[cifs-protocol] [EXTERNAL] Re: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Obaid Farooqi obaidf at microsoft.com
Thu May 25 19:19:32 UTC 2023


Hi Douglas:
In addition to what I said below, I confirmed with the product group that the % with 4 hex digits is only applicable for attribute name. This is correctly documented in MS-DTYP as follows:

    attr-name = attr-name1 / attr-name2
    attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2
    attr-char2 = attr-char1 / lit-char
    lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG)
      ; 4HEXDIG can have any value except 0000 (NULL)



Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
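The two rules settled in this thread (the "%" 4HEXDIG escape belongs to attribute names only, and a string literal is DQUOTE *(CHAR) DQUOTE with no escape mechanism at all) are easy to get wrong in a client-side SDDL parser. The following is an added example, not code from the thread or from Samba or Microsoft: a small Python checker for a simple conditional expression of the form `(@User.Title == "PM")`. It assumes attr-char1 (which the quoted ABNF fragment does not spell out) is ASCII letters and digits, and the condition grammar it accepts is deliberately limited to one attribute, one comparison operator and one quoted literal.

```python
"""Added example: validate the attribute-name and string-literal rules for
conditional ACE SDDL as described in the cifs-protocol thread.

Rules applied (from the thread):
  * attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2, where
    lit-char allows listed punctuation, %x0080-FFFF, and "%" 4HEXDIG with any
    value except 0000 (NUL).
  * char-string = DQUOTE *(CHAR) DQUOTE: there is no escape, so an embedded
    double quote cannot be expressed and must be rejected.
Assumption (not in the quoted ABNF): attr-char1 is ASCII letters and digits.
"""
import re

ATTR_PREFIXES = ("@user.", "@device.", "@resource.")
# Punctuation part of lit-char, copied from the MS-DTYP fragment in the thread.
LIT_PUNCT = set("#$'*+-./:;?@[\\]^_`{}~")
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


def decode_attr_name(name: str) -> str:
    """Check an attr-name2 and expand %XXXX escapes; raise ValueError if invalid."""
    prefix = next((p for p in ATTR_PREFIXES if name.lower().startswith(p)), None)
    if prefix is None:
        raise ValueError(f"missing @user./@device./@resource. prefix: {name!r}")
    body = name[len(prefix):]
    if not body:
        raise ValueError("attribute name needs at least one character after the prefix")
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "%":
            # "%" must be followed by exactly four hex digits; a bare % is not a lit-char.
            hexpart = body[i + 1:i + 5]
            if len(hexpart) != 4 or not HEX4.fullmatch(hexpart):
                raise ValueError(f"'%' must be followed by 4 hex digits at offset {i}")
            cp = int(hexpart, 16)
            if cp == 0:
                raise ValueError("%0000 (NUL) is not allowed in an attribute name")
            out.append(chr(cp))
            i += 5
            continue
        if (ch.isascii() and ch.isalnum()) or ch in LIT_PUNCT or 0x80 <= ord(ch) <= 0xFFFF:
            out.append(ch)
            i += 1
            continue
        raise ValueError(f"character {ch!r} is not allowed unescaped in an attribute name")
    return name[:len(prefix)] + "".join(out)


def parse_string_literal(lit: str) -> str:
    """char-string has no escapes: the value is whatever sits between the
    delimiting quotes, and a further quote inside it cannot be represented."""
    if len(lit) < 2 or lit[0] != '"' or lit[-1] != '"':
        raise ValueError("string literal must be delimited by double quotes")
    inner = lit[1:-1]
    if '"' in inner:
        raise ValueError("a double quote inside a string literal cannot be expressed in SDDL")
    return inner


# Constructed, deliberately narrow grammar: "(" attr ws op ws literal ")".
COND_RE = re.compile(r'^\((\S+)\s*(==|!=)\s*(".*")\)$')


def parse_simple_condition(cond: str):
    """Return (decoded attribute name, operator, literal value) or raise ValueError."""
    m = COND_RE.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition syntax: {cond!r}")
    attr, op, lit = m.groups()
    return decode_attr_name(attr), op, parse_string_literal(lit)


def is_valid_condition(cond: str) -> bool:
    """Convenience wrapper: True if the condition parses under the rules above."""
    try:
        parse_simple_condition(cond)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample conditions; the last two are rejected on purpose.
    for sample in ['(@User.Title == "PM")',
                   '(@user.Ti%0074le != "VP")',
                   '(@User.Title == "P"M")',
                   '(@user.%0000 == "x")']:
        print(sample, "->", is_valid_condition(sample))
```

Running the block prints one line per sample; the escaped attribute name `@user.Ti%0074le` decodes to `@user.Title`, while the literal containing a quote and the `%0000` name are rejected, matching the behaviour Obaid reports for the Windows API.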

-----Original Message-----
From: Obaid Farooqi 
Sent: Thursday, May 11, 2023 1:14 PM
To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] Re: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Hi Douglas:
I researched the code for classSchema object and the default security descriptor in SDDL is only converted to binary SD when an object of that class is instantiated. And guess what, the same API is used to convert default SD that I have already communicated to you.

I can say with great confidence that there is no support for escape sequences and hex strings as escape sequences in conditional expressions in DACL in SDDL.

If you can make escaping or hex strings as escaping work, let me know.

I'll file a bug to fix MS-DTYP. 

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Wednesday, April 26, 2023 6:53 PM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: [EXTERNAL] Re: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Thanks Obaid,

The way I have been testing SDDL using a protocol is setting defaultSecurityDescriptor on a classSchema object. This has some downsides -- the server schema fills up with useless objects, and the SDDL is not entirely resolved until a new object is created, at which point it gets merged with other defaults and it is often hard to see what happened.

It sometimes seems to differ a little from the ConvertSecurityDescriptorToStringSecurityDescriptorA API but so far only in inconsequential ways, like upper/lower case in hex digits.

I haven't yet got very far with testing conditional ACEs, as I have been finding enough issues in our ordinary SDDL, and working on getting the basic conditional ACE code going.

As you can probably guess, I really care more about getting conditional ACEs right for Samba client tools than at the protocol level, but the same code will be used for both.

I will test some of these escapes and let you know.

cheers,
Douglas


On 26/04/23 04:23, Obaid Farooqi wrote:
> Hi Douglas:
> 
> I want to add some nuance to my previous reply.
> 
> I used an API directly to test the escaping of double quote or 4 hex 
> numbers representing the Unicode of double quote. It did not work at all.
> 
> Having said that, the document is not for API. There is a possibility 
> that the receiving node where the object resides may perform some 
> preprocessing before invoking the API. The preprocessing may take care 
> of escaping.
> 
> Do you have a set up where you can modify the security descriptor of 
> an object using a protocol that you are planning to implement (from
> Windows-to-Windows) and use the escape sequence?
> 
> Regards,
> 
> Obaid Farooqi
> 
> Escalation Engineer | Microsoft
> 
> *From:*Obaid Farooqi
> *Sent:* Friday, April 14, 2023 12:13 PM
> *To:* douglas.bagnall at catalyst.net.nz
> *Cc:* cifs-protocol at lists.samba.org; Microsoft Support 
> <supportmail at microsoft.com>
> *Subject:* [MS-DTYP] Conditional ACE Unicode literal SDDL format -
> TrackingID#2302240040001164
> 
> Hi Douglas:
> 
> After much code browsing, my impression was that " is not allowed in 
> the attribute values. I asked the PG if there is an escape sequence 
> and answer was "maybe". The person who wrote the code did it 15 years 
> ago and does not work with it anymore.
> 
> So, I tried to test it and it confirmed my finding that " is not 
> allowed, escaped or otherwise.
> 
> I'll file a bug to correct ABNF.
> 
> PS: if you want to test various SDDL conditional expressions, you can 
> compile and run the following code:
> 
> Creating a DACL - Win32 apps | Microsoft Learn
> <https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl>
> 
> In this code, a DACL is created from SDDL, a directory is created and 
> the DACL is applied to it. You can see the DACL is correctly applied in 
> the "Advanced" window in the security tab of the properties of the directory.
> 
> I added the following ACE to the already present ACE's in the code
> 
> (XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))
> 
> Note: the escaping of quotes around PM is for C++, not SDDL.
> 
> The resulting DACL looks like
> 
> D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; 
> AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)
> 
> The result can be verified in the properties->security->Advanced as 
> follows (the following is a picture and if you did not get it, let me
> know)
> 
> [screenshot of the Advanced security settings dialog; image not included in the archive]
> 
> Notice the 3rd column "Condition".
> 
> For the same condition, when I introduced a " in PM as part of the 
> value (escaped or otherwise), the code errored out when creating DACL from SDDL.
> 
> Regards,
> 
> Obaid Farooqi
> 
> Escalation Engineer | Microsoft
> 
> ===================================
> 
> From: Douglas Bagnall douglas.bagnall at catalyst.net.nz 
> <mailto:douglas.bagnall at catalyst.net.nz>
> 
> Sent: Thursday, February 23, 2023 6:10 PM
> 
> To: cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org>; Interoperability Documentation 
> Help dochelp at microsoft.com <mailto:dochelp at microsoft.com>
> 
> Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL 
> format
> 
> hi Dochelp,
> 
> I am interested in the details of the format for conditional ACE SDDL 
> format, which is not really described in [MS-DTYP] (unlike the wire format).
> 
> From the examples, it is clear that it involves double-quote delimiters:
> 
>      (Title=="VP")
> 
> But how are escapes handled -- how would it handle a string that 
> itself contained a double quote?
> 
> In the ABNF there is a thing called "char-string":
> 
>      char-string = DQUOTE *(CHAR) DQUOTE
> 
> which we can deduce applies to Unicode strings due to the definition 
> of value-array, but this doesn't answer the question. Rather, it 
> expands it, since RFC5234 says CHAR is 7-bit ASCII only, precluding 
> most Unicode values, so there must be an escaping mechanism for these 
> characters too (unless the use of CHAR is mistaken).
> 
> My guess is that Unicode strings use the same %hhhh sequence as attr-char2 
> (encoding the double quote as %0022), but there is no mention of that.
> 
> cheers,
> 
> Douglas
> 