[cifs-protocol] Question about self relative form of SECURITY_DESCRIPTOR (SRX091118600013)

Bill Wesse billwe at microsoft.com
Wed Nov 18 10:28:53 MST 2009 

As always, you are very welcome. Glad to have been of assistance!

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com] 
Sent: Wednesday, November 18, 2009 11:50 AM
To: Bill Wesse
Cc: cifs-protocol at samba.org
Subject: Re: Question about self relative form of SECURITY_DESCRIPTOR (SRX091118600013)

Hi Bill,
Thank you, this answers my question. I supposed that the order is indeed irrelevant as long as the offsets are correct, just wanted to double-check because of the explicit ordering in MS-DTYP.

Regards,
Nadya
----- Original Message -----
> From: Bill Wesse <billwe at microsoft.com>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: cifs-protocol at samba.org <cifs-protocol at samba.org>
> Sent: Wednesday, November 18, 2009 6:46:18 PM GMT+0200 Europe;Athens
> Subject: RE: Question about self relative form of SECURITY_DESCRIPTOR (SRX091118600013)

> > Hello Nadya - here are the results of my investigation. Please let me 
> know if this answers your question satisfactorily; if so, I will 
> consider your question resolved. Thanks for helping us improve our 
> documentation.
> 
> If you wish, I will keep the case open until the TDI has been 
> resolved.
> 
> The 'Sacl, Dacl, OwnerSid, GroupSid' data instance order you are 
> seeing in the Windows self relative SECURITY_DESCRIPTOR is due to the 
> Win API function 'MakeSelfRelativeSD' implementation, which emits them 
> in that order. 'MakeAbsoluteSD' is order agnostic.
> 
> This is why both [MS-DTYP] and MSDN define the SECURITY_DESCRIPTOR 
> structure as opaque (references below).
> 
> Given this, I expect that any SECURITY_DESCRIPTOR API functions should 
> not make any assumptions concerning the appearance order of the target 
> fields.
> 
> Hence, I assert that both absolute and self-relative 
> SECURITY_DESCRIPTOR pointer target fields should be assumed to be in 
> no particular order.
> 
> I have filed a TDI proposing clarification of this point in [MS-DTYP] 
> 2.4.6 SECURITY_DESCRIPTOR.
> 
> References:
> 
> [MS-DTYP] 2.4.6 SECURITY_DESCRIPTOR
> http://msdn.microsoft.com/en-us/library/cc230366.aspx
> 
> The self-relative form of the security descriptor is required if one 
> wants to transmit the SECURITY_DESCRIPTOR structure as an opaque data 
> structure for transmission in communication protocols over a wire, or 
> for storage on secondary media; the absolute form cannot be 
> transmitted because it contains pointers to objects that are generally 
> not accessible to the recipient.
> 
> SECURITY_DESCRIPTOR Structure
> http://msdn.microsoft.com/en-us/library/aa379561(VS.85).aspx
> 
> Because the internal format of a security descriptor can vary, we 
> recommend that applications not modify the SECURITY_DESCRIPTOR 
> structure directly. For creating and manipulating a security 
> descriptor, use the functions listed in See Also.
> 
> See Also:
> GetSecurityDescriptorControl
> GetSecurityDescriptorDacl
> GetSecurityDescriptorGroup
> GetSecurityDescriptorLength
> GetSecurityDescriptorOwner
> GetSecurityDescriptorRMControl
> GetSecurityDescriptorSacl
> InitializeSecurityDescriptor
> IsValidSecurityDescriptor
> SetSecurityDescriptorDacl
> SetSecurityDescriptorGroup
> SetSecurityDescriptorOwner
> SetSecurityDescriptorRMControl
> SetSecurityDescriptorSacl
> 
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> TEL:  +1(980) 776-8200
> CELL: +1(704) 661-5438
> FAX:  +1(704) 665-9606
> 
> 
> -----Original Message-----
> From: Bill Wesse 
> Sent: Wednesday, November 18, 2009 7:57 AM
> To: Nadezhda Ivanova; Interoperability Documentation Help
> Cc: cifs-protocols at samba.org
> Subject: RE: Question about self relative form of SECURITY_DESCRIPTOR 
> (SRX091118600013)
> 
> Good morning Nadya! I will begin work on this for you this morning. I 
> have created the below case:
> 
> SRX091118600013 [MS-DTYP] 2.4.6 self relative form of 
> SECURITY_DESCRIPTOR
> 
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> TEL:  +1(980) 776-8200
> CELL: +1(704) 661-5438
> FAX:  +1(704) 665-9606
> 
> 
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com] 
> Sent: Wednesday, November 18, 2009 6:26 AM
> To: Interoperability Documentation Help
> Cc: cifs-protocols at samba.org
> Subject: Question about self relative form of SECURITY_DESCRIPTOR
> 
> Hello,
> In MS-DTYP, section 2.4.6 (the table on page 55), the self relative 
> format of a security descriptor is described as follows:
> Revision
> Sbz1
> Control
> OffsetOwner
> OffsetGroup
> OffsetSacl
> OffsetDacl
> OwnerSid
> GroupSid
> Sacl
> Dacl
> 
> However, what we receive from the wire from a Win2003 or Win2008 is in 
> fact in the form:
> Revision
> Sbz1
> Control
> OffsetOwner
> OffsetGroup
> OffsetSacl
> OffsetDacl
> Sacl
> Dacl
> OwnerSid
> GroupSid
> 
> Although it does not prevent parsing the security descriptor, on a 
> binary level the encoding between Windows and Samba is different, 
> because Samba's is as documented. Is this the desired behavior or 
> something that will be fixed?
> 
> Best Regards,
> Nadezhda Ivanova

More information about the cifs-protocol mailing list