard to see 
what happened.

It sometimes seems to differ a little from the 
ConvertSecurityDescriptorToStringSecurityDescriptorA API but so far only 
in inconsequential ways, like upper/lower case in hex digits.

I haven't yet got very far with testing conditional ACEs, as I have been
finding enough issues in our ordinary SDDL, and working on getting the 
basic conditional ACE code going.

As you can probably guess, I really care more about getting conditional 
ACEs right for Samba client tools than at the protocol level, but the 
same code will be used for both.

I will test some of these escapes and let you know.

cheers,
Douglas


On 26/04/23 04:23, Obaid Farooqi wrote:
> Hi Douglas:
> 
> I want to add some nuance to my previous reply.
> 
> I used an API directly to test the escaping of double quote or 4 hex 
> numbers representing the Unicode of double quote. It did not work at all.
> 
> Having said that, the document is not for API. There is a possibility 
> that the receiving node where the object resides may perform some 
> preprocessing before invoking the API. The preprocessing may take care 
> of escaping.
> 
> Do you have a set up where you can modify the security descriptor of an 
> object using a protocol that you are planning to implement (from 
> Windows-to-Windows) and use the escape sequence?
> 
> Regards,
> 
> Obaid Farooqi
> 
> Escalation Engineer | Microsoft
> 
> *From:* Obaid Farooqi
> *Sent:* Friday, April 14, 2023 12:13 PM
> *To:* douglas.bagnall at catalyst.net.nz
> *Cc:* cifs-protocol at lists.samba.org; Microsoft Support 
> <supportmail at microsoft.com>
> *Subject:* [MS-DTYP] Conditional ACE Unicode literal SDDL format - 
> TrackingID#2302240040001164
> 
> Hi Douglas:
> 
> After much code browsing, my impression was that “ is not allowed in the 
> attribute values. I asked the PG if there is an escape sequence and 
> answer was “maybe”. The person who wrote the code did it 15 years ago 
> and does not work with it anymore.
> 
> So, I tried to test it and it confirmed my finding that “ is not 
> allowed, escaped or otherwise.
> 
> I’ll file a bug to correct ABNF.
> 
> PS: if you want to test various SDDL conditional expressions, you can 
> compile and run the following code:
> 
> Creating a DACL - Win32 apps | Microsoft Learn 
> <https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl>
> 
> In this code, a DACL is created from SDDL, a directory is created and 
> DACL is applied to it. You can see the DACL is correctly applied in the 
> “Advanced” windows in the security tab of properties of the directory.
> 
> I added the following ACE to the already present ACEs in the code
> 
> (XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))
> 
> Note: the escaping of quotes around PM is for C++, not SDDL.
> 
> The resulting DACL looks like
> 
> D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; 
> AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)
> 
> The result can be verified in the properties->security->Advanced as 
> follows (the following is a picture and if you did not get it, let me know)
> 
> Notice the 3rd column “Condition”.
> 
> For the same condition, when I introduced a “ in PM as part of the value 
> (escaped or otherwise), the code errored out when creating DACL from SDDL.
> 
> Regards,
> 
> Obaid Farooqi
> 
> Escalation Engineer | Microsoft
> 
> ===================================
> 
> From: Douglas Bagnall douglas.bagnall at catalyst.net.nz 
> <mailto:douglas.bagnall at catalyst.net.nz>
> 
> Sent: Thursday, February 23, 2023 6:10 PM
> 
> To: cifs-protocol at lists.samba.org 
> <mailto:cifs-protocol at lists.samba.org>; Interoperability Documentation 
> Help dochelp at microsoft.com <mailto:dochelp at microsoft.com>
> 
> Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL format
> 
> hi Dochelp,
> 
> I am interested in the details of the format for conditional ACE SDDL 
> format, which is not really described in [MS-DTYP] (unlike the wire format).
> 
> From the examples, it is clear that it involves double-quote delimiters:
> 
>      (Title=="VP")
> 
> But how are escapes handled -- how would it handle a string that itself 
> contained a double quote?
> 
> In the ABNF there is a thing called "char-string":
> 
>      char-string = DQUOTE *(CHAR) DQUOTE
> 
> which we can deduce applies to Unicode strings due to the definition of 
> value-array, but this doesn't answer the question. Rather, it expands 
> it, since
> 
> RFC5234 says CHAR is 7-bit ASCII only, precluding most Unicode values, 
> so there must be an escaping mechanism for these characters too (unless 
> the use of CHAR is mistaken).
> 
> My guess is that Unicode strings use the same %hhhh sequence as attr-char2 
> (encoding the double quote as %0022), but there is no mention of that.
> 
> cheers,
> 
> Douglas
> 

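As an added illustration of the char-string question in this thread (this is not code from the thread, from Samba, or from Microsoft), the following Python parser applies the quoted ABNF rule `char-string = DQUOTE *(CHAR) DQUOTE` with RFC 5234's 7-bit CHAR literally, so it rejects the embedded-quote and non-ASCII literals discussed above; restricting it to the XA ACE type and the `@Prefix.Name == literal` condition shape is my assumption, not something [MS-DTYP] states.

```python
import re

# Grammar facts taken from the thread: [MS-DTYP]'s ABNF gives
#     char-string = DQUOTE *(CHAR) DQUOTE
# and RFC 5234 defines CHAR as 7-bit ASCII (%x01-7F).  Read literally, a
# char-string can contain neither a DQUOTE nor a non-ASCII character, and
# the ABNF defines no escape, matching Obaid's test of the Windows API.
# Whether a %hhhh escape (Douglas's guess) is decoded is left open by the
# thread, so this parser keeps such text verbatim.
CHAR_STRING = re.compile(r'^"([\x01-\x21\x23-\x7f]*)"$')  # CHAR minus DQUOTE

# Assumptions of this example, not taken from [MS-DTYP]: only the "XA" ACE
# type and the '@Prefix.Name == literal' condition shape from the thread.
ATTR = re.compile(r'^@(User|Device|Resource)\.([A-Za-z_][A-Za-z0-9_]*)$')
COND = re.compile(r'^\(\s*(@\S+)\s*==\s*(".*")\s*\)$', re.DOTALL)

def parse_literal(text: str) -> str:
    """Accept a literal only if it matches char-string exactly."""
    m = CHAR_STRING.match(text)
    if m is None:
        raise ValueError(f'not a valid char-string: {text!r}')
    return m.group(1)

def parse_condition(cond: str) -> dict:
    """Parse '(@User.Title == "PM")' into attribute, operator and value."""
    m = COND.match(cond)
    if m is None:
        raise ValueError(f'unsupported condition: {cond!r}')
    attr = ATTR.match(m.group(1))
    if attr is None:
        raise ValueError(f'bad attribute reference: {m.group(1)!r}')
    return {'prefix': attr.group(1), 'name': attr.group(2),
            'op': '==', 'value': parse_literal(m.group(2))}

def parse_conditional_ace(ace: str) -> dict:
    """Split '(XA;flags;rights;objguid;inhguid;sid;cond)' and parse cond."""
    if not (ace.startswith('(') and ace.endswith(')')):
        raise ValueError('ACE must be parenthesised')
    fields = ace[1:-1].split(';', 6)   # maxsplit keeps ';' inside cond
    if len(fields) != 7 or fields[0] != 'XA':
        raise ValueError('not an XA conditional ACE')
    return {'type': fields[0], 'flags': fields[1], 'rights': fields[2],
            'sid': fields[5], 'condition': parse_condition(fields[6])}
```

Running `parse_conditional_ace('(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))')` parses Obaid's test ACE, while a constructed variant with `"P\"M"` as the value raises `ValueError`, mirroring the API failure he reports.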